Netgate Fw-7541 Pfsense Quick Start Guide 2.1


FW-7541 with pfSense Certified ® 2.1

Quick Start Guide

Contents

Introduction
Plugging everything in
Description of Port Indicators
Initial Configuration
Logging into the web interface
Setup Wizard
Hostname
Domain
DNS Servers
Time Zone and Server
WAN Configuration
Configure LAN Interface
Setting the password
Introduction to the web interface
Backing up and restoring
What else can I do?
Support
Other Support Options
Forum
Mailing Lists
IRC
Using the serial console
Windows using PuTTY
Windows using Hyperterminal
Accessing the BIOS Using the Serial Console
Additional Documentation

Introduction

Thank you for your purchase of the Netgate FW-7541 with pfSense Certified® 2.1. The FW-7541 hardware platform in combination with the popular open source pfSense software provides a powerful, reliable, cost-effective solution for your network security needs.

This Quick Start Guide will help you get up and running with a basic configuration on your FW-7541.

Plugging everything in

The system comes pre-assembled and ready to plug in and get started with configuration. The following image shows the location of the WAN and LAN ports.

Description of Port Indicators

The following list will help you in decoding the LED indicators on the face of the FW-7541 unit.

HDD LED: If the light is on, the HDD or storage medium is being accessed.

Status LED: A programmable LED, not yet used by the OS.

Power LED: If the light is on, it indicates the system is powered on.

Network Interface LEDs

Left LED: Green indicates 100Mbit/s link, Orange is 1000Mbit/s.

Right LED: LED indicates port activity.


If you are replacing an existing firewall on a production network, you will want to go through the initial configuration with the device not plugged into your production network. You can plug a laptop or desktop PC into the LAN port to perform the initial configuration. For new networks, you can start by plugging the LAN into your switch.

Note: The FW-7541 Ethernet ports are auto MDI/MDI-X, meaning you can use either a straight through or crossover CAT5 cable regardless of the type of device you are connecting it to.

To get started, plug the LAN port into the network or system where you will perform the initial configuration, and then plug in the power as seen in the image below, which shows the rear side of the unit and the buttons/connectors found there.

Initial Configuration

After powering on your FW-7541, it will boot up and be ready for the initial configuration after approximately two minutes. The initial boot takes longer if your WAN interface is not plugged into something where it can receive a DHCP address, as it must wait for that to time out. Once the system is booted, you should receive a 192.168.1.X IP address on the system(s) plugged into the LAN port from the DHCP server.

Logging into the web interface

Browse to https://192.168.1.1 to access the web interface. You will be prompted for a username and password; the default username is admin and the password is pfsense.

Setup Wizard

After logging in, the setup wizard will run. This will walk you through a few steps to get up and running with a basic configuration. At the first screen, click Next. The subsequent screen allows you to configure the hostname, domain and DNS servers to be used.

Hostname

For hostname, choose a name for the host. This does not affect functionality.


Domain

If you have an existing DNS domain in use inside your network (such as a Microsoft Active Directory domain), use that domain here. This is the domain suffix assigned to DHCP clients, which you will want to match your internal network. For networks without any internal DNS domains, you can fill in anything you want here.

DNS Servers

The DNS server fields can be left blank if you have a WAN connection using DHCP, PPTP or PPPoE types of Internet connections and the ISP automatically assigns DNS servers. When using a static IP on WAN, you must enter DNS server IPs here for name resolution to function. You can specify DNS servers here even if your ISP assigns different ones. Either enter the IPs provided by your ISP, or you may want to consider using a service like OpenDNS (www.opendns.com) whose free service will allow you to add content filtering and phishing protection amongst other benefits to your pfSense install. Using Google’s public DNS servers (8.8.8.8, 8.8.4.4) is another popular choice.

Click “Next” after filling in the fields as appropriate.

Time Zone and Server

The next screen allows you to configure the time (NTP) server to be used to synchronize your firewall’s time, and also specify its time zone. The default NTP server points to ntp.org’s NTP server pool. If you have an internal time server, you should specify it here instead. You also want to select a city in your time zone so your log timestamps are in local time (unless you have a policy to timestamp all logs in GMT).


Click Next.

WAN Configuration

This page is where your Internet connection is configured. You will need information from your ISP to configure this screen appropriately. A few notes to assist you:

MAC address – if replacing an existing firewall, you may want to enter the old firewall’s WAN MAC address here, if you can easily tell what that is. This commonly avoids issues involved in switching out firewalls, such as ARP caches, ISPs locking to single MAC addresses, etc.

If you can’t enter the MAC of your current firewall here, it probably isn’t a big deal – power cycle your router or modem and your new MAC will usually be able to get online. For some ISPs, you have to call when switching devices, or go through an activation process of some sort.

Static IP configurations – the subnet mask is configured in CIDR format, which is usually provided by the ISP in addition to the 255.x.x.x subnet mask. The following table shows the most common subnet masks and their CIDR equivalent.

Subnet Mask        CIDR
255.255.255.252    30
255.255.255.248    29
255.255.255.240    28
255.255.255.224    27
255.255.255.192    26
255.255.255.128    25
255.255.255.0      24
255.255.254.0      23

Block private networks and bogons – these two options will block private, unassigned, and reserved IP subnets for traffic initiated on your WAN connection (i.e. coming in from the Internet). These IP ranges should never be seen on the Internet, and these should both be enabled on systems that are directly connected to the Internet. If your WAN resides on a private network, you may not want to use these options.

Configure LAN Interface

Here you configure the IP and subnet mask to be used on your LAN. If you don’t ever plan to connect your network to any other network via VPN, the 192.168.1.x default is fine.

If you want to be able to connect into your network using VPN from remote locations, you should choose a private IP address range much more obscure than the very common 192.168.1.0/24. Space within the 172.16.0.0/12 RFC1918 private address block seems to be the least frequently used, so choose something between 172.16.x.x and 172.31.x.x for least likelihood of having VPN connectivity difficulties. If your LAN is 192.168.1.x and you are at a wireless hotspot using 192.168.1.x (very common), you won’t be able to communicate across the VPN – 192.168.1.x is the local network, not your network over VPN.
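The addressing decisions in the WAN and LAN steps above can be checked before they are typed into the wizard. The following is an added example, not part of the original guide or of pfSense: it converts a dotted subnet mask to its CIDR prefix, flags a WAN that sits in private space (where the guide says the block option may not be wanted), and reports LAN ranges that would collide with networks VPN users connect from. The function names and the sample remote networks are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: ranges assumed typical of hotspots and home routers.
SAMPLE_REMOTE_NETWORKS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def to_interface(address, mask):
    """Parse an address with a dotted mask or a CIDR prefix length.

    ipaddress raises ValueError for a non-contiguous mask such as
    255.255.0.255, so a mistyped mask is caught before it reaches the wizard.
    """
    return ipaddress.ip_interface(f"{address}/{mask}")


def check_wan(address, mask):
    """Return (cidr_prefix, enable_block_private) for a static WAN address."""
    wan = to_interface(address, mask)
    on_private = any(wan.ip in net for net in RFC1918)
    # Internet-facing WAN: enable the block. WAN inside private space: the
    # guide says you may not want it, so this returns False for review.
    return wan.network.prefixlen, not on_private


def check_lan(address, mask, remote_networks):
    """Return a list of findings for a proposed LAN address and mask."""
    lan = to_interface(address, mask).network
    findings = []
    if not any(lan.subnet_of(net) for net in RFC1918):
        findings.append(f"{lan} is outside RFC 1918 private space")
    for remote in map(ipaddress.ip_network, remote_networks):
        if lan.overlaps(remote):
            findings.append(f"{lan} overlaps {remote}: VPN clients there "
                            "cannot reach it")
    return findings


if __name__ == "__main__":
    # Constructed sample addresses (documentation and private ranges).
    print(check_wan("203.0.113.10", "255.255.255.248"))
    print(check_wan("10.20.30.2", "255.255.255.252"))
    for lan_ip in ("192.168.1.1", "172.21.44.1"):
        print(lan_ip, check_lan(lan_ip, "255.255.255.0", SAMPLE_REMOTE_NETWORKS))
```
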

Setting the password

Enter the admin password for your firewall here, and again to confirm. You should choose a strong password, with a combination of letters, numbers and symbols. Should you forget your password, you can reset it using a serial console on your FW-7541.

After entering your password and confirming it, click Next.

Then click Reload to apply your changes.


Introduction to the web interface

You are now at the front page of the pfSense web interface. This screen provides an overview of your system resource utilization. The menu on the left side of the screen groups the various configuration, status and diagnostics screens. There are also additional themes available to change the layout of the web interface, under System -> General Setup if you prefer a different look and feel.

Note: The default theme does not function on an iPhone, iPad, or iPod Touch, but when browsing from one of these devices it will automatically switch to a different, plainer theme that is functional. Yes, you can configure your FW-7541 from your iOS devices. The default theme does function properly in the Android browser, but is difficult to navigate due to the screen size, so it also will switch to the plainer theme.

The default firewall rules can be viewed under Firewall -> Rules. If you need to forward ports, you will configure them under Firewall -> NAT. More information on port forwarding can be found here:

http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

You can view your real time traffic throughput under Status -> Traffic Graph. For many longer term statistics, browse to Status -> RRD Graphs. Logs can be viewed under Diagnostics -> System logs.

Backing up and restoring

At this point your basic two interface LAN and WAN configuration is complete. Before proceeding with additional configuration, you will want to get a backup of your configuration. To do so, browse to Diagnostics -> Backup/Restore in the web interface. Click the Download Configuration button, and a copy of your configuration will be downloaded. You can restore this configuration at the same screen, by choosing your backup file under “Restore configuration”.

If you purchased support with your FW-7541, you also have access to the AutoConfigBackup service. This will encrypt your configuration and upload it to our servers every time you make a configuration change. Just don’t lose your encryption key – it’s impossible for anyone to read the backup without the key, and the backup cannot be restored without the key. You can find more information here:

http://doc.pfsense.org/index.php/AutoConfigBackup

What else can I do?

The pfSense software provides a wide array of functionality beyond the simple configuration documented here. See the Additional Documentation section to find information on this functionality and more. A few of the most commonly used possibilities follow.


• IPv6 – support for native IPv6 connectivity on the LAN and several variations of IPv6 connectivity on the WAN is available.

• Captive portal – allows you to present a splash page to all users upon connecting to your network, optionally with authentication. This is commonly used with wireless hot spots, or as an additional layer of protection for wireless networks with authentication against a local user database, or external RADIUS server such as Microsoft Active Directory.

• VPN – three types of VPNs are supported, IPsec, OpenVPN and PPTP. You can use these options to connect roaming users for remote access, or site to site connectivity to connect multiple locations.

• Multi-WAN – multiple Internet connections with failover and load balancing are supported. In combination with a VLAN capable switch, you can connect numerous Internet connections over a single physical interface on the firewall.

• Dynamic DNS – if your public IP is dynamic, you may want to sign up with a dynamic DNS provider (many options are free) and use the Dynamic DNS client to keep your hostname updated. This is especially helpful if you want to access services like VPN remotely.

• Wireless – with a wireless kit available from Netgate, your FW-7541 can act as a wireless access point, or be used in Ad-hoc networks. It can also connect to a wireless access point as a client – use your neighbor’s wireless as a second WAN (with permission, of course), amongst many other possible deployments.

Support

Newly-purchased eligible firewall products come with one year of Netgate’s Premium Support. If you are eligible for this, you should have received a welcome letter with your login credentials to http://support.netgate.com. This service entitles you to access to our dedicated support portal for subscribers of Netgate’s Premium Support, free updates to new version releases of pfSense Certified® pfSense® 2.1, and much more.

Other Support Options

There is a large community of pfSense users who volunteer their time to help others. You may find all the help you need through the community, though generally not as promptly as with commercial support, and with no assurance of response or a resolution.

Forum

There is a very active forum at http://forum.pfsense.org.

Mailing Lists

Mailing lists are also available, with information at http://www.pfsense.org/mailinglists.


IRC

The official IRC channel is ##pfsense on FreeNode.

Using the serial console

With the pre-assigned interfaces on the FW-7541, you do not need to use the serial console to set up the device. You may want to access the console menu at times, for instance if you need to reset your admin password. The serial port on the FW-7541 is an RJ45 port, so you will need an RJ45 to DB9 converter in order to connect. It requires a rollover cable similar to those used for connecting to Cisco devices, most of which include an adapter for DB9 if they are not already fixed with a DB9 connector on one end. These rollover cables are already null modem cables, so they are usable on their own. It may also be possible to use a traditional null modem cable and a separate RJ45 to serial adapter. You may also want to consider purchasing a VGA cable for connecting a monitor, which can be found on the Netgate web site here: http://store.netgate.com/-P350C83.aspx

Plug one end of the console cable into the serial port on the FW-7541 (or the converter), and the other into a serial port on a computer with a terminal emulator. USB to serial adapters should work well for systems that don’t have a serial port.

The FW-7541 ships with the speed set to 115200, but if the firmware image is manually reloaded or other changes are made that result in the serial console not working properly at 115200, try using a speed of 9600 instead.

Windows using PuTTY

PuTTY is a free option for Windows that includes serial console support.

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

For Connection type, select Serial. In Serial line, enter the COM port (e.g. COM1 or COM3). Lastly, for Speed, enter 115200.


Windows using Hyperterminal

Hyperterminal is another free option for Windows.

http://www.hilgraeve.com/hyperterminal.html

Configure it as shown in the following screenshot.

Accessing the BIOS Using the Serial Console

To access the BIOS while connected to the serial console, press the TAB key as the BIOS initializes.

Additional Documentation

This guide illustrates the basics for getting up and running with your FW-7541. There is much more that can be accomplished with the pfSense software. The best source of information is the book pfSense: The Definitive Guide available from Amazon, Barnes & Noble, and other booksellers. If you purchased support, contact BSD Perimeter and they will provide the latest work in progress copy electronically. The book was written for pfSense 1.2.3, but the fundamentals and much of the GUI instructions still apply. There will be an updated book in the near future, available from the same retailers.

There is also a growing amount of information freely available on the pfSense documentation site at http://doc.pfsense.org.