The Complete Setup Guide to pfSense for Privacy and Security

The Complete Setup Guide to pfSense for Privacy and Security

Table of Contents

  1. Introduction
  2. Step 1: Installation
  3. Step 2: Initial Setup
  4. Step 3: pfSense WebConfigurator
  5. Step 4: Internet Connectivity
  6. Step 5: pfSenes Client VPN Setup
  7. Step 6: Always-on VPN
  8. Summary


This is the complete guide for installing pfSense, for privacy and security enthusiasts. I strongly recommend reading the first part, The Foundations of Digital Privacy - Beyond VPN, as it provides essential background on VPNs, the distinction between anonymity and privacy, and the use of secure DNS through DNS over HTTPS (DoH) and DNS over TLS (DoT).

In this guide, I’ve included a video that walks through the initial setup of pfSense on a Qotom Mini PC. Since 2019, I have been using a Qotom Mini PC for pfSense, starting with the Qotom 4 Q355G4, which served me well for several years. Recently, I upgraded to the Qotom Q555G6-S05, which offers improved performance and features. This guide will focus on setting up pfSense using the Qotom Q555G6-S05, but the steps are generally applicable to other hardware as well. It’s important to note that RAM isn’t usually included with the Qotom Mini PC so you’ll need to add this. I recommend the Crucial RAM 16GB DDR4 3200MHz CL22 SoDIMM. As of March 2024, purchasing these components comes in at just under $320 USD. You’ll also need an SSD drive, but these are cheap, typically costing another $20-$30 for around 120GB of capacity, which is more than enough for pfSense.

For less than $350 USD, you’ll have a 6-port pfSense router with 16GB of RAM, and an Intel Core i5-7200U Processor. A similarly configured Protectli VP4650 cost $794 USD, although this has 2.5G network ports. Both Qotom and Protectli support AES-NI which offloads AES instructions to the CPU, providing performance improvements and security, lowering the risk of side-channel attacks.

Protectli are certainly a credible name for pfSense, but it’s a lot more expensive. I’ll let you decide, but this setup guide should apply to both. One thing I’ll add here is that you should install pfSense yourself, instead of purchasing a router with pfSense pre-installed. Call me paranoid, but if you have already made the decision to run pfSense, you should know how to install it.

Shopping List

Item Link
Qotom Q555G6-S05 (my recommendation) Amazon Link
Crucial 16GB DDR4 3200MHz SoDIMM Amazon Link
SSD Drive Amazon Link
USB Flash Drive Amazon Link
pfSense USB Installer pfSense Link
Spare monitor and keyboard for the setup -

IP Addressing

Before proceeding with the installation, it’s best to decide on your IP configuration which will include the IP address of your pfSense router, DHCP ranges, and your DNS server IP (if you have one already). If you are looking to configure VLANs to segment different networks, such as guests, work, private, kids, IoT, and so on, providing you have a managed network switch capable of VLAN tagging, you should also decide this now.

In most cases, you’ll already have all of this information, especially if you are replacing an existing router, whether that is the ISP provided router, or your own. Use this example list to create your own, so you have this to hand during setup:

Example IP Checklist:

Item IP Address Description
pfSense LAN This will be your gateway IP
LAN DHCP Range - Your primary LAN DHCP Range
Work VLAN This will be the subnet and gateway for your work VLAN network
Work DHCP Range - Your work VLAN DHCP Range
Guest VLAN This will be the subnet and gateway for your work VLAN network
Guest DHCP Range - Your work VLAN DHCP Range

Note: In the screenshots you’ll see throughout this guide, I use, which is my setup network dedicated for lab / testing. Just replace these with your own IP configuration.

Step 1: Installation (pfSense 2.7.2)

Download the Installer

The first step is to download the pfSense installer. Make sure to select AMD64 (64-bit) architecture, USB Memstick Installer, and VGA console. I’ve included a screenshot below.

Verifying the SHA256 Checksum

Verifying the SHA256 checksum of the pfSense installer is a crucial step in the installation process to ensure the integrity and authenticity of the file. This verification step confirms that the downloaded installer has not been tampered with and matches the official version provided by Netgate.


  1. Open a command prompt (Start > type CMD)
  2. cd Downloads (or wherever you downloaded the pfSense installer to)
  3. Type certutil -hashfile pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz SHA256


  1. Open a terminal window
  2. cd ~/Downloads (or wherever you downloaded the pfSense installer to)
  3. Type sha256sum pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz


  1. Open a terminal window
  2. cd ~/Downloads (or wherever you downloaded the pfSense installer to)
  3. Type shasum -a 256 pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz

This will display the hash (e.g. 7c68b40c02f06f17146e2f1d5899e2f4a2bcfd98803f06fef8ecf3e2d0f63dcb). Manually compare the displayed hash to the one provided on the pfSense website or in the .sha256 file. If the hashes match, it confirms that the file integrity is intact and the file has not been tampered with.

Creating the USB Installer

You’ll need to extract pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz, which contains the .img file we need to create the USB Installer. I recommend 7zip if you are using Windows (just right click > 7-Zip > Extract here) or if you’re using Linux (or Mac), do the following:

Linux / Mac

  1. Open a terminal window (Linux)
  2. Type gunzip pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz

Next, use Etcher to create your USB flash drive installer.

Step 2: Initial Setup

At this stage, you should have the USB installer inserted in the Qotom Mini-PC, and a keyboard and monitor attached. I’ve created a video of the initial setup process for you to follow along.

Note: The numbering of the network ports on the Qotom Mini-PC is right to left. The furthest right port is igb0 (WAN), igb1 (LAN) next, and so on.

Router Bridge (Modem) Mode

Before you connect your ISP modem/router to the WAN port on the pfSense router, you’ll need to make sure the internet router is configured in bridge mode (or modem, or pass-through mode). Before you do this, know that if you use your existing router for WiFi, DHCP, NAT, or port-forwarding, then these will be disabled since we’re going to do this on pfSense.

Bridge mode disables the NAT feature on the modem, allowing the router to function as a modem. By enabling bridge mode, pfSense receives the public IP address from your ISP, avoding a double NAT scenario where your pfSense uses an internal IP. This process can vary depending on the ISP and the specific router they provide, so I recommend you search for how to do this with your specific ISP / router.

Most ISP routers assign the public IP address based on the MAC address of the router. This means that if you simply unplug from the WAN port of your existing router, then plug into the WAN port (igb0) of pfSense, the ISP router will likely need to be rebooted before it’ll assign a new public IP address (since it now has a new MAC address).

In summary, you’ll be doing the following:

  1. Open a web browser and enter the IP address of your ISP-supplied router. This is often or, but check your device’s manual for the actual IP address.
  2. Use the credentials provided by your ISP (or on the device label). If you’ve changed the password and can’t remember it, you may need to reset the device to factory settings.
  3. Search for an option labeled as “Bridge Mode,” “Modem Mode,” or “IP Passthrough.” This is often found in the “Advanced,” “Network,” or “WAN Setup” menus.
  4. Follow the on-screen instructions to enable bridge mode.
  5. Ensure all changes are saved, and manually reboot the router if it doesn’t automatically do so.
  6. After enabling bridge mode, connect it to your pfSense WAN port (igb0).

Step 3: pfSense WebConfigurator

The WebConfigurator is the web UI for accessing pfSense. If you followed the video, you should now be connected to the web (E.g. or similar)

Change the admin password

The first step is to change the default username (admin) and password (pfsense).

  1. Go to System > User Manager
  2. Click the edit icon for the admin user
  3. Enter the new password and again for confirm
  4. Click Save

Change pfSense DNS to Quad9

Next, we’ll update pfSense to use Quad9 as its DNS servers. Keep in mind, this change applies to the DNS servers pfSense uses internally and may not directly affect the DNS servers your clients use. We’ll address client DNS configuration separately at a later stage.

  1. Go to System > General Setup
  2. Change both DNS server entries as per the table below (you can optionally add a third entry for IPv6)
  3. Click Save
IP Address DNS Server

These settings are also available on the Quad9 website:

Disable IPv6 (optional)

I’ve chosen to disable IPv6 features on my pfSense firewall as I don’t require them. If you rely on and utilize IPv6, feel free to skip this section. However, I’ll proceed under the assumption that most setups won’t need IPv6. Should you employ IPv6, it’s crucial to bear in mind the necessity of configuring both IPv4 and IPv6 rules within your firewall settings.

  1. Go to System > Advanced, then click on the Networking tab
  2. In IPv6 Options, de-select ‘Allow IPv6’
  3. Click Save

Configure DHCP for LAN

Next we’ll configure the DHCP server for your LAN. Unless you have a separate DHCP server, I’ll assume your ISP provided router (or another router) was doing this before. Later on, if you decide to use VLANs for different networks, we can use the pfSense DHCP server for each VLAN too.

You’ll need to decide the address pool range, which in most cases you copy from your existing router. Just remember to disable DHCP on your existing router before enabling the DHCP server on pfSense, otherwise devices on your network will get IP addresses from both pfSense and your other router, leading to conflicts and other problems.

Note: If you get this message “ISC DHCP has reached end-of-life and will be removed in a future version of pfSense. Visit System > Advanced > Networking to switch DHCP backend.” just go System > Advanced > Networking, and switch the server backend to “Kea DHCP” then click Save at the bottom of the screen.

For DNS, pfSense is equipped with the Unbound DNS Resolver by default, which is capable of handling DNS requests for your network.

  1. Go to Services > DHCP Server
  2. Enter your address pool range (e.g. -
  3. DNS Servers: Add the IP address of pfSense (e.g.
  4. Gateway: Add the IP address of pfSense (e.g.

Step 4: Internet Connectivity

Before we go any further, we should get pfSense connected to the internet. If you have an existing router, turn this off, unplug the cable from the WAN port and connect it to ibg0 which is the first port on the right. Make sure the ISP supplied router / modem is in ‘bridge mode’ (you may need to reboot the internet modem) before pfSense is able to assign the WAN IP address.

The WAN IP address is then assigned to the pfSense WAN port (igb0), and it binds to the physical MAC address of your pfSense router. This can be changed (or spoofed) by clicking on the WAN interface link from home page of pfSense (Dashboard), if you want to enter another MAC address. This is a more advanced use-case, so typically you’ll just leave this.

From the pfSense Dashboard > Interfaces, you should now see you have a public WAN IP address assigned.


By default pfSense uses ‘Automatic Outbound NAT’, which automatically creates NAT rules for each of your network interfaces (such as the LAN, and loopback) so you can access the internet without manually adding these. This is fine for most setups, but our approach is more intentional and allows for a more secure configuration since only the networks we specify can mapped to an external interface (WAN or VPN).

Also, by default pfSense creates NAT rules for loopback addresses ( for IPv4 and ::1/128 for IPv6). These addresses are designed for internal communication within the device itself and, under typical circumstances, do not require NAT rules since this traffic is not meant to be routed externally. Simplifying our NAT setup by removing these rules will result in a cleaner, more intentional configuration, reducing unnecessary complexity.

In this section, we’ll switch this to ‘Manual Outbound NAT’, and remove any unnecessary mappings.

  1. Go to Firewall > NAT > Outbound, then select ‘Manual Outbound NAT’, and click Save.
  2. Click Apply Changes

Once you’ve done this, you’ll have something similar to the screenshot below:

By default it creates NAT rules for ISAKMP (port 500) which you only need for IPSEC VPN and site-to-site setups. Since we’re not using IPSEC, let’s go ahead and delete any mappings for port 500.

  1. For each rule with a destination port of 500, click the trashcan icon
  2. Click Apply Changes.
  3. Remove the two mappings for and ::/128
  4. Click Apply Changes.

Now only one rule will remain, which maps your LAN (E.g. to the WAN interface. Later in this guide, we’ll change this to a VPN interface such as Mullvad or ProtonVPN.


Next we’ll visit the firewall configuration. Initially, the two networks you will focus on are the WAN and LAN. First, unless you are utilizing IPv6 on your network, we’ll simplify this and delete the ‘Default allow LAN IPv6 to any rule’, which allows any IPv6 addresses on your LAN, to any (the internet).

Deleting rules:

  1. Go to Firewall > Rules, and select the LAN tab
  2. Click the trashcan icon next to the ‘Default allow LAN IPv6 to any rule’, click OK
  3. Click Apply Changes.

Firewall rules:

  1. Go to Firewall > Rules, and select the LAN tab
  2. Select the edit (pencil icon) for the ‘Default allow LAN to any rule’ which should be the last one
  3. Scroll down to ‘Extra Options’ and click ‘Display Advanced’
  4. Scroll down and change ‘Gateway’ to ‘WAN_DHCP’
  5. Click Save, then Apply Changes.

Now you should have internet access, providing your client machine has DNS. You can test internet connectivity by pinging a known public IP (e.g.


If this works and your client machine can resolve DNS, then you have internet access. Next we want to make sure we only use VPN for all devices on the LAN.

Step 5: pfSense Client VPN Setup

In this step, we’ll setup our preferred VPN provider, create a dedicated interface for the VPN, and then go back to the NAT and Firewall rules to make sure all traffic is routed over VPN. This will vary slightly depending on the VPN provider, and most offer their own guides for pfSense. For the purpose of this guide, we’ll use ProtonVPN.

ProtonVPN Configuration

First, let’s gather the information we need from ProtonVPN, such as the username, password, VPN server IP address, and VPN certificate.

  1. Login to your ProtonVPN account (ProtonVPN Account) and click Downloads
  2. Scroll down to ‘OpenVPN configuration files’, then choose ‘Router’
  3. Leave Protocol as ‘UDP’
  4. Scroll down to your preferred country configuration (E.g. United States)
  5. Select a VPN location to download (E.g. US-NY#62)
  6. Click Download and save the .ovpn file to your computer
  7. Next, go to Account
  8. Copy the username and password from ‘OpenVPN / IKEv2 username’

I like to save Proton’s OpenVPN configuration files to my computer in case I want to switch to another server later. This way I have an offline copy of my preferred VPN servers.

Open the .ovpn configuration file in Notepad or similar, and along with the username and password, take note of the following:

  • OpenVPN / IKEv2 username
  • OpenVPN / IKEv2 password
  • VPN server IP address (E.g. in the line remote 1194)
  • Cipher (E.g. in the line cipher AES-256-GCM)
  • Tun MTU (E.g. in the line tun-mtu 1500)
  • CA Certificate (see below)
  • TLS Key (see below)

With the OpenVPN configuration file open, look for the section that starts with <ca> and ends with </ca>, and copy the text between these tags. You’ll have something similar to this example:

The first step is to import the CA (Certificate Authority) certificate from ProtonVPN. To do that, we need to obtain the OpenVPN configuration file which will contain all the information we need.


Also, you need the TLS key which is also in the configuration file:

-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Adding ProtonVPN CA Certificate

Now, we’ll import the CA certificate into pfSense.

  1. Go to System > Certificates, and click on the Authorities tab
  2. Click Add
  3. Descriptive Name: ‘ProtonCA’ or something similar
  4. Change ‘Method’ to ‘Import an existing Certificate Authority’
  5. Leave Trust Store and Randomize Serial unchecked
  6. Paste the certificate in ‘Certificate Data’ including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- text
  7. Click Save

OpenVPN Client Setup

Now we’ve imported the CA certificate from Proton, we can continue to the OpenVPN client setup. For entries that are left blank, I’ve not included them below.

  1. Go to VPN > OpenVPN, and select the Clients tab
  2. Click Add, and use the settings in the table below:
Description ProtonVPN or something similar
Server mode Peer to Peer (SSL/TLS) - default
Device mode tun - Layer 3 Tunnel Mode - default
Protocol UDP on IPv4 only - default
Interface WAN - default
Local port blank - default
Server host or address
Server port 1194 - default (You can change this if desired, to one of the other supported ports in the ovpn configuration file)
Proxy host or address blank - default
Username - Obtain from ProtonVPN (Account > OpenVPN / IKEv2 username)
Password - Obtain from ProtonVPN (Account > OpenVPN / IKEv2 password)
Authentication Retry Disabled - default (do not select this)
TLS Configuration Use a TLS Key - default (this should be selected)
Automatically generate a TLS Key Disabled (uncheck this)
TLS Key Paste TLS key you obtained earlier, including the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- text
TLS Key Usage Mode TLS Authentication - default
TLS keydir direction Use default direction - default
Peer Certificate Authority ProtonCA (this is the name of the CA certificate you added in the last step)
Data Encryption Algorithms AES-256-GCM (this should be the only option on the right hand side)
Fallback Data Encryption Algorithm AES-256-CBC (256 bit key, 128 bit block) - default
Auto digest algorithm SHA512 (512 bit)
Hardware Crypto Intel RDRAND engine - RAND
Allow Compression Decompress incoming, do not compress outgoing (Asymmetric)
Compression Disable Compressions [Omit Preference]
Pull DNS Enable ‘Add server provided DNS’
  1. Go to Status > Services
  2. For ‘openvpn’ press the start (play) button
  3. Go to Status > OpenVPN

You should see that the VPN connection status is ‘Connected (Success)’. If this shows as ‘down’ or ‘pending’, you can check for errors in Status > System Logs > OpenVPN.

Step 6: Always-on VPN

If you’ve made it this far, congratulations! You’ve not only got pfSense as your primary router, but it’s running a VPN client connected to your VPN provider. All that remains, is to configure pfSense to route all outbound traffic from the LAN, to your VPN provider instead of the WAN port. This is where the magic happens, and because of the way we’ve setup routing, it acts as a ‘kill-switch’, should your VPN connection go down, it won’t default to the WAN interface.

In this final step, there 3 areas to configure:

  1. Create an interface for the VPN (E.g. ProtonVPN)
  2. Configure NAT (outbound) to use the new interface instead of the WAN interface
  3. Configure the LAN firewall rule to specify the VPN interface as the LAN gateway.

Create VPN Interface

We need to configure our VPN (E.g. ProtonVPN) as an interface. This will allow for the NAT and firewall rule configuration in the next steps to use this interface to route to the internet (via VPN).

  1. Go to Interfaces > Assignments
  2. Under ‘Available network ports’, select ‘ovpnc1 (ProtonVPN)’ or whatever your VPN client was named, then click Add.
  3. Click on the new interface (e.g. OPT1)
  4. Select ‘Enable interface’
  5. Change Description: ProtonVPN (or similar)
  6. Click Save, then Apply Changes

NAT Configuration

Now we have our interface, we’ll configure outbound NAT to use it as the external connection.

  1. Go to Firewall > NAT
  2. Select the ‘Outbound’ tab
  3. Select the edit (pencil icon) for the NAT rule which matches your LAN subnet (e.g.
  4. Change the interface from ‘WAN” to ‘ProtonVPN’ (or your VPN interface name)

LAN Firewall Default Rule

  1. Go to Firewall > Rules
  2. Sekect the ‘LAN’ tab
  3. Select the edit (pencil icon) for the ‘Default allow LAN to any rule’ which should be the last one
  4. Scroll down to ‘Extra Options’ and click ‘Display Advanced’ (if it’s not already showing)
  5. Scroll down and change ‘Gateway’ to ‘PROTONVPN_VPNV4’ (or the one for your VPN interface)
  6. Click Save, then Apply Changes.


A quick note on VLANs. To achieve this, you would:

  • Set up VLANs on your managed switch and configure corresponding interfaces in pfSense. Hint: You can use VLAN tagging to ‘trunk’ multiple VLANs using the single LAN port.
  • Create DHCP servers for each VLAN to manage IP address allocation.
  • Configure firewall rules to control traffic between each VLAN and the internet.
  • Set up your Ubiquiti access points to broadcast multiple SSIDs, each tagged with the appropriate VLAN ID.
  • Adjust pfSense’s NAT and firewall settings to ensure the correct routing of traffic, directing some through the VPN and others through the WAN as needed.


I hope you found this guide useful and easy to follow. I know there is a lot involved in setting up pfSense, especially given the extra configuration required to route all of your LAN traffic through the OpenVPN client in pfSense. However, I hope the enhanced privacy and security you gain makes it all worth it!

One of the powerful features of pfSense is the ability to set up multiple VLANs. By segmenting your network, you can create separate segments for different types of traffic, such as guest, work, private, and IoT devices. When paired with supported access points like those from Ubiquiti, you can configure multiple WiFi networks (SSIDs) within your environment. This allows you to assign specific VLANs to each SSID, enabling some networks to route traffic through the VPN for added privacy, while others can use the WAN for direct internet access. Perhaps this warrants a part two? If this would be useful, let me know.

If you encounter any mistakes or have suggestions for improvements, please feel free to contact me. Your feedback is valuable and helps make this guide even better for everyone.