This page presents a tutorial for installing pfSense; configuration files to import a custom build; updates since publication; and the previous files which are no longer supported.
Phase 1: Install pfSense (the firewall software)
First, you must download the latest version of pfSense. Next, you must write this download to a portable USB device for installation onto the Protectli Vault. The following steps complete the process.
• Navigate to https://www.pfsense.org/download.
• Choose the following options:
• File Type: Install
• Architecture: AMD64
• Installer: USB Memstick Installer
• Console: VGA
• Mirror: New York.
• Download the .gz file and decompress it (typically by double-clicking it).
• If your OS cannot decompress the file, download and install 7-zip from 7-zip.org.
• Ensure you have a file with an .img extension, such as pfSense-CE-2.5.0-amd64.img.
• Download and install Etcher (https://www.balena.io/etcher/).
• Launch the program.
• Select the downloaded .img file, select the target USB drive, and execute the Flash option.
• Remove the USB device when finished.
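Before the Flash step, the downloaded .gz file can be checked against a published checksum so that a corrupted or altered installer is never written to the USB drive. The script below is an added example, not part of the original tutorial; it assumes you have copied the SHA-256 value published for the .gz file, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify a downloaded installer before decompressing and flashing it.
# The archive path and checksum are supplied by the user; none come from the tutorial.

# Print the SHA-256 of a file in lowercase hex, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_and_unpack <file.img.gz> <expected-sha256>
# Returns 0 and writes <file.img> beside the archive only when the hash matches.
verify_and_unpack() {
    gz=$1
    # Normalise the pasted checksum: lowercase, no stray whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -f "$gz" ] || { echo "missing: $gz" >&2; return 2; }
    case $gz in *.gz) ;; *) echo "expected a .gz file" >&2; return 2 ;; esac
    # Reject anything that is not 64 hex characters (e.g. an MD5 pasted by mistake).
    case $expected in
        *[!0-9a-f]*) echo "checksum is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "checksum is not 64 hex chars" >&2; return 2; }

    actual=$(sha256_of "$gz") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: do not flash $gz" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    img=${gz%.gz}
    # gzip -t checks archive integrity; -dc writes to stdout so the .gz is kept.
    gzip -t "$gz" && gzip -dc "$gz" > "$img" || { rm -f "$img"; return 1; }
    echo "OK: $img is ready to flash"
}
```

Call it as verify_and_unpack followed by the path to the downloaded .gz file and the published checksum, then select the resulting .img file in Etcher only if it reports OK.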
The pfSense installation image should now be properly copied to the USB drive. Next, the following steps install pfSense to the Protectli Vault.
• Verify that the new hardware is powered down.
• Verify that a monitor and USB keyboard are connected.
• Insert the USB install drive into another USB port on the hardware.
• Power the device and verify that it boots and begins the installation process.
Accept all default installation options, which should require you to strike the Enter key several times. After installation completes, connect a computer via Ethernet cable to the LAN port of the Protectli Vault. Navigate to 192.168.1.1 within a web browser and log in with the default username and password of "admin" and "pfsense". Accept all defaults within the setup process with "Next". Set a secure password when prompted.
If your Vault does not recognize the USB device and cannot boot into anything, you may need to enter the BIOS of the device and configure it to boot from USB. The procedure differs from machine to machine, but on the Protectli device it is fairly straightforward.
• Turn on the device and immediately press F11 on the keyboard repeatedly.
• If the USB device is visible on the monitor attached to the Vault, select it for boot.
• If the USB device is not visible, enter the setup menu, use the right arrow key to highlight “Boot”, use the down arrow to highlight “Hard drive priorities”, change Boot Option #1 to the USB drive, and strike F4 to save and exit.
Phase 2: Import Settings
Note that pfSense 2.5.x is required for the following files! Now that you have pfSense installed, you can import a file which applies all current recommended settings. First, select the appropriate file for your device from the following. The "Netflix" options provide no VPN protection on the last "OPT" port, which can be used for video streaming services if needed.
The following files assume ProtonVPN is the VPN service desired, and a U.S. server is optimal. This can be changed within the settings after installation.
The following files assume PIA is the VPN service desired, and a central U.S. server is optimal. This can be changed within the settings after installation.
Next, import the file. While logged into your pfSense portal, conduct the following:
• Click on Diagnostics then Backup & Restore.
• Click Browse in the Restore section.
• Select the file downloaded.
• Click Restore Configuration and allow the device to reboot.
• Upon reboot, log into pfSense with a username of admin and password of admin1234.
• Click on System then User Manager.
• Click the pencil icon to the right of the admin user.
• Change the password to a secure option and save the changes. Reboot the router and verify login.
Phase 3: Apply Credentials and finish configuration
• In pfSense, click VPN then OpenVPN.
• Click the Clients menu option and click the pencil icon to edit the setting.
• In the User Authentication section, change the username and password to match your own credentials.
Note: If using ProtonVPN, your username and password are NOT the creds used for the app. Find your OpenVPN creds in the ProtonVPN Dashboard.
• Plug your home internet connection into the WAN port.
• Plug your Wi-Fi router into the LAN port.
• Any other devices can plug into the OPT ports (if present).
The following files are referenced within Extreme Privacy, Second Edition. These are no longer updated and are not supported, but should work fine with pfSense 2.3.x through 2.5.x.
We currently recommend the Protectli Vault for home firewalls with the following minimal specs:
The following direct purchase links are pre-configured for use as a Firewall:
2-Port FW2B: amzn.to/2NRIfpA
4-Port FW4B: amzn.to/31jMzlk
6-Port FW6B: amzn.to/3lPBaCo
If you have home internet speeds over 200 Mbps, choose the 4-port or 6-port. If your home internet speed is over 250 Mbps, choose the 6-port. If you want to have a non-VPN port for Netflix or other streaming, choose the 4-port or 6-port. I currently use THIS MODEL.