pfSense Advanced Settings - System Advanced Guide
The System > Advanced section groups parameters that require an understanding of the pfSense architecture and directly affect system security, performance, and stability. Incorrect configuration can result in loss of web GUI access or degraded network functions. Before modifying advanced settings, create a configuration backup (Diagnostics > Backup & Restore).
Admin Access
The Admin Access tab controls the protocols and parameters for accessing the firewall management interface.
Web Interface (webConfigurator)
Protocol and Port
| Setting | Description | Default |
|---|---|---|
| Protocol | HTTP or HTTPS. HTTPS is recommended for all environments | HTTPS |
| SSL/TLS Certificate | Certificate for the HTTPS connection. A self-signed certificate is generated during installation | Automatic |
| TCP Port | Web interface port | 443 |
| Max Processes | Number of nginx worker processes | 2 |
Increasing Max Processes to 4-6 may be necessary when multiple administrators work concurrently. Each additional process consumes extra memory.
Warning:
Do not expose the pfSense web interface to untrusted networks. Use a VPN for remote administration.
Redirect and Security
| Setting | Description | Recommendation |
|---|---|---|
| WebGUI Redirect | nginx listens on port 80 and redirects to the configured HTTPS GUI port | Keep enabled unless port 80 is needed by another service (a reverse proxy package, for example) |
| HSTS | HTTP Strict Transport Security: the browser remembers to use HTTPS only for this host | Keep enabled for regular administrators; switching the GUI back to HTTP later will fail in those browsers until the HSTS entry expires or is cleared |
| OCSP Must-Staple | nginx fetches OCSP responses for the GUI certificate and staples them to the TLS handshake | Enable only with a certificate from a CA that runs an OCSP responder; it does nothing useful for the default self-signed certificate |
| Login Autocomplete | Lets browsers offer to save the login password | Disable on shared workstations, but treat it as a hint only: current browsers often ignore autocomplete=off on password fields |
| Anti-Lockout Rule | Automatic rule that keeps LAN access to the GUI and SSH open regardless of user-defined rules | Do not disable without tested alternative access (serial console or an explicit allow rule) |
Most of these appear in the GUI as "Disable ..." checkboxes (for example "Disable webConfigurator redirect rule"), so the recommended state is usually the unchecked box. Read the checkbox label, not just the setting name.
Security Checks
DNS Rebind Check - mitigates DNS rebinding in two places: the DNS Resolver rejects upstream answers that contain private addresses, and the webGUI rejects requests whose HTTP Host header is a name the firewall does not recognise as its own (the "Potential DNS Rebind attack detected" error). If the GUI is reached through a name other than the firewall's own hostname, add that name under Alternate Hostnames instead of disabling the check; disable it only when internal records that legitimately resolve to private addresses are being stripped and no narrower fix applies.
HTTP_REFERER Enforcement - validates the Referer header on GUI requests so that a page on another site cannot submit forms to the firewall (cross-site request forgery). It may block legitimate requests when a proxy rewrites or strips the header. It is defence in depth; the GUI's own CSRF tokens remain in place either way.
Alternate Hostnames - a list of additional hostnames accepted by the DNS Rebind and HTTP_REFERER checks. Add all names through which administrators access the interface.
Browser Tab Text - by default the browser tab shows the hostname first, then the page name. Enabling this option reverses the order.
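To make the two checks above concrete, the following added example (not pfSense's code, which implements this in PHP) models the decision each one makes on an incoming GUI request. It shows why a rebinding request with an attacker-controlled name in the Host header is rejected while access by IP address is not, and why adding a name to Alternate Hostnames is the correct fix for a false block. The allowed-name set (hostname, hostname.domain, localhost, alternate hostnames), the acceptance of bare IP literals, and the acceptance of requests with no Referer at all are assumptions about the check, as are all host names in the sample.

```python
"""Model of the webGUI DNS-rebind (Host header) and HTTP_REFERER checks.

Added example, not pfSense code. Assumptions (not taken from the page):
the GUI accepts Host values equal to the hostname, hostname.domain,
"localhost" or an Alternate Hostname; bare IP literals are accepted; a
request with no Referer header passes the Referer check (bookmarks, typed
URLs). All names below are made up.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def _strip_port(authority: str) -> str:
    """Host part of a Host header without the port ([v6]:443, name:443, v6)."""
    if authority.startswith("["):                 # bracketed IPv6 literal
        return authority[1:authority.index("]")]
    if authority.count(":") == 1:                 # name:port or v4:port
        return authority.rsplit(":", 1)[0]
    return authority                              # unbracketed IPv6 or plain name


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def allowed_names(hostname: str, domain: str, alternates: list[str]) -> set[str]:
    """Names the GUI treats as itself; compared case-insensitively."""
    names = {"localhost", hostname, f"{hostname}.{domain}", *alternates}
    return {n.lower() for n in names if n}


def host_header_ok(host_header: str, names: set[str]) -> bool:
    """DNS Rebind Check.

    A rebinding attack points attacker.example at the firewall's private IP
    and the browser then sends "Host: attacker.example"; that is what gets
    rejected here. IP literals pass because the attack needs a name the
    attacker controls.
    """
    host = _strip_port(host_header.strip()).lower()
    return _is_ip_literal(host) or host in names


def referer_ok(referer: str | None, names: set[str]) -> bool:
    """HTTP_REFERER Enforcement: a Referer, if present, must be our own GUI."""
    if not referer:
        return True
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return _is_ip_literal(host) or host in names


def evaluate(host_header: str, referer: str | None, names: set[str]) -> str:
    """Host check first (rebind error page), then Referer; 'ok' if both pass."""
    if not host_header_ok(host_header, names):
        return "rebind"
    if not referer_ok(referer, names):
        return "referer"
    return "ok"


if __name__ == "__main__":
    names = allowed_names("fw1", "corp.example", ["firewall.corp.example"])
    for host, ref in [("fw1.corp.example:443", None),
                      ("attacker.example", None),
                      ("192.0.2.1", "https://evil.example/csrf.html"),
                      ("fw1", "https://fw1.corp.example/firewall_rules.php")]:
        print(f"Host={host!r:28} Referer={ref!r:45} -> {evaluate(host, ref, names)}")
```

A name that administrators use through a reverse proxy or split-horizon DNS belongs in Alternate Hostnames; after adding it, the `evaluate` call for that Host value flips from "rebind" to "ok" without touching the Resolver side of the check.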
SSH Access
| Setting | Description | Default |
|---|---|---|
| Enable Secure Shell | Activates the SSH daemon; generates keys on first start | Disabled |
| SSHd Key Only | Authentication method: Password or Public Key, Public Key Only, or Require Both Password and Public Key | Password or Public Key |
| Allow Agent Forwarding | Permits SSH agent key forwarding | Disabled |
| SSH Port | SSH server port | 22 |
SSH security recommendations:
- Use key-only authentication in production environments
- Changing the port from 22 to a non-standard value provides minimal security and does not replace firewall rules
- User SSH keys are managed in the user management section
- For access from external networks, use a VPN rather than direct SSH through WAN
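The GUI settings above are written into /etc/ssh/sshd_config; the reliable way to confirm what the daemon actually enforces is `sshd -T`, which prints the effective configuration as lowercase keywords. The following added example (not pfSense's code) parses that output and reports anything that contradicts the recommendations. The sample text is constructed to look like `sshd -T` output from a firewall still set to "Password or Public Key"; the script name in the usage line is assumed.

```python
"""Audit `sshd -T` output against the SSH Access recommendations.

Added example, not pfSense code. On the firewall:
    sshd -T | python3 sshd_audit.py      (script name assumed)
With no piped input the constructed sample below is audited instead.
"""
import sys

# Constructed sample of `sshd -T` output (only the relevant keywords).
SAMPLE_SSHD_T = """\
port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
allowagentforwarding yes
authenticationmethods any
"""


def parse_sshd_t(text: str) -> dict:
    """Map each keyword to all its values (listenaddress can repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def _first(conf: dict, key: str, default: str) -> str:
    return conf.get(key, [default])[0].lower()


def audit(conf: dict) -> list:
    """Findings that contradict the SSH recommendations; empty means clean."""
    findings = []
    pw = _first(conf, "passwordauthentication", "yes") == "yes"
    # "Require Both" sets AuthenticationMethods publickey,password: a password
    # alone is then not enough, so only flag plain password logins.
    if pw and _first(conf, "authenticationmethods", "any") == "any":
        findings.append("password-only logins accepted: set SSHd Key Only to Public Key Only")
    # OpenSSH 8.7+ calls it kbdinteractive; older builds challengeresponse.
    kbd = _first(conf, "kbdinteractiveauthentication",
                 _first(conf, "challengeresponseauthentication", "no"))
    if kbd == "yes":
        findings.append("keyboard-interactive authentication enabled (a password prompt by another name)")
    if _first(conf, "allowagentforwarding", "no") == "yes":
        findings.append("agent forwarding allowed: clear Allow Agent Forwarding")
    port = _first(conf, "port", "22")
    if port != "22":
        findings.append(f"listening on port {port}: a moved port is not a control, restrict with firewall rules")
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SSHD_T
    result = audit(parse_sshd_t(text))
    print("\n".join(result) if result else "sshd matches the recommendations")
```

The check deliberately treats "Require Both Password and Public Key" as acceptable, because a leaked password alone cannot log in under that mode; only the plain password-or-key mode is reported.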
Serial Console
| Setting | Description | Default |
|---|---|---|
| Serial Terminal | Enables the console on the first serial port | Disabled |
| Serial Speed | Data rate in bits per second | 115200 |
| Primary Console | Selects the primary console: video or serial | Video (VGA) |
Enabling the serial console requires a reboot. On headless systems (servers without video output), the serial console is often the only means of physical access.
Console Menu Protection
The Console menu protection setting enables password protection on the physical console using web interface credentials. This is a supplementary measure and does not replace physical security of the server room. A reboot is required for activation.
Firewall and NAT
The Firewall & NAT tab contains packet processing, state table, and address translation parameters.
Packet Processing
IP Packet Options
| Setting | Description |
|---|---|
| IP Do-Not-Fragment | Clears the DF bit in packets instead of dropping them. Resolves compatibility issues with operating systems that generate fragmented packets with DF set |
| IP Random ID | Replaces predictable IP ID field values with random ones. Applies only to non-fragmented packets |
| Firewall Scrub | PF packet normalization (fragment reassembly, TTL and TOS normalisation). Disabling it may be necessary for NFS and some VoIP traffic, but fragmented packets are then no longer reassembled before the rules are evaluated |
Firewall Optimization
The Firewall Optimization Options setting determines the algorithm for expiring state table entries:
| Mode | Description | Use Case |
|---|---|---|
| Normal | Standard algorithm | Most environments |
| High Latency | Extended timeouts | Satellite and high-latency links |
| Aggressive | Faster expiration of idle connections | High-throughput environments |
| Conservative | Maximum connection preservation | Environments where session continuity is critical |
State Table
| Setting | Description | Default |
|---|---|---|
| Maximum States | Maximum number of tracked connections. Each state consumes approximately 1 KB of memory | ~10% of RAM |
| Maximum Table Entries | Maximum entries in address tables (aliases, blocked hosts) | 400,000 |
| Maximum Fragment Entries | Maximum fragments in the reassembly table (when scrub is enabled) | 5,000 |
Adaptive Timeouts
Controls state table behavior as it approaches capacity:
- Adaptive Start - threshold at which timeout reduction begins (default: 60% of Maximum States)
- Adaptive End - threshold for maximum timeout reduction (default: 120% of Maximum States)
Timeouts scale linearly between these thresholds, preventing table overflow.
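What the two thresholds do to real connections is easiest to see with numbers. The following added example (not pfSense's code) parses the output of `pfctl -si`, `pfctl -sm` and `pfctl -st` and applies pf's adaptive rule: above Adaptive Start every timeout is multiplied by (end - states) / (end - start), reaching zero at Adaptive End. The three command outputs below are constructed in the format those commands print (100,000 maximum states, 90,000 in use, the default 60% and 120% thresholds); the 1 KB-per-state memory figure is the rough estimate from the text, not a measurement.

```python
"""Effective state timeouts under pf adaptive scaling, from pfctl output.

Added example, not pfSense code. The three samples are constructed in the
format of `pfctl -si`, `pfctl -sm` and `pfctl -st`; on a firewall replace
them with the real command output.
"""
import re

PFCTL_SI = """\
Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                    90000
  searches                        81234567         3124.0/s
  inserts                          1234567           12.5/s
  removals                         1144567           11.8/s
"""

PFCTL_SM = """\
states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit   400000
"""

PFCTL_ST = """\
tcp.first                    120s
tcp.opening                   30s
tcp.established            86400s
tcp.closing                  900s
tcp.finwait                   45s
tcp.closed                    90s
udp.first                     60s
udp.single                    30s
udp.multiple                  60s
icmp.first                    20s
icmp.error                    10s
other.first                   60s
other.single                  30s
other.multiple                60s
frag                          30s
interval                      10s
adaptive.start             60000 states
adaptive.end              120000 states
src.track                      0s
"""


def current_states(si_text: str) -> int:
    m = re.search(r"current entries\s+(\d+)", si_text)
    return int(m.group(1)) if m else 0


def hard_limits(sm_text: str) -> dict:
    """{'states': 100000, 'frags': 5000, 'table-entries': 400000, ...}"""
    return {k: int(v) for k, v in
            re.findall(r"^(\S+)\s+hard limit\s+(\d+)", sm_text, re.M)}


def timeouts(st_text: str) -> dict:
    """Timeouts in seconds, plus adaptive.start/end in states."""
    return {name: int(value) for name, value in
            re.findall(r"^(\S+)\s+(\d+)\s*(?:s|states)$", st_text, re.M)}


def adaptive_factor(states: int, start: int, end: int) -> float:
    """pf's multiplier: 1.0 up to start, linear to 0.0 at end."""
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def report(si_text: str, sm_text: str, st_text: str) -> dict:
    states = current_states(si_text)
    limits = hard_limits(sm_text)
    t = timeouts(st_text)
    factor = adaptive_factor(states, t["adaptive.start"], t["adaptive.end"])
    return {
        "states": states,
        "max_states": limits["states"],
        "utilisation": states / limits["states"],
        "approx_memory_mb": states * 1024 / 2 ** 20,   # ~1 KB per state (rough)
        "factor": factor,
        "tcp.established_effective_s": int(t["tcp.established"] * factor),
        "udp.multiple_effective_s": int(t["udp.multiple"] * factor),
    }


if __name__ == "__main__":
    for k, v in report(PFCTL_SI, PFCTL_SM, PFCTL_ST).items():
        print(f"{k:30} {v}")
```

With the sample numbers the table is at 90% of Maximum States but already halfway into the adaptive range, so an idle established TCP session now expires after 12 hours instead of 24 and a UDP flow after 30 s instead of 60 s. That is the symptom to look for when long-lived sessions start dropping on a busy firewall: raise Maximum States rather than reaching for the Conservative optimization mode.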
VPN Parameters
| Setting | Description |
|---|---|
| VPN IP Do-Not-Fragment | Same as IP Do-Not-Fragment but applies only to VPN traffic |
| IP Fragment Reassemble | Buffers fragments until a complete packet is formed before filtering |
| MSS Clamping | Limits the maximum TCP segment size in IPsec tunnels. Default: 1,400 bytes |
Advanced Firewall Parameters
| Setting | Description |
|---|---|
| Disable Firewall | Disables PF entirely, converting the device into a router. Also disables NAT |
| State Policy | Interface Bound (more secure) or Floating (for asymmetric routing) |
| Static Route Filtering | Bypasses rules for traffic entering and exiting through the same interface |
| Disable Auto-added VPN rules | Disables automatic IPsec rules, giving the administrator full control |
| Disable Reply-To | Disables automatic binding of reply traffic to the ingress interface |
| Disable Negate rules | Removes automatic rules for local and VPN connectivity in Multi-WAN |
| Allow APIPA | Removes the block on 169.254.0.0/16 traffic |
Bogon Networks
The Update Frequency setting controls how often the bogon lists (reserved and not-yet-allocated address ranges) are refreshed: monthly (default), weekly, or daily. Keep the updates regular, because IANA periodically allocates new blocks and a stale list blocks legitimate traffic from newly assigned space.
NAT Reflection
NAT Reflection allows internal clients to reach port-forwarded services through the firewall's WAN (public) address instead of the server's internal address.
| Mode | Description | Notes |
|---|---|---|
| Disabled | Port forwards are reachable from WAN only (default) | Internal clients need split DNS or the internal address |
| Pure NAT | Reflection implemented with additional NAT rules in pf | Scales better, handles TCP and UDP, no port-count limits |
| NAT + Proxy | Reflection through a helper proxy process | TCP only; port ranges larger than 500 ports are not reflected, and at most 1,000 ports in total are supported |
Additional reflection settings:
- Reflection Timeout - forced timeout for reflected connections in NAT + Proxy mode
- NAT Reflection for 1:1 NAT - enables reflection for static NAT mappings
- Automatic Outbound NAT for Reflection - creates outbound NAT rules for reflection when client and server reside in the same subnet
TFTP Proxy
A built-in proxy for the TFTP protocol, enabling internal clients to connect to external TFTP servers. Interfaces must be selected to activate.
State Timeouts
The State Timeouts section provides fine-grained control over protocol-specific timeouts (in seconds) for TCP, UDP, ICMP, and other protocols. In most cases timeouts are managed by the optimization mode, but manual adjustment may be needed for specific devices or applications.
Networking
The Networking tab contains IPv6 settings, hardware offloading, and network event logging parameters.
IPv6
| Setting | Description |
|---|---|
| Allow IPv6 | Controls IPv6 traffic blocking. Disabling blocks all IPv6 but does not remove IPv6 configuration |
| IPv6 over IPv4 Tunneling | Forwards protocol 41 (RFC 2893) traffic to a specified IPv4 address. Requires rules permitting protocol 41 on WAN |
| Prefer IPv4 over IPv6 | The firewall prefers IPv4 when DNS returns both record types. Affects updates and packages, not clients |
| IPv6 DNS Entry | When enabled, only IPv4 DNS entries are created for the firewall itself |
Hardware Offloading
Hardware offloading settings control the delegation of computational tasks to the network adapter. In the context of routers and firewalls, these features often cause problems.
| Setting | Effect When Checked | Recommendation |
|---|---|---|
| Hardware Checksum Offloading | Disables hardware checksum calculation | Check (disable offloading) for Realtek and virtual adapters |
| Hardware TCP Segmentation Offloading | Disables TSO | Check (disable offloading) - TSO is undesirable for routers |
| Hardware Large Receive Offloading | Disables LRO | Check (disable offloading) - LRO degrades routing performance |
Warning:
The checkboxes in this section work inversely: checking the box disables the offloading feature. Read each parameter description carefully to avoid confusion.
Virtual NIC ALTQ Support - enables ALTQ support for hypervisor virtual network adapters, which is required for the traffic shaper to function in virtualized environments. Requires a reboot.
Suppress ARP Messages
The Suppress ARP Messages setting prevents logging of messages about MAC address changes for IP addresses. Useful in environments with frequent legitimate binding changes (for example, VRRP or virtual machine migration).
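Because the offloading checkboxes are inverted and only take effect once the interface flags are re-applied, it is worth confirming the result with `ifconfig` rather than trusting the GUI. The following added example (not pfSense's code) parses `ifconfig` output and reports every interface that still carries a flag the checked option was supposed to remove. The sample output is constructed in FreeBSD's format (one Intel interface with everything still on, one virtio interface already clean, and lo0, which is skipped); the script name in the usage line is assumed.

```python
"""Check `ifconfig` flags against the Hardware Offloading checkboxes.

Added example, not pfSense code. On the firewall:
    ifconfig | python3 offload_check.py     (script name assumed)
With no piped input the constructed sample below is checked instead.
"""
import re
import sys

# GUI checkbox (checked = offloading disabled) -> flags that must then be absent.
OFFLOAD_FLAGS = {
    "Hardware Checksum Offloading": {"RXCSUM", "TXCSUM", "RXCSUM_IPV6", "TXCSUM_IPV6"},
    "Hardware TCP Segmentation Offloading": {"TSO4", "TSO6"},
    "Hardware Large Receive Offloading": {"LRO"},
}

# Pseudo-interfaces where checksum flags are meaningless.
SKIP_PREFIXES = ("lo", "pflog", "pfsync", "enc", "ovpn", "ipsec")

# Constructed sample in FreeBSD ifconfig format.
SAMPLE_IFCONFIG = """\
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
\toptions=4e027bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
\tether 00:00:5e:00:53:01
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
\tstatus: active
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
\toptions=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
\tether 00:00:5e:00:53:02
\tinet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
\tstatus: active
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
\toptions=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
\tinet 127.0.0.1 netmask 0xff000000
"""


def parse_ifconfig(text: str) -> dict:
    """{ifname: set of option flags} for real interfaces (VLAN children included)."""
    result, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^([\w.]+): flags=", line)
        if head:
            name = head.group(1)
            current = None if name.startswith(SKIP_PREFIXES) else name
            if current:
                result[current] = set()
            continue
        opts = re.match(r"^\s+options=[0-9a-f]+<([^>]*)>", line)
        if opts and current:
            result[current] = {f for f in opts.group(1).split(",") if f}
    return result


def check(interfaces: dict, disabled_settings) -> list:
    """(ifname, setting, leftover flags) for each checked box not yet in effect."""
    findings = []
    for ifname, flags in interfaces.items():
        for setting in disabled_settings:
            leftover = flags & OFFLOAD_FLAGS[setting]
            if leftover:
                findings.append((ifname, setting, sorted(leftover)))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IFCONFIG
    for ifname, setting, flags in check(parse_ifconfig(text), list(OFFLOAD_FLAGS)):
        print(f"{ifname}: {setting} is checked but {','.join(flags)} still set")
```

If a flag survives a save of the Networking tab, re-apply the interface configuration or reboot; `ifconfig igc0 -tso -lro -rxcsum -txcsum` clears the flags immediately but does not persist, which is why the GUI setting is still the thing to fix.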
Notifications
The Notifications tab configures alerting channels for system events.
Certificate Monitoring
| Setting | Description |
|---|---|
| Certificate Expiration | Enables notifications as certificates approach expiration |
| Ignore Revoked Certificates | Skips certificates that are revoked in a local CRL when checking for expiration; a certificate that is already revoked does not need an expiry warning |
| Expiration Threshold | Notification threshold in days (default: 27). Uses the lesser of the specified value or one-third of remaining certificate lifetime |
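The "lesser of the threshold or one-third of the lifetime" rule is the part that surprises people: a 90-day certificate is reported 27 days out, but a 30-day certificate only 10 days out. The following added example (not pfSense's code) applies that rule, the Ignore Revoked option, and the enable flag to a constructed list of certificates; on a real firewall the dates would come from each certificate's notBefore and notAfter.

```python
"""Which certificates will trigger an expiration notification?

Added example, not pfSense code. Rule as described in the settings table:
report when the time to notAfter is at or below min(threshold, lifetime / 3)
days; skip revoked certificates when Ignore Revoked is set; report nothing
when the check is disabled. The certificate list is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Cert:
    name: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False      # present in a local CRL


def effective_threshold_days(cert: Cert, threshold_days: int) -> float:
    """Lesser of the configured threshold and one-third of the lifetime."""
    lifetime_days = (cert.not_after - cert.not_before).total_seconds() / 86400
    return min(threshold_days, lifetime_days / 3)


def expiring(certs, threshold_days=27, ignore_revoked=True, enabled=True, now=None):
    """(name, days_left) for every certificate that should be reported."""
    if not enabled:
        return []
    now = now or datetime.now(timezone.utc)
    reported = []
    for c in certs:
        if ignore_revoked and c.revoked:
            continue
        days_left = (c.not_after - now).total_seconds() / 86400
        if days_left <= effective_threshold_days(c, threshold_days):
            reported.append((c.name, round(days_left, 1)))
    return reported


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    d = lambda n: timedelta(days=n)
    certs = [
        Cert("webgui-90d", now - d(70), now + d(20)),            # lifetime 90 -> 27-day window
        Cert("short-30d", now - d(18), now + d(12)),             # lifetime 30 -> 10-day window
        Cert("internal-ca", now - d(3000), now + d(650)),
        Cert("old-vpn-user", now - d(300), now + d(5), revoked=True),
    ]
    for name, left in expiring(certs, now=now):
        print(f"{name}: {left} days left")
```

Run against the sample, only webgui-90d is reported: short-30d has 12 days left but its window is 10 days, and old-vpn-user is skipped as revoked (set `ignore_revoked=False` and it appears too).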
SMTP (Email)
Core settings for sending notifications by email:
| Setting | Description |
|---|---|
| E-mail Server | SMTP server address |
| SMTP Port | Port number: 25 (plain relay), 465 (SMTP over SSL/TLS, pairs with Secure SMTP Connection) or 587 (submission) |
| Connection Timeout | Connection timeout in seconds |
| Secure SMTP Connection | Direct SSL/TLS connection (not STARTTLS) |
| Validate SSL/TLS | Validates the SMTP server certificate |
| From / To | Sender and recipient addresses (multiple recipients separated by comma) |
| Auth Username / Password | Credentials for authenticated SMTP |
| Auth Mechanism | PLAIN or LOGIN |
After configuration, use the Test button to verify delivery.
Telegram, Pushover, Slack
pfSense supports notifications through messaging and push services:
| Service | Required Parameters |
|---|---|
| Telegram | Bot API key, Chat ID or channel username |
| Pushover | API key, User Key, notification priority and sound |
| Slack | API key, channel name |
All services include a test button for validating the configuration before saving.
Sound Notifications
- Console Bell - the system speaker emits a tone for emergency messages
- Startup/Shutdown Sound - audio notification when the system starts or stops
Miscellaneous
The Miscellaneous tab covers cryptographic acceleration, power management, gateway monitoring, and RAM disk configuration.
Cryptographic Acceleration
| Setting | Description |
|---|---|
| IPsec-MB | Software acceleration for AES-CBC, AES-GCM, and ChaCha20-Poly1305 in VPN |
| Cryptographic Hardware | Hardware acceleration: Intel QAT, BSD Crypto Device, AES-NI, or combinations |
The appropriate acceleration method depends on the hardware platform. AES-NI is available on most modern Intel and AMD processors; selecting it loads the aesni kernel module, which matters mainly for IPsec, since that runs in the kernel. OpenVPN without DCO uses OpenSSL in userland, which detects and uses AES-NI on its own whether or not this option is set. After saving, confirm the module is loaded with `kldstat | grep aesni`.
Thermal Sensors
| Value | Description |
|---|---|
| None/ACPI | Reads sensors through the standard ACPI interface |
| Intel Core | Loads the coretemp module for Intel processors |
| AMD K8, K10, K11 | Loads the amdtemp module for AMD processors |
Power Management
Speed Shift - hardware-controlled CPU frequency management (Intel HWP). The processor adjusts its frequency independently without OS intervention. The Power Preference slider (0-100) shifts the balance between energy efficiency and performance: 0 favours performance, 100 favours energy saving.
PowerD (SpeedStep) - software-controlled CPU frequency management:
| Setting | Description |
|---|---|
| Enable PowerD | Activates the frequency management daemon |
| AC Power Mode | Mode when on mains power: Maximum, Minimum, Adaptive, Hiadaptive |
| Battery Power Mode | Mode when on battery power |
| Unknown Power Mode | Mode when the power source is indeterminate |
Gateway Monitoring
These settings control state table behavior during gateway failures and recoveries:
| Setting | Description |
|---|---|
| State Killing on Gateway Recovery | Controls state clearing when a higher-priority gateway returns |
| State Killing on Gateway Failure | Do not kill / kill states for down gateways / flush all states |
| Skip Rules When Gateway is Down | Omits rules bound to an unavailable gateway |
The Skip Rules When Gateway is Down setting removes rules entirely rather than routing through the default gateway. Traffic will be processed by the next matching rule.
RAM Disks
Using RAM disks for /tmp and /var reduces SSD/CF card wear and accelerates I/O operations:
| Setting | Description | Default |
|---|---|---|
| Use RAM Disks | Enables RAM disks (requires reboot) | Disabled |
| /tmp Size | RAM disk size for /tmp | 40 MB |
| /var Size | RAM disk size for /var | 60 MB |
Recommended /var size for production systems: 512-1024 MB.
Periodic backups - interval (in hours) between saving RAM disk data to persistent storage:
| Data | Description |
|---|---|
| RRD Data | Graph databases |
| DHCP Leases | DHCP lease tables |
| Log Directory | System logs |
| Captive Portal Data | Captive portal databases |
Additional Parameters
| Setting | Description |
|---|---|
| Proxy Support | Proxy server settings for outbound connections (URL, port, authentication) |
| Load Balancing | Sticky Connections and Source Tracking Timeout for maintaining session affinity |
| Watchdog | Hardware watchdog timer for automatic reboot on system hang |
| Kernel PTI / MDS Mitigation | Kernel Page Table Isolation (the Meltdown mitigation) and the Microarchitectural Data Sampling mitigation; Spectre variants are not controlled here. Both cost some performance; leave them enabled unless the firewall runs on dedicated hardware and the performance loss has been measured to matter |
| PHP Memory Limit | Memory limit for GUI processes |
| Hard Disk Standby | Idle time (minutes) before the disk enters power-saving mode |
Configuration Order
Recommended sequence for configuring advanced settings after completing the general configuration:
- Configure the web interface protocol and port (Admin Access)
- Enable and configure SSH if required
- Review hardware offloading settings (especially in virtualized environments)
- Set up notification channels
- Optimize firewall parameters for your workload
For managing the firewall through the physical or serial console, proceed to the console access section.