pfSense Console Access - Console, SSH, and Recovery

Console access to pfSense provides administrative functions available without the web interface: from basic diagnostics to a full factory reset. The console is an essential tool when GUI access is lost, during recovery from failures, and for initial network interface assignment. Serial console and SSH parameters are configured in the advanced settings section.

Console Access Methods

pfSense provides three methods for accessing the console menu:

| Method | Use Case | Requirements |
|---|---|---|
| Keyboard and monitor | Physical server with video output | VGA/HDMI connection, USB/PS2 keyboard |
| Serial console | Headless systems, embedded devices | DB-9/RJ-45 cable, terminal program |
| SSH | Remote administration | Enabled SSH daemon, network connectivity |

Keyboard and Monitor Connection

The standard method for servers and workstations with video output. After boot, pfSense displays the console menu directly on the connected monitor. No additional configuration is required.

Serial Console Connection

For headless systems and embedded devices (Netgate 1100, 2100, 4100, and similar), the serial console is the primary management interface.

Connection Parameters

| Parameter | Value |
|---|---|
| Baud Rate | 115200 (default) |
| Data Bits | 8 |
| Stop Bits | 1 |
| Parity | None |
| Flow Control | None |

Terminal Programs

| Platform | Program | Example Command |
|---|---|---|
| Linux | minicom, screen, picocom | screen /dev/ttyUSB0 115200 |
| macOS | screen, CoolTerm | screen /dev/tty.usbserial 115200 |
| Windows | PuTTY, Tera Term | Select Serial, specify COM port and baud rate |
| FreeBSD | cu, tip | cu -l /dev/cuaU0 -s 115200 |

When using a USB serial adapter, verify that the driver is installed and the device is recognized by the operating system.

Configuration in pfSense

The serial console is enabled under System > Advanced > Admin Access:

  1. Check the Serial Terminal box
  2. Select the speed in the Serial Speed field (115200 for most devices)
  3. Change Primary Console to Serial if needed
  4. Save the settings and reboot the system

Warning:

On Netgate devices where the serial console is the only interface, do not change Primary Console to Video - this will result in loss of console access.

SSH Connection

SSH provides remote access to the console menu and command shell over an encrypted connection.

Enabling SSH

SSH can be enabled through two methods:

Via the web interface:

  1. Navigate to System > Advanced > Admin Access
  2. Check Enable Secure Shell
  3. Select the authentication method under SSHd Key Only
  4. Change the port under SSH Port if needed
  5. Save the settings

Via the console menu:

  1. Connect to the console (keyboard or serial port)
  2. Select 14) Enable/Disable Secure Shell (sshd)

Key-Based Authentication

Key-only authentication is recommended for production environments:

  1. Generate a key pair on the client machine:
     ssh-keygen -t ed25519 -C "admin@firewall"
  2. In the pfSense web interface, navigate to System > User Manager
  3. Open the user settings
  4. Paste the contents of id_ed25519.pub into the Authorized SSH Keys field
  5. Under System > Advanced > Admin Access, set SSHd Key Only to Public Key Only

After this change, password authentication is disabled. Verify that key authentication works before disabling password access.

Connecting via SSH

# Standard connection
ssh admin@192.168.1.1

# Non-standard port
ssh -p 2222 admin@192.168.1.1

# Specifying a key file
ssh -i ~/.ssh/id_ed25519 admin@192.168.1.1

After connecting, the console menu is displayed, identical to the local console except for the additional 0) Logout option.

Console Menu

The console menu provides a set of administrative functions accessible without the web interface. The menu is displayed automatically after the system boots.

Complete Menu Reference

0) Logout (SSH only)

Terminates the SSH session. This option is displayed only when connected via SSH and is absent during local access.

1) Assign Interfaces

Restarts the interface assignment wizard. Capabilities include:

  • Creating VLAN interfaces
  • Assigning physical and VLAN interfaces to WAN, LAN, and OPT roles
  • Reassigning interfaces after network adapter replacement

Used during initial setup and when the physical network configuration changes. For more on interface configuration, see the pfSense interfaces section.

2) Set interface(s) IP address

Configures IP addresses on WAN, LAN, and OPT interfaces. Features:

  • Assigning a static IP address, subnet mask, and gateway
  • Enabling/disabling the DHCP client on the interface
  • Switching the GUI from HTTPS to HTTP (for certificate-related access issues)
  • Restoring the Anti-Lockout rule on the LAN interface
  • Configuring the DHCP server range on LAN

This option is frequently used to restore web interface access when the LAN IP address has been changed incorrectly.

3) Reset admin account and password

Resets the administrator account and password. Capabilities:

  • Resetting the admin password to the default value
  • Recreating a deleted admin account
  • Re-enabling a disabled admin account
  • Reverting authentication to the local database (if LDAP/RADIUS was configured and the server is unreachable)

Starting with version 24.03, on first console connection after installation or factory reset, the system requires setting a new admin password.

4) Reset to factory defaults

Restores the configuration to factory defaults and removes installed packages. This operation is irreversible - verify that a configuration backup has been saved before proceeding.

5) Reboot system

Performs a clean shutdown and operating system restart. The preferred reboot method, ensuring proper state preservation.

6) Halt system

Cleanly stops the system. Depending on the hardware, it performs a full power-off or CPU halt. Always use this option before physically disconnecting power - abrupt power loss may cause filesystem corruption.

7) Ping host

Sends three ICMP requests to a specified host to verify connectivity. Uses ping for IPv4 addresses and hostnames, ping6 for IPv6. A basic tool for network troubleshooting.

8) Shell

Opens a command shell (tcsh or sh). Provides full access to the FreeBSD operating system, including:

  • Viewing and editing configuration files
  • Running diagnostic utilities (ifconfig, netstat, tcpdump)
  • Managing services
  • Executing scripts

Warning:

Incorrect actions in the shell can render the system inoperable. Use the shell only when you understand the commands being executed. Type exit to return to the console menu.

9) pfTop

Displays a real-time view of the firewall state table with information about active connections and data volumes. Useful for:

  • Identifying the most active connections
  • Diagnosing throughput issues
  • Verifying NAT and firewall rule operation

10) Filter Logs

Displays firewall log entries in real time in raw format. Contains more detail than the web interface log and is useful for immediate troubleshooting of blocked traffic. For advanced monitoring, consider integration with a SIEM system.

11) Restart GUI

Restarts the nginx web server process. Use when the web interface becomes unresponsive, pages fail to load, or errors are returned.

12) PHP shell + pfSense tools

Launches a PHP interpreter in the context of the running system. Intended for developers and experienced administrators, enabling:

  • Executing PHP code with access to pfSense internal functions
  • Reading and modifying the configuration programmatically
  • Diagnosing issues at the application level

13) Upgrade from console

Runs the pfSense upgrade script to update to the latest available version. Equivalent to upgrading through the GUI but does not require web interface access. For more on upgrades, see the pfSense upgrading section.

14) Enable/Disable Secure Shell (sshd)

Toggles the SSH daemon state. A quick method to enable or disable SSH without web interface access.

15) Restore recent configuration

Displays a list of configuration backups from history with timestamps and change descriptions. Allows restoring a previous configuration after erroneous changes. Each save in the web interface automatically creates a history entry.

16) Restart PHP-FPM

Restarts the PHP daemon for nginx. Use when the web server is running but PHP scripts fail to execute (blank pages, 502/504 errors).

Recovery Scenarios

Lost Web Interface Access

If GUI access is lost, perform the following steps via the console:

  1. Connect to the console (keyboard, serial port, or SSH if SSH is operational)
  2. Select option 2 - verify and correct the LAN interface IP address if needed
  3. When asked Do you want to revert to HTTP as the webConfigurator protocol?, answer y if the issue is HTTPS/certificate related
  4. When asked Do you want to enable the DHCP server on LAN?, review the DHCP settings
  5. When prompted about the Anti-Lockout Rule, answer y to restore the access rule

Admin Password Reset

  1. Connect to the physical console
  2. Select 3) Reset admin account and password
  3. Follow the prompts to set a new password
  4. Log in to the web interface with the new password

Recovery from a Failed Configuration Change

  1. Connect to the console
  2. Select 15) Restore recent configuration
  3. From the backup list, select the configuration preceding the erroneous change
  4. Confirm the restoration
  5. The system will reboot with the restored configuration

Full Factory Reset

When configuration recovery is not possible:

  1. Connect to the console
  2. Verify that a configuration backup has been saved to external media
  3. Select 4) Reset to factory defaults
  4. Confirm the operation
  5. After reboot, configure from scratch or import a backup through the web interface

Console Access Security

Physical Security

Physical console access grants full control over the system, including password resets and shell access. Protective measures:

  • Place the firewall in a locked server cabinet
  • Restrict access to the server room
  • Enable Console menu protection (System > Advanced > Admin Access) for password-protected console access
  • For devices with serial consoles, secure the terminal server

SSH Security

  • Do not open the SSH port on the WAN interface without absolute necessity
  • Use firewall rules to restrict SSH connection sources
  • Enable key-only authentication
  • Regularly review SSH connection logs
  • Consider fail2ban functionality through the pfBlockerNG package to protect against brute force attacks

Logging

All actions through the console menu, SSH connections, and authentication events are recorded in system logs. For centralized log collection and analysis, configure syslog forwarding to an external server or integrate with a SIEM system.
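One way to act on the "regularly review SSH connection logs" item, as an added example that is not part of pfSense or of the original page: a Python sketch that reads sshd authentication lines and flags password logins (which should not occur once Public Key Only is set), logins from outside a management subnet, and sources with repeated failures. The subnet, the threshold and the sample log lines are assumptions constructed for the example; the message bodies follow the standard OpenSSH "Accepted/Failed ... for ... from ... port" format.

```python
import ipaddress
import re
from collections import Counter

# Assumed values: management subnet (the LAN in the page's ssh examples) and alert threshold.
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")
FAIL_THRESHOLD = 3

# Standard OpenSSH auth result messages; the syslog header is ignored.
EVENT_RE = re.compile(
    r"sshd.*?\b(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Mar  4 09:12:01 fw sshd[4121]: Accepted publickey for admin from 192.168.1.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  4 09:40:17 fw sshd[4302]: Failed password for invalid user root from 203.0.113.7 port 41822 ssh2
Mar  4 09:40:19 fw sshd[4302]: Failed password for invalid user root from 203.0.113.7 port 41822 ssh2
Mar  4 09:40:23 fw sshd[4310]: Failed password for admin from 203.0.113.7 port 41830 ssh2
Mar  4 10:02:44 fw sshd[4455]: Accepted password for admin from 192.168.1.25 port 51310 ssh2
Mar  4 11:15:09 fw sshd[4620]: Accepted publickey for admin from 198.51.100.20 port 40111 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  4 11:30:52 fw sshd[4701]: Failed password for admin from 192.168.1.30 port 50500 ssh2
Mar  4 11:31:00 fw syslogd: kernel boot file is /boot/kernel/kernel
"""

def review(log_text, mgmt_net=MGMT_NET, threshold=FAIL_THRESHOLD):
    """Flag password logins, logins from outside mgmt_net, and repeated failures."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an sshd authentication result
        if m["result"] == "Failed":
            failures[m["src"]] += 1
            continue
        if m["method"] != "publickey":
            findings.append(("non-key-login", m["user"], m["src"]))
        try:
            inside = ipaddress.ip_address(m["src"]) in mgmt_net
        except ValueError:  # hostname instead of an address: treat as outside
            inside = False
        if not inside:
            findings.append(("login-outside-mgmt-net", m["user"], m["src"]))
    for src, count in sorted(failures.items()):
        if count >= threshold:
            findings.append(("repeated-failures", src, count))
    return findings
```

Call review() with the text of the exported system log; each returned tuple carries the finding type followed by the user and source address, or the source and failure count.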
