pfSense Glossary - Terms and Definitions
This glossary defines terms commonly encountered when working with pfSense and networking technologies. Entries are arranged alphabetically. Each term includes the acronym expansion (where applicable) and a concise definition in the context of pfSense. For detailed configuration guidance on individual features, consult the corresponding documentation sections: firewall, NAT, VPN.
A
ACL
Access Control List - a set of rules that define permissions or denials for access to network resources. In pfSense, ACLs are implemented through firewall rules and access settings of individual services (DNS Resolver, Captive Portal).
AES-NI
Advanced Encryption Standard - New Instructions - a set of CPU hardware instructions that accelerate AES encryption operations. pfSense leverages AES-NI to improve VPN tunnel throughput (IPsec, OpenVPN). Systems handling heavy VPN traffic should have AES-NI support.
ALTQ
Alternate Queuing - a traffic queue management subsystem in the FreeBSD kernel, used by pfSense to implement QoS. ALTQ supports the PRIQ, HFSC, and CBQ scheduling disciplines. Configured via Firewall > Traffic Shaper.
ARP
Address Resolution Protocol - a data link layer protocol that resolves IP addresses to MAC addresses on a local network. The ARP table is accessible in pfSense via Diagnostics > ARP Table.
B
BGP
Border Gateway Protocol - an inter-autonomous system dynamic routing protocol. pfSense does not include BGP natively, but the protocol is available through the FRR (Free Range Routing) package.
BINAT
Bidirectional NAT - a type of address translation that statically maps an external IP address to an internal one in both directions. Configured in pfSense as 1:1 NAT via Firewall > NAT > 1:1.
Bogon
Bogon networks are IP address ranges that should not appear in internet routing tables: private ranges (RFC 1918), reserved addresses, and unallocated blocks. pfSense automatically updates its bogon list and can block traffic from these addresses on the WAN interface.
C
CARP
Common Address Redundancy Protocol - a protocol providing failover through virtual IP addresses shared across multiple nodes. In pfSense, CARP is used to build high availability clusters with automatic failover to the backup node.
CoDel
Controlled Delay - an active queue management (AQM) algorithm designed to combat bufferbloat. In pfSense, CoDel is available in Limiters via Firewall > Traffic Shaper > Limiters.
D
DHCP
Dynamic Host Configuration Protocol - a protocol for automatic assignment of IP addresses and network parameters to clients. pfSense includes a built-in DHCP server, configured via Services > DHCP Server on a per-interface basis.
DMZ
Demilitarized Zone - an isolated network segment for hosting publicly accessible servers. In pfSense, a DMZ is implemented as a separate interface (OPTn) with firewall rules restricting access from the DMZ to the LAN.
DNAT
Destination NAT - translation of the destination address in an incoming packet. In pfSense, DNAT is implemented as Port Forward via Firewall > NAT > Port Forward, redirecting inbound connections to internal servers.
DNS
Domain Name System - the system that translates domain names into IP addresses. pfSense provides the DNS Resolver (Unbound) for recursive resolution and the DNS Forwarder (dnsmasq) for proxying DNS queries.
DNSSEC
DNS Security Extensions - a suite of DNS extensions that protect against response forgery (DNS spoofing) through cryptographic signing of records. Supported by the built-in DNS Resolver (Unbound) in pfSense.
DPD
Dead Peer Detection - a mechanism for detecting the unreachability of a remote IPsec tunnel endpoint. When a dead peer is detected, pfSense can automatically restart the tunnel or switch to a backup gateway.
DSCP
Differentiated Services Code Point - a 6-bit field in the IP packet header used to mark traffic priority. pfSense uses DSCP in traffic shaper rules for packet classification and prioritization.
E
ESP
Encapsulating Security Payload - an IPsec protocol (IP Protocol 50) that provides encryption and authentication of IP packet contents. ESP is used in all pfSense IPsec tunnels to protect transmitted data.
F
FIB
Forwarding Information Base - the routing table used by the kernel for packet forwarding decisions. pfSense supports multiple FIBs to implement policy-based routing. The routing table is accessible via Diagnostics > Routes.
G
GIF
Generic Tunnel Interface - a tunnel interface type for encapsulating IPv6 within IPv4 (or vice versa). In pfSense, GIF tunnels are created via Interfaces > Assignments > GIFs and are commonly used for IPv6 tunnel broker connections.
GRE
Generic Routing Encapsulation - a tunneling protocol for encapsulating arbitrary network protocols within IP. In pfSense, GRE tunnels are created via Interfaces > Assignments > GREs and serve site-to-site connections without encryption.
H
HA
High Availability - an architecture with redundancy to minimize downtime. In pfSense, HA is achieved through CARP, pfsync, and XMLRPC configuration synchronization between two nodes.
HFSC
Hierarchical Fair Service Curve - a traffic queue discipline supporting hierarchical classes and bandwidth guarantees. HFSC is the most flexible traffic shaper discipline in pfSense, configured via Firewall > Traffic Shaper.
I
ICMP
Internet Control Message Protocol - a network-layer service protocol for transmitting diagnostic messages (ping, traceroute, destination unreachable). pfSense firewall rules can filter ICMP by message type.
IDS/IPS
Intrusion Detection System / Intrusion Prevention System - a system for detecting and preventing network intrusions. In pfSense, IDS/IPS functionality is provided by the Suricata or Snort packages, installed via System > Package Manager.
IKE
Internet Key Exchange - a protocol for negotiating security parameters and exchanging keys for IPsec. pfSense supports IKEv1 and IKEv2. IKE parameters are configured in Phase 1 of the IPsec configuration.
IPsec
Internet Protocol Security - a protocol suite providing authentication and encryption of IP traffic. pfSense supports IPsec in site-to-site and remote access modes. Configured via VPN > IPsec.
L
LAGG
Link Aggregation - combining multiple physical network interfaces into a single logical interface for increased throughput or failover. pfSense supports LACP, failover, loadbalance, and roundrobin modes via Interfaces > Assignments > LAGGs.
Limiter
A bandwidth restriction mechanism based on dummynet in pfSense. Unlike ALTQ, limiters can enforce per-IP bandwidth caps and apply AQM algorithms (CoDel, FQ-CoDel). Configured via Firewall > Traffic Shaper > Limiters.
M
MSS
Maximum Segment Size - the maximum payload size of a TCP segment. pfSense can enforce MSS clamping to prevent packet fragmentation in VPN tunnels and PPPoE connections. Configured at the interface level or in firewall rules.
MTU
Maximum Transmission Unit - the largest packet size that can traverse a network interface without fragmentation. The standard Ethernet MTU is 1500 bytes. When using VLANs, VPNs, or PPPoE, the MTU must be adjusted to account for encapsulation overhead.
N
NAT
Network Address Translation - address translation that modifies IP addresses as packets pass through a router. pfSense supports Port Forward, 1:1 NAT, and Outbound NAT. Configured via Firewall > NAT.
NAT-T
NAT Traversal - a mechanism that encapsulates ESP packets within UDP (port 4500) to allow IPsec traffic to traverse NAT devices. pfSense enables NAT-T automatically when NAT is detected between IPsec peers.
NDP
Neighbor Discovery Protocol - the IPv6 neighbor discovery protocol that performs ARP-equivalent functions for IPv6 networks (MAC address resolution, router discovery, autoconfiguration). The NDP table is accessible via Diagnostics > NDP Table.
NPt
Network Prefix Translation - translation of IPv6 prefixes without modifying the host identifier. In pfSense, NPt replaces one IPv6 prefix with another as the packet traverses the firewall, preserving end-to-end addressing.
NTP
Network Time Protocol - a protocol for time synchronization. pfSense includes a built-in NTP server to synchronize clocks on devices within the local network. Configured via Services > NTP.
O
OSPF
Open Shortest Path First - a link-state dynamic routing protocol. pfSense does not include OSPF natively, but the protocol is available through the FRR (Free Range Routing) package.
P
PBR
Policy-Based Routing - routing based on policies that direct traffic through different gateways depending on source, destination, or traffic type. In pfSense, PBR is implemented by assigning a gateway in firewall rules.
pf
Packet Filter - the packet filtering engine originating from OpenBSD, used in pfSense as the core firewall mechanism. All firewall rules, NAT, and traffic shaping in pfSense are translated into pf rules.
pfctl
A command-line utility for managing the pf packet filter. It provides access to states, rules, tables, and firewall statistics. Available in pfSense via Diagnostics > Command Prompt or SSH.
pfsync
A protocol for synchronizing the pf packet filter state table between HA cluster nodes. pfsync ensures that active connections are preserved during failover to the backup node (stateful failover).
PFS
Perfect Forward Secrecy - a property of key exchange protocols ensuring that compromise of a long-term key does not reveal previously established session keys. In pfSense, PFS is configured in Phase 2 of the IPsec setup.
PPPoE
Point-to-Point Protocol over Ethernet - a protocol for establishing point-to-point connections over Ethernet, widely used by ISPs for DSL and fiber-to-the-building connections. pfSense supports PPPoE as a WAN connection type and can also operate as a PPPoE server.
PRIQ
Priority Queuing - the simplest ALTQ queue discipline with fixed priorities. Packets in higher-priority queues are always processed first. Configured via Firewall > Traffic Shaper.
Q
QoS
Quality of Service - a set of mechanisms for managing traffic priorities and bandwidth allocation. In pfSense, QoS is implemented through the traffic shaper (ALTQ) and limiters (dummynet).
R
RADIUS
Remote Authentication Dial-In User Service - a protocol for centralized authentication, authorization, and accounting (AAA). pfSense supports RADIUS as an authentication source for VPN, Captive Portal, and administrative access.
RRD
Round-Robin Database - a fixed-size time-series data storage format. pfSense uses RRD to store historical monitoring data (traffic graphs, link quality, system load) displayed in Status > Monitoring.
S
SA
Security Association - a set of negotiated security parameters (algorithms, keys, lifetime) for an IPsec connection. Each IPsec tunnel establishes a pair of SAs - one for each traffic direction.
SLAAC
Stateless Address Autoconfiguration - a mechanism for automatic IPv6 address assignment based on Router Advertisements without DHCPv6. The device generates its address from the network prefix and its own interface identifier.
SNAT
Source NAT - translation of the source address in an outgoing packet. In pfSense, SNAT is implemented through Outbound NAT (Firewall > NAT > Outbound), which by default replaces the source address with the WAN interface address.
STP
Spanning Tree Protocol - a protocol that prevents loops in networks with redundant Layer 2 links. pfSense supports STP on bridge interfaces to prevent broadcast storms.
Suricata
A multi-threaded intrusion detection and prevention system (IDS/IPS) available in pfSense as an add-on package. Suricata inspects network traffic in real time against threat signatures and can block malicious connections.
V
VHID
Virtual Host ID - the CARP virtual host identifier (1-255). Each CARP virtual IP address must have a unique VHID within the broadcast domain. The VHID must match across all HA cluster nodes for a given virtual IP.
VLAN
Virtual Local Area Network - a technology for logically partitioning a physical network into isolated segments at the data link layer (IEEE 802.1Q standard). pfSense supports creating VLAN interfaces via Interfaces > Assignments > VLANs.
VPN
Virtual Private Network - a private network providing secure connectivity over a public network. pfSense supports IPsec, OpenVPN, WireGuard, and L2TP.
VTI
Virtual Tunnel Interface - a virtual tunnel interface for routable IPsec tunnels. VTI allows applying firewall rules and routing directly to IPsec traffic, simplifying configuration compared to Phase 2 policies.
X
XMLRPC
Extensible Markup Language Remote Procedure Call - an XML-based remote procedure call protocol over HTTP. pfSense uses XMLRPC to synchronize configuration between HA cluster nodes (firewall rules, NAT, aliases, DHCP, and other settings).