Part 1: Installation and Initial Configuration


1. Project Context

1.1 Objectives

We undertook the installation of a dedicated firewall solution for a homelab environment, with the goal of establishing a segmented and secure network infrastructure. This first phase consists of deploying pfSense as a dedicated security appliance, distinct from the existing virtualization infrastructure.

1.2 Hardware Used

Mini PC: Zotac ZBOX CI337 nano

  • Processor: Intel N100 (4 cores, up to 3.4 GHz)
  • Memory: 8 GB DDR5
  • Storage: 128 GB SSD
  • Network Interfaces: 2x Realtek PCIe Gigabit Ethernet
  • WiFi: Intel CNVi Wi-Fi 6 AX101 (detected but not used)
  • Boot Mode: Pure UEFI (Secure Boot disabled)

Acquisition Cost: 85€


2. Operating System Installation

2.1 Preparation

We downloaded pfSense 2.8.1 Community Edition from the official Netgate website. The ISO image was flashed onto a bootable USB drive to proceed with the installation on the target system.

2.2 BIOS Configuration

Before installation, we configured the Zotac ZBOX BIOS with the following settings:

  • Secure Boot: Disabled
  • Boot Mode: Pure UEFI
  • Boot Order: USB drive prioritized

2.3 Installation Process

We booted the system from the installation USB drive and followed the standard procedure:

  1. License Acceptance: We accepted the terms of the pfSense CE license
  2. Installation Mode: Selection of “Install pfSense”
  3. Keyboard Layout: Configuration to French AZERTY (optional)
  4. Partitioning: Selection of “Auto (ZFS)” for a modern and high-performance installation
  5. RAID Configuration: Selection of “Stripe” (no redundancy - single disk)
  6. Installation Media: Selection of the 128 GB SSD as the installation medium
  7. Confirmation: Validation of formatting and launch of the installation

The installation proceeded without incident, and the system restarted automatically upon completion.


3. Initial Network Interface Configuration

3.1 Interface Assignment

Upon the first boot, we accessed the pfSense console menu to proceed with network interface assignment.

Menu Option 1: Assign Interfaces

We configured the interfaces as follows:

  • WAN (re1): Interface connected to the main router (Internet box)
  • LAN (re0): Interface for the internal network

3.2 Temporary WAN IP Configuration

As part of our homelab setup, we opted for a temporary architecture allowing access to the WebGUI via the WAN interface, while finalizing the configuration before going into production.

Menu Option 2: Set interface(s) IP address

WAN Configuration:

  • Mode: Static IP (non-DHCP)
  • IPv4 Address: Fixed IP within the existing network subnet
  • Netmask: /24
  • Gateway: Address of the main router

LAN Configuration:

  • IPv4 Address: Dedicated subnet for the future internal network
  • Netmask: /24
  • DHCP Server: Enabled with a defined range

4. Accessing the Web Interface

4.1 Initial Issue

During the first attempt to access the WebGUI, we encountered a common problem: because our WAN interface sits on the main router's private (RFC 1918) subnet, pfSense's automatic rules blocked access from the WAN interface due to the default activation of the “Block Private Networks” protection.

4.2 Resolution via Manual Configuration

We resolved this limitation by directly editing the configuration file:

Via console (Option 8 - Shell):

```sh
# Install the nano editor for convenience
pkg update
pkg install nano

# Edit the configuration file
nano /cf/conf/config.xml
```

We removed the <blockpriv/> and <blockbogons/> directives in the WAN section, then reloaded the configuration:

```sh
/etc/rc.reload_all
```
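As an added example (not part of the original write-up), the same edit done as a script: it parses a pfSense-style config.xml, reports whether the WAN section still carries blockpriv/blockbogons, and removes or restores them, which also gives a quick check to run against the XML backups of section 10.3 before the appliance goes into production. The config sample is constructed; on the appliance the file is /cf/conf/config.xml and pfSense's bundled python3 is assumed.

```python
"""Added example (not from the write-up): audit and toggle the WAN
<blockpriv/> / <blockbogons/> flags in a pfSense-style config.xml.
Runs offline on the constructed sample below; on the appliance the file
is /cf/conf/config.xml and pfSense's bundled python3 is assumed."""
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed config.xml following pfSense's layout.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan>
      <if>re1</if>
      <ipaddr>192.0.2.10</ipaddr>
      <blockpriv></blockpriv>
      <blockbogons></blockbogons>
    </wan>
    <lan>
      <if>re0</if>
      <ipaddr>10.10.0.1</ipaddr>
    </lan>
  </interfaces>
</pfsense>
"""

FLAGS = ("blockpriv", "blockbogons")

def wan_protections(xml_text):
    """Return {flag: present} for the WAN interface section."""
    wan = ET.fromstring(xml_text).find("./interfaces/wan")
    if wan is None:
        raise ValueError("no <wan> section in config")
    return {f: wan.find(f) is not None for f in FLAGS}

def set_wan_protections(xml_text, enabled):
    """Remove (enabled=False) or restore (enabled=True) both flags on WAN."""
    root = ET.fromstring(xml_text)
    wan = root.find("./interfaces/wan")
    for f in FLAGS:
        el = wan.find(f)
        if not enabled and el is not None:
            wan.remove(el)
        elif enabled and el is None:
            ET.SubElement(wan, f)  # pfSense stores these as empty elements
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    temp = set_wan_protections(SAMPLE_CONFIG, enabled=False)  # the temporary edit
    print("temporary:", wan_protections(temp))
    print("restored:", wan_protections(set_wan_protections(temp, enabled=True)))
```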

4.3 WebGUI Connection

After applying the modifications, we were able to access the web interface via a browser using HTTPS from the existing network.

Default Credentials:

  • User: admin
  • Password: pfsense

5. Basic Security Configuration

5.1 Changing the Administrator Password

The first security action performed was changing the default password.

Navigation: System > User Manager > Users > admin

We defined a robust password adhering to complexity criteria.

5.2 SSH Activation (Optional)

To facilitate remote maintenance, we enabled SSH access.

Navigation: System > Advanced > Admin Access

  • Enable Secure Shell: Enabled

6. Installation of Critical Drivers

6.1 Realtek Card Issue

Realtek network cards, although detected by FreeBSD, require a specific driver for optimal stability: the generic in-kernel driver can cause disconnections or performance loss.

6.2 Installing realtek-re-kmod

We proceeded to install the package realtek-re-kmod via the Diagnostics > Command Prompt interface:

```sh
# Install the optimized Realtek driver
# (-y answers pkg's confirmation prompt, which the web Command Prompt cannot do interactively)
pkg install -y realtek-re-kmod

# Load the module immediately
kldload if_re

# Configure automatic loading at boot
echo 'if_re_load="YES"' >> /boot/loader.conf.local

# Verify that the module is loaded
kldstat | grep if_re
```

We then rebooted the system via Diagnostics > Reboot to permanently apply the modifications.

6.3 Post-Installation Verification

After rebooting, we checked the status of the network interfaces:

```sh
# Check interface status
ifconfig re0
ifconfig re1

# Check error statistics
netstat -i
```

Results obtained:

  • re0 (LAN): Status “no carrier” (normal, no cable connected)
  • re1 (WAN): Status “active”, speed 1000baseT full-duplex
  • Interface Errors (Ierrs/Oerrs): 0 on both interfaces
  • MSI-X Interrupts: Enabled and functional

The hardware configuration is validated as fully operational.


7. WiFi Hardware Verification

7.1 Card Identification

We proceeded with the full identification of the installed network hardware:

```sh
# Detailed list of PCI network devices
pciconf -lvcb | grep -A10 "network"
```

Results:

  • WiFi: Intel CNVi Wi-Fi 6 AX101 detected
  • Ethernet 1: Realtek PCIe GbE (re0)
  • Ethernet 2: Realtek PCIe GbE (re1)

7.2 FreeBSD Limitations

The Intel AX101 WiFi card, although detected by the system, is not usable under pfSense/FreeBSD for the following reasons:

  • iwlwifi driver removed from recent pfSense versions
  • Experimental support only in client mode (no AP mode)
  • Limited performance even if functional

Technical Decision: We decided to use a dedicated external WiFi access point that will be connected to the pfSense LAN port, offering better performance and centralized management.


8. Installation of Essential Packages

8.1 System Update

Before installing third-party packages, we checked for available system updates via System > Update.

8.2 Installation of Security Packages

Navigation: System > Package Manager > Available Packages

We installed the following packages in order of priority:

1. pfBlockerNG-devel (DNS filtering and IP blocking)

  • Protection against advertisements, malware, and trackers
  • Blocking malicious IP addresses
  • DNSBL Mode for DNS filtering

2. Suricata (IDS/IPS)

  • Intrusion Detection and Prevention System
  • Inline IPS mode on the WAN interface
  • ET Open Rules (Emerging Threats)

3. WireGuard (Modern VPN)

  • High-performance VPN protocol
  • Modern encryption
  • Simplified configuration

4. ACME (Automatic SSL Certificates)

  • Let’s Encrypt Integration
  • Automatic certificate renewal

5. ntopng (Network Monitoring)

  • Real-time traffic analysis
  • Detailed statistics per host/protocol

6. iftop (Bandwidth Monitoring)

  • Installation via console: pkg install iftop
  • Real-time bandwidth monitoring

8.3 Disabling Hardware Offloads

Critical Prerequisite for Suricata: We disabled hardware offloads to ensure complete packet inspection.

Navigation: System > Advanced > Networking

Disabled options:

  • Hardware Checksum Offloading
  • Hardware TCP Segmentation Offloading
  • Hardware Large Receive Offloading

System reboot required after this modification.
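As an added example (not part of the original write-up), a script that automates the checks done by hand in sections 6.3 and 8.3: it parses `ifconfig` output to confirm the link state and to list any hardware offloads still enabled on an interface, and parses `netstat -i` to flag interfaces with non-zero Ierrs/Oerrs. Both samples are constructed; on the appliance the real command output would be fed in instead.

```python
"""Added example (not from the write-up): parse FreeBSD `ifconfig` and
`netstat -i` output to automate the checks of sections 6.3 and 8.3.
Both samples are constructed; on the appliance feed in real output."""
import re

# Constructed ifconfig output for a re(4) NIC with offloads still enabled.
IFCONFIG_RE1 = """re1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
\tmedia: Ethernet autoselect (1000baseT <full-duplex>)
\tstatus: active
"""

# Constructed `netstat -i` output: re0 clean, re1 shows input errors.
NETSTAT_I = """Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
re0    1500 <Link#1>      00:00:00:00:00:01        0     0     0        0     0     0
re1    1500 <Link#2>      00:00:00:00:00:02    48211    17     0    39020     0     0
lo0   16384 <Link#3>      lo0                    120     0     0      120     0     0
"""

# Offload options that must be off for Suricata inline mode (section 8.3).
OFFLOAD_OPTS = {"RXCSUM", "TXCSUM", "TSO4", "TSO6", "LRO"}

def enabled_offloads(ifconfig_text):
    """Return the offload options still set in one interface's ifconfig block."""
    m = re.search(r"options=[0-9a-f]+<([^>]*)>", ifconfig_text)
    opts = set(m.group(1).split(",")) if m else set()
    return sorted(opts & OFFLOAD_OPTS)

def link_state(ifconfig_text):
    """'active', 'no carrier', ... taken from the status: line."""
    m = re.search(r"^\s*status:\s*(.+)$", ifconfig_text, re.M)
    return m.group(1).strip() if m else "unknown"

def interfaces_with_errors(netstat_text, prefix="re"):
    """Map physical interfaces to (Ierrs, Oerrs) when either counter is non-zero."""
    bad = {}
    for line in netstat_text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10 or not f[0].startswith(prefix):
            continue
        ierrs, oerrs = int(f[5]), int(f[8])
        if ierrs or oerrs:
            bad[f[0]] = (ierrs, oerrs)
    return bad

if __name__ == "__main__":
    print("re1 link:", link_state(IFCONFIG_RE1))
    print("re1 offloads still on:", enabled_offloads(IFCONFIG_RE1))
    print("interfaces with errors:", interfaces_with_errors(NETSTAT_I))
```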


9. Current Configuration Status

9.1 Temporary Network Architecture

```
Internet
   ↓
Main Box/Router
   ↓
[WAN - re1]
pfSense ZBOX
[LAN - re0]
   ↓
(Not connected - future expansion)
```

9.2 Active Services

  • ✅ pfSense Firewall operational
  • ✅ Realtek drivers installed and validated
  • ✅ WebGUI access functional
  • ✅ SSH enabled for remote maintenance
  • ✅ Security packages installed

9.3 Next Steps (Part 2)

The rest of the configuration will include:

  1. Detailed configuration of pfBlockerNG-devel
  2. Configuration of Suricata IDS/IPS
  3. Setting up network VLANs
  4. WireGuard VPN configuration
  5. Integration of an external WiFi access point
  6. Deployment of a managed switch with VLAN support
  7. Migration to the final network architecture

10. Optimizations and Best Practices

10.1 Intel N100 Optimization

The Intel N100 processor may present CPU frequency limitations. We recommend checking the following parameters in the BIOS:

  • PL1 (Power Limit 1): 10-12W (instead of default 6W)
  • PL2 (Power Limit 2): 25-30W
  • CPU Turbo: Enabled

10.2 System Monitoring

Useful commands for monitoring:

```sh
# CPU and memory load
top

# Real-time CPU frequency
sysctl dev.cpu | grep freq

# Interface status
ifconfig -a

# Network statistics
netstat -i
```

10.3 Backups

We recommend performing regular configuration backups:

Navigation: Diagnostics > Backup & Restore

  • Exporting the configuration in XML format
  • Backup after every major modification

Conclusion of Part 1

We successfully deployed a pfSense 2.8.1 instance on a Zotac ZBOX CI337 nano mini PC. The system is now operational with:

  • Two fully functional Gigabit Ethernet interfaces
  • Optimized hardware drivers (Realtek)
  • Security package suite installed
  • Secured basic configuration

The current architecture allows access and configuration via the web interface, while preserving the possibility of migrating to a segmented production architecture with VLANs. The hardware validation confirms the absence of network errors and optimal performance on both Ethernet interfaces.

Total Investment: 85€ for the hardware
Installation Time: ~2 hours (installation + configuration + optimizations)
Status: ✅ Operational and ready for advanced configuration


Document written as part of a homelab project for network segmentation and infrastructure security.