pfSense

While pfSense's initial configuration wizard provides a fully functional router and firewall, a few additional modifications are recommended when running the router as a VM or on an SSD.

For VMs, the virtio network interfaces are recommended, but the hardware checksum offloading used by pfSense can cause performance issues with them. To disable the checksum offloading go to System > Advanced > Networking and check "Disable hardware checksum offload". Additionally, when running pfSense as a VM it can be preferable to access the console over serial, especially as serial consoles more commonly support copy and paste from the local system. This can be achieved by going to System > Advanced > Admin Access, scrolling down to "Serial Communications" and checking "Serial Terminal". Following a reboot, the terminal will then be available over the serial port.

It was noticed that pfSense continually reads from and writes to the disk, which can add up to several terabytes of writes each year. With an SSD-based disk this can reduce the longevity of the storage. To remove almost all of these writes, pfSense provides the option of storing some of the volatile data in RAM and only synchronising the data to disk at a set interval. This is done by going to System > Advanced > Miscellaneous and scrolling down to "RAM Disk Settings": first check the "Use RAM Disks" option, then set the "RAM Disk Size"; 200MB for each has worked fine for me. Once these options are saved, pfSense will need to be rebooted.

Additional Configuration

A nice feature that is included in pfSense but disabled by default is the ability to add the hostnames received in DHCP requests as DNS entries. To do this go to Services > DNS Resolver and check both "Register DHCP leases in the DNS Resolver" and "Register DHCP static mappings in the DNS Resolver" so that both dynamic and static DHCP leases are included.
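
To confirm that the checkboxes described above survived a save and reboot, a configuration backup can be checked offline. The script below is an added example, not part of the original page or of pfSense itself. The config.xml element names it looks for are assumptions about pfSense's configuration layout, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Settings from this page mapped to config.xml element paths.
# The element names are assumptions about pfSense's config.xml layout;
# confirm them against a backup taken from your own firewall.
EXPECTED_FLAGS = {
    "Disable hardware checksum offload": "system/disablechecksumoffloading",
    "Serial Terminal": "system/enableserial",
    "Use RAM Disks": "system/use_mfs_tmpvar",
    "Register DHCP leases in the DNS Resolver": "unbound/regdhcp",
    "Register DHCP static mappings in the DNS Resolver": "unbound/regdhcpstatic",
}
RAM_DISK_SIZES = ("system/use_mfs_tmp_size", "system/use_mfs_var_size")

# Constructed sample: "Serial Terminal" and static-mapping registration are unset.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <disablechecksumoffloading></disablechecksumoffloading>
    <use_mfs_tmpvar></use_mfs_tmpvar>
    <use_mfs_tmp_size>200</use_mfs_tmp_size>
    <use_mfs_var_size>200</use_mfs_var_size>
  </system>
  <unbound>
    <regdhcp></regdhcp>
  </unbound>
</pfsense>"""


def audit(config_xml):
    """Return (missing_flags, ram_disk_sizes_mb) for a config.xml string."""
    root = ET.fromstring(config_xml)
    # A ticked checkbox is stored as an element that is present, usually empty.
    missing = [name for name, path in EXPECTED_FLAGS.items()
               if root.find(path) is None]
    sizes = {}
    for path in RAM_DISK_SIZES:
        node = root.find(path)
        text = (node.text or "").strip() if node is not None else ""
        sizes[path.split("/")[-1]] = int(text) if text.isdigit() else None
    return missing, sizes


if __name__ == "__main__":
    missing, sizes = audit(SAMPLE_CONFIG)
    for name in missing:
        print("NOT SET:", name)
    print("RAM disk sizes (MB):", sizes)
```

A configuration backup contains password hashes and keys, so run the check on a trusted machine and delete the copy afterwards.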

Equally, pfSense provides functionality to keep a Cloudflare DNS entry up to date with the WAN IP address. To do this go to Services > Dynamic DNS and add a new entry following these instructions.

Some other useful packages are:

  • acme, for creating trusted SSL certificates,
  • bandwidthd, for monitoring bandwidth use per host.