Course Length : 16 hours 18 minutes
Chapters : 27
Course Goal
Students with no prior pfSense experience will build a secure, production-grade, single-node deployment. The course incorporates Zero Trust principles and real-world best practices suitable for small environments.
Target Audience
• Small business administrators
• Enthusiasts
• IT professionals preparing for larger deployments
• First line, second line, and third line support staff in any discipline (network, server, desktop) who want to build practical skills in security hardening and Zero Trust principles
• Field engineers delivering on-site configuration or support services
• Security Operations Centre (SOC) analysts requiring context on firewall enforcement and segmentation
• Managed Service Provider (MSP) staff deploying or managing pfSense for clients
• Internal and external auditors assessing firewall configuration and policy compliance
• Compliance, risk, or governance professionals requiring a practical understanding of baseline security controls
Notes
• High availability, multi-WAN, advanced IDS/IPS, advanced VPN configurations, and performance tuning are reserved for the Advanced Course
• IPv6 will be disabled in this course
• Squid proxy coverage is limited to basic transparent operation. SSL interception (SSL bumping) is excluded
• Advanced VPN scaling, high availability clustering, multi-WAN resilience, IDS/IPS tuning, and IPv6 dual-stack support are reserved for the Advanced Course
• This course does not cover DNS blocking or filtering solutions, including pfBlockerNG or advanced domain reputation lists
• Web filtering beyond basic Squid access control lists is excluded
• Although DNS blocking is not configured in this course, Module 13: DNS Resolver and Forwarder will include a dedicated topic on recognising DNS-layer threats, including:
o Use of Tor and encrypted DNS to bypass controls
o Indicators that DNS is being manipulated or tunneled
o Strategies for monitoring DNS traffic without full filtering
• Learners who require enforced DNS policy controls or content filtering must refer to the Advanced Course or dedicated filtering solutions
Course Objectives
By the end of this course, students will:
• Install pfSense 2.8 CE securely
• Harden default settings and credentials
• Configure essential services: DHCP, DNS, NTP
• Implement basic NAT, VPN, VLAN segmentation
• Understand operational practices consistent with Zero Trust
• Validate configurations through testing
• Prepare for more complex deployments in the Advanced Course
Lab Environment Requirements
• Hyper-V Server 2019 or Windows Server 2022/2025
• pfSense 2.8 CE ISO image and 2.7.2 image for upgrade demonstrations
• Ubuntu Desktop 24.04 (2 VMs)
• Ubuntu Server 24.04 (for WPAD and DNS)
• Windows 11 24H2 (2 VMs)
• VLAN-capable vSwitches (optional for this course)
• Internet connection behind DHCP-provided router
• External SMTP account for notifications
• API credentials for Telegram, Pushover, or Slack
• No IPv6 traffic permitted in lab
Course Introduction and Foundations
Topics
Presenter Background
• Professional experience with pfSense deployments in production environments
• Relevant certifications and credentials (e.g. networking, security)
• Track record of training delivery to IT professionals and small business administrators
Why This Course Exists
• Rapid growth in pfSense adoption without consistent security practices
• Prevalence of unsafe default configurations in small environments
• Demand for structured, step-by-step instruction aligned to Zero Trust principles
• Preparing students to scale skills confidently to larger deployments
Course Philosophy
• Build a clean, documented, reproducible configuration baseline
• Remove unnecessary complexity in early stages
• Prioritise clarity of design over premature optimisation
• Explicitly separate foundation skills from advanced topics (HA, multi-WAN, advanced IDS/IPS)
Scope and Exclusions
• Focused on a single-node deployment behind a DHCP-provided router
• IPv6 is disabled in all examples to reduce operational risks for beginners
• HA clustering and advanced VPN scaling reserved for Advanced Course
Building Blocks for Advanced Topics
• Importance of understanding:
o Interface assignments and VLAN tagging
o Role-based access and certificate management
o Separation of routing, NAT and firewall policies
o Transparent vs. explicit proxying
o Validation and baseline testing procedures
• How these elements will integrate into:
o HA clustering with CARP
o Multi-WAN failover and load balancing
o Dual-stack IPv6 deployment
o Full IDS/IPS tuning and alerting workflows
How to Use This Course
• Recommended order of modules
• Lab environment expectations
• Documentation practices
• Approach to assessments and validation
Course Modules
- Introduction to pfSense CE
• Community vs. Plus editions
• Open source licensing and long-term support
• Unsafe defaults: why default configurations do not meet modern security baselines
- Download and Verification
• Official download sources and mirrors
• Verifying integrity with SHA256 checksums
• Preparing installation media (USB/ISO)
- Hyper-V Host Preparation
• Setting up Hyper-V Server or Windows Server
• Designing vSwitch topology for WAN, LAN, management
• VLAN tagging in Hyper-V compared to hardware switches
• Differences between virtual and bare metal appliances
- Installation Walkthrough
• Boot process and guided installer
• Interface assignment
• Disk partitioning and filesystem selection
- Initial Setup Wizard
• Guided configuration steps
• Defaults to avoid
• Mandatory settings review (hostname, domain, DNS, NTP)
- Initial Hardening
• Replacing default credentials
• Enabling HTTPS for management GUI
• Restricting or disabling SSH
• Lockout recovery procedures
- Web Interface Tour
• Dashboard layout
• Appearance and theme adjustments
• Menu structure: locating logs, services, routing
- User Account Management
• Creating non-default admin accounts
• Role-based access models
• Password policies for administrators
• SSH key configuration and storage
- System Updates and Patch Management
• Selecting update branches (stable vs. development)
• Verifying updates and package signatures
• Scheduling regular maintenance windows
- Configuration Backup and Restore
• Encrypted configuration backups
• Testing restore procedures
• Offsite storage practices
- NTP Architecture
• The role of accurate time in security auditing
• Recommended NTP sources
• Configuring clients and server behaviour
- DHCP Server Configuration
• Building DHCP scopes
• Static mappings for critical devices
• Methods to detect and suppress rogue DHCP servers
- DNS Resolver and Forwarder
• Resolver vs. forwarder operation
• Enabling DNS over TLS
• Blocking outbound DNS queries from clients
• Split-horizon DNS for internal services
- ARPwatch
• Monitoring MAC address changes
• Generating alerts and reviewing logs
- Certificate Architecture
• Creating an internal Certificate Authority
• Issuing certificates for the GUI and VPN services
• Managing certificate renewal and revocation
- Package Management
• Selecting packages safe for production use
• Updating installed packages
• Avoiding excessive or experimental packages
- Squid Proxy (Introduction)
• Transparent proxy design
• Basic access controls
• Logging and storage considerations
• Preparing for advanced SSL interception in the next course
- Logs and Logging Best Practices
• Selecting which logs to retain
• Log rotation and retention policies
• Syslog export configuration
- NAT Configuration
• Automatic outbound NAT rules
• Configuring secure port forwarding
• Verifying NAT behaviour
- Basic VPNs
• OpenVPN server setup
• IPsec site-to-site configuration basics
• WireGuard peer configuration
• Routing considerations when VPNs are active
- Routing
• Static routes
• Policy routing for special cases
• Interactions with VPN and segmentation
- Aliases
• Defining host, network, and port aliases
• Simplifying firewall rule management
• Reviewing alias usage for clarity
- VLAN Design
• Creating VLAN interfaces
• Tagging in Hyper-V and switches
• Testing segmentation boundaries
- Disable IPv6
• Rationale for disabling IPv6
• Steps to disable across interfaces and services
• Validating no IPv6 traffic leaks
- Notifications
• Configuring SMTP notifications
• Integrating Telegram, Pushover, Slack
• Testing alerts end-to-end
- Validation and Baseline Testing
• Port scanning the firewall
• Basic penetration testing techniques
• Verifying Zero Trust configurations
- Best Practice Checklist
• Reviewing all configuration steps
• Downloadable checklist for audit preparation
• Guidance on next steps and Advanced Course readiness