pfSense Lab Setup – Step-by-Step

1. VM Requirements
  . CPU: 1–2 vCPUs (64-bit)
  . Memory: 1–2 GB RAM
  . Disk: 8–20 GB
  . Network Interfaces: 2 (WAN & LAN)
  . Platform: VirtualBox, VMware, or similar
2. Download pfSense
  . Visit: https://www.pfsense.org/download/
  . Select: pfSense Community Edition, AMD64 ISO
  . Download the ISO file
3. Create the Virtual Machine
  . Open VirtualBox/VMware and create a new VM
  . Name: pfSense
  . Type: BSD → FreeBSD 64-bit
  . CPU: 1–2 vCPUs
  . RAM: 1–2 GB
  . Disk: 8–20 GB (dynamically allocated)
  . Attach the pfSense ISO as the boot medium
Add two network adapters:
  . Adapter 1 (WAN): NAT or Bridged
  . Adapter 2 (LAN): Host-Only or Internal Network
4. Install pfSense
  . Start the VM and boot from the ISO
  . At the installer menu, select Install pfSense
  . Accept defaults for key-map and settings
  . Choose Guided Disk Setup (Stripe/No Redundancy)
  . Select the virtual disk and confirm
  . Let installation complete, then remove the ISO
  . Reboot the VM
5. Initial Console Setup
  . pfSense will auto-detect interfaces
  . Assign WAN and LAN as prompted
  . Default LAN IP: 192.168.1.1/24 
  . Skip VLAN setup (select “n”)
6. Access Web Interface
  . On a host or lab VM, open a browser to: http://192.168.1.1
Login:
  . Username: admin
  . Password: pfSense
7. Post-Install Configuration
  . Run the pfSense setup wizard
  . Change the admin password
  . Set WAN/LAN IPs as needed
  . Configure DNS, DHCP, NAT.
  . (Optional) Install Suricata IDS/IPS

pfSense Lab Troubleshooting Steps
.Devices on LAN could not access the internet

• • Checked if WAN interface received a valid IP address

  • Made sure default gateway was set correctly on WAN

  • Confirmed NAT was enabled

  • Rebooted ISP router or renewed WAN DHCP lease if needed

• Could not reach pfSense web interface at 192.168.1.1

  • Verified PC was connected to the correct LAN port or virtual network

  • Made sure PC had an IP in the same subnet as pfSense

  • Used default login (admin/pfsense) and bypassed browser warnings

• VLAN devices could not communicate or get online

  • Reviewed switch port VLAN assignments

  • Checked pfSense VLAN interface firewall rules

  • Allowed traffic on each VLAN interface

  • Fixed any incorrect switch port tagging

• LAN and WAN used the same subnet ( both 192.168.1.0/24)

  • Noticed routing problems

  • Changed LAN subnet to a different range to avoid overlap

• Installer error: “Cannot connect to installer daemon”

  • Checked VM resources (RAM, CPU, disk)

  • Made sure network adapters were supported

  • Verified ISO file was not corrupted

  • Tried a different network adapter or hypervisor if problem persisted

• Network interfaces missing or not detected after reboot

  • Checked interface assignments at the pfSense console

  • Installed updated network drivers if needed

  • Reassigned interfaces when prompted

• Devices could not route between subnets or reach the internet

  • Checked for a default route in pfSense

  • Used ping and traceroute to find where packets stopped

  • Made sure NAT and IP forwarding were active

• Clients could not resolve domain names

  • Checked DNS Resolver or Forwarder settings in pfSense

  • Verified DHCP was giving out the correct DNS server (pfSense LAN IP)

  • Enabled DNS Resolver if it was off

1. Hardware/VM Specifications
    . Server:
      . OS: Windows Server 2022
    . CPU: 2 vCPUs
    . RAM: 4 GB
    . Disk: 40 GB (dynamically allocated)
    . Network: Static IP 192.168.1.10/24, Gateway 192.168.1.1 (pfSense LAN IP)
Clients:
    . OS: Windows 10/11
    . CPU: 1–2 vCPUs
    . RAM: 2–4 GB
    . Disk: 30 GB
2. Install Windows Server 2022
    . Created VM in VirtualBox/VMware.
    . Booted from Windows Server 2022 ISO. 
    . Installed OS with default settings.
3. Assign Static IP
    . Opened Server Manager > Local Server > Ethernet.
    Set:
    . IPv4: 192.168.1.10
  . Subnet mask: 255.255.255.0)
  .Gateway: 192.168.1.1 (pfSense)
     . DNS: 192.168.1.10 (self)
4. Install Active Directory

• In Server Manager, clicked Add Roles and Features.
  . Selected Active Directory Domain Services.
  . Promoted server to Domain Controller.
  . Created new forest: Domain name: maxlab.local
  .Set DSRM password.
  . Rebooted server.

5. Create OUs
  . Opened Active Directory Users and Computers.
  . Right-clicked maxlab.local > New > Organizational Unit.
  . Created Users
  . Workstations
  . Servers
6. Create Users and Groups
  . In Users OU:
  . Created users maxwel.ngwa, maxwel.nfonemo
  . Password: Enforced complexity, changed at next login.
  . Created groups:
  . IT_Admins (added to Domain Admins)
  . HR_Users
  . Standard_Users
7. Configure DNS in pfSense
  . In pfSense:
  . Enabled DNS Resolver (Services > DNS Resolver).
  . Added upstream DNS servers (1.1.1.1, 8.8.8.8).
  . Verified DNS records (A, SRV) populated.
8. Join Clients to Domain
  . On Windows 10/11:
  . Set DNS to 192.168.1.10
 Went to Settings > System > About > Rename this PC.
  . Joined domain maxlab.local.
  . Rebooted and logged in with maxlab\maxwel.ngwa.
9. Configure Group Policies
  . Opened Group Policy Management.
  . Edited Default Domain Policy:
  . Password Policy:
 . Minimum length: 12 characters
  . Complexity: Enabled
  . Lockout: 5 attempts
  . Account Lockout: 30 minutes
  . Created GPO Restrict RDP:
  . Allowed only IT_Admins group to RDP.
10. Verify Functionality
    . DNS Check:
    . Ran nslookup maxlab.local on client → resolved to 192.168.1.10.
    .GPO Check:
    . Ran gpupdate /force on client.
    . Confirmed password policy enforced.
Login Test:
    . Logged in as maxwel.ngwa→ forced password change.

11. Security Hardening
    . Disabled built-in Administrator account.
    . Created new admin account maxadmin in IT_Admins.

• Enabled Windows Firewall with rules for AD traffic (ports 53, 88, 389, 445). 

• DNS Not Resolving:

  • Checked pfSense DNS Resolver logs.

  • Confirmed client DNS settings pointed to 192.168.1.10.

• GPO Not Applying:

  • Ran gpresult /r on client to check policy application.

  • Verified GPO linked to correct OU.
    
    

VLAN Network Documentation
Overview:
This topology deploys a hierarchical switched network using a core and access layer design.
Four VLANs are configured to segment traffic by department and function, including dedicated voice support.
VLAN Structure

VLAN ID   Name    Purpose    Subnet

10             Office    User PCs   192.168.10.0/24

20             HR        HR PCs      192.168.20.0/27

30             IT          IT PCs        192.168.30.0/26

40             Voice    IP Phones   To user ports

 
Configuration Steps
. VLAN Creation:
Define VLANs on all switches with descriptive names.
. Port Assignment:
Assign access ports to the correct VLAN based on department.
int range fa0/1-15 for Office (VLAN 10)
int range fa0/16-24 for HR (VLAN 20)
. Voice VLAN:
Configure voice VLAN (VLAN 40) as auxiliary on user ports for IP phones.
. Trunk Links:
Set trunk mode on uplinks between core and access switches, allowing all VLANs.
. Static IPs:
Assign static IP addresses to all devices, as no DHCP server is present.
Best Practice
Use clear VLAN naming and consistent port mapping.
Limit trunk VLANs to only those required.
Disable unused ports and assign them to an unused VLAN.
Enable port security on access ports.
Document all port assignments and IP allocations.
Troubleshooting Steps
. Connectivity:
Verify cable connections and link status LEDs.
. VLAN Membership:
Use show vlan brief to confirm correct port-to-VLAN mapping.
. Trunking:
Check trunk status with show interfaces trunk.
. IP Configuration:
Confirm device IP addresses and subnet masks are correct.
. Voice:
Ensure phones are detected and registered on the voice VLAN.
This design ensures logical separation, enhanced security, and streamlined management for a small enterprise network