pfSense install on Ubuntu

I’m looking forward to installing pfSense on my soon-to-arrive pico PC device, a little fanless unit with four gigabit interfaces. It’s been a long time since I had a proper stateless firewall to administer, and I’m hoping that the performance of this miniature monster will keep up in these COVID-19 ridden times. I notice that my internet usage has doubled in March and April and I’ve frequently had to reboot my existing, aging Asus RT-N66U which runs dd-wrt.

But I thought I’d write about my experience of getting a pfSense USB installer created. It was harder than I expected and the instructions that pfSense provide didn’t actually work for me.

What you’re meant to do is:

1. Figure out what the device descriptor is for your USB stick.

2. Use a dd command to clear the disk.

3. Download the img file and use another dd command to write the file to disk.

It all seems to work. But when I try to boot from the resulting USB key, I either got a black screen, or simply “missing operating system”.

So here’s what I ended up doing to get it working.

1. Download pfSense community edition from here: https://www.pfsense.org/download. These settings worked for me, but your “Architecture” will of course depend on the device you intend to install it on.

2. Check the SHA checksum. This is going to be your firewall, so if there’s a single download that you should check the authenticity of, it’s this one!

Personally, I use gtkhash for all my hash-checking needs. Install it with:

sudo apt install gtkhash

Copy the SHA256 checksum from the bottom of the installer page (you can see it in the screenshot above). Then run gtkhash from your menu. Drag your downloaded pfSense installer to the gtkhash window, and then paste in your SHA256 checksum into the “Check” field and hit the “Hash” button. Make sure you see the tick!

Easy. Peace of mind.

Go ahead and extract the img file from that download. I usually just browse to my Downloads folder, right click on the gz file and choose “Extract Here”.

3. Get a suitable USB key. Plug it in. We need to determine what it’s drive designation is.

And we need to make sure that we’re ABSOLUTELY SURE what that drive designation is. Because if we issue erase commands to the wrong place, we’ll be filled with regret, possibly tinged with a hint of burning rage. So tread carefully here.

Now there are commands that you can use to check your filesystems, but again, I prefer a GUI and there’s one built into Ubuntu/Mint called “System Monitor”. Go ahead and start that, then click on the “File Systems” tab at the top.

Make sure that you have “Device” ticked when you right-click on the column headers. That gives you the “Device” column and from that we can see that my primary operating system is on /dev/sda (over two partitions) and since I’ve already installed pfSense for this article, you can see that my USB key is /dev/sdb.

4. Now install gparted so that we can erase /dev/sdb

Run this command:

sudo apt install gparted

And run it from your menu. You’ll need to provide your password to start it up. Once it’s started, click on the device picker at the top-right and choose your USB key’s device which we identified from System Monitor.

5. We’re going to erase this disk, so be COMPLETELY certain that a) it’s the right disk you’ve chosen in gparted and b) there’s nothing on that USB stick that you don’t mind losing forever.

Once you’re confident that gparted is showing you the USB key, click on the “Device” menu and choose “Create Partition Table…”.

You’ll get this scary reminder that you’ll lose all the data on your key:

Go ahead and apply. While we’re in gparted, we’re also going to mark the key as “bootable”. On the resultant entry, right click and choose “Manage flags”, then tick the “boot” option. I’m not actually sure if this is necessary, but it takes all of a second to apply and I did it, so I’m noting it here.

Go ahead and close gparted. It’s time to write the image.

6. Use the terminal command to write the image.

The first time I tried this, I used the device’s full designation ie. I used /dev/sdb1. Turns out, while that writes the image file to that partition, that’s not what we want here. The image file has three partitions on it, and so we need to write the image file to the device and not the partition. So the final command is simply:

sudo dd if=~/Downloads/pfSense-CE-memstick-2.4.5-RELEASE-amd64.img of=/dev/sdb bs=4M

That command will take anywhere between one and five minutes depending on the speed of your USB key.

When it’s finished, you can test if the operation worked by unplugging the key, then plugging it back in again. You’ll get an error popping up about not being able to mount the FreeBSD_Install partition, but you should also see a PFSENSE partition, on which you can find two text files.

Congratulations! You can eject your USB and remove it, then use it to install pfSense on whatever device you think might be your next firewall!