How to Set Up SSH Access to pfSense: Complete Guide

Setting up SSH access to your pfSense firewall/router gives you powerful command-line capabilities for troubleshooting, monitoring, and advanced configuration. This guide covers everything you need to know to set up secure SSH access to pfSense.

Why Use SSH with pfSense?

SSH access to pfSense enables you to:

  • Troubleshoot network issues with direct access to system logs and commands
  • Check DHCP leases and network configurations
  • Monitor system resources in real-time
  • Perform advanced diagnostics not available in the web interface
  • Automate tasks with scripts and remote commands
  • Recover from lockouts if the web interface becomes inaccessible

Prerequisites

  • Access to pfSense web interface (admin credentials)
  • A computer with SSH client installed (built into Windows 10+, macOS, and Linux)
  • Basic understanding of command-line interfaces

Method 1: Password Authentication (Quick Setup)

Password authentication is the fastest way to enable SSH access, ideal for occasional use or initial setup.

Step 1: Enable SSH in pfSense

  1. Log into pfSense web interface
    • Navigate to your pfSense IP address (commonly 192.168.1.1 or similar)
    • Enter your admin credentials
  2. Enable SSH service
    • Go to: System → Advanced → Admin Access
    • Scroll down to the “Secure Shell (SSH)” section
    • Check the box: “Enable Secure Shell”
    • Ensure “SSH password login” is enabled (for password authentication)
    • Click “Save” at the bottom of the page
  3. Verify SSH is running
    • SSH should start automatically after saving
    • You can verify by checking Status → Services and looking for sshd

Step 2: Connect via SSH

From your computer’s terminal/command prompt, connect using:

ssh admin@192.168.1.1

Replace:

  • admin with your pfSense username (default is admin)
  • 192.168.1.1 with your pfSense IP address

Example:

ssh admin@192.168.2.1

Enter your admin password when prompted.

To simplify future connections, add pfSense to your SSH config file:

On Windows (Git Bash) / macOS / Linux:

  1. Open or create your SSH config file:

nano ~/.ssh/config
# or
code ~/.ssh/config

  2. Add the following entry:

Host pfsense
  HostName 192.168.2.1
  User admin
  # accept-new records the key on first connect and refuses a changed key later
  StrictHostKeyChecking accept-new

  3. Save and exit

Now you can connect simply with:

ssh pfsense

Method 2: SSH Key Authentication

SSH key authentication is more secure and convenient for regular use: no password is needed after initial setup.

Step 1: Generate SSH Key Pair

On Windows (Git Bash) / macOS / Linux:

  1. Generate a new SSH key:

ssh-keygen -t ed25519 -C "pfsense-access"

  2. When prompted:
    • Press Enter to accept default location (~/.ssh/id_ed25519)
    • Enter a passphrase (optional but recommended) or press Enter twice for no passphrase
  3. This creates two files:
    • Private key: ~/.ssh/id_ed25519 (keep this secret!)
    • Public key: ~/.ssh/id_ed25519.pub (this goes to pfSense)

Step 2: Copy Your Public Key

Display your public key:

cat ~/.ssh/id_ed25519.pub

Copy the entire output—it will look like:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILlwTLJTrH5EV7cRTvJ0fLWvspKU+AhEKknVlMUfc2JB pfsense-access

Step 3: Add Key to pfSense

  1. Log into pfSense web interface
  2. Navigate to User Manager:
    • Go to: System → User Manager
    • Click on your admin user (or the user you want to enable SSH for)
  3. Add SSH Key:
    • Scroll down to “Authorized SSH Keys”
    • Paste your public key into the text area
    • Click “Save”
  4. Enable SSH (if not already enabled):
    • Go to: System → Advanced → Admin Access
    • Check “Enable Secure Shell”
    • Optionally, uncheck “SSH password login” for key-only access (more secure)
    • Click “Save”

Step 4: Update SSH Config

Update your ~/.ssh/config file:

Host pfsense
  HostName 192.168.2.1
  User admin
  IdentityFile ~/.ssh/id_ed25519
  # accept-new records the key on first connect and refuses a changed key later
  StrictHostKeyChecking accept-new

Step 5: Connect

Now connect without entering a password:

ssh pfsense

If you set a passphrase on your key, you’ll be prompted for that instead.
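
An added example, not part of the original guide: instead of trusting whatever host key the first connection presents, this script writes the firewall's key to known_hosts only when its fingerprint matches one read over a trusted channel. It assumes the expected fingerprint was read at the pfSense console (for instance with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`, a path assumed here); the function names are illustrative.

```shell
#!/bin/sh
# Added example: pin the pfSense host key only after checking its fingerprint.
# Host address, file paths and function names are assumptions.

# fingerprint_of LINE: print the SHA256 fingerprint of a known_hosts-style line
fingerprint_of() {
  printf '%s\n' "$1" | ssh-keygen -lf - 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# check_and_pin LINE EXPECTED_FP KNOWN_HOSTS
# Appends LINE to KNOWN_HOSTS only when its fingerprint equals EXPECTED_FP.
check_and_pin() {
  line=$1 expected=$2 known_hosts=$3
  actual=$(fingerprint_of "$line")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "host key mismatch: got '${actual:-none}', expected '$expected'" >&2
    return 1
  fi
  # Do not add a duplicate entry when the script is run twice.
  grep -qxF -- "$line" "$known_hosts" 2>/dev/null ||
    printf '%s\n' "$line" >> "$known_hosts"
}

# pin_pfsense HOST EXPECTED_FP [KNOWN_HOSTS]
# Fetches the ed25519 host key from HOST and pins it if the fingerprint matches.
pin_pfsense() {
  host=$1 expected=$2 known_hosts=${3:-$HOME/.ssh/known_hosts}
  line=$(ssh-keyscan -t ed25519 "$host" 2>/dev/null | head -n 1)
  [ -n "$line" ] || { echo "no ed25519 host key returned by $host" >&2; return 2; }
  check_and_pin "$line" "$expected" "$known_hosts"
}

# Usage (the fingerprint is a placeholder, not a real value):
#   pin_pfsense 192.168.2.1 'SHA256:<fingerprint-read-at-the-console>'
```

Once the key is pinned this way, setting `StrictHostKeyChecking yes` for the `pfsense` host makes ssh refuse any key other than the pinned one.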

Useful SSH Commands for pfSense

Once connected, here are some useful commands:

View DHCP Leases

cat /var/dhcpd/var/db/dhcpd.leases

Check Network Interfaces

ifconfig

View ARP Table

arp -a

Check System Logs

tail -f /var/log/system.log

View Running Processes

ps aux

Check Disk Usage

df -h

Exit SSH Session

exit
# or press Ctrl+D

Security Best Practices

1. Use SSH Keys Instead of Passwords

  • More secure than password authentication
  • Protects against brute-force attacks
  • Convenient—no password entry needed

2. Disable Password Authentication

  • Once SSH keys are working, disable password login
  • In pfSense: System → Advanced → Admin Access
  • Uncheck “SSH password login”

3. Use Strong Passphrases

  • If you use a passphrase on your SSH key, make it strong
  • Consider using a password manager

4. Limit SSH Access by Source

  • Use pfSense firewall rules to restrict SSH access
  • Only allow SSH from trusted IP addresses
  • Go to: Firewall → Rules → [Your Interface]
  • Create a rule allowing SSH (port 22) only from your trusted networks

5. Change Default SSH Port (Optional)

  • Reduces exposure to automated attacks
  • Edit SSH configuration in pfSense advanced settings
  • Update your SSH config file accordingly

6. Regularly Update pfSense

  • Keep pfSense updated to patch security vulnerabilities
  • Go to: System → Update

Troubleshooting

Connection Refused

  • Check SSH is enabled: System → Advanced → Admin Access → Enable Secure Shell
  • Check firewall rules: Ensure port 22 is not blocked
  • Verify IP address: Make sure you’re using the correct pfSense IP

Permission Denied (Publickey)

  • Verify key is added: Check System → User Manager → Your User → Authorized SSH Keys
  • Check key format: Ensure you copied the public key, not private key
  • Try password auth first: Enable password login temporarily to test connection

Host Key Verification Failed

  • Update known hosts: ssh-keygen -R 192.168.2.1 (replace with your pfSense IP)
  • Or disable check: Add StrictHostKeyChecking no to your SSH config (this turns off host key verification for that host, so a changed key is no longer flagged)

Password Authentication Not Working

  • Check user credentials: Verify username and password in pfSense
  • Check password login enabled: System → Advanced → Admin Access → SSH password login
  • Try web interface: Ensure you can log into web UI with same credentials

Advanced: Using SSH for Automation

With SSH keys set up, you can automate tasks:

Run Remote Commands

ssh pfsense "cat /var/dhcpd/var/db/dhcpd.leases | grep esphome"

Create Helper Scripts

#!/bin/bash
# check_dhcp_leases.sh
# Filter locally so the search term ($1) is never parsed by the firewall's shell
ssh pfsense "cat /var/dhcpd/var/db/dhcpd.leases" | grep -- "$1"

Use SSH in Scripts

# Example: Monitor DHCP leases
while true; do
  ssh pfsense "cat /var/dhcpd/var/db/dhcpd.leases | wc -l"
  sleep 60
done
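
An added example, not from the original guide: grepping dhcpd.leases returns only the matching line, while the address, MAC and lease state sit on other lines of the same block. This parser reads whole blocks of the ISC dhcpd lease format and reports active leases only; the function names and the sample data are constructed for illustration.

```shell
# Added example: read whole lease blocks from an ISC dhcpd.leases file.
# active_leases [PATTERN] < dhcpd.leases   (PATTERN is an awk regex, default: any)
# Prints "ip mac hostname" for leases whose most recent block is active.
active_leases() {
  awk -v pat="${1:-.}" '
    $1 == "lease" && $3 == "{" { ip = $2; mac = "-"; name = "-"; state = ""; next }
    $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state); next }
    $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac); next }
    $1 == "client-hostname" { name = $2; gsub(/[";]/, "", name); next }
    $1 == "}" && ip != "" {
      # dhcpd appends a new block whenever a lease changes, so the last one wins
      if (!(ip in seen)) order[++n] = ip
      seen[ip] = 1; st[ip] = state; host[ip] = name
      rec[ip] = ip " " mac " " name; ip = ""
    }
    END {
      for (i = 1; i <= n; i++)
        if (st[order[i]] == "active" && host[order[i]] ~ pat) print rec[order[i]]
    }'
}

# Constructed sample data: .52 was active, then released (latest block is free).
sample_leases() {
  cat <<'EOF'
lease 192.168.2.50 {
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "esphome-kitchen";
}
lease 192.168.2.51 {
  binding state active;
  hardware ethernet aa:bb:cc:00:00:02;
  client-hostname "laptop";
}
lease 192.168.2.52 {
  binding state active;
  hardware ethernet aa:bb:cc:00:00:03;
  client-hostname "esphome-garage";
}
lease 192.168.2.52 {
  binding state free;
  hardware ethernet aa:bb:cc:00:00:03;
}
EOF
}

# On a real system: ssh pfsense "cat /var/dhcpd/var/db/dhcpd.leases" | active_leases esphome
sample_leases | active_leases esphome
```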

Conclusion

SSH access to pfSense provides powerful capabilities for network management and troubleshooting. Whether you use password authentication for occasional access or SSH keys for regular use, following this guide will get you set up securely and efficiently.

Remember to:

  • ✅ Enable SSH in pfSense web interface
  • ✅ Prefer SSH keys over passwords for security
  • ✅ Configure firewall rules to limit SSH access
  • ✅ Keep pfSense updated

With SSH access configured, you’ll have command-line access to your firewall whenever you need it, making network management and troubleshooting significantly easier.


Author’s Note: This guide assumes pfSense 2.7.x. Interface locations may vary slightly in different versions. Always ensure you have proper backups before making configuration changes.

