Networking

pfSense Virtual Machine as a Network Firewall

Discover the benefits of using pfSense as a virtual machine network firewall. Get enterprise-level features for free.

Highlights

  • Running a pfSense virtual machine installation as opposed to a physical appliance is a great way to take advantage of existing virtual hosts that you may have and save on the need for dedicated hardware and power draw associated with having a dedicated firewall appliance.
  • Running a pfSense router or firewall is a great way to have a really powerful firewall solution in front of your self-hosted services to protect these from malicious traffic.
  • We will set up a pfSense virtual machine using a dedicated server, such as an ESXi host or a Proxmox host.

The pfSense network firewall solution is a great free and open-source firewall that many run in their home labs or even SMB environments. PfSense has many enterprise features, and the community edition is free to download and install. Running a pfSense virtual machine installation as opposed to a physical appliance is a great way to take advantage of existing virtual hosts that you may have and save on the need for dedicated hardware and power draw associated with having a dedicated firewall appliance.

We will set up a pfSense virtual machine using a dedicated server, such as an ESXi host or a Proxmox host. This guide will cover all the necessary steps.

What is pfSense?

pfSense is a free, open-source firewall and router that is based on FreeBSD. It has enterprise-level features found in paid solutions. Running a pfSense router or firewall is a great way to have a really powerful firewall solution in front of your self-hosted services to protect these from malicious traffic.

A pfSense setup is largely used for small networks but can also be used in large enterprise networks. You can install it on bare metal, a physical machine, or a virtual machine.

Why Run pfSense as a Virtual Machine?

Running pfSense as a virtual machine lends itself to a few advantages. It allows you to:

  • Use existing hardware
  • Simplify backups and restores
  • Integrate with other virtual machines on the same host
  • Set up network labs to try out things and learn pfSense better
  • Easily add or spin up additional networks with a virtual switch and VLANs as needed

This type of setup is great for lab environments, small businesses, or even home networks. It keeps you from having to invest in dedicated hardware for a bare metal install and not have the power draw of another piece of hardware.

Use Cases

  1. Home Lab EnvironmentsRunning pfSense in a home lab environment allows you to experiment and learn. You can test real-world scenarios and configurations without impacting a production network.
  2. Small Business NetworksSMBs can benefit from pfSense without the need for expensive hardware. Many already have a virtual infrastructure estate. Running pfSense as a VM makes a lot of sense from a cost perspective.
  3. Enterprise DeploymentsIn larger enterprises, pfSense can be deployed as a VM to manage and secure segmented network zones or development environments.

Prerequisites

Before installing pfSense, you need the following:

  • A hypervisor (ESXi, Proxmox, or another platform)
  • The pfSense ISO image (free to download)
  • Extra CPU, memory, and disk resources
  • At least two network interfaces (NICs) – this is for the WAN interface and the LAN interface

Step-by-Step Guide to Setting Up pfSense VM

First let’s look at creating a new VM for running pfSense.

Create a New VM

Start by creating a new VM on your hypervisor. I will first show how to do this in VMware ESXi.

You can name it anything you want and allocate CPU, memory, and disk space. These can be minimal, especially for a test or lab environment. Ensure you have at least two network interfaces configured for this VM.

You need a WAN and LAN interfaces. If you are actually connecting the VM as your Internet router, the WAN interface virtual NIC must be in the same VLAN as your cable modem, etc.

Properties of the virtual machine in vmware esxi
Properties of the virtual machine in vmware esxi

In the above configuration, you can see the two virtual network adapters. I have each connected to a different virtual switch. One of the cool things you can do is just configure this as a learning environment. Connect your WAN interface to your normal home lab VLAN that will grab a normal internal address.

Then, in the above, the DPG-Clusters VLAN is a separate isolated port group. Using this vSphere port group, I can connect a Windows virtual machine and test the configuration like the pfSense VM is the actual Internet router.

For a Proxmox installation, you will want to make sure you have your networking set up ahead of time. You will need an interface to serve as a WAN and LAN interface, so you will need Proxmox networks for each of these.

Creating a new pfsense virtual machine in proxmox
Creating a new pfsense virtual machine in proxmox

Install pfSense

Attach the pfSense ISO image to the VM and boot from it. The installation process will begin. Follow the on-screen instructions to install pfSense.

Booting from the pfsense iso
Booting from the pfsense iso

Accept the EULA during the installation of pfSense.

Accept the eula to begin the pfsense virtual machine installation
Accept the eula to begin the pfsense virtual machine installation

Start the Install of pfSense.

Begin the pfsense installation
Begin the pfsense installation

Being the setup of the network to continue the installation.

Setting up the pfsense network
Setting up the pfsense network

Select the WAN interface.

Select your pfsense wan interface
Select your pfsense wan interface

You can configure the mode of operation for the WAN interface. Select the Interface IP mode and VLAN settings. Once you have selected that configuration,

Configuring the interface mode for the pfsense wan interface
Configuring the interface mode for the pfsense wan interface

Select the LAN interface for use with pfSense. Here we are selecting the other vmnic from the VMware virtual machine.

Select the lan interface
Select the lan interface

Here I am setting up the LAN interface, accepting the defaults for the STATIC configuration which it sets for the configuration. Proceed with the installation.

Proceed with the ip address configured for the lan interface in pfsense
Proceed with the ip address configured for the lan interface in pfsense

Next, continue the installation.

Confirm the interface assignment and proceed with the installation
Confirm the interface assignment and proceed with the installation

The installer will verify whether or not you have an active pfSense Plus subscription. If one is not detected (based on the NDI identifier on the pfSense VM), you can proceed to Install CE.

Install pfsense community edition
Install pfsense community edition

Proceed with the installation.

Proceed with the installation selecting zfs as default
Proceed with the installation selecting zfs as default

Continue with the ZFS configuration. Since I have a single disk, I am just choosing Stripe No Redundancy.

Select the zfs configuration for pfsense
Select the zfs configuration for pfsense

Next, Select the disks for software installation.

Select the disk for the pfsense installation
Select the disk for the pfsense installation

Destroy the contents of the current disk.

Confirming destroying the disk contents
Confirming destroying the disk contents

Select the version of pfSense CE to install.

Select the pfsense ce version to install
Select the pfsense ce version to install

Number of packages to install displayed to continue with the installation.

The pfsense installation begins
The pfsense installation begins

After the installation, you will see the installation setup is succeeded.

The pfsense installation finishes
The pfsense installation finishes

Reboot the pfSense installation.

Reboot the pfsense installation after it finishes
Reboot the pfsense installation after it finishes

Configure Network Interfaces

After the initial installation is completed successfully you will be asked to earmark the WAN interface and the LAN interface. This is a bit redundant, I know, but the console/text setup will have you confirm this as well.

Enter the wan interface for pfsense after the reboot
Enter the wan interface for pfsense after the reboot

Here I have selected the interfaces.

Setting the interface configuration
Setting the interface configuration

Changing IP address on WAN

If you want to change the IP address on either interface, you can select option 2 Set interfaces IP address.

The console menu for pfsense
The console menu for pfsense

Enter the IP address information for the selected interface. Here I am changing the WAN IP which is used for Internet access.

Changing the ip address on the wan interface
Changing the ip address on the wan interface

After changing the IP addresses.

Back to the pfsense console menu viewing the ip address configuration
Back to the pfsense console menu viewing the ip address configuration

Configuring a management workstation

To access the pfSense LAN interface, we need to get a machine on the LAN side of the pfSense virtual machine, connected to the same virtual switch.

Windows vm has already grabbed a lan address from pfsense dhcp
Windows vm has already grabbed a lan address from pfsense dhcp

Connecting to the pfSense Web Interface

After the initial setup, you can connect to the pfSense admin interface on the LAN side of things. The default username and password is admin and the password is pfsense.

Logging into the pfsense web interface with the default credentials
Logging into the pfsense web interface with the default credentials

Beginning the configuration with the general settings for your pfSense VM, including DNS.

Configuring the hostname domain and dns settings
Configuring the hostname domain and dns settings

Time server configuration pointing the pfSense VM to a specific time server.

Setting the time server configuration
Setting the time server configuration

Configure the WAN interface. Here (you are probably worn out by the interface configuration), you don’t have to select anything. It will pull your existing configuration.

Configure the wan address information
Configure the wan address information

Next, Configure the LAN interface and make changes if needed.

Configure the lan interface address
Configure the lan interface address

Set the admin password on the webGUI.

Configure the webgui admin password
Configure the webgui admin password

Reload the configuration. Step 8 is missing in a screenshot after this pic since the reload process itself is step number 8.

Reload the configuration of pfsense
Reload the configuration of pfsense

After reloading/rebooting your pfSense router, you will see the following screen. This means it is ready to go. You can choose to run updates if you want as well.

Reload is completed and pfsense is fully configured
Reload is completed and pfsense is fully configured

Advanced Configuration and Optimization

Below are a few advanced configuration notes of settings you may decide to configure in your pfSense installation.

  1. Setting Up VLANsWith VLANs, you can segment your network. pfSense allows you to separate different types of traffic with VLANs. To configure these, navigate to the “Interfaces” menu and create VLANs as needed.
  2. Creating Virtual SwitchesVirtual switches in your hypervisor allow communication between VMs and pfSense. Configure virtual switches to map physical NICs to virtual NICs. Keep in mind you will need to configure the VLANs on the virtual switch tagging as well so VLAN traffic can flow as expected.
  3. Optimizing Network PerformanceTo achieve the best performance, make sure you have enough resources for the pfSense VM. Monitor CPU and memory usage and adjust if performance is not good.

Security specific configuration

  1. Enable Firewall RulesDefine rules to allow or block traffic based on source and destination IP addresses, ports, and protocols.
  2. Set Up a VPNConfigure VPN settings to secure remote access to your network.
  3. Monitoring & logsMonitor pfSense logs. Set up alerts for suspicious activities and regularly review logs to identify and mitigate potential threats.

Troubleshooting and Maintenance

Note the following troubleshooting tips and tricks

  1. Common problems
    • Network Connectivity issues: If you can’t connect to the LAN interface, make sure you have your pfSense virtual machine assigned to the correct virtual switch.
    • Performance problems: If you run into performance problems, monitor the metrics of your pfSense virtual machine and adjust resources as needed
  2. Maintenance
    • Update pfSense: Keep your pfSense installation up to date with the latest security patches and features.
    • Backups: Regularly back up your pfSense configuration to avoid data loss in case of failures. The great thing about running pfSense as a VM, you can use your current virtual backup solutions for backing up your pfSense VM and VM disk.

Video showing pfSense in Proxmox

Wrapping up

The pfSense open source firewall is a great solution for home lab, SMB environments, and even enterprise use cases. It has many great features that are found only in other paid solutions. If you can think of a way to tweak the network, pfSense probably has a way you can do it in the settings and configuration.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.