This tutorial will cover how to install the pfSense firewall as a virtual machine. Is it safe to virtualize a firewall? I will leave it up to you to do your own research; there are numerous online discussions which go over this topic. These are just two which I have stumbled upon, from serverfault and Security Week. Personally I am more in the camp of folks who agree it is safe to virtualize a firewall. You can read about pfSense here.
How to virtualize pfSense firewall including using VirtIO drivers
The requirements of this tutorial are the following:
- A functioning Proxmox Hypervisor with version 3.3-5/bfebec03 or newer.
- You have already created the necessary network bridges. I have gone over this in my other tutorial on how to virtualize IPCop on Proxmox.
- Administrative rights on the Proxmox server.
- (Might be optional) I have a Proxmox Community subscription plan; for pricing you can check it here. The subscription plan provides access to the Enterprise repository. The cost is very reasonable when compared to other commercial virtualization platforms. I paid 99.80 euros, which at the time of conversion was $115.41 per year.
- Comfortable using Linux.
- Some knowledge of using vi.
- You should have two physical network cards on the Proxmox host, three if you want to create a DMZ.
Creating a Linux Bridge
This is the part I miss from the VMware ESX control panel: assigning virtual switches and NIC cards. The Proxmox web interface can create Linux bridges and OVS switches for virtual machines to use, but the configuration I am going to use can't be done through the Proxmox web interface. This has to be done through the command line.
I prefer to use vi when editing files so I had to install this.
apt-get install vim
Connect to Proxmox host using SSH.
ssh -l root proxmox-server-ip
What the following bridge settings mean.
bridge_stp off # disable Spanning Tree Protocol
bridge_fd 0 # no forwarding delay
bridge_ports eth0 # which nic card to attach
Move to the network directory, /etc/network.
Edit the interfaces file, /etc/network/interfaces.
Copy and paste the stanza below after any configuration already in there. On my Proxmox host physical server I have 5 physical network cards installed. I therefore created 4 network bridges.
Below is the process of creating one network bridge. Each time you add another network bridge, rename it vmbr1, vmbr2, vmbr3, etc., and point bridge_ports at the matching physical NIC.
## this is for pfSense WAN nic
auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0
Save and exit.
Each time a network bridge is created a reboot is needed to apply the new settings, so it is better to add all of the bridge configuration at one time.
Below is what my network bridge configuration file looks like. Yours may look different depending on how many bridges you have.
I purposely left network bridge vmbr0 out of the bridges assigned to virtual machines. This is considered a best practice: keep the management network separate from guest traffic. vmbr0 is the network I use solely when I connect to the Proxmox web GUI, and Proxmox scheduled backups also go through this network.
After Proxmox reboots your network settings should look similar to mine. The IP address for vmbr0 and the gateway settings have been blanked out for security reasons. The vmbr1 settings for Port/Slaves, IP address, Subnet mask and Gateway are intentionally left blank. Because the host itself has no address on that bridge, any network traffic arriving on vmbr1/eth1 can only reach the pfSense WAN virtual NIC.
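For reference, here is a complete /etc/network/interfaces laid out the way the text above describes. This is an added illustration, not the author's actual file: vmbr0 carries the management address and is never handed to a VM, while vmbr1 to vmbr4 are address-less bridges, each bound to one physical NIC. The management address 172.16.1.10 is the one used for the web GUI later in this tutorial; the gateway 172.16.1.1 and the eth0 to eth4 interface names are assumptions for the example.

```text
# Loopback
auto lo
iface lo inet loopback

# Management bridge: Proxmox web GUI, SSH and scheduled backups only.
# Not assigned to any virtual machine. (address/gateway are example values)
auto vmbr0
iface vmbr0 inet static
        address 172.16.1.10
        netmask 255.255.255.0
        gateway 172.16.1.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

## this is for pfSense WAN nic
# No host IP: traffic on eth1 can only reach the pfSense WAN virtual NIC.
auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

## spare bridge for other virtual machines
auto vmbr2
iface vmbr2 inet manual
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0

## this is for pfSense LAN nic
auto vmbr3
iface vmbr3 inet manual
        bridge_ports eth3
        bridge_stp off
        bridge_fd 0

## this is for pfSense DMZ nic
auto vmbr4
iface vmbr4 inet manual
        bridge_ports eth4
        bridge_stp off
        bridge_fd 0
```

The point of "inet manual" with no address on vmbr1, vmbr3 and vmbr4 is that the Proxmox host is not reachable on the WAN, LAN or DMZ segments at all; only pfSense sees those networks, and the host stays reachable solely through vmbr0.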
When you have met all of the requirements let us begin.
From the pfSense website download the 64bit installer.
Check to make sure the pfSense ISO has not been altered. On my Mac I open a terminal and use md5 to check the checksum against the md5 checksum posted on the pfSense website. Where the project also publishes a SHA-256 checksum, compare that one instead: MD5 is no longer collision resistant. Either way a checksum only proves that your download matches what the site published, so take the published value from the pfSense site over HTTPS rather than from whichever mirror served the ISO.
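As an added example (not part of the original tutorial), a small POSIX shell helper that does this check in a way that fails closed: it computes the SHA-256 with whichever tool the workstation has (sha256sum on Linux, shasum on macOS), normalises the published value before comparing, and extracts the hash from a checksum file in either the BSD "SHA256 (name) = hash" layout or the GNU "hash  name" layout. The file names in the usage comment are placeholders, not real pfSense release names.

```sh
#!/bin/sh
# Added example, not code from the original tutorial: verify a downloaded ISO against
# the checksum published alongside it. Works with sha256sum (Linux) or shasum (macOS).

# Print the SHA-256 of a file as lower-case hex, using whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Extract the hash from a published checksum file in either the BSD format
# ("SHA256 (name) = hash") or the GNU format ("hash  name").
hash_from_checksum_file() {
    awk '/^SHA256 \(/ { print $NF; exit } length($1) == 64 { print $1; exit }' "$1"
}

# verify_download FILE EXPECTED_HASH
# Returns 0 only on an exact match; 1 on mismatch; 2 if the file cannot be read.
verify_download() {
    file="$1"
    # Published values are often pasted with stray whitespace or upper-case hex;
    # normalise so a cosmetic difference is not mistaken for tampering.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "verify: cannot read $file" >&2; return 2; }
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "verify: OK   $file"
        return 0
    fi
    # Print both values so a mismatch can be double-checked by eye before the ISO is discarded.
    echo "verify: FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (file names are placeholders):
#   verify_download pfSense.iso.gz "$(hash_from_checksum_file pfSense.iso.gz.sha256)"
```

Run it before uploading the ISO to Proxmox; a non-zero exit status means the image must not be used, whatever the cause.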
Logging in to the Proxmox web GUI
Log in to the Proxmox web GUI; for me this is https://172.16.1.10:8006. The Proxmox hypervisor uses a self-signed certificate, so your browser will warn about it. Before accepting the exception, compare the fingerprint the browser shows with the one on the host (over your SSH session: openssl x509 -in /etc/pve/local/pve-ssl.pem -noout -fingerprint -sha256); accepting an unknown certificate blindly defeats the point of using TLS for the admin interface. I will be using Firefox.
Upload the ISO to the Proxmox Hypervisor
On the left menu click on local the choose content tab then upload. Navigate to where your pfSense ISO is then click upload.
Virtualizing pfSense using KVM (Kernel-based Virtual Machine)
Create a Virtual Machine
After you login click on the menu Create VM which is located on the top right.
Give your VM an ID and name. Click next.
Choose Other OS types since pfSense is built on FreeBSD. Click next.
For the ISO click on the drop down to choose your uploaded pfSense ISO file. Click next.
Choose IDE for Bus/Device for now; we will later replace this with a VirtIO device. I chose raw for my disk format, which according to the Proxmox developers is the more performant option. Click next.
Allocate your CPUs. My Super Micro box has two sockets, hence the settings below. Leave the CPU type at kvm64. Click next.
Allocate memory. It will depend on how much your physical server has to spare and your intended use for your pfSense firewall. Click next.
Add a NIC and assign it to a network bridge. Mine uses vmbr1 with the Intel E1000 model. Click next, then Finish.
Then go back into the Hardware tab and add another NIC using the Intel E1000 model. Click Add.
Be sure to attach the second NIC to a different network bridge. Mine is set up on vmbr3.
Then go back into the Hardware tab and add a third NIC using the Realtek model, attached to yet another bridge; for mine it will be vmbr4. Click Add.
This third NIC will be assigned to our DMZ.
Yours will look similar to my hardware summary here except maybe for the CPU count. If you're curious to know what sort of resources you need for your environment, consult this guide.
Launch the VM
Click on the newly created pfSense VM, then on the top right menu click Start. As soon as it starts, click Console; these two buttons are close to each other. Choose noVNC.
You know you will be successful when you see the image below. Use the settings shown. Enter.
Choose Quick/Easy Install. Enter. OK. Enter.
Click OK to proceed with installation.
Install standard kernel. Enter.
Choose n (No) when asked to set up VLANs. Enter.
Type in em0 for the WAN interface (the last character is the numeral zero). Enter.
For the LAN NIC type em1. Enter.
For the DMZ NIC enter re0.
You will be asked for Optional2; just hit Enter for none.
Confirm network settings. y enter.
This is the part where we load the kernel modules needed for the VirtIO drivers. We will be editing the file /boot/loader.conf.local. Choose option 8 (Shell). Enter.
I will be using vi to edit the configuration file. We put the entries in this file so they become permanent; otherwise they will be gone each time our pfSense virtual firewall reboots.
Add the following entries, one on each line.
When done the file will look like below.
If you want VirtIO memory ballooning, add its entry to the same /boot/loader.conf.local file just below virtio_blk_load="YES" (loader.conf.local is used rather than loader.conf because pfSense regenerates loader.conf on upgrade). The VirtIO memory ballooning documentation explains what it does and why you may want to use it.
Save the file.
Type exit and press Enter to leave the shell and return to the console menu.
Now we shut down our pfSense VM. Choose option 6. Enter. Type y, Enter.
Your VM icon will turn from white to black, indicating the VM has been shut down. Click your pfSense VM in the left menu of the Proxmox web GUI, then go to the Hardware tab. Click CD/DVD and choose Remove. Click Yes.
Now start the VM back up by clicking start from the top right menu. Access the console again.
When the options menu comes up choose option 2. Enter.
You will again be asked if you want to set up VLANs. Choose n. If you want to set up VLANs you can read the pfSense online docs.
You're shown the available interfaces to configure.
Enter the number of the interface you want to configure. I will be adding a static IP for the LAN interface.
Enter the LAN IP. I am putting in IP address 172.16.2.6. Enter.
I am using the subnet mask 255.255.255.0, therefore I will put in 24 for the bit count. Enter.
When asked for an upstream gateway, just press Enter for none (a LAN interface has no gateway). Enter.
For LAN IPv6 press Enter for none. Enter.
Do you want to enable DHCP on the LAN interface? I will enable DHCP for mine. Enter y.
Enter the beginning IP of your DHCP client range. This is what I have. Enter.
Enter the end of the IP range. This is what I have. Enter.
Answer n when asked whether to revert the webConfigurator protocol to HTTP. We want to access our pfSense web GUI over HTTPS.
Now it indicates we will be able to access our pfSense firewall using IP 172.16.2.6 from a web browser. Press Enter to return the console to the menu.
Connecting to pfSense web gui
From another computer we will now connect to our pfSense web GUI using the IP address you gave your LAN NIC.
Type the URL into your browser:
https://172.16.2.6 (replace with your own LAN IP)
The default login is username admin with password pfsense. The wizard will ask you to change it; do not leave the default in place.
The pfSense wizard will assist you in setting up your newly installed pfSense firewall. Click next.
You can sign up for the pfSense Gold Subscription. I will skip this for now. Click next.
Provide your pfSense hostname and domain. Add your DNS name servers or have DHCP provide those for you. I am using Google's name servers. Click next.
Set your timezone. Use the default time server. Click next.
Set your WAN settings here. Yours could be DHCP or PPPoE. I will set mine as a static IP. The static IP address, subnet mask and gateway will be provided to you by your Internet Service Provider. Click next.
After you set your WAN IP as static, go to System > General Setup. In the DNS server settings, if there is an option to choose a gateway for each DNS server, set it to the default gateway provided by your ISP.
Note: I had an issue where I was unable to update my pfSense firewall even though I was able to ping an external host from the pfSense console. I was even able to do an nslookup successfully, but each time I tried to update pfSense an error came back which said it was unable to contact the pfSense update server. After putting in this gateway information for my DNS the update worked.
We have already set our LAN IP through the console so just click next.
Change the admin password for the web gui. Click next.
Congratulations! You have just setup your pfSense router.
Let us check if our pfSense has any updates. From the System menu > Firmware > Auto Update tab.
As I was checking for updates it turned out pfSense version 2.2 had just been released! With a click of a button I was able to upgrade my pfSense 2.1.5 to 2.2 easily. After installation of the upgrade the firewall will automatically reboot.
Click Invoke Auto Upgrade. (Give it time to download; it could take a few minutes.)
Since there are significant changes introduced by 2.2, I did a simple test to make sure my VirtIO-enabled NICs still work, using the ping option (7) from the pfSense console. The test looked good.
From my Linux workstation I am also able to ping an external address. The Linux workstation is using the LAN IP address of the pfSense firewall as its default gateway.
You now have a functioning pfSense firewall, but if you want to use the VirtIO device drivers continue with the instructions below.
Change the block and nic device driver to use VirtIO on pfSense
Why would you want to do this? Here is the answer from the libvirt.org website.
“Virtio is a virtualization standard for network and disk device drivers where just the guest’s device driver “knows” it is running in a virtual environment, and cooperates with the hypervisor. This enables guests to get high performance network and disk operations, and gives most of the performance benefits of paravirtualization.”
From the pfSense console choose option 8 for the shell. Enter.
Open /etc/fstab in vi and change the following two lines:
/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1b none swap rw 0 0
to read as:
/dev/vtbd0s1a / ufs rw 1 1
/dev/vtbd0s1b none swap sw 0 0
Save your changes. If fstab names a device that does not exist on the next boot, FreeBSD stops at the mountroot> prompt, so these lines must match the disk change you are about to make on the Proxmox side.
Then exit out of the shell. Type exit.
Shut down your pfSense server from the console. Choose option 6. Enter.
The configuration we need to change is found on the Proxmox hypervisor. Log back into your Proxmox web GUI, then on the left menu click on your Proxmox host. Mine is called proxmox-supermicro.
Then from the top right menu click Console and choose noVNC.
Then move to the directory where the configuration file we need is located, /etc/pve/qemu-server. This contains the configuration files of all your KVM-based virtual machines, which is what we're using for our pfSense firewall; each file is named after the VM ID. My pfSense virtual machine has the VM ID of 198, so its file is 198.conf.
Before you alter the original file it is wise to make a copy first.
cp 198.conf 198.conf.orig
After making the copy, edit the file. We need to change the line for the hard disk, which currently begins with ide0:,
to begin with virtio0: instead (the last character is the numeral zero, indicating this is the first block device). Leave the rest of the line as it is.
Change the bootdisk entry to virtio0 as well.
Save your changes.
Start up your pfSense virtual machine. Good job! Now you're running your block device using the VirtIO driver. If you look at your hardware summary you will find your hard disk is listed as virtio0.
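The three edits above (loader.conf.local inside pfSense, /etc/fstab inside pfSense, and the VM definition on the Proxmox host) only work when they agree with each other. As an added example, not code from the original tutorial or from pfSense or Proxmox, the POSIX shell functions below make each edit idempotently, keep a .orig backup, and check that guest and host both point at the same VirtIO disk. The default paths match the tutorial (VM ID 198); the module list is the usual FreeBSD VirtIO set and the file contents in the dry run are constructed to match the lines shown above, not copied from a real install. The guest functions would be run in the pfSense shell and the host function on the Proxmox host; the dry run exercises all of them on temporary copies.

```sh
#!/bin/sh
# Added example, not code from the original tutorial: the three edits that must agree
# before pfSense boots from a VirtIO disk. Each function takes an optional path so it can
# be tried on constructed copies before touching the live files.
# Assumptions: VM ID 198 as in the tutorial; standard FreeBSD VirtIO module names.

# pfSense guest: load the VirtIO modules at every boot. loader.conf.local is used
# instead of loader.conf, which pfSense regenerates on upgrade.
add_virtio_loader_entries() {
    loader="${1:-/boot/loader.conf.local}"
    for entry in 'virtio_load="YES"' 'virtio_pci_load="YES"' 'virtio_blk_load="YES"' \
                 'if_vtnet_load="YES"' 'virtio_balloon_load="YES"'; do
        # Idempotent: safe to re-run, only missing entries are appended.
        grep -qxF "$entry" "$loader" 2>/dev/null || printf '%s\n' "$entry" >> "$loader"
    done
}

# pfSense guest: /etc/fstab must name the VirtIO disk (vtbd0) instead of the IDE disk
# (ad0), and the swap line uses the "sw" option. A backup is kept as <file>.orig.
rewrite_fstab_for_virtio() {
    fstab="${1:-/etc/fstab}"
    cp "$fstab" "$fstab.orig"
    sed -e 's#^/dev/ad0#/dev/vtbd0#' \
        -e '/[[:space:]]swap[[:space:]]/ s/[[:space:]]rw[[:space:]]/ sw /' \
        "$fstab.orig" > "$fstab"
}

# Proxmox host: the VM definition must present the same disk as virtio0 and boot from it.
# Only the first IDE disk is renamed; the IDE CD-ROM (ide2) is left untouched.
rewrite_vm_conf_for_virtio() {
    conf="${1:-/etc/pve/qemu-server/198.conf}"
    cp "$conf" "$conf.orig"
    sed -e 's/^ide0:/virtio0:/' \
        -e 's/^bootdisk: ide0$/bootdisk: virtio0/' \
        "$conf.orig" > "$conf"
}

# Guest and host must agree, otherwise FreeBSD stops at the mountroot> prompt on boot.
# Returns 0 when fstab, loader.conf.local and the VM conf are all consistent.
check_virtio_consistent() {
    fstab="$1"; loader="$2"; conf="$3"
    grep -q '^/dev/vtbd0s1a[[:space:]]' "$fstab" &&
    grep -qxF 'virtio_blk_load="YES"' "$loader" &&
    grep -q '^virtio0:' "$conf" &&
    grep -q '^bootdisk: virtio0$' "$conf"
}

# Dry run on constructed copies of the three files (contents made up to match the
# tutorial's lines, not taken from a real install).
demo_on_constructed_copies() {
    tmp=$(mktemp -d) || return 1
    printf '/dev/ad0s1a / ufs rw 1 1\n/dev/ad0s1b none swap rw 0 0\n' > "$tmp/fstab"
    : > "$tmp/loader.conf.local"
    printf 'bootdisk: ide0\nide0: local:198/vm-198-disk-1.raw,size=8G\nide2: none,media=cdrom\n' > "$tmp/198.conf"
    add_virtio_loader_entries "$tmp/loader.conf.local"
    rewrite_fstab_for_virtio "$tmp/fstab"
    rewrite_vm_conf_for_virtio "$tmp/198.conf"
    check_virtio_consistent "$tmp/fstab" "$tmp/loader.conf.local" "$tmp/198.conf"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo_on_constructed_copies && echo "guest and host VirtIO settings agree"
```

The consistency check is the part worth keeping around: running it against copies of the live files (pulled from the guest and the host) before the first VirtIO boot is cheaper than recovering a firewall stuck at mountroot> through the console.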
Set VirtIO nic drivers for pfSense
Shut down your pfSense firewall from the console or web GUI.
Click on your VM ID, then the Hardware tab, then click the NIC whose model you want to change and click Edit. I am going to change all NICs to use VirtIO.
Start pfSense back up. You will once again be asked to configure your network interfaces. Type n when asked to set up VLANs. Pay attention to the naming convention, which has changed for the network cards: they all start with vtnet, with 0, 1, 2 appended for each network card. Before assigning them, compare the MAC addresses the console lists next to each vtnet interface with the MAC of each net device in the Proxmox Hardware tab, so that the WAN assignment really lands on the bridge facing your ISP; the interface numbering follows PCI slot order, not the order in which you added the NICs.
Let's start assigning each one.
Enter vtnet0 for WAN.
Enter vtnet1 for LAN.
Enter vtnet2 for DMZ.
Press Enter for none.
Confirm y to apply the new settings.
From the pfSense console choose option 7. This will test whether our new network card drivers are working. Ping an external host IP.
Enjoy the awesome pfSense open source, enterprise grade firewall for free!