pfSense Firewall on Proxmox
Overview
Introduction
What is pfSense
pfSense is an open-source firewall and router that you can install on your own hardware completely for free. Many consumer routers today have a lot of features, but pfSense has more. If you wish to segregate parts of your network, you can set up VLANs.
Here are some of the features pfSense includes:
- VPN (multiple types)
- VLAN (virtual local area network)
- Dynamic DNS (great for when you don't have a static IP for your network)
- Package manager (to add even more functionality)
The way Netgate (the company behind pfSense) earns its money is by selling hardware and support agreements. These are of course not cheap by home lab standards, but they are aimed at companies which lose money every second the network is down.
The plan
I will be setting up a pfSense router on Proxmox and adding two USB network cards. With this I will be able to have a separated LAN within Proxmox and one physical LAN "port". Configured correctly, this will not come in contact with my home LAN.
Requirements
- Processor: 64-bit AMD64-compatible CPU (no ARM processors such as the Raspberry Pi).
- Memory: 1 gigabyte.
- Storage: 8 gigabytes.
Video guide
Installation media
ISO
The first thing we need is the ISO file so we can add it to Proxmox. Head over to the download page at pfSense.
- Architecture: Here you should choose AMD64 (64-bit). This just means that you will be installing it on a machine with a regular PC processor (AMD or Intel). Netgate ADI is for Netgate hardware.
- Installer: Select DVD Image (ISO) Installer. You can also install it directly with the USB Memstick Installer on a PC. This is a good way to bring life to older hardware.
- Mirror: Just pick the one that is nearest you.
- Download: What you get is a zipped file so you have to download it, extract the ISO then upload it to Proxmox. You will get an error message if you try to use the link to download it directly in Proxmox.
Upload to Proxmox
- Start with navigating to the storage named local in the server view.
- In the menu to the right of server view click ISO Images.
- Click the upload button.
- When Select File is clicked, a file browser will open.
- Navigate to where you have stored your ISO file and select it.
- To start the file transfer, click Upload. Nothing can be done during this, so just lean back and wait.
- After a little while a new box will appear for the process of copying the file from one place to another on Proxmox. Nothing else to do than wait some more.
Creating the VM
Start by clicking the Create VM button in the upper right corner of Proxmox.
- General:
  - Node: Make sure you have selected the correct node if you have multiple.
  - VM ID: No need to change unless you want to.
  - Name: Give your VM a name. This can be changed later with no problem.
  - Start at boot: If you check this option, the VM will start after Proxmox has started.
- OS:
  - Storage: The default location for ISO files is the storage partition named local. You are able to have ISO files on other drives and partitions, but it's usually not worth changing.
  - ISO image: Select the ISO file for pfSense.
  - Guest OS: No need to change anything here.
- System: There is no need to change anything here for pfSense.
- Disks:
  - Storage: The type of storage does not matter too much. It can even be run on regular hard drives.
  - Disk size: 8 gigabytes is enough for home use, but if you think you might need it you can double that.
- CPU:
  - Cores: The number of cores you should add depends on the processor you have and the amount of traffic going through the router. One or two cores should do.
  - Type: There is a range of CPU types you can make it look like you have, but I will just pass through host as the type.
- Memory:
  - Memory: 1 gigabyte is enough to start out with and can be increased later.
  - Ballooning: Ballooning should be avoided when it comes to critical servers. If the router on your network is not up, you might run into major issues.
- Network:
  - No network device: I'm checking this because the networking has not been made ready yet.
- Confirm:
  - Start after created: As it says, the VM will start after you hit Finish. Networking has not been added yet and needs to be done before starting the VM.
Networking
Clicking the Proxmox node followed by Network, you will see both physical and virtual network interfaces. There are four types of physical interfaces depending on how they are connected to the machine.
- eno: The o stands for onboard; these are mounted on the motherboard of the machine.
- ens: This is a card with a single port slotted into a PCI slot.
- enp: These are also connected to a PCI slot but often contain more ports.
- enx: This is a device identified by its MAC address, often what you get when plugging in a USB network interface.
There are a few choices when it comes to virtual interfaces. What I use is a Linux Bridge, which is able to do most of what you might need. These are shown as vmbr followed by a number.
Creating virtual interfaces
I will be bridging a physical port with the virtual one I'm creating. This way I will be able to connect both physical and virtual devices to the network I am creating. Doing it this way, I have the ability to control certain parts of the network in Proxmox. Another thing I avoid is PCIe and USB passthrough.
- Select your Proxmox node.
- Click Network.
- Before clicking Create you might want to copy the name of the network card you wish to bridge.
- In the drop-down menu, click Linux Bridge.
- You can edit the number in the name if you wish. In Bridge ports you should add the physical port you wish to use.
  - Name: You can change the number here, while vmbr needs to stay. This has to do with what type of network device it is.
  - IPv4/CIDR: Here you can add an IP address which is meant to be used to connect to Proxmox. Do not add anything if it is not needed.
  - Gateway (IPv4): Here you can add the IP address of the router if that is needed.
  - IPv6/CIDR: The same as with IPv4, but for IPv6 if you run that on your network.
  - Gateway (IPv6): The same as with IPv4, but for IPv6 if you run that on your network.
  - Autostart: If this is not checked, you will need to manually start the interface each time the Proxmox node is started.
  - VLAN aware: When this is not checked, all VLAN information will be stripped off by the interface.
  - Bridge ports: Here you add the name of the ports you wish to bridge. You can bridge multiple ports separated by a comma.
  - Comment: Do yourself a favor and add a comment so you know what you plan to use it for.
  - MTU: This has to do with optimizing the network, which can be needed if you have faster than 1 Gbit networking.
- Click Create when you are done configuring the bridge.
I will be doing this twice since I want two physical ports to my pfSense firewall.
When you have made however many interfaces and changes you want, click Apply configuration.
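The bridge dialog above writes its result into /etc/network/interfaces on the Proxmox node. The following is an added example, not part of the original guide: a small lint for that file which catches two mistakes that are easy to make in the GUI, namely the same physical port typed into the Bridge ports field of two bridges, and an IPv4/CIDR address left on a bridge that only pfSense should own (which would expose the Proxmox host on the firewall's segment). It assumes vmbr1 is the WAN bridge and vmbr2 the LAN bridge; the interface names and addresses in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: lint the
# /etc/network/interfaces file that the Linux Bridge dialog writes out.
# Assumptions: vmbr1 is the pfSense WAN bridge, vmbr2 the LAN bridge.
# enx... names and all addresses below are constructed placeholders.

# check_bridges FILE BRIDGE...  prints each finding, returns 1 if any
check_bridges() {
    file=$1; shift
    awk -v fw="$*" '
        BEGIN { n = split(fw, a, " "); for (i = 1; i <= n; i++) isfw[a[i]] = 1 }
        $1 == "iface" { cur = $2; next }          # stanza start: remember its name
        $1 == "bridge-ports" {                      # a port may belong to one bridge
            for (i = 2; i <= NF; i++) {
                if ($i == "none") continue
                if (($i in owner) && owner[$i] != cur) {
                    printf "port %s is in both %s and %s\n", $i, owner[$i], cur
                    bad = 1
                } else {
                    owner[$i] = cur
                }
            }
            next
        }
        $1 == "address" && (cur in isfw) {          # host IP on a firewall-only bridge
            printf "%s carries host address %s\n", cur, $2
            bad = 1
        }
        END { exit bad }
    ' "$file"
}

# Constructed sample of a correct layout: the management bridge keeps an
# address, the two pfSense bridges have none and each owns one USB port.
GOOD_CONFIG='auto lo
iface lo inet loopback

iface eno1 inet manual
iface enx001122334455 inet manual
iface enx001122334466 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.10.5/24
        gateway 192.168.10.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
#Proxmox management

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enx001122334455
        bridge-stp off
        bridge-fd 0
#pfSense WAN

auto vmbr2
iface vmbr2 inet manual
        bridge-ports enx001122334466
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
#pfSense LAN'

# Constructed sample with both mistakes: the host got an address on the WAN
# bridge, and the WAN port was typed into the LAN bridge as well.
BAD_CONFIG='auto vmbr1
iface vmbr1 inet static
        address 203.0.113.10/24
        bridge-ports enx001122334455
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet manual
        bridge-ports enx001122334455
        bridge-stp off
        bridge-fd 0'

# lint_text TEXT BRIDGE...  runs check_bridges on an inline config
lint_text() {
    text=$1; shift
    tmp=$(mktemp)
    printf '%s\n' "$text" > "$tmp"
    check_bridges "$tmp" "$@"
    status=$?
    rm -f "$tmp"
    return $status
}

# Stand-alone run: lint both samples, then a real file if one is given.
lint_text "$GOOD_CONFIG" vmbr1 vmbr2 && echo "good sample: no findings"
lint_text "$BAD_CONFIG" vmbr1 vmbr2 || echo "bad sample: findings above"
if [ -n "${1:-}" ]; then check_bridges "$1" vmbr1 vmbr2; fi
```

Run it as `sh lint-bridges.sh /etc/network/interfaces` on the node before clicking Apply configuration; a clean run prints nothing for the real file. The bridge names passed as arguments are the ones that must not carry a host address, so pass every bridge you created for pfSense.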
Adding interfaces to VM
One thing to think about when adding interfaces to your VM is that the first one added will show up as the first port in the VM. So if you want the WAN port as the first port, add that first.
- Select the VM you wish to add the network interfaces to.
- Click Hardware.
- Click Add.
- In the drop-down menu, select Network device.
- All you really have to do here is select the virtual interface you wish to add under Bridge.
  - Bridge: Here you select the virtual interface you wish to add.
  - VLAN Tag: If you have your network set up with VLANs, you can add the tag here. The tag is a number between 0 and 4095. Tag 1 is the default and should not be used unless you know what you are doing.
  - Firewall: The firewall is there to filter internal traffic on the server. It can be deactivated without issue for pfSense.
  - Model: There are different types of network interface cards you can emulate. Most will make the VM think there is a cable connected. VirtIO will show up as virtualized. Some operating systems may require one specific type.
  - MAC Address: You can set something specific here if you wish, but it's not needed for pfSense.
  - Disconnect: This is used to disconnect the interface without removing it entirely. I often use it as a way to "reconnect" the interface, which is sometimes needed.
  - Rate limit (MB/s): Used to limit the network speed for devices. Useful if you have a VM dedicated to downloading and uploading files.
  - Multiqueue: This is used to split incoming traffic over multiple processor cores/queues.
As with creating the virtual interfaces I will be adding both of them to pfSense.
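The Create VM and Add Network device dialogs above map directly onto Proxmox's qm command line. The script below is an added example, not from the original guide: it creates the VM with the same choices (host CPU type, no ballooning, 8 gigabyte disk, boot from the ISO, start at boot) and then attaches the two bridges in the order that makes the WAN bridge the first interface pfSense sees. The VM ID, name, storage name, bridge names and ISO filename are assumptions to replace with your own; by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original guide: the VM from the GUI
# walkthrough expressed with the Proxmox "qm" CLI so the choices are
# reviewable and repeatable. All values below are assumptions; the ISO
# filename is a placeholder. Commands are printed unless RUN is set to
# the empty string, e.g.  RUN= sh create-pfsense-vm.sh  on a Proxmox node.
RUN=${RUN-echo}

VMID=${VMID:-100}
VMNAME=${VMNAME:-pfsense}
STORAGE=${STORAGE:-local-lvm}
ISO=${ISO:-local:iso/pfSense-CE-VERSION-amd64.iso}   # VERSION: placeholder
WAN_BRIDGE=${WAN_BRIDGE:-vmbr1}
LAN_BRIDGE=${LAN_BRIDGE:-vmbr2}

# Same settings as the Create VM dialog: host CPU type, 1 GiB of memory
# with ballooning off (a router whose memory gets reclaimed is a router
# that stalls), 8 GiB disk, start at boot, and no NIC yet. The boot order
# lists the empty disk first; it falls through to the ISO on first boot
# and boots the installed system afterwards.
create_vm() {
    $RUN qm create "$VMID" \
        --name "$VMNAME" \
        --ostype other \
        --cpu host --cores 2 \
        --memory 1024 --balloon 0 \
        --scsihw virtio-scsi-pci \
        --scsi0 "$STORAGE:8" \
        --cdrom "$ISO" \
        --boot 'order=scsi0;ide2' \
        --onboot 1
}

# Order matters: net0 becomes the first interface pfSense enumerates,
# which is the one you will assign as WAN in the console. The Proxmox-side
# firewall is switched off for these NICs, as the guide says it can be.
add_nics() {
    $RUN qm set "$VMID" --net0 "virtio,bridge=$WAN_BRIDGE,firewall=0"
    $RUN qm set "$VMID" --net1 "virtio,bridge=$LAN_BRIDGE,firewall=0"
}

create_vm
add_nics
```

Running it without arguments prints the three qm commands so you can compare them with what the Hardware tab shows; once they look right, re-run with RUN set to the empty string to execute them.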
pfSense setup
You can now open a console window and start pfSense.
Installation
- Installation: When first starting up you will get a few options. If you just wait, the installation will start after a few seconds.
- Copyright and distribution notice: The first thing you actively have to do is press Accept on the copyright and distribution notice. You can also read it if you wish.
- Welcome: Again you will get a few options to pick from. For a new installation, press Enter when Install and OK are selected.
- Keymap: Next is keymap selection. This is done by scrolling down and pressing Enter on the desired keymap. After pressing Enter you will be able to test it. When done, navigate up to >>> Continue with (your) keymap. There is not much that has to be done in the terminal, but a correct keymap can be helpful.
- Partitioning: Auto (ZFS) works great, so you can just press Enter to continue.
- ZFS Configuration:
  - In the first window you will be able to change some general configuration. Nothing needs to be changed here unless you have specific needs. Adding a hard drive will be done in the next steps, so press Enter when Install is marked.
  - Upon continuing you will be able to choose a RAID solution. If you have multiple drives for pfSense, this can be a good insurance against downtime.
  - Select the drive(s) you wish to install pfSense on. This is done by pressing Space on the marked drive(s) followed by Enter to continue.
  - Finally you will get a warning about the content of the drives being destroyed when starting the installation. Navigate to YES and press Enter to start the installation.
- Manual Configuration: After installation, before the reboot, you are able to do some manual configuration if you wish. You can just press No to reboot. If you press Yes and regret it, just type exit and press Enter to get the reboot prompt.
The main part of the installation is now done but there is some configuration that has to be done before it is ready to be used.
First time configuration
There are two parts to the configuration. One is in the terminal while the other is in the web UI.
Terminal
- The first question you get is if you wish to set up VLANs. I will not be setting them up, so I will press n.
- Next is selecting which interface should be the WAN interface (connected to the Internet) and which should be the LAN interface (connected to your local network). The first interface added in Proxmox will be the first interface in pfSense.
- Press y if you are happy with the interface assignments.
You are now done with what is needed to do in the terminal, but you have access to a range of tools via the terminal. If you ever have problems and need to troubleshoot, give it a try. You can also change the IP addresses for the network here. If you do not wish to configure the IP address in the terminal, you can take the LAN IP address and type it into a web browser of a machine connected to the LAN side of the firewall.
Optional Terminal setup
This is optional to do in the terminal and does not need to be done at all if you don't wish to change the IP address on the LAN interface. The reason for changing from the 192.168.1.1 address is that you might run into issues if you set up a VPN and try to connect from another network using the same IP address.
I also go through how to do this in the web UI if you wish to do it there instead.
- Press 2 on the keyboard to start the network configuration.
- Select your LAN interface.
- Type the IP address you wish to have for the network. This will also be the IP address for the firewall.
- Enter the subnet mask. Usually, a subnet mask with 24 bits will give you all the IP addresses you might need for a normal network.
- In the next two steps, do not add anything and just press Enter.
- Press y to enable the DHCP server. This is to make sure you are assigned an IP address upon connection to the network.
- Next is setting up an IP range for addresses to be assigned by the DHCP server. If you set a range that starts at 100 and ends at 200, you will have a bulk of IP addresses at the start and the end that can be used for manual assignment.
- HTTP as webconfigurator protocol: I press n here to stick with HTTPS.
- You will now see the new address you can connect to the firewall with.
Take the address and type it into the web browser of a machine connected to the LAN side of the firewall.
Web UI
To access pfSense you will need to be connected to the LAN side of the network. This means either connecting physically or adding the LAN interface to another VM on the same Proxmox node.
To log in, type the default username: admin and password: pfSense
The first time you log in, you will be guided through a setup wizard. Click Next twice to get started.
- General Information:
  - Hostname: Set the name you wish for the firewall.
  - Domain: If you have your own domain, that can be used here.
  - Primary and Secondary DNS Server: If you wish to use a specific DNS server, that can be set here.
  - Override DNS: If you want to use your own DNS, uncheck this.
- Time Server Information: Here you can specify a time server and time zone.
- Configure WAN Interface: There are quite a few settings you can change here, but in this setup I will just go over three of them.
  - Selected Type: If you have a static IP address, you can set that here. Otherwise let it stay on DHCP.
  - RFC1918 and block bogon networks: Since this is a lab environment, I will uncheck these two. If you plan on connecting the firewall directly to the internet, these can remain checked.
- Configure LAN Interface:
  - LAN IP Address: If you did this in the terminal, there is no need to change anything here. If you wish to use another IP address, you can change it here. There is usually no major reason to use another.
  - Subnet mask: Unless you have a specific use case, 24 is a good all-around subnet mask and will give you 254 IP addresses to use for devices.
- WebGUI Password: Set a password that is secure and that you will remember.
- Reload configuration: When you are done with the setup, click the Reload button for pfSense to activate the changes.
- Wizard completed: You can now check for updates. If you changed the IP address in the web GUI, you might have to disconnect and reconnect the network cable or interface to receive the new IP address.
Firewall up and running
With this setup you will have a bare-bones pfSense firewall up and running. You can now start using this as your router if you wish. The firewall is extremely safe with default settings.
I plan to make some more guides on how to set up VLANs, VPN and other useful things on pfSense. Time will tell what I will be able to get around to.