How to Install pfSense® CE as a VM on Proxmox VE

Overview

pfSense® CE can be installed and run on Proxmox VE as a virtual machine (VM). pfSense® CE is open source routing and firewall software based on FreeBSD. This guide covers the installation process as well as some additional configuration settings to get pfSense® CE running smoothly on Proxmox VE.

Note: pfSense® CE is open source software developed for the benefit of the community. If you are using pfSense® CE with the Vault, please consider supporting the pfSense project: https://www.pfsense.org/get-involved

Performance Limitations

Although a pfSense® CE virtual machine can be successfully installed on the FW2B and FW4B, the performance will be lower when compared to running the VM on our other products. If you wish to use pfSense® CE on an FW2B or FW4B, it is recommended to install the operating system as a bare metal firewall rather than running it as a virtual machine on Proxmox VE.

Throughput tests can be found at the end of this article under the “Observed Throughput Speeds” section.

Downloading pfSense® CE ISO

First, head to https://www.pfsense.org/download/ to download the ISO image of pfSense® CE. The latest version of pfSense® CE we have tested on Proxmox VE is 2.6.0.

After the ISO has been downloaded, you will need to upload the ISO to Proxmox VE in order to install the VM.

Uploading the ISO to Proxmox VE

  • Log in to your Proxmox VE dashboard via your web browser
  • On the left side of the dashboard, expand the Datacenter drop-down, and the node with your server name.
  • Select your local storage, select ISO Images, and click Upload
Uploading pfSense® CE ISO
  • Click Select File and choose your pfSense® CE ISO. Click Upload.
Confirm ISO Upload

The ISO is now uploaded.

Before we create the VM, we need to create a Linux Bridge on Proxmox VE so we can assign network interfaces on pfSense® CE.

Creating Linux Bridges To Use As Network Interfaces

A Linux bridge is used to bridge your VMs to a physical network device. This lets you plug an Ethernet cable into one of your Vault’s network ports so that traffic can travel to and from the VM. Additionally, bridges allow other VMs to acquire an IP through the pfSense® CE VM.

Here at Protectli, we use the default Linux Bridge vmbr0 as the Proxmox VE management port. We will create a Linux Bridge for a WAN port as well as a LAN port.

*Note: If your Vault is capable of PCI passthrough (VT-d), you can assign the network ports directly instead of creating a Linux Bridge. System compatibility and information can be found here. Setup instructions can be found in the “PCI Passthrough for NICs” section of this page.

  • On the Proxmox VE dashboard, select the node with your server’s name and choose System > Network
  • Click Create > Linux Bridge
Proxmox Network Configuration
  • For Name: use the value that is automatically entered (vmbr1)
  • For Bridge ports: enter the name of your desired WAN interface
    • In this example, we have Proxmox VE installed on a 4-port VP2410, so we will be using enp2s0 (port 2) for the WAN.
  • To add the LAN port, follow the same steps above, but use enp3s0 (port 3)
Linux Bridges for WAN and LAN (Ports 2 and 3)

Now that the ISO has been uploaded and you have your interfaces, you can create the VM.

Creating the VM

  • At the top of the Proxmox VE dashboard, click the blue Create VM button:
  • Under the General tab:
    • Choose a VM ID number and enter a name for the VM.
General Tab
  • Continue to the OS tab:
    • Choose Use CD/DVD disc image file:
    • For Storage: leave the default value of local
    • For ISO image: select the pfSense® CE ISO you uploaded earlier
    • For Guest OS Type: select Other
OS Tab
  • Continue to System tab:
    • For Graphic card: select Default
    • Make sure SCSI Controller is VirtIO SCSI (See screenshot below)
System Tab
  • Continue to Disks tab:
    • For Bus/Device: select VirtIO Block
    • For Disk size(GiB): choose at least 8GB. In this example we select 32GB.
Disks Tab
  • Continue to CPU tab:
    • For Sockets: select 1
    • For Cores: select at least 1
      • We selected 4 cores for this example, as this is how many cores the VP2410’s processor has
    • For Type: select host
CPU Tab
  • Continue to the Memory tab:
    • For Memory (MiB): select at least 1024
      • We selected 4096 (4GB) for this example
Memory Tab
  • Continue to the Network tab:
    • For Bridge: select vmbr1 (your WAN Linux Bridge)
    • For Model: select VirtIO (paravirtualized)
Network Tab
  • Continue to the Confirm tab:
    • Click Finish

The VM has been created, but we need to add the Linux Bridge for your LAN.

Adding the LAN Linux Bridge to pfSense® CE VM

  • Choose your pfSense® CE VM located under the node with your server’s name
  • Select Hardware
  • Click the Add button and select Network Device
Adding Network Device
  • For Bridge: select vmbr2
  • For Model: select VirtIO (paravirtualized)
Adding LAN Linux Bridge

You now have both a WAN and LAN port to use with pfSense® CE.
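
The GUI choices from the “Creating the VM” and “Adding the LAN Linux Bridge” steps can also be applied with one command from the Proxmox VE host shell. The script below is an added example, not part of the original guide; the VM ID, VM name, disk storage (local-lvm) and ISO volume name are assumptions or placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original guide): the VM settings chosen in the
# GUI steps above, expressed as one qm command run on the Proxmox VE host.
VMID=${VMID:-100}                     # constructed VM ID; pick a free one
VMNAME=${VMNAME:-pfsense}             # constructed VM name
DISK_STORE=${DISK_STORE:-local-lvm}   # assumption: storage that holds VM disks
ISO=${ISO:-local:iso/PFSENSE-CE-ISO-PLACEHOLDER.iso}  # placeholder ISO volume

# Arguments given to the function act as a command prefix:
#   create_pfsense_vm echo   previews the command line
#   create_pfsense_vm        runs it
create_pfsense_vm() {
  "$@" qm create "$VMID" \
    --name "$VMNAME" \
    --ostype other \
    --ide2 "$ISO,media=cdrom" \
    --scsihw virtio-scsi-pci \
    --virtio0 "$DISK_STORE:32" \
    --sockets 1 --cores 4 --cpu host \
    --memory 4096 \
    --net0 virtio,bridge=vmbr1 \
    --net1 virtio,bridge=vmbr2
}

# Preview by default; only create the VM when asked to.
if [ "${1:-}" = "--apply" ]; then
  create_pfsense_vm
else
  create_pfsense_vm echo
fi
```

Run it with no arguments to preview the command, or with --apply on the Proxmox VE host to create the VM.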

Starting, Installing, and Configuring pfSense® CE VM

You can now start the VM for the first time, and begin the installation process.

  • Click the Start button
Starting pfSense® CE VM
  • Choose the Console tab to view the video output
  • Let pfSense® CE run until it gets to the Copyright and Trademark Notices
  • Accept the notice by pressing Enter on your keyboard
  • Press Enter while highlighted over Install pfSense
pfSense® CE VM install
  • Choose your keymap selection (default should be fine in most cases)
  • Choose Auto (ZFS) for your partitioning selection and press Enter
  • Press Enter again to proceed with installation
  • Select stripe for ZFS Configuration and hit Enter
  • Press your Spacebar key to select vtbd0 (there will be an asterisk next to the drive name), and hit Enter
Selecting a drive
  • Select Yes with your arrow keys and hit Enter to confirm the installation location
  • Allow installation to finish
  • Choose No when asked if you would like to open a shell
  • Select Reboot

Configuring interface assignments

After pfSense® CE has rebooted, you will be prompted to set up some initial configuration.

  • When asked if VLANs should be set up:
    • Type n and press Enter
  • For WAN interface, type vtnet0 and hit Enter
  • For LAN interface, type vtnet1 and hit Enter
  • When asked to proceed, type y and hit Enter

pfSense® CE has now been installed and interfaces have been assigned. You will need to access the Web GUI to disable hardware checksums in order for traffic to properly pass through the VM.

Accessing Web GUI

We will now disable hardware checksums in the Web GUI. This is an important step!

  • Connect a computer to the LAN port of your Vault
  • Open a web browser and navigate to the default pfSense Web GUI address of 192.168.1.1
  • Log in with the default credentials (username: admin, password: pfsense)
  • Go to the System tab at the top and select Advanced
  • Select the Networking tab
pfSense® CE Web GUI Networking Tab
  • Scroll to the Network Interfaces section, and check the Disable hardware checksum offload box
Disabling Hardware Check Sum
  • Hit Save at the bottom of the page.

Congratulations! You now have a working VM of pfSense® CE.

For more detailed configuration instructions, visit the documentation page at: https://docs.netgate.com/pfsense/en/latest/index.html

If you experience any issues, please feel free to reach out: support@protectli.com

PCI Passthrough for NICs

You can use PCI passthrough to directly assign the physical network ports on your Vault to be used as interface assignments on your pfSense® CE VM. They can be used instead of a Linux Bridge. The following steps are under the assumption you have already created the VM.

Ensure that IOMMU is enabled before proceeding. This is enabled by default if you are using Proxmox VE 7.2 or newer (https://pve.proxmox.com/wiki/Pci_passthrough).

You should remove any existing Linux Bridges on the Hardware tab of the VM before proceeding.

In order to add your NICs to your VM to use as interface assignments, follow these steps:

  • Go to the Hardware tab of your pfSense® CE VM
  • Double click on Machine and choose q35, click Ok to confirm
Changing machine type to q35
  • Go back to the Hardware tab, and Add a PCI Device
  • From here, you can add whatever network connection you would like
    • DO NOT pass through the port you are already using for Proxmox VE’s management (most likely port 1); this will cause issues when you boot the VM
    • The screenshot below shows a list of all the Ethernet ports on the VP2410. These may be named differently depending on the device and NICs
Adding NICs as PCI Device
  • For a WAN and LAN port, choose ports 2 and 3 (see the screenshot below)
Passing Through Port 2 and 3
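
One way to check the management-port warning above before adding a PCI device, as an added example that is not part of the original guide: the script reads a Proxmox VE /etc/network/interfaces file and refuses any NIC that backs the management bridge (vmbr0). The sample file is constructed for illustration; enp1s0 as the name of port 1 and the management address are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): refuse to pass through the NIC
# that backs the Proxmox VE management bridge.
MGMT_BRIDGE=${MGMT_BRIDGE:-vmbr0}   # management bridge named in this guide

# Print every bridge in interfaces file $2 that lists NIC $1 as a bridge port.
bridges_using() {
  awk -v nic="$1" '
    $1 == "iface" { cur = $2 }
    $1 ~ /^bridge[-_]ports$/ {
      for (i = 2; i <= NF; i++) if ($i == nic) print cur
    }' "$2"
}

# Return 1 if NIC $1 backs the management bridge, 0 otherwise.
# $2 is the interfaces file to read (default: the host's own).
check_nic() {
  users=$(bridges_using "$1" "${2:-/etc/network/interfaces}")
  for br in $users; do
    if [ "$br" = "$MGMT_BRIDGE" ]; then
      echo "REFUSE: $1 carries $MGMT_BRIDGE (management)"
      return 1
    fi
  done
  if [ -n "$users" ]; then
    echo "OK: $1 (still listed as a port of $users)"
  else
    echo "OK: $1"
  fi
}

# Constructed sample matching the bridges created in this guide (VP2410 port
# names; enp1s0 and the management address are assumed values).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
auto vmbr0
iface vmbr0 inet static
        address 192.0.2.10/24
        bridge-ports enp1s0
auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp2s0
auto vmbr2
iface vmbr2 inet manual
        bridge-ports enp3s0
EOF

for nic in enp1s0 enp2s0 enp3s0; do check_nic "$nic" "$SAMPLE" || true; done
```

On a real host, call check_nic with only the NIC name so that it reads /etc/network/interfaces.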

Assigning the WAN and LAN Interfaces on pfSense® CE

  • Load up the VM until asked to assign interfaces
  • When asked to set up VLANs, type n and hit your Enter key
  • For WAN: type igb0 and hit Enter
  • For LAN: type igb1 and hit Enter
    • *Note: these interfaces may be named differently depending on the NICs in your Vault
  • When asked if you want to proceed: type y and hit Enter

You can now use these interfaces as normal. To access the Web GUI, go to the default address of 192.168.1.1 with a computer connected to your assigned LAN port.

Observed Throughput Speeds

The following chart displays the average observed throughput speeds on a pfSense® CE VM for each Vault. Tests were completed via iperf3 (https://iperf.fr/iperf-download.php) as well as the Speedtest® CLI (https://www.speedtest.net/apps/cli).

The pfSense® CE VM was configured with 4GB of RAM, and installed with the same settings shown in this article.

For the iperf test: traffic was initiated on a host outside of the pfSense® CE VM. The traffic was routed through the pfSense® CE VM to a physical client connected to the LAN port of the Vault. We completed an additional test where the same iperf host routed traffic through the pfSense® CE VM, and into an Ubuntu 22.04 VM that was virtually connected to pfSense® CE via a Linux Bridge network interface.

We also tested throughput speeds while utilizing PCI Passthrough for the physical NICs.

For the Speedtest® CLI test: the same host server was used for each Vault.

| Vault | iperf: Physical Client on LAN Port | iperf: Virtual Machine | Speedtest CLI: Physical Client on LAN Port | Speedtest CLI: Virtual Machine | iperf: Physical Client on LAN Port (PCI Passthrough) | Speedtest CLI: Physical Client on LAN Port (PCI Passthrough) |
|---|---|---|---|---|---|---|
| FW2B | 326 Mb/s | 179 Mb/s | 189 Mb/s | 172 Mb/s | N/A | N/A |
| FW4B | 630 Mb/s | 560 Mb/s | 417 Mb/s | 373 Mb/s | N/A | N/A |
| FW6A | 900 Mb/s | 780 Mb/s | 920 Mb/s | 625 Mb/s | 951 Mb/s | 942 Mb/s |
| FW6B | 949 Mb/s | 949 Mb/s | 953 Mb/s | 924 Mb/s | 952 Mb/s | 953 Mb/s |
| FW6C | 950 Mb/s | 950 Mb/s | 953 Mb/s | 936 Mb/s | 952 Mb/s | 955 Mb/s |
| FW6D | 952 Mb/s | 952 Mb/s | 958 Mb/s | 936 Mb/s | 952 Mb/s | 959 Mb/s |
| FW6E | 952 Mb/s | 952 Mb/s | 959 Mb/s | 936 Mb/s | 952 Mb/s | 960 Mb/s |
| VP2410 | 951 Mb/s | 949 Mb/s | 939 Mb/s | 914 Mb/s | 952 Mb/s | 942 Mb/s |
