Have a Question?

How to Install pfSense® CE as a VM on Proxmox VE

Print

Overview

pfSense® CE can be installed and utilized on Proxmox VE as a virtual machine (VM). pfSense® CE is an open source routing and firewall software which is based on FreeBSD. This guide will cover the installation process as well as some additional configuration settings to get pfSense® CE running smoothly on Proxmox VE.

Note: pfSense® CE is open source software developed for the benefit of the community.  If you are using pfSense® CE with the Vault, please consider supporting the pfSense project. https://www.pfsense.org/get-involved

Performance Limitations

Although a pfSense® CE virtual machine can be successfully installed on the FW2B, FW4B, and FW4C the performance will be lower when compared to running the VM on our other products. If you wish to use pfSense® CE on an FW2B, FW4B, or FW4C it is recommended to install the operating system as a bare metal firewall rather than running it as a virtual machine on Proxmox VE.

Throughput tests can be found at the end of this article under the “Observed Throughput Speeds” section.

Downloading pfSense® CE ISO

First, head to https://www.pfsense.org/download/ to download the ISO image of pfSense® CE. The latest version of pfSense® CE we have tested on Proxmox VE is 2.7.0.

After the ISO has been downloaded, you will need to upload the ISO to Proxmox VE in order to install the VM.

Uploading the ISO to Proxmox VE

  • Login to your Proxmox VE dashboard via your web browser
  • On the left side of the dashboard, expand the Datacenter drop-down, and the node with your server name.
  • Select your local storage, select ISO Images, and click Upload
Uploading pfSense® CE ISO
  • Click Select File and choose your pfSense® CE ISO. Click Upload.
Confirm ISO Upload
  • Verify that the output messages state that the ISO has been imported successfully (“TASK OK”)
  • Verify that the ISO is viewable on the ISO Images tab on your local storage

Before we create the VM, we need to create a Linux Bridge on Proxmox VE so we can assign network interfaces on pfSense® CE.

Creating Linux Bridges To Use As Network Interfaces

A Linux bridge is used to bridge your VMs to a physical network device. This allows you to plug in an ethernet cable to one of your Vault’s network ports which allows for traffic to travel to/from the VM. Additionally, bridges allow other VMs to acquire an IP through the pfSense® CE VM.

Here at Protectli, we use the default Linux Bridge vmbr0 as the Proxmox VE management port (which is how you are able to access the Proxmox VE web interface). We will create a Linux Bridge for a WAN port (vmbr1) as well as a LAN port (vmbr2). (If you absolutely want to make port 1 pfSense®’s WAN port (vmbr0), you can, but you won’t be able to use PCI Passthrough to passthrough the NIC as a PCI device, and there is a chance that performance will suffer. This is because it would be sharing an interface with Proxmox VE’s Management Interface)

*Note: If your Vault is capable of PCI passthrough (VT-d), you can assign the network ports directly instead of creating a Linux Bridge. System compatibility and information can be found here. Setup instructions can be found on the “PCI Passthrough for NICs” section on the current page.

  • On the Proxmox VE dashboard, select the node with your server’s name and choose System > Network
  • Click ‘Create > Linux Bridge
Proxmox Network Configuration
  • For Name: use the value that is automatically entered (vmbr1)
  • For Bridge ports: enter the name of your desired WAN interface
    • In this example, we have Proxmox VE installed on a 4-port VP2420, so we will be using enp2s0 (port 2) for the WAN.
  • To add the LAN port, follow the same steps above, but use enp3s0 (port 3)
  • Make sure to press the Apply Configuration button
  • Linux Bridges for WAN and LAN (Ports 2 and 3)

    Now that the ISO has been uploaded and you have your interfaces, you can create the VM.

    Creating the VM

    • At the top of the Proxmox VE dashboard, click the blue Create VM button:
    • Under the General tab:
      • Choose a VM ID number and enter a name for the VM.
    General Tab
    • Continue to the OS tab:
      • Choose Use CD/DVD disc image file:
      • For Storage: leave the default value of local
      • For ISO image: select the pfSense® CE ISO you uploaded earlier
      • For Guest OS Type: select Other
    OS Tab
    • Continue to System tab:
      • For Graphic card: select Default
      • For Machine: select i440fx
        • If you plan on utilizing PCI Passthrough, select q35
      • For SCSI Controller: select VirtIO SCSI
    System Tab
    • Continue to Disks tab:
      • For Bus/Device: select VirtIO Block
      • For Disk size(GiB): choose at least 8GB. In this example we select 32GB.
    Disks Tab
    • Continue to CPU tab:
      • For Sockets: select 1
      • For Cores: select at least 1
        • We selected 4 cores for this example, as this is how many cores the VP2420’s processor has
      • For Type: select host (this will offer some of the best performance)
    CPU Tab
    • Continue to the Memory tab:
      • For Memory (MiB): select at least 1024
        • We selected 4096 (4GB) for this example, this is the minimum recommended amount for performance reasons
    Memory Tab
    • Continue to the Network tab:
      • For Bridge: select vmbr1 (your WAN Linux Bridge)
      • For Model: select VirtIO (paravirtualized)
    Network Tab
    • Continue to the Confirm tab:
      • Click Finish

    The VM has been created, but we need to add the Linux Bridge for your LAN.

    Adding the LAN Linux Bridge to pfSense® CE VM

    • Choose your pfSense® CE VM located under the node with your server’s name
    • Select Hardware
    • Click the Add button and select Network Device
    Adding Network Device
    • For Bridge: select vmbr2
    • For Model: select VirtIO (paravirtualized)
    Adding LAN Linux Bridge

    You now have both a WAN and LAN port to use with pfSense® CE. In this example, it would be ethernet ports 2 and 3 on the Vault.

    Starting, Installing, and Configuring pfSense® CE VM

    You can now start the VM for the first time, and begin the installation process.

    • Click the Start button
    Starting pfSense® CE VM
    • Choose the Console tab to view the video output
    • Let pfSense® CE run until it gets to the Copyright and Trademark Notices
    • Accept the notice by pressing Enter on your keyboard
    • Press Enter while highlighted over Install pfSense®
    pfSense® CE VM install
    • Choose your keymap selection (default should be fine in most cases)
    • Choose Auto (ZFS) for your partitioning selection and press Enter
    • Press Enter again to proceed with installation
    • Select stripe for ZFS Configuration and hit Enter
    • Press your Spacebar key to select vtbd0 (there will be an asterisks next to the drive name), and hit Enter
    Selecting a drive
    • Select Yes with your arrow keys and hit Enter to confirm the installation location
    • Allow installation to finish
    • Choose No when asked if you would like to open a shell
    • Select Reboot

    Configuring interface assignments

    After pfSense® CE has rebooted, you will be prompted to setup some initial configuration.

    • When asked if VLANs should be setup:
      • Type n and press Enter
    • For WAN interface, type vtnet0 and hit Enter
    • For LAN interface, type vtnet1 and hit Enter
    • When asked to proceed, type y and hit Enter

    pfSense® CE has now been installed and network interfaces have been assigned (WAN and LAN). You will need to access the pfSense® Web GUI to disable hardware checksums in order for traffic to efficiently pass through the VM. In this example, you can connect a computer to the third port on the Vault to access the webGUI. Alternatively, if you have another VM running on Proxmox (like Ubuntu), and if you have set that VM’s network interface as vmbr2, you can access the webGUI through the web browser on the Ubuntu VM.

    Accessing Web GUI

    We will now disable hardware checksums on the Web GUI. This is an important step!

    • Connect a computer to the LAN port of your Vault
    • Open a web browser and navigate to the default pfSense Web GUI address of 192.168.1.1
    • Login with default credentials. (username: admin , password: pfsense)
    • Go to the System tab at the top and select Advanced
    • Select the Networking tab
    pfSense® CE Web GUI Networking Tab
    • Scroll to the Network Interfaces section, and check the Disable hardware checksum offload
    Disabling Hardware Check Sum
    • Hit Save at the bottom of the page.
    • Reboot the VM

    Congratulations! You now have a working VM of pfSense® CE.

    For more detailed configuration instructions, visit the documentation page at: https://docs.netgate.com/pfsense/en/latest/index.html

    If you experience any issues, please feel free to reach out: support@protectli.com

    PCI Passthrough for NICs

    You can use PCI passthrough to directly assign the physical network ports on your Vault to be used as interface assignments on your pfSense® CE VM. They can be used instead of a Linux Bridge. The following steps are under the assumption you have already created the VM.

    Ensure that IOMMU is enabled before proceeding (https://kb.protectli.com/kb/pci-passthrough-vt-d-proxmox-ve/)

    You should remove any existing Linux Bridges on the Hardware tab of the VM before proceeding.

    In order to add your NICs to your VM to use as interface assignments, follow these steps:

    • Go to the Hardware tab of your pfSense® CE VM
    • Double click on Machine and choose q35, click Ok to confirm
    Changing Machine type
    Changing machine type to q35
    • Go back to the Hardware tab, and Add a PCI Device
    • Click on the Raw Device button
    • From here, you can add whatever network connection you would like
      • DO NOT passthrough the port you are already using for Proxmox VE’s management (most likely port 1), this will cause issues when you boot the VM
      • The screenshot below shows a list of all the ethernet ports on the VP2420, these will potentially be named differently depending on the device and NICs
    Adding NICs as PCI Device
    • For a WAN and LAN port, choose port 2 and 3 (see below screenshot)
    Passing Through Port 2 and 3

    Assigning the WAN and LAN Interfaces on pfSense® CE

    • Load up the VM until asked to assign interfaces
    • When asked to set up VLANs, type n and hit your Enter key
    • for WAN: type igc0 (or potentially igb0) and hit Enter
    • for LAN: type igc1 (or potentially igb1) and hit Enter
      • *Note: these interfaces may be named differently depending on the NICs in your Vault (Ex: igb0, em0) Please pay attention to the console on what the proper names are for your NICs.
    • When asked if you want to proceed: type y and hit Enter

    You can now use these interfaces as normal. To access the Web GUI, go to the default address of 192.168.1.1 with a computer connected to your assigned LAN port.

    Observed Throughput Speeds

    The following chart displays the average observed throughput speeds on a pfSense® CE VM for each Vault. Tests were completed via iperf3 as well as the Speedtest® CLI.

    The pfSense® CE VM was configured with 4GB of RAM, and installed with the same settings shown on this article.

    For the iperf test: traffic was initiated on a host outside of the pfSense® CE VM. The traffic was routed through the pfSense® CE VM to a physical client connected to the LAN port of the Vault. We completed an additional test where the same iperf host routed traffic through the pfSense® CE VM, and into an Ubuntu 22.04 VM that was virtually connected to pfSense® CE via a Linux Bridge network interface.

    We also tested throughput speeds while utilizing PCI Passthrough for the physical NICs.

    For the Speedtest® CLI test: the same host server was used for each Vault.

    Vaultiperf: Physical Client on LAN Portiperf: To Virtual MachineSpeedtest CLI: Physical Client on LAN PortSpeedtest CLI: To Virtual Machineiperf: Physical Client on LAN Port (PCI Passthrough)Speedtest CLI: Physical Client on LAN Port (PCI Passthrough)
    FW2B326 Mb/s179 Mb/s189 Mb/s172 Mb/sN/AN/A
    FW4B630 Mb/s560 Mb/s417 Mb/s373 Mb/sN/AN/A
    FW4C801 Mb/s710 Mb/s520 Mb/s420 Mb/sN/AN/A
    FW6A900 Mb/s780 Mb/s920 Mb/s625 Mb/s951 Mb/s942 Mb/s
    FW6B949 Mb/s949 Mb/s953 Mb/s924 Mb/s952 Mb/s953 Mb/s
    FW6C950 Mb/s950 Mb/s953 Mb/s936 Mb/s952 Mb/s955 Mb/s
    FW6D952 Mb/s952 Mb/s958 Mb/s936 Mb/s952 Mb/s959 Mb/s
    FW6E952 Mb/s952 Mb/s959 Mb/s936 Mb/s952 Mb/s960 Mb/s
    VP2410951 Mb/s949 Mb/s939 Mb/s914 Mb/s952 Mb/s942 Mb/s
    VP24202350Mb/sTBDTBDTBD2370Mb/sTBD
    VP46302370Mb/sTBDTBDTBD2370Mb/sTBD
    VP46502370 Mb/sTBDTBDTBD2370 Mb/sTBD
    VP46702370Mb/sTBDTBDTBD2370Mb/sTBD

     

    Table of Contents