
Run pfSense® in Proxmox


Introduction

Proxmox is an excellent virtualization platform based upon Debian Linux. pfSense® (and OPNsense®) will run nicely in a KVM based VM running on a Proxmox server. This guide will walk you through a simple install to get you started.

Disclaimer

There is a school of thought questioning whether a VM can provide adequate isolation for a firewall to provide network security. There is a similar school of thought as to whether privileged and unprivileged VLANs should share the same physical links and hardware. Flaws in the underlying software and hardware, as well as misconfiguration, can undermine the security of an entire ecosystem.

This guide should not be considered to endorse the suitability of pfSense running on Proxmox for your systems. You should make this judgement yourself. This guide is also provided without warranty.

Proxmox Network Configuration

For this guide Proxmox has been configured with two bridge networks each connected to an external network port.

Here is the /etc/network/interfaces file:

auto vmbr0
iface vmbr0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

iface eth1.303 inet manual
    vlan-raw-device eth1

auto vmbr303
iface vmbr303 inet manual
    bridge_ports eth1.303
    bridge_stp off
    bridge_fd 0

Download pfSense CD ISO on Proxmox

Using a convenient web browser running on your desktop or laptop:

  • Browse to https://pfsense.org/download/
  • Select the AMD64 Architecture
  • Select the CD Image (ISO) Installer
  • Select a mirror location suitable to your locale
  • Right click on the Download link/button and select 'Copy link location'. This may vary slightly depending on your browser
  • Take note of the SHA256 checksum

Use ssh to connect to a terminal on your Proxmox server and run the following commands. Placeholders are noted with <>:

  • cd /var/lib/vz/template/iso/
  • wget <download link>
  • sha256sum <pfsense-file.iso.gz>
    Check your checksum matches the checksum on the pfSense website
  • gunzip <pfsense-file.iso.gz>
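
The same download check as a script, so that a mismatch stops the process before anything is decompressed. This is an added example, not part of the original guide; the function name verify_and_extract is made up here, and the expected value is the SHA256 checksum you noted from the download page.

```shell
#!/bin/sh
# Added example: verify a downloaded pfSense image before decompressing it.
# Usage: verify_and_extract <pfsense-file.iso.gz> <sha256 from download page>
verify_and_extract() {
    file=$1
    # Normalise the pasted checksum: lower case, no stray whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }

    # A SHA256 digest is exactly 64 hex characters. Reject anything else so
    # a truncated copy/paste cannot be mistaken for a usable reference.
    case $expected in
        *[!0-9a-f]*) echo "expected checksum is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected checksum is not 64 characters" >&2; return 2; }

    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1    # leave the file untouched for inspection
    fi

    # Test the gzip stream first, then decompress (gunzip removes the .gz).
    gunzip -t "$file" && gunzip "$file"
}
```

A non-zero return means the image was not extracted: 1 for a checksum mismatch, 2 for a missing file or a malformed reference checksum.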

Create the pfSense VM

Create VM Wizard

Log in to your Proxmox server's web interface, then click the Create VM button. Use the following recommended settings.

Create pfSense VM in Proxmox 1

  • Node by default will be the Proxmox server you are logged in to. Change this as needed, if connecting to a cluster
  • Insert a suitable VM ID, the default will probably be fine
  • Give your pfSense VM a suitable Name
  • Enable the Start at boot check box
  • Optionally, select a suitable Resource Group
  • Optionally, enter suitable Startup and Shutdown options. Most likely this VM should be started first (Startup/Shutdown order value of 1)
  • Click Next

 Create pfSense VM in Proxmox 2 

pfSense inherits excellent support for KVM from FreeBSD, so Proxmox can simply consider it to be Linux as follows:
  • Select Use CD/DVD disc image
  • Select Storage as local
  • Select from ISO Image the pfSense iso file
  • The VM Type will be Linux
  • In Proxmox 6.0, the Version will be 5.x - 2.6 Kernel
  • In prior releases of Proxmox, the Version will be 4.X/3.X/2.6 Kernel
  • Click Next

 

Create pfSense VM in Proxmox 3

The defaults (shown above) are adequate, so click Next

 

Create pfSense VM in Proxmox 4

  • The Bus/Device default should be adequate
  • Select suitable Storage and Disk Size to suit your needs
  • We recommend enabling IO thread
    which should improve IO performance by giving the disk its own worker thread
  • Optionally, configure other disk settings to suit your needs or return to them later

 

Create pfSense VM in Proxmox 5

For an example set up, the default CPU settings should be adequate. These can easily be adjusted as needed after installation. Click Next

 

Create pfSense VM in Proxmox 6

  • Setting Memory to 1024 is adequate for an example installation and can easily be adjusted after installation
  • Disable the Ballooning Device check box
  • Click Next

 Create pfSense VM in Proxmox 7

  • Select from the Bridge drop down, your WAN network bridge
  • Disable the Firewall checkbox, as we do not want Proxmox to apply its own network policy on to our pfSense VM
  • Select from Model the VirtIO option as pfSense has excellent support for this device type
  • Optionally, specify a specific MAC address
  • Set Multiqueue to 8, which will allow the BSD kernel to negotiate the optimal value with Proxmox
  • Click Add

 Create pfSense VM in Proxmox 8

 

Review the details selected, ensure that Start after created is not set, then click Finish

 

Create pfSense VM in Proxmox 9

Select the newly created VM, then click Hardware, then Add. A pop up will appear.

 Create pfSense VM in Proxmox 11

  • From the Bridge drop down, select your LAN bridge
  • Disable the Firewall checkbox as before with WAN
  • Select from Model the VirtIO option as before with WAN
  • Optionally, specify a specific MAC address
  • Set Multiqueue to 8, which will allow the BSD kernel to negotiate the optimal value with Proxmox
  • Click Next

 

Create pfSense VM in Proxmox 12

KVM presents a tablet stylus pointer device to the Guest OS. This is convenient for Windowing systems but can cause high CPU usage even when idle. pfSense has no Windowing system, so we recommend disabling it.

  • Click Options
  • Double click on Use tablet pointer, a pop up window will appear
  • Un-check the Enabled check box
  • Click OK

 

Create pfSense VM in Proxmox 13

Configuration of the VM itself is now complete. Click Start to run the VM for the first time and install the pfSense software.
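
Before the first boot, the settings chosen in the wizard can be checked from the Proxmox shell against the VM's stored configuration, which Proxmox keeps in /etc/pve/qemu-server/<VM ID>.conf. This is an added example, not part of the original guide; the function names are made up here and the sample configuration is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Proxmox VM config against this guide's settings.
# Prints one line per deviation and returns the number found.
audit_pfsense_vm() {
    # Only the current config counts; snapshot sections start with "[name]".
    current=$(sed '/^\[/,$d' "$1")
    findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    opt() { printf '%s\n' "$current" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1; }

    # An absent key means the Proxmox default, which is not what the guide sets.
    [ "$(opt onboot)" = 1 ]  || flag "Start at boot is not enabled"
    [ "$(opt balloon)" = 0 ] || flag "Ballooning Device is enabled"
    [ "$(opt tablet)" = 0 ]  || flag "Use tablet pointer is enabled"

    nets=$(printf '%s\n' "$current" | grep -E '^net[0-9]+:' || true)
    count=$(printf '%s\n' "$nets" | grep -c '^net' || true)
    [ "$count" -ge 2 ] || flag "expected WAN and LAN NICs, found $count"

    while IFS= read -r line; do
        [ -n "$line" ] || continue
        dev=${line%%:*}
        case $line in *firewall=1*) flag "$dev: Proxmox firewall enabled" ;; esac
        case $line in "$dev: virtio"*) ;; *) flag "$dev: model is not VirtIO" ;; esac
        case $line in *,queues=8|*,queues=8,*) ;; *) flag "$dev: Multiqueue is not 8" ;; esac
    done <<EOF
$nets
EOF
    return "$findings"
}

# Constructed sample (not from a real host): LAN NIC left with the firewall
# on, tablet pointer never disabled, and a snapshot section to be ignored.
sample_conf() {
    cat <<'EOF'
balloon: 0
net0: virtio=02:00:00:00:00:01,bridge=vmbr0,queues=8
net1: virtio=02:00:00:00:00:02,bridge=vmbr303,firewall=1,queues=8
onboot: 1
ostype: l26
[pre-install]
tablet: 0
net1: e1000=02:00:00:00:00:02,bridge=vmbr303
EOF
}

f=$(mktemp); sample_conf > "$f"
audit_pfsense_vm "$f" || echo "deviations: $?"
rm -f "$f"
```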

 

Create pfSense VM in Proxmox 14

Proceed as normal with the pfSense installation process.

As pictured, you can use the MAC addresses of the Network interfaces to ensure you assign them to the correct LAN and WAN functions.

 

Post-Install Configuration

Disable Network Hardware Off-loading

 

Post install pfSense configuration on Proxmox 1

Ensure hardware offload features on the network interfaces are disabled, as VirtIO interfaces have problems with NAT.

  • From the top menu, click System -> Advanced
  • Click the Networking tab
  • Ensure Hardware Checksum Offloading, Hardware TCP Segmentation Offloading, and are Ticked
  • Click Save
  • Reboot the firewall

 

If not a VM, what should I run OPNsense on?

For home, check out the A10 Dual Core or A10 Quad Core appliances in Desktop profile.

For business, check out the A10 Quad Core or the Xeon Quad Core Gen4 as Rackmount appliances.

Stuck?

We offer commercial support. Why not contact us?


