Never Ending Security

It starts all here

How to virtualize pfSense firewall including using VirtIO drivers on Proxmox VE

This install will cover how to install pfSense firewall as a virtual machine. Is it safe to virtualize a firewall?  I will leave it up for you to do your own research to find your answer there numerous online discussions which go over this topic.  These are just two which I have stumbled upon. From serverfault and Security Week.  Personally I am more in the camp of folks who agree it is safe to Virtualize a firewall. You can read about pfSense here.

How to virtualize pfSense firewall including using VirtIO drivers

The requirements of this tutorial are the following:

  1. A functioning Proxmox Hypervisor with version 3.3-5/bfebec03 or newer.
  2. You have already created the necessary network bridges.  I have gone over this on my other tutorial how to Virtualize IPCop on Proxmox.
  3. Administrative rights on the Proxmox server.
  4. (Might be optional) I have a Proxmox Community subscription plan for pricing you can check it here.  The subscription plan provides access to the Enterprise repository.  The cost is very reasonable when compared to other commercial virtualization platforms.  I paid 99.80 euro’s, at the time of conversion it was $115.41 per year.
  5. Comfortable using Linux.
  6. Some knowledge using vi

Creating a Linux Bridge

This is done on the Proxmox host.

This is the part I miss using VMware ESX control panel assigning virtual switches and nic cards.  Proxmox web interface has the ability to create Linux Bridges and OVS switches for virtual machines to use but the configuration I am going to use can’t be done through the Proxmox web interface.  This has to be done through the command line.

I prefer to  use vi when editing files so I had to install this.

apt-get install vim

Connect to Proxmox host using SSH.

ssh -l root proxmox-server-ip

What the following bridge settings mean.

bridge_stp off # disable Spanning Tree Protocol

bridge_fd 0 # no forwarding delay

bridge_ports eth0 # which nic card to attach

Move to the network directory.

cd /etc/network

Edit the interface file.

vi interfaces

Copy and paste below after any configuration already in there.  On my Proxmox host physical server I have 5 physical network cards installed.  I therefore created 4 network bridges.

Below is the process of creating one network bridge. Each time you add another network bridge just rename each network bridge as vmbr1, vmbr2, vmbr3, etc.

## this is for pfSense WAN nic

auto vmbr1
iface vmbr1 inet manual
bridge_ports eth1
bridge_stp off
bridge_fd 0

Save and exit.


Each time a network bridge is created a reboot is needed to apply new settings.  So it is better to add all of the bridge configuration one time.


Below is what my network bridge configuration file looks like.  Yours make look different depending on how many you have.

network bridges

I purposely left out network bridge vmbr0 from being assigned for use for virtual machines.  This is the network I will be using solely when I connect to my Proxmox web gui.  Proxmox scheduled backups is also going through this network.

Note: vmbr0 is the only network bridge which should have a gateway IP assigned!


The reason we don’t put a gateway IP address for the network bridges we create because we add the gateway IP on the virtual machines nic card.  Example: the image below shows my Windows 7 computer has a gateway IP address of which is the IP address of my pfSense LAN nic card.

win7 gw

After Proxmox reboots your network settings should look similar to mine.  The IP address for vmbr0 and gateway settings have been erased for security reasons.  vmbr1 settings for Port/Slaves, IP address, Subnet mask and Gateway are intentionally left blank.  This is to make sure any network traffic coming through vmbr1/eth1 will pass through pfSense WAN virtual nic.

When you have met all of the requirements let us begin.

Download pfSense

From the pfSense website download the 64bit installer.

pfsense download

Check to make sure the pfSense ISO has not been altered.  On my Mac I open a terminal and use md5 to check the checksum against the md5 checksum posted on the pfSense website.

md5 checksum

Logging in to the Proxmox web GUI

Login to the Proxmox web gui this will be  The Proxmox hypervisor will be using a self signed certificate do your acceptance for your specific browser of choice.  I will be using Firefox.

Upload the ISO to the Proxmox Hypervisor

On the left menu click on local the choose content tab then upload.  Navigate to where your pfSense ISO is then click upload.

iso upload

 Virtualizing pfSense using KVM (Kernel-based Virtual Machine)

Create a Virtual Machine

After you login click on the menu Create VM which is located on the top right.

create vm

Give your VM an ID and name.  Click next.


Choose other OS types since pfSense is built using FreeBSD. Click next.

choose other

For the ISO click on the drop down to choose your uploade pfSense ISO file. Click next.

iso file

Choose IDE for Bus/Device for now we will later replace this using a VirtIO driver. I choose Raw disk for my block format.  According to Proxmox developers this is the more performant. Click next.

block device

Allocate your CPUs. My Super Micro box has two sockets hence the settings below. Leave it at kvm64 bit. Click next.

cpu allocation

Allocate memory.  It will depend on how much your physical server has to spare and your intended use for your pfSense firewall.  Click next.

allocate memory

Add a nic card assign it to network bridge.  I have mine to use vmbr1 using an Intel E1000 driver for the nic card.  Click next the finish.


Then go back into the hardware tab and add another nic card using Intel E1000 driver.  Click add.

add 2nd nic

Be sure to add the second nic card to use a different network bridge.  Mine is setup as vmbr3.


Then go back into the hardware tab and add the third nic card using Realtec driver.  Add it no another bridge for mine it will vmbr4. Click add.

This third nic card will be assigned for our DMZ.

Yours will look similar to my hardware summary here except maybe for the CPU count.  If you’re curios to know what sort of resources you need for your environment consult thisguide.

hardware summary

 Launch the VM

Click on the newly create pfSense VM, then on the top right menu click Start.  When it starts immediately click on Console.  These two menus are pretty much close to each other. Choose noVNC.


Pay attention to the screen I mean it, it will fly past so quickly. When you see the install option menu enter i.  You know you will be successful when you see the image below.  Use the settings shown.  Enter.

video settings

Choose Quick/Easy Install. Enter.  OK. Enter.

easy install

Click OK to proceed with installation.

ok install

Installation proceeds.

install progress

Install standard kernel. Enter.

standard kernel



Note down the names your three identified nic cards.


Choose n (No) when asked to setup vlans.  Enter.

no vlans

em0 (0) is numeral zero

Type in em0 (0) is numeral zero for the WAN interface. Enter.


For the LAN nic hit enter em1.

no lan nic

For the DMZ nic enter re0.

You will be asked for Optional2 just hit enter for none.

card assignments

Confirm network settings. y enter.


Enabling VirtIO

This is the part we will load necessary modules so we can use VirtIO drivers.  We will be editing the file /boot/loader.conf.local.  Choose option 8. Enter.

option 8

I will be using vi to edit the configuration file.  We need to put it into this file so the instruction becomes permanent otherwise it will be gone each our pfSense virtual firewall reboots.


vi /boot/loader.conf

Add the following entries one on each line.


When the done the file will look.


Save the file.


Type exit. Enter.  To close out the shell console.

This part we will shutdown our pfSense VM.  Choose option 6.  Enter.   Type y enter.

shutdown pfsense

Your VM icon will turn from white black indicating the VM has been shutdown.  Click your VM pfSense from the left menu of the Proxmox web GUI then go to hardware tab.  Click CD/DVD choose remove. Click yes.

remove cdrom

Now start the VM back up by clicking start from the top right menu.  Access the console again.


When the options menu comes up choose option 2. Enter.

option 1

You will again be asked if you want to setup vlans.  Choose n.  If you want to setup vlans you can read the pfSense online docs.

You’re shown available interfaces to configure.


Enter the number of the interface you want to configure.  I am will be adding a static IP for the LAN interface.

Enter 2

Enter the LAN IP.  I am putting in IP address  Enter.

enter lan ip

I am using the subnet mask, therefore I will put in 24 for bit count.  Enter.

24 bit count

When you get to this part just enter for none.  Enter.

upstream gateway

For LAN IPv6 enter for none.  Enter.


Do you want to enable DHCP on the LAN interface.  I will enable DHCP for mine. Enter y.

enable dhcp

Enter the beginning IP for your DHCP client range.  This is what I have.  Enter

ip range

Enter the end of the IP range.  This is what I have. Enter.

end of ip range

Set to n when asked to revert the webconfigurator protocol to HTTP.  We want to access our pfSense web GUI through SSL.

pfsense gui

Now it indicates we will be able to access our pfSense firewall using IP from a web browser.  Enter to take console back to menus.

Connecting to pfSense web gui

From another computer we will now connect to our pfSense Web GUI using the IP address you have used for your LAN nic.

Type in the URL in your browser

Note: Your browser will warn you since you’re connecting to self signed certificate. Just accept it.  (Replace with your own LAN IP)

Default login are:

Username: admin

Password: pfsense

default login

pfSense wizard will assists you setting up your newly installed pfSense firewall.  Click next.

pfsense wizard

You can sign up for the pfSense Gold Subscription.  I will skip this for now. Click next.

pfsense gold subscription page

Provide your pfSense hostname and domain.  Add your DNS name servers or have DHCP provide those for you.  I am using Google’s name servers. Click next.

pfsense hostname

Set your timezone. Use the default time server.  Click next

time zone

Set your WAN settings here.  Yours could be DHCP or PPOE.  I will set mine as static IP.  The static IP the address, subnet mask and gateway will be provided to you by your Internet Service Provider.  Click next.

wan stattic

stattic ip

After you set your WAN IP as static go to General Setup menu.  Look at the DNS settings if it has an option to use a GW set this to the default gateway provided to you by ISP provider.

Note: I had an issue where I was unable to update my pfSense firewall even though I was able to ping an external host from the pfSense console.  I was even able to do an nslookup successfully but each time I tried to update pfSense an error came back which said it was unable to contact the pfSense update server.  After putting this GW information for my DNS the update worked.

dns gw

We have already set our LAN IP through the console so just click next.


Change the admin password for the web gui.  Click next.

web gui pass

Click reload.


Congratulations!  You have just setup your pfSense router.


pfSense Dashboard.


Let us check if our pfSense has any updates.  From the System menu > Firmware > Auto Update tab.

As I was checking the update it turns out pfSense version 2.2 just got released!  With a click of a button I was able to uprade my pfSense 2.1.5 to 2.2 easily.  After installation of the upgrade the firewall will automatically reboot.

Click invoke auto upgrade.  (Give it time to download could take a few minutes).


Since there are significant changes introduce by 2.2, I did a simple to test to make sure my virtIO enabled nic cards still works using the ping option 7 from the pfSense console.  Test looked good.

ping check

From my Linux workstation I am also able to ping an external address.  The Linux worstation is using the IP address of the pfSense as its default gateway.  This is the LAN IP of the pfSense firewall.

ping external

You now have a functioning pfSense firewall but if you want to use the VirtIO device drivers continue with instructions below.

Change the block and nic device driver to use VirtIO on pfSense

Why would you want to do this?  Here is the answer from the website.

“Virtio is a virtualization standard for network and disk device drivers where just the guest’s device driver “knows” it is running in a virtual environment, and cooperates with the hypervisor. This enables guests to get high performance network and disk operations, and gives most of the performance benefits of paravirtualization.”

From the pfSense console choose option 8 for shell. Enter.

option 8

Type in

vi /etc/fstab

Change the following two lines.

/dev/ad0s1a       /           ufs       rw     1     1
/dev/ad0s1b       none    swap   rw      0    0

To read as.

/dev/vtbd0s1a    /            ufs       rw    1     1
/dev/vtbd0s1b    none     swap   sw    0     0

Save your changes.


Then exit out of the console. Type in exit.

Shutdown your pfSense server from the console.  Choose option 6. Enter.

Screen Shot 2015-01-21 at 4.53.05 PM

The configuration we will need to change could be found at the Proxmox hypervisor.  Log back into your Proxmox web gui then on the left menu click on your Proxmox host.  Mine is called proxmox-supermicro.

proxmox host

Then from the top right menu click console then choose noVNC.


Then move to the directory where the configuration file we need is located.  This will contain all of the configuration files of your KVM based virtual machine which is what we’re using for our pfSense firewall. My pfSense virtual machine has the VM ID of 198.

cd /etc/pve/qemu-server/

Before you alter the original file it is wise to make a copy first.

cp 198.conf 198.conf.orig

After making the copy edit the file. We need to change this line

vi 198.conf

ide0: local:198/vm-198-disk-1.raw,format=raw,size=10G

to read as (the one marked in red is the numeral zero indicating this is the first block device).

virtio0: local:198/vm-198-disk-1.raw,format=raw,size=10G

Change the bootdisk also to.

bootdisk: virtio0

Save your changes.


Start up your pfSense virtual machine.  Good job!  Now you’re running your block device using the virtIO driver.  If you look at your hardware summary you will find your hard disk is using (virtio0).


Set VirtIO nic drivers for pfSense

Note: Very important! Before proceeding with changing anything this needs to be done using the pfSense gui. Go to System then Advance then Networking. Disable hardware checksum offload. Click save.


Shutdown your pfSense firewall from the console or web gui.

option 6

Click on your VM ID, then hardware tab then click nic card you want to change the driver then click edit. I am going to change all nic cards to use virtIO.

change to virtio

Start pfSense backup.  You will once again be asked to configure your network interfaces. Click n when asked to setup VLANS.  Pay attention to the naming convention which has changed for the network cards they all start with vtnet with 0,1,2 appended on each end for each network card.

setup vlans

Lets start to assigned each one.

Enter for WAN using vtnet0

Enter for LAN using vtnet1

Enter for DMZ using vtnet2

Enter for none.

Confirm y  to apply new settings.


From the pfSense console choose option 7.  This will test if our new network card drivers are working.  Ping an external host IP.

ping host

Enjoy the awesome pfSense Open Source Enterprise grade firewall for free!



Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s