10 Jul 2021
I have been using pfSense for a while now, its been running on a small embedded CPU system. It started out as an experiment to gain some exposure to pfSense for my own personal study.
Since I have also dappled with Proxmox for virtualisation and containerisation. Now I would like to create a Virtual Machine for my pfSense installation and decommission the other computer system.
I already have my Proxmox setup and ready, this article will not cover how to install and setup Proxmox. This article will cover the following topics:
I have created a simple diagram to illustrate what I plan of doing in terms of physical and logical devices.
Its worth mentioning that I have an Intel PRO/1000 PT 4-port 1GB NIC installed in my Proxmox server ready for this project.
We’ll first need the latest copy of pfSense, which can be downloaded from their website. I will be installing version 2.5.2, AMD64 DVD Image (ISO).
We’ll need an up to date backup file for our pfSense instance, we can download a configuration XML by navigating to Diagnostics > Backup & Restore.
On the Backup & Restore tab, we will check to include extra data and select Download configuration as XML.
Make sure to keep this file safe and to hand as we’ll need it to restore our configuration to the new virtual pfSense.
Once done, turn off the physical pfSense box.
To configure our Proxmox server so its ready for a virtual router we need to create two bridges one for our LAN and the other for our WAN, these will have physical interfaces attached to them.
I already had the LAN bridge as you need a minimum of 1 bridge for virtual machines in Proxmox. I have also commented my interfaces so I know which port is which.
The WAN bridge does not have any IP configuration applied.
Creating a Virtual Machine for pfSense is easy, the Netgate Documentation provide some guidance when creating a VM for pfSense.
I will step through the Create: Virtual Machine wizard and mention anything I changed from the default values.
On the general tab I have checked the Start at boot option, you may need to check the “Advanced” options box at the bottom. I have also added a start order of 1 with 0 delay as I want my pfSense virtual machine to start as soon as possible.
On the OS tab I have changed the Guest OS type to “Other”.
On the System tab I have changed the Graphic card to SPICE, this provides us with more features if we wish, but will also save us some system resource.
On the Hard Disk tab I have selected VirtIO Block as advised by Netgate.
On the CPU tab I have selected 4 cores, this should be plenty given my host CPU and the expected pfSense workload. I have also selected the Type as host, this means our CPU type will be passed through and reported correctly by pfSense.
On the Memory tab I have unchecked Ballooning (Dynamic RAM) and set the RAM to 4GB.
EDIT: I have since bumped this upto 8GB as some of my services were using quite a bit of RAM
On the Network tab I have unchecked the Firewall option and set the Model to VirtIO (paravirtualised). I have also configured the Multiqueue to 8 (Max).
Multiqueue: This option allows the guest OS to process networking packets using multiple virtual CPUs, providing an increase in the total number of packets transferred. - PVE Proxmox
Complete the wizard but do not start the virtual machine.
Now we’ll need to add an additional Network Device, go to the Virtual Machine > Hardware > Add > Network Device.
Here we will add the other bridge, in my case VMBr3. The settings are the same as the Network Device we configured in the wizard.
Our Virtual Machine is now ready to start the installation of pfSense.
Start the pfSense VM and open a Console.
The pfSense installation wizard is very straight forward so I will only skim over it, noting points which I needed to alter.
By default the keymap is set to US, I wanted to change mind to United Kingdom as thats where I am from an the type of keyboard I use.
I went for a Auto (ZFS) installation, continuing with the defaults.
With the installation complete, I selected No as I did not need a shell. The new pfSense install with now reboot.
The pfSense will boot and ask us to assign the interfaces. The interfaces should have MAC addresses that match your Proxmox bridge MAC addresses, which makes it really easy to know the correct assignment.
In my pfSense instance I did not require any VLAN setup, I then assigned vtnet1 as my WAN and vtnet0 as my LAN, this was based upon the MAC address given above and comparing against Proxmox.
We should now have a fresh pfSense instance we can access via the LAN IP address. The default user credentials:
Before attempting to restore I ensure that I have a working base system, with a WAN address issued by my ISP modem.
EDIT: I had to power off my ISP modem until the restore process completed, please see the Troubleshooting section
Now we can restore, navigate to Diagnostics > Backup & Restore.
In the Restore Backup section, we will be restoring all. Browse to the configuration file we backed up earlier and begin the restore process.
Once the initial restore completed my pfSense instance restarted and on my console I was prompt for assigning my interfaces again.
The complete restore process takes a while, so be patient!
Once the restore has complete, we are finished, give it a test and check everything is okay.
When using VirtIO interfaces in Proxmox VE, hardware checksums must be disabled, otherwise the virtual machine will not pass traffic properly, accessing pfSense may be sluggish as well.
These should be disabled by default, but its worth checking, they can be found by navigating to System > Advanced > Networking.
I had difficulties with my ISP’s modem, I found that I had to power the device off and leave it for a few minutes before I could obtain an IP address for my WAN.
During my restore process I had to leave the ISP modem off until restore completed, restore power to the ISP modem and wait until I had my WAN IP leased to me correctly, then the restore process could continue in the background.
I have a custom .conf file listed in my DNS resolver custom options, which was not brought over with the Backup & Restore. The entry caused an issue with the Restore but after removing it, services started correctly and everything continued nicely.