
Setting up pfSense Firewall in KVM

Virtualize Your Network Security: A Step-by-Step Guide to pfSense on KVM

Virtualizing your firewall is a powerful strategy for consolidating hardware, increasing flexibility, and creating a robust, isolated network environment. By running a dedicated firewall as a virtual machine, you gain the ability to easily create snapshots, migrate your setup, and manage resources dynamically. One of the best combinations for this task is the open-source powerhouse pfSense running on the Linux KVM (Kernel-based Virtual Machine) hypervisor.

This comprehensive guide will walk you through the entire process of installing and configuring a pfSense firewall inside a KVM virtual machine. We will cover everything from network preparation on the host to the final configuration of your new virtual firewall.

Prerequisites: What You’ll Need

Before we begin, ensure you have the following in place:

  • A Linux host with KVM and libvirt installed. This guide assumes you are comfortable with command-line tools like virsh or graphical clients like virt-manager.
  • At least two physical network interfaces (NICs) on your KVM host. One will be dedicated to your WAN (internet) connection, and the other to your LAN (internal network).
  • The latest pfSense Community Edition ISO image. You can download it for free from the official pfSense website. Select the “AMD64 (64-bit)” architecture and “ISO Installer” file type.

Step 1: Preparing Network Bridges on the KVM Host

The most critical step is correctly configuring the networking on your KVM host. To allow pfSense to manage traffic, it needs exclusive access to the WAN and LAN interfaces. We achieve this by creating network bridges. A bridge acts like a virtual switch, allowing virtual machines to connect directly to a physical network.

You will need two separate bridges:

  1. WAN Bridge (br-wan): This bridge will be linked to the physical NIC connected to your modem or internet source.
  2. LAN Bridge (br-lan): This bridge will be linked to the physical NIC connected to your local network switch.

Crucially, do not assign an IP address to the WAN bridge on the KVM host. Your pfSense VM will handle all IP addressing for the WAN interface via DHCP or a static assignment from your ISP. You can assign a static IP to your LAN bridge for host management if desired.

Creating these bridges can be done using nmcli, netplan, or by editing network scripts, depending on your Linux distribution.
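One way to do this with nmcli, followed by a check that the host holds no address on the WAN bridge. This is an added example, not taken from the original guide; the NIC names enp2s0 and enp3s0, the host address 192.168.1.2/24 and the sample `ip` output are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Assumed names: enp2s0 = WAN NIC, enp3s0 = LAN NIC,
# 192.168.1.2/24 = host management address on br-lan.
WAN_NIC="${WAN_NIC:-enp2s0}"
LAN_NIC="${LAN_NIC:-enp3s0}"
HOST_LAN_CIDR="${HOST_LAN_CIDR:-192.168.1.2/24}"

# Print the nmcli commands for review; pipe the output to `sh` to apply them.
# br-wan gets no IPv4 and no IPv6 (not even link-local), so only pfSense
# speaks IP on the WAN segment. ipv6.method disabled needs NetworkManager 1.20+.
bridge_plan() {
  cat <<EOF
nmcli connection add type bridge ifname br-wan con-name br-wan bridge.stp no ipv4.method disabled ipv6.method disabled
nmcli connection add type bridge-slave ifname $WAN_NIC con-name br-wan-port master br-wan
nmcli connection add type bridge ifname br-lan con-name br-lan bridge.stp no ipv4.method manual ipv4.addresses $HOST_LAN_CIDR ipv6.method disabled
nmcli connection add type bridge-slave ifname $LAN_NIC con-name br-lan-port master br-lan
nmcli connection up br-wan
nmcli connection up br-lan
EOF
}

# Read `ip -o addr show` output on stdin and list every address bound to
# the named device as "<family> <address/prefix>".
addrs_on() {
  awk -v dev="$1" '$2 == dev && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# Return 0 when the bridge carries no address at all, 1 (with a message) otherwise.
wan_is_unaddressed() {
  found="$(addrs_on "${1:-br-wan}")"
  [ -z "$found" ] && return 0
  printf 'host address on %s: %s\n' "${1:-br-wan}" "$found" >&2
  return 1
}

# Constructed sample of `ip -o addr show`: br-wan wrongly kept a link-local address.
SAMPLE_BAD='1: lo    inet 127.0.0.1/8 scope host lo
4: br-wan    inet6 fe80::5054:ff:feaa:bb01/64 scope link
5: br-lan    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan'

case "${1:-}" in
  plan)  bridge_plan ;;
  check) ip -o addr show | wan_is_unaddressed br-wan && echo "br-wan: no host address" ;;
esac
```

Run it with `plan` to review the commands and with `check` after the bridges are up; any existing NetworkManager profile on the two NICs has to be removed or disabled first so it does not re-address them.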

Step 2: Creating the pfSense Virtual Machine

With the network bridges in place, it’s time to create the VM. We recommend using virt-manager for a straightforward graphical setup.

  1. Launch virt-manager and create a new virtual machine.
  2. Select the pfSense ISO as your installation media.
  3. Allocate Resources:
    • CPU: 1-2 vCPUs are sufficient for most home and small business use cases.
    • RAM: A minimum of 1 GB of RAM is recommended.
    • Disk: A virtual disk of 10-16 GB is more than enough for the base system and logging.
  4. Configure Networking: This is the most important part of the VM setup.
    • Before finishing the creation wizard, check the box for “Customize configuration before install.”
    • In the hardware details screen, add a second Network Adapter.
    • Configure the first network adapter to connect to your WAN bridge (br-wan).
    • Configure the second network adapter to connect to your LAN bridge (br-lan).
    • Important: For both network adapters, set the Device model to virtio. VirtIO drivers provide significantly better performance than emulated network cards.

Once configured, begin the installation.
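A check of the adapter settings from step 4, run on the KVM host against `virsh domiflist` output. This is an added example, not part of the original guide; the domain name pfsense and the sample output are assumptions. It also prints each bridge's MAC so the adapters can be matched to vtnet0 and vtnet1 by MAC address in the pfSense console rather than by guessing the order.

```shell
#!/usr/bin/env bash
# Added example: audit the NICs libvirt presents to the pfSense VM.
# Constructed sample of `virsh domiflist pfsense` ("pfsense" is an assumed
# domain name); the second adapter was left on an emulated e1000 model.
SAMPLE_DOMIFLIST=' Interface   Type     Source   Model    MAC
-------------------------------------------------------------
 vnet0       bridge   br-wan   virtio   52:54:00:aa:bb:01
 vnet1       bridge   br-lan   e1000    52:54:00:aa:bb:02'

# Read domiflist output on stdin. Prints an INFO line mapping each bridge to
# its MAC, a FAIL line per problem, and exits 1 if anything failed.
audit_nics() {
  awk '
    $1 == "Interface" || /^ *-+ *$/ || NF < 5 { next }   # header, ruler, blanks
    {
      n++; type = $2; src = $3; model = $4; mac = $5
      printf "INFO %s -> %s\n", src, mac
      if (type != "bridge") {
        printf "FAIL %s: type %s, expected bridge\n", mac, type; bad = 1
      }
      if (model != "virtio") {
        printf "FAIL %s: model %s, expected virtio\n", mac, model; bad = 1
      }
      seen[src]++
    }
    END {
      if (n != 2)              { printf "FAIL expected 2 NICs, found %d\n", n; bad = 1 }
      if (seen["br-wan"] != 1) { print "FAIL need exactly one NIC on br-wan"; bad = 1 }
      if (seen["br-lan"] != 1) { print "FAIL need exactly one NIC on br-lan"; bad = 1 }
      exit bad + 0
    }'
}

# Live use on the host: ./audit.sh --live [domain]
if [ "${1:-}" = "--live" ]; then
  virsh domiflist "${2:-pfsense}" | audit_nics
fi
```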

Step 3: Installing pfSense

The pfSense installation process is text-based but very direct.

  1. Boot the VM from the ISO.
  2. Accept the copyright and distribution notice.
  3. Select Install from the welcome screen.
  4. Proceed with the default keymap.
  5. For partitioning, choose Auto (ZFS). This is the modern, recommended filesystem for its robustness and features.
  6. Proceed through the ZFS configuration options (defaults are generally fine).
  7. Select your virtual disk (vtbd0) as the installation target and confirm the installation.
  8. Once the installation is complete, the installer will ask if you want to open a shell. Choose No.
  9. Finally, select Reboot. Be sure to disconnect the ISO image from the virtual CD-ROM drive in your virt-manager settings so it boots from the virtual disk.

Step 4: Initial Console Configuration

After rebooting, pfSense will boot to a console menu. The first task is to tell pfSense which virtual network card is for the WAN and which is for the LAN.

  1. pfSense will likely prompt you about setting up VLANs first. Unless you need them, type n and press Enter.
  2. Next, it will ask you to identify the WAN interface. It will show you the names of your VirtIO network adapters (e.g., vtnet0, vtnet1). Enter the name of the adapter connected to your WAN bridge (likely vtnet0) and press Enter.
  3. It will then ask for the LAN interface. Enter the name of the other adapter (vtnet1) and press Enter.
  4. Confirm your assignments.

After assigning interfaces, the console menu will appear. Now, let’s set the LAN IP address so you can access the web interface.

  1. Select option 2) Set interface(s) IP address.
  2. Choose the LAN interface (likely option 2).
  3. Enter the desired IPv4 address for your firewall’s LAN interface (e.g., 192.168.1.1).
  4. Enter the subnet mask (e.g., 24).
  5. Press Enter when asked for an upstream gateway, as this is the LAN interface.
  6. You can skip the IPv6 configuration for now by pressing Enter.
  7. When asked to enable the DHCP server on LAN, type y and press Enter.
  8. Define the IP range for your DHCP clients (e.g., start: 192.168.1.100, end: 192.168.1.200).
  9. Finally, confirm reverting to HTTP for the web configurator. The WebGUI, including the admin login, is then served unencrypted on the LAN.

You can now access the pfSense WebGUI from any other machine or VM connected to your LAN bridge.

Step 5: The Web Setup Wizard and Best Practices

Open a web browser on a client machine connected to the LAN network and navigate to the IP address you just configured (e.g., http://192.168.1.1).

  • Default Credentials:
    • Username: admin
    • Password: pfsense

You will be greeted with the setup wizard. Follow the prompts to set essential parameters like hostname, domain, primary DNS servers, and time zone.

Most importantly, you will be prompted to change the default admin password. Do this immediately.

Security and Performance Tips for Virtualized pfSense

  • Use VirtIO Drivers: Always use virtio for both network and block devices in KVM for near-native performance.
  • Isolate Your KVM Host: Ensure the management interface for your KVM host is on a separate, secure network and is not accessible from the WAN.
  • Backup and Snapshot: Take advantage of virtualization by taking regular backups or snapshots of your pfSense VM, especially before making major configuration changes.
  • Resource Management: Monitor the CPU and RAM usage of your pfSense VM. While it is lightweight, heavy use of packages like Suricata or pfBlockerNG may require you to allocate more resources.
  • Keep Everything Updated: Regularly update both your KVM host operating system and your pfSense software to protect against security vulnerabilities.

By following this guide, you have successfully deployed a powerful, enterprise-grade firewall as a virtual machine, providing a secure and flexible foundation for your entire network.

Source: https://kifarunix.com/install-pfsense-firewall-on-kvm/
