
pfSense as a VM

Create a new VM with 2 interfaces:

sudo virt-install --connect qemu:///system \
--network=bridge:virbr0 \
--network=bridge:VMnetwork \
-n router \
-f /home/imgs/router.img \
-r 1024 \
-s 12 \
--cdrom=/home/isos/pfSense-CE-2.4.5-RELEASE-p1-amd64.iso \
--os-variant=freebsd11.3 \
--accelerate --hvm --graphics vnc

Initial configuration

Because the graphics type specified is vnc, this method requires some sort of graphical viewer, at least for the initial install. For this guide, all install options were left at their defaults and the machine was simply rebooted after install.

Some guesswork was involved, but for now WAN and LAN were set as follows:

WAN -> vtnet0
LAN -> vtnet1

Allow changes from WAN interface

Run the following commands to disable the packet filter (and allow changes to be made from the "WAN" side):

# at the console menu, enter 8 to open a shell
8
# disable the packet filter
pfctl -d

Log into WAN interface from home LAN

Now log into the WAN interface using the pfSense default username and password:

admin
pfsense

Hostname and domain

Then enter the following for hostname and domain:

hostname: router
domain: internal.virtnet

WAN configuration

Set the WAN interface to static:

IP Address: 192.168.86.4
Subnet Mask: 24
Upstream Gateway: 192.168.86.1
Turn off RFC1918: Block RFC1918 Private Networks

Make sure to uncheck "Block private networks from entering via WAN", as the WAN interface is within a LAN.

LAN configuration

IP: 172.16.0.2
Subnet Mask: 16

Then set the admin password.

It may be necessary to go back to the console and disable the packet filter again:

pfctl -d

Allow access to the web console via WAN interface

Then sign back in to the router via the web GUI. Finally, allow open access to the GUI:

  1. System -> Rules -> WAN -> Add
  2. Action: Pass
  3. Interface: WAN
  4. Protocol: TCP
  5. Source: Network - 192.168.86.0 /24
  6. Destination: WAN Address
  7. Destination port range: HTTPS
  8. Description (optional): Allow remote management from home LAN
  9. Save
  10. Apply Changes

note

Because the WAN interface is actually within a LAN, and thus behind a firewall/router, the above steps were not a concern. If, however, this is created with a public IP interface, then an alternative method should be sought.

Re-enable the packet filter in the VM console if it hasn't been already:

pfctl -e

Add a rule - port 22

Add a rule to allow port 22 from the WAN net to the LAN net. This will allow a device from the WAN network to connect to any server within the LAN via ssh.
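
Since `pfctl -d` leaves the router unfiltered until `pfctl -e` is run, the script below confirms that the packet filter is enabled and lists inbound pass rules on the WAN interface whose source is `any`. It is an added example, not part of the original guide; the function names are hypothetical, and the fallback sample lines are constructed in the style of `pfctl -s info` and `pfctl -sr` output.

```sh
#!/bin/sh
# Added example, not from the original guide. Run in the pfSense shell (console option 8).

# pf_status: reads `pfctl -s info` output on stdin; prints enabled, disabled or unknown.
pf_status() {
    awk '/^Status:/ { print tolower($2); found = 1; exit }
         END { if (!found) print "unknown" }'
}

# wan_any_source: reads `pfctl -sr` output on stdin; prints inbound pass rules on
# interface $1 whose source is "any" (wider than the home-LAN source used in this guide).
wan_any_source() {
    awk -v ifc="$1" '
        $1 == "pass" && $2 == "in" &&
        index($0, " on " ifc " ") && index($0, " from any ") { print }'
}

# audit: $1 = WAN interface, $2 = file with `pfctl -s info`, $3 = file with `pfctl -sr`.
# Returns 0 only when pf is enabled and no any-source pass rule exists on that interface.
audit() {
    state=$(pf_status < "$2")
    open=$(wan_any_source "$1" < "$3")
    [ "$state" = "enabled" ] || { echo "FAIL: packet filter is $state (run pfctl -e)"; return 1; }
    [ -z "$open" ] || { echo "FAIL: any-source pass rules on $1:"; echo "$open"; return 1; }
    echo "OK: pf enabled, pass rules on $1 are source-restricted"
}

tmp=$(mktemp -d)
if command -v pfctl >/dev/null 2>&1; then
    # On the router: audit the live state (vtnet0 is the WAN interface in this guide).
    pfctl -s info > "$tmp/info"
    pfctl -sr > "$tmp/rules"
else
    # Off the router: constructed sample lines, so the script can be dry-run anywhere.
    echo 'Status: Enabled for 0 days 00:10:12           Debug: Urgent' > "$tmp/info"
    echo 'pass in quick on vtnet0 inet proto tcp from any to 192.168.86.4 port = https flags S/SA keep state' > "$tmp/rules"
fi
audit vtnet0 "$tmp/info" "$tmp/rules" || true
rm -rf "$tmp"
```

A rule flagged here is not necessarily wrong, but on a WAN interface with a public IP it is the kind of rule the note above warns about.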

Disable DHCP

Go to Services -> DHCP Server -> LAN, and uncheck "Enable DHCP server on LAN interface".

Disable Hardware Checksum Offloading

note

This step is necessary in order to use the virtio network driver.

Go to System -> Advanced -> Networking, and check "Disable hardware checksum offload". Then reboot the router.
