In this blog, we will cover how you can install pfSense on a virtual box hypervisor. Since Oracle VirtualBox is free and supports Windows, MAC, and Linux operating systems, it is a great choice for someone who wanted to start with pfSense. However, if you want a good performance, I recommend you to try Pfsense on either in KVM if you are a Linux user or a VMware workstation if you are windows or MAC user.
Can I install pfSense on VirtualBox to replace my home router?
Though it can do it, it’s not the recommended method, as you would virtualize the network stack, and you won’t get good throughput. Moreover, it adds more latency to the network. If you are still planning to virtualize the PfSense to replace your home router, then the recommended method is to use KVM with a PCI passthrough to give a good performance as we connect the network interface directly to the VM that is running in the KVM hypervisor. And we will not be virtualizing the network.
How To Configure Port Forwarding in pfSense?
How To Configure OpenVPN On PfSense?
How To Configure IPsec Site To Site Tunnel In PfSense?
How to Setup IPsec Tunnel between Paloalto and PFsense?
How Do I Turn My Old Computer Into A Firewall?
Below is the topology that we will work on. First, we will install the pfSense firewall on the Virtualbox and configure it with WAN and LAN interfaces. After Pfsense is connected to the internet, we can then go ahead and simulate the end-user machine by using the Linux mint and the Ubuntu on the LAN side and test the connectivity further.
- Download and install the latest Oracle VirtualBox software.
- pfSense image, you can download it here.
Note: While downloading, make sure to select DVD Image (ISO) Installer and the mirror nearest to you.
Steps to install pfSense on VirtualBox.
I will install pfSense on VirtualBox in Windows 10. However, the steps mentioned here are similar to other operating systems, such as MAC or Linux, just that you will have to download and install the respective Virtualbox software packages.
- Setup the pfSense VM in VirtualBox.
- Configure the pfSense Memory.
- Setup the hard disk.
- Set up the Network.
- Attach the PfSense ISO image.
- Start the pfSense VM instance.
- Initiate the pfSense installation.
- Detach the pfSense disk image.
- Validate the configuration.
- Access the pfSense web GUI in VirtualBox.
- Finish the initial setup wizard.
- Test the connectivity with the end-user machine.
- Verify the DHCP lease.
1. Setup the pfSense VM in VirtualBox.
Open VirtualBox software and click on New to create new virtual machine.
A new window will pop up. You will have to define the name of the VM, for example, pfSense-fw. Also, choose the location where you wanted to save the pfSense virtual hard disk files.
In the Type, you need to make sure that you select BSD as the type and FreeBSD (64bit) as the version.
Click on Next.
2. Configure the pfSense Memory.
You need to define the memory for the pfSense virtual machine here, I am giving 2GB.
The 1GB would work just fine as well. Once you defined the memory click on Next.
3. Setup the hard disk.
Next, we are going to configure the Hard Disk for the VM, choose Create a virtual hard disk now and click on Create.
By default, VirtualBox should pick up VDI as the hard disk, you can still choose the VDI, but I wanted this VM hard disk to be used by other hypervisors such as VMware workstation in the future; hence I selected VMDK and as the hard disk file type and click on Next.
In the Storage on Physical hard disk, choose Dynamically allocated option.
You now need to define the hard disk storage size; I choose 20GB as the storage; you may choose the same or different size depending on your usage and click on Create.
4. Set up the Network.
Before you start the VM, you need to configure the Pfsense Network adapter in VirtualBox to use for the pfSense VM.
Does pfsense need two nics?
The Pfsense firewall has two interfaces: the outside interface that connects to the internet, and another is the LAN side interface that connects to the inside users. So you must use two NICs (network interface cards) while deploying the pfSense.
If you use a physical machine with a single NIC, you will have to split the interface and create VLANs to separate the traffic. Alternatively, use the USB to ethernet adapter along with the RJ45.
Things are very easy in a virtualized environment; those two NICs will act as a vnic (virtualnic) on the VirtualBox helps us connect the pfsense WAN and the LAN interfaces virtually.
As we would require two interfaces, one for the WAN and another for the LAN. Select the pfSense VM and click on Settings.
The internet connection is through the WAN link, and you can either configure the WAN interface as NAT or a Bridged interface.
If you choose the NAT interface, then the VirtualBox NAT engine has to translate the WAN IP address to the Host machine IP, which adds more overhead on the packet.
And if you choose the Bridge interface, it acts as a switch between the local network and the Virtualbox bridge interface; since your local router act as a DHCP server, it also gets an IP address from the DHCP server. With that IP, the pfsense can go out to the internet.
Choose the first adapter as Bridge Adapter which is the WAN interface.
and second adapter as VirtualBox Internal Network, that will act as a LAN adapter.
As the name suggests, the internal Network creates an internal network where only the VM’s that are part of the network can talk to each other, and it isolates from the Host machine.
So basically, the only way the host machine or anyone on the local network can talk to the LAN side of the pfsense has to come via the pfsense WAN interface.
5. Attach the PfSense ISO image.
While you are on the settings, let’s go ahead and add the ISO image that we have downloaded earlier.
- Click on Storage.
- Under storage devices, choose Empty Disk file.
- Click on the Disk icon and click on Choose a disk file to attach the ISO file that we had downloaded.
And Click on OK.
6. Start the pfSense VM instance.
Our prerequisite configuration has been completed now; let’s go ahead and start the VM by selecting the VM and click on Start.
As soon as the VM instance boots up, it would prompt you to choose the ISO bootable image, and since we already attached the Pfsense ISO image to the VirtualBox, it would ask you to choose an image.
Select PfSense image from the list and click on continue.
7. Initiate the pfSense installation.
After few seconds, you will get a pfSense installer prompt, you may click on Accept to begin the installation.
Click on install now to begin the installation.
On the Keymap choose the default one or choose based on your language.
In the partitioning wizard, choose Auto (UFS) BIOS and click on Ok.
The installation will now proceed automatically and will finish in few seconds. Once completed, it would ask you whether you want to get into the shell to make further changes or not. Click on No.
8. Detach the pfSense disk image.
Eventually, you will be asked to reboot the pfSense; before you proceed with the reboot, you need to remove the ISO image that we have added earlier.
- Click on Devices.
- Under Optical Drives, choose Remove disk from the virtual drive.
You will get a security warning, click on Force Unmount.
9. Validate the configuration.
Once rebooted the pfsense firewall would get an IP address from the local internet router.
As you can see, I got the IP address 192.168.1.28 from my wifi router. But the other problem is that both the WAN side and the LAN are in the same network; we will go ahead and change that now.
Type 2 to change the IP address of the LAN side.
After choosing 2, you will get a prompt to choose the interface for which the IP address needs to be changed. Press 2 again as the LAN side represents 2.
Enter the IP address, which is a default gateway for the LAN users; I choose 10.1.1.1; you may choose whatever network you want to.
Subsequently the subnet mask and hit enter when you finish.
I am not configuring the ipv6 hence I choose no.
We also need to configure the DHCP address for the LAN side, press ‘y’ for the prompt.
Enter the start of the DHCP address and the end of the address and hit enter.
You will also get a prompt that says, do you want to change the web gui protocol, say no to that.
After you configured everything, you will have the WAN address from your local network, and the LAN side address specified a minute ago, which is 10.1.1.1/24.
Basically, we have configured the pfSense on the VirtualBox successfully. One advantage of pfSense is that it is very easy to configure, and you don’t need to configure any policies or Nat if you want to access the internet. It will automatically take it once you have the WAN and the LAN IP address gets configured.
Let’s try to ping the internet IP address by pressing the 7, and as you can see, I can reach the internet IP just fine.
10. Access the pfSense web GUI in VirtualBox.
Post installation of the PfSense for any other configurations you will have do via the Web GUI.
So how do we access the pfSense web GUI in VirtualBox.
We have already configured the Linux Mint operating system on the VirtualBox, and I will use the same virtual machine to access the pfSense web GUI.
Connect the Linux mint to the PfSense LAN side.
Right click on the Linux mint, and click on settings.
By default, the Network is configured with the NAT; you must change that to the internal network where we have connected the Pfsense LAN adapter.
This will bring both the pfsense LAN side and the VirtualBox VM on the same network.
Verify the IP address.
First you need to make sure you got the IP address from the Pfsense DHCP service.
Start the VM, and open the terminal and type ip addr to see the IP address configuration. As you can see, I got the first IP address from the range.
Open Firefox and access the pfSense web GUI by typing https://10.1.1.1
You may ignore the security warning and you will get the login prompt.
Enter the username as admin and password as admin and click on Sign in.
11. Finish the initial setup wizard.
The initial setup wizard page will open, and the default settings will remain as it is. Only, In step 6, to configure the admin password, you may set your own admin password.
Note: Though I left the default settings in the setup wizard, you may change it if needed.
At the end of the wizard, you will get a message that says the pfSense installed successfully.
Click on Finish on the screen.
We have now successfully installed the pfSense firewall in the VirtualBox; you can now start making configuration changes using the web GUI; let’s go ahead and do one more test to make sure everything is working fine.
12. Test the connectivity with the end-user machine.
To test the connectivity, I will use Linux mint and Ubuntu desktop as end-user hosts that I have deployed previously on the VirtualBox.
Like Linux mint, I have also changed the Ubuntu desktop network configuration to be part of the VirtualBox internal network configured on the pfSense LAN side.
- Check the IP configuration.
As you can see, I have got the first IP from the pfSense DHCP server to the Linux mint, and I can also ping the public IP address.
And we can also browse the internet on the Linux mint box.
Similarly, on the Ubuntu desktop, I have already got the IP address 10.1.1.11 from the pfSense DHCP server, which is the second IP from the subnet.
I can also ping the internet Public IP.
I can ping the internet IP to make sure it is taking the correct path, you can do a traceroute on the Ubuntu machine, and it will show you the path that the packet is taking.
You can type the command
mtr 188.8.131.52 to see the traceroute in Ubuntu.
And the traceroute shows it is going via pfSense firewall.
Also, I can browse the internet using the Firefox browser.
13. Verify the DHCP lease.
When we setup the VM’s it automatically got the IP address right?
The pfSense assigned that on the LAN side of the firewall; The same can be verified using the DHCP lease on the PfSense firewall by clicking on the status > DHCP leases; as you can see, I have two IP’s that I received from the DHCP server.
If you want to connect more VM’s to the firewall, all you got to do is deploy the VM in VirtualBox and change it’s the adapter to the internal network, and the host will become part of the network by getting an IP address from the pfsense firewall.