In this blog, we will cover how you can install pfSense on the VirtualBox hypervisor. Since Oracle VirtualBox is free and supports Windows, Mac, and Linux operating systems, it is a great choice for someone who wants to get started with pfSense. However, if you want good performance, I recommend trying pfSense on either KVM if you are a Linux user or VMware Workstation if you are a Windows or Mac user.
I have also covered how you can get started with pfSense using labs with different scenarios here. I highly recommend checking out the article if you are new to pfSense and want to learn more.
Can I install pfSense on VirtualBox to replace my home router?
Though it can be done, it’s not the recommended method: you would be virtualizing the network stack, so you won’t get good throughput, and it adds more latency to the network. If you still plan to virtualize pfSense to replace your home router, the recommended method is to use KVM with PCI passthrough. That gives good performance because the network interface is connected directly to the VM running in the KVM hypervisor, and the network is not virtualized.
Below is the topology that we will work on. First, we will install the pfSense firewall on VirtualBox and configure it with WAN and LAN interfaces. After pfSense is connected to the internet, we can then simulate end-user machines by using Linux Mint and Ubuntu on the LAN side and test the connectivity further.
- Download and install the latest Oracle VirtualBox software.
- pfSense image, you can download it here.
Note: While downloading, make sure to select DVD Image (ISO) Installer and the mirror nearest to you.
Steps to install pfSense on VirtualBox.
I will install pfSense on VirtualBox in Windows 10. However, the steps mentioned here are similar on other operating systems, such as Mac or Linux; you will just have to download and install the respective VirtualBox software package.
- Set up the pfSense VM in VirtualBox.
- Configure the pfSense Memory.
- Set up the hard disk.
- Set up the Network.
- Attach the pfSense ISO image.
- Change the boot order.
- Start the pfSense VM instance.
- Initiate the pfSense installation.
- Validate the configuration.
- Access the pfSense web GUI in VirtualBox.
- Finish the initial setup wizard.
- Test the connectivity with the end-user machine.
- Verify the DHCP lease.
1. Set up the pfSense VM in VirtualBox.
Open VirtualBox and click on New to create a new virtual machine.
A new window will pop up. You will have to define the name of the VM, for example, pfSense-fw. Also, choose the location where you want to save the pfSense virtual hard disk files.
In the Type, make sure that you select BSD as the type and FreeBSD (64-bit) as the version.
Click on Next.
2. Configure the pfSense Memory.
You need to define the memory for the pfSense virtual machine here; I am giving it 2GB.
1GB would work just fine as well. Once you have defined the memory, click on Next.
3. Set up the hard disk.
Next, we are going to configure the hard disk for the VM. Choose Create a virtual hard disk now and click on Create.
By default, VirtualBox should pick VDI as the hard disk file type. You can still choose VDI, but I wanted this VM hard disk to be usable by other hypervisors such as VMware Workstation in the future; hence I selected VMDK as the hard disk file type and clicked on Next.
Under Storage on physical hard disk, choose the Dynamically allocated option.
You now need to define the hard disk storage size. I chose 20GB as the storage; you may choose the same or a different size depending on your usage. Then click on Create.
4. Set up the Network.
Before you start the VM, you need to configure the network adapters in VirtualBox that the pfSense VM will use.
Does pfSense need two NICs?
The pfSense firewall has two interfaces: the outside (WAN) interface that connects to the internet, and the LAN side interface that connects to the inside users. So you must use two NICs (network interface cards) when deploying pfSense.
If you use a physical machine with a single NIC, you will have to split the interface and create VLANs to separate the traffic. Alternatively, use a USB-to-Ethernet adapter along with the RJ45 port.
Things are much easier in a virtualized environment: the two NICs are vNICs (virtual NICs) in VirtualBox, which lets us connect the pfSense WAN and LAN interfaces virtually.
We require two interfaces, one for the WAN and another for the LAN. Select the pfSense VM and click on Settings.
The internet connection is through the WAN link, and you can either configure the WAN interface as NAT or a Bridged interface.
If you choose the NAT interface, then the VirtualBox NAT engine has to translate the WAN IP address to the Host machine IP, which adds more overhead on the packet.
And if you choose the Bridged interface, it acts as a switch between the local network and the VirtualBox bridge interface; since your local router acts as a DHCP server, the pfSense WAN interface also gets an IP address from that DHCP server. With that IP, pfSense can go out to the internet.
You can learn more about VirtualBox Networking here with examples. So you should be able to make the right choice based on your requirement.
Connect the WAN interface.
Set the first adapter, which is the WAN interface, to Bridged Adapter.
Note: Under Name, ensure you choose the physical interface that the host machine uses to connect to the local network.
Connect the LAN interface.
The second adapter is VirtualBox Internal Network, which will act as a LAN adapter.
As the name suggests, the Internal Network creates an internal network where only the VMs that are part of the network can talk to each other, and it is isolated from the host machine.
In the Name field, I changed it to Pfsense-LAN so it is easy to identify.
So basically, the only way the host machine or anyone on the physical local network can talk to the internal network is via the pfSense WAN interface.
5. Attach the pfSense ISO image.
While you are in the settings, let’s go ahead and add the ISO image that we downloaded earlier.
- Click on Storage.
- Under storage devices, choose Empty Disk file.
- Click on the Disk icon and click on Choose a disk file to attach the ISO file that we had downloaded.
Do not click on OK YET!
6. Change the Boot Order.
Click on System and check out the boot order.
As you can see, Floppy is the primary boot device, CD Drive is the secondary, and Virtual hard disk is tertiary.
When you boot the pfSense VM, VirtualBox will try to boot from the floppy disk. Since it is empty, it will then choose the CD drive, which has the pfSense ISO, and load the pfSense installer. All good.
However, there is a problem. After the installation, it will follow the same sequence, and we would end up getting into a loop where we are going back to the pfsense installation screen again and again.
Note: You can remove the pfsense cd image right after the installation, but you might get an error message. And the step we are going to do here is the easiest.
We will make the virtual hard disk the primary boot device and the CD the secondary boot device.
When VirtualBox starts the pfSense firewall VM, it will first try to boot from the virtual hard disk. As the disk is empty, it will then boot from the CD drive and proceed with the installation.
After the installation, the virtual hard disk becomes bootable, and being the primary device, when you reboot pfSense, it will always load from the virtual hard disk.
Change the boot order to the following.
Uncheck Floppy, then move Hard Disk up as the primary device and Optical as the secondary.
Click on OK.
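The VM settings from steps 1 to 6, expressed as VBoxManage commands. This is an added example, not part of the original guide; the host NIC name eth0, the ISO and disk paths, and the SATA controller name are assumptions. It prints the commands by default and only runs them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example: steps 1-6 of this guide as VBoxManage commands.
# Dry-run by default (prints the commands); set DRY_RUN=0 to execute them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Args: VM name, host NIC to bridge, installer ISO path, virtual disk path.
# All four values are placeholders; list real host NIC names with
# "VBoxManage list bridgedifs".
pfsense_vm_setup() {
    vm="$1"; wan_nic="$2"; iso="$3"; disk="$4"

    # Step 1: type BSD, version FreeBSD (64-bit)
    run VBoxManage createvm --name "$vm" --ostype FreeBSD_64 --register || return 1
    # Step 2: 2GB of memory
    run VBoxManage modifyvm "$vm" --memory 2048 || return 1
    # Step 3: 20GB dynamically allocated VMDK on a SATA controller
    run VBoxManage createmedium disk --filename "$disk" --size 20480 \
        --format VMDK --variant Standard || return 1
    run VBoxManage storagectl "$vm" --name SATA --add sata || return 1
    run VBoxManage storageattach "$vm" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$disk" || return 1
    # Step 4: adapter 1 = WAN, bridged to the host's physical NIC
    run VBoxManage modifyvm "$vm" --nic1 bridged --bridgeadapter1 "$wan_nic" || return 1
    # Step 4: adapter 2 = LAN, on the isolated internal network Pfsense-LAN
    run VBoxManage modifyvm "$vm" --nic2 intnet --intnet2 Pfsense-LAN || return 1
    # Step 5: attach the installer ISO to an optical drive
    run VBoxManage storageattach "$vm" --storagectl SATA --port 1 --device 0 \
        --type dvddrive --medium "$iso" || return 1
    # Step 6: hard disk first, optical second, floppy removed from the order
    run VBoxManage modifyvm "$vm" --boot1 disk --boot2 dvd --boot3 none --boot4 none || return 1
}

# Constructed sample values.
pfsense_vm_setup pfSense-fw eth0 ./pfSense-installer.iso ./pfSense-fw.vmdk
```

Only adapter 1 touches the physical network; adapter 2 is reachable solely by VMs attached to the same internal network name, so a typo in that name leaves a client VM on a separate, empty network.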
7. Start the pfSense VM instance.
Our prerequisite configuration has been completed now; let’s go ahead and start the VM by selecting the VM and clicking on Start.
8. Initiate the pfSense installation.
After a few seconds, you will get a pfSense installer prompt. Click on Accept to begin the installation.
Click on install now to begin the installation.
On the Keymap choose the default one or choose based on your language.
In the partitioning wizard, choose Auto (ZFS) and click on Ok.
- Hit enter on Install.
- Choose Stripe.
- Select the virtual hard disk by pressing the spacebar.
- In the ZFS configuration warning, say yes.
It basically tells you that it’s going to format the virtual hard disk.
The installation will now proceed automatically and will finish in a few seconds. Once completed, it will ask you whether you want to get into the shell to make further changes or not. Click on No.
On the next screen, choose Reboot.
This will reboot the pfSense VM and boot into the virtual hard disk where we have installed the firewall.
9. Validate the configuration.
Once rebooted, the pfSense firewall will get an IP address from the local internet router.
As you can see, I got the IP address 192.168.1.28 from my wifi router. But the other problem is that both the WAN side and the LAN are in the same network; we will go ahead and change that now.
Type 2 to change the IP address of the LAN side.
After choosing 2, you will get a prompt to choose the interface for which the IP address needs to be changed. Press 2 again, as 2 represents the LAN side.
Enter the IP address, which is the default gateway for the LAN users. I chose 10.1.1.1; you may choose whatever network you want.
Next, enter the subnet mask and hit Enter when you finish.
I am not configuring IPv6, hence I chose no.
We also need to configure the DHCP address range for the LAN side; press ‘y’ at the prompt.
Enter the start of the DHCP address range and the end of the range and hit Enter.
You will also get a prompt that asks whether you want to change the web GUI protocol; say no to that.
After you have configured everything, you will have the WAN address from your local network, and the LAN side address you specified a minute ago, which is 10.1.1.1/24.
Basically, we have configured pfSense on VirtualBox successfully. One advantage of pfSense is that it is very easy to configure, and you don’t need to configure any policies or NAT if you want to access the internet. The NAT and the security policy to allow traffic from LAN to WAN are already pre-configured out of the box.
Let’s try to ping an internet IP address by pressing 7, and as you can see, I can reach the internet IP just fine.
10. Access the pfSense web GUI in VirtualBox.
After installing pfSense, any other configuration has to be done via the web GUI.
So how do we access the pfSense web GUI in VirtualBox?
We have already configured the Linux Mint operating system on VirtualBox, and I will use the same virtual machine to access the pfSense web GUI.
Connect Linux Mint to the pfSense LAN side.
Right-click on the Linux Mint VM, and click on Settings.
By default, the network is configured with NAT; you must change that to the internal network where we have connected the pfSense LAN adapter.
This will bring both the pfSense LAN side and the VirtualBox VM onto the same network.
Verify the IP address.
First, you need to make sure you got the IP address from the pfSense DHCP service.
Start the VM, open the terminal, and type ip addr to see the IP address configuration. As you can see, I got the first IP address from the range.
Open Firefox and access the pfSense web GUI by typing https://10.1.1.1
You may ignore the security warning and you will get the login prompt.
Enter the username as admin and password as admin and click on Sign in.
11. Finish the initial setup wizard.
The initial setup wizard page will open, and the default settings can remain as they are. Only in step 6, which configures the admin password, you may set your own admin password.
Note: Though I left the default settings in the setup wizard, you may change it if needed.
At the end of the wizard, you will get a message that says pfSense was installed successfully.
Click on Finish on the screen.
We have now successfully installed the pfSense firewall in VirtualBox, and you can start making configuration changes using the web GUI. Let’s go ahead and do one more test to make sure everything is working fine.
12. Test the connectivity with the end-user machine.
To test the connectivity, I will use Linux Mint and Ubuntu desktop as end-user hosts that I have deployed previously on VirtualBox.
As with Linux Mint, I have also changed the Ubuntu desktop network configuration to be part of the VirtualBox internal network configured on the pfSense LAN side.
- Check the IP configuration.
As you can see, I have got the first IP from the pfSense DHCP server on Linux Mint, and I can also ping the public IP address.
And we can also browse the internet on the Linux Mint box.
Similarly, on the Ubuntu desktop, I have already got the IP address 10.1.1.11 from the pfSense DHCP server, which is the second IP from the subnet.
I can also ping the internet Public IP.
I can ping the internet IP. To make sure it is taking the correct path, you can do a traceroute on the Ubuntu machine, and it will show you the path that the packet is taking.
You can type the command mtr 220.127.116.11 to see the traceroute in Ubuntu.
And the traceroute shows it is going via pfSense firewall.
Also, I can browse the internet using the Firefox browser.
13. Verify the DHCP lease.
When we set up the VMs, they automatically got IP addresses, right?
pfSense assigned those on the LAN side of the firewall. The same can be verified using the DHCP leases on the pfSense firewall by clicking on Status > DHCP Leases; as you can see, I have two IPs that I received from the DHCP server.
If you want to connect more VMs to the firewall, all you have to do is deploy the VM in VirtualBox and change its adapter to the internal network, and the host will become part of the network by getting an IP address from the pfSense firewall.