I have been running pfSense as my home firewall for quite some time now, setting up for the first time would be the difficult part for many. But once you make it up and running, it works just great. Since it is open-source there is no cost associated with it, and you can build a zero-dollar firewall setup by using the old computer as the firewall.
However, some of you out there, may not have an old PC lying around, and if that’s the case and you wanted to start the pfSense firewall journey, the option you have is by virtualizing them. If you are using Linux, you can prefer the KVM method to virtualize the PfSense in your environment.
What if you have windows or a MAC machine, how do you virtualize PfSense on them?
There are multiple ways you can virtualize PfSense on windows, you can use VMware workstation pro, VirtualBox, or a Hyper-V.
If it is MAC, then VMware fusion or VirtualBox.
In this blog, we are going to install the pfSense firewall on a VMware workstation. Since the VMware fusion works the same way as the workstation the steps performed here are the identical for MAC machine as well.
Does PfSense work well with VMware workstation?
In VMware, you can pretty much run any operating system virtually. And the pfSense is based on FreeBSD operating system and free BSD is the supported operating system by the VMware workstation. The pfSense firewall will work just fine with the VMware workstation pro.
We will install the pfSense with WAN and the LAN interface and connect two boxes on the LAN side of the firewall and validate the internet connectivity from both. Once verified the internet access, block internet access from one of the LAN hosts, so let’s begin.
- You need to have VMware workstation pro.
Any version of the VMware workstation will work; however, I am using VMware workstation 16.
- PfSense ISO image.
Configure VMware workstation network for pfSense
We require two interfaces for pfSense, one for the WAN and the other for the LAN, we need to configure these two interfaces on the VMware workstation first.
We are going to configure as follows.
- WAN- We will be using the NAT interface as we require internet access.
Open VMware Workstation and click on Edit and click on Virtual Network editor.
By default, VMware workstation uses the interface VMnet8 for the NAT.
Here is my virtual adapter configuration, we will configure VMnet3 for the LAN as the second adapter. As you can see, I have the DHCP configuration disabled on this adapter.
Alright, we just configured the network for the PfSense firewall in VMware workstation, let’s go ahead and install pfSense on VMware workstation.
Steps to install pfSense on VMware workstation.
- Configure the VM.
- Setup the pfSense VM hard disk.
- Assign the VM resources.
- PfSense installation.
- Setup the client machine.
- pfSense initial setup.
- Install VMware tools in pfSense.
- Access the internet on Pfsense LAN side.
- Block the internet traffic on the Centos Machine.
1. Configure the VM.
Click on File and new virtual machine.
In the New virtual machine wizard choose Typical.
In the installer disk file image, choose the PfSense image that you have downloaded earlier and click on Next.
By default, VMware workstation would pick up the location where you wanted to install the pfSense as well as the name, you may leave the default location or choose a different one. And you may name the VM of your choice.
Maybe you will have a dedicated drive just for the VM installation, so you need to make sure you choose that specific drive here, otherwise, it is okay to leave the default.
2. Setup the pfSense VM hard disk.
Since I would be using pfSense firewall VM for the LAB purpose, I am going to configure the Hard Disk as the default value 20GB and choose split virtual disk into multiple files and click on Next.
3. Assign the VM resources.
Before you click on next, you need to click on the customize hardware option here.
First change the default RAM size to 2048MB.
CPU – 2
Connect two network interfaces that you configured earlier.
I configure the RAM and the CPU next lets go ahead and add the Network interfaces.
The first interface is already configured as NAT which we will use to connect to the WAN and I am going to add the second interface which for the LAN. On the same window click on Add.
Choose network adapter and Finish.
For the Network adapter two (LAN), I have selected the interface VMnet3 and click on Close.
Make sure you check the option which says, power on this Virtual machine after creation. Click on Finish on the New virtual machine wizard.
4. PfSense installation.
The pfsense installation now will begin. You can accept the copyright notice.
Click on Install on the pfSense installer welcome screen.
You may choose the keymap of your choice, I am leaving the default one.
In the partitioning step, select Auto (ZFS) and click on OK.
You may go ahead and proceed with the installation.
Since there is no redundancy you can click on Stripe – no redundancy.
Select the hard disk de0 by using the space key and click ok.
You will get a warning for the formatting of the device, click on Yes here.
There is nothing much here, you can click on No.
And go ahead and reboot the firewall.
After the reboot you will be presented with the below screen, as you can see below the WAN interface got the DHCP IP address from NAT and the LAN is configured with the default IP 192.168.1.1.
Let me ping the internet to see, whether I can reach the internet or not, so type the key 7 and enter the IP address that wanted to ping.
And we can reach the internet VIA the WAN interface.
5. Setup the client machine.
I have a Centos 8 and Linux mint configured in the VMware workstation; I will be using it as a client machine to test the end user connectivity on the PfSense LAN side.
Remember we have configured PfSense LAN side interface as VMNet2, go to the client operating system in VMware workstation and right click on it and click on settings, add them to be part of VMnet3.
Once the LAN side of the PfSense connected to the client operating systems, it should start getting IP addresses from the PfSense DHCP server on the LAN.
As you can see, the Centos machine got the IP address 192.168.1.101
Live mint got the first IP from the range 192.168.1.100.
6. pfSense initial setup.
As we have the IP address on both the Centos and the Linux mint, you now should be able to access the pfSense web GUI from either of the machine by typing the URL https://192.168.1.1
You would get a security warning, ignore that and click on continue.
You will be prompted to enter the credentials; the username is admin and the password is pfsense and click on Sign in.
You will be taken to the initial setup wizard, since this is going to be the lab, I would choose the default options and eventually on the step 6 I would set the password for the web GUI.
Once reloaded you will be able to see the message Congratulations! pfSense is now configured. Click on Finish.
7. Install VMware tools in pfSense.
When you are using the any operating system on VMware workstation, it is recomeded that you install VMware tools to get best performance. It is no different for the pfsense.
Click on system and package manager.
In the package manager, click on Available packages and search for VMware.
You should be able to see Open-VM-Tools appeared, click on Install.
When you get a prompt click on confirm under package installer.
You will get a message that says, VMware tools package was successfully installed.
8. Access the internet on Pfsense LAN side.
Let’s try to access the internet on the machine that is connected to the pfSense LAN side.
To test the internet connectivity, I am going to ping the google DNS IP 126.96.36.199.
As you can see, I can reach the internet, and when I try to do the traceroute it shows the internet is via the pfSense firewall.
The output is same on the Centos side as well.
9. Block the internet traffic on the Centos Machine
Let’s do one thing, block internet on the Centos machine alone using pfSense. In normal scenario, you block DNS, http and https access in order to block the internet. If you wanted to achieve the same on the pfSense you can use firewall alias.
But here I am going to block only the https traffic, so that end users will not be able to access any site with https traffic.
Open pfSense, on the firewall click on Rules.
Choose the option Reject.
Since the https is a TCP protocol, select that one.
In the source IP, put the IP address of Centos VM which is 192.168.1.101.
And the destination port that we are going to block is https.
You can log the packet if you want.
As you can see below, I have a rule in pfSense.
Now go back to Centos and Linux mint and try to browse the internet.
Note: you should be able to ping the public IP from both the machines.
As you can see, it is kept loading, but the page never comes up on the Centos.
To verify the https traffic is blocked by the firewall, you can go to status logs, and click on firewall logs, and you should be able to see the Centos IP (192.168.1.101) is getting denied.
But when I tried the same from Linux mint, I can access the internet, which is the expected result.