pfSense is one of my favorite firewalls. I use it at home and in some of my POC labs, and it works great in pretty much all environments. Some companies use the pfSense firewall as their edge firewall, which proves that it is an excellent product. I have covered plenty of pfSense topics on my blog. However, I still get questions about how someone can get good at the pfSense firewall, learn more about it, and use that knowledge in their career or network domain. I get that, and I see where you are coming from. The only way to get good at pfSense, or any networking area, is to play with the software again and again and get your hands dirty. I know it sounds difficult for some people to set up a lab and spend time with it, and when things don’t work out, they just give up. But I would say that when things don’t work, that’s when the real learning begins.
So in this blog article, I want to dedicate some time to the folks out there who don’t know where to begin building their pfSense home lab. By the end of it, I hope you will know where to start.
Is pfSense software free?
Before I get started, there are a few things you need to keep in mind. pfSense is an open-source project backed by Netgate software ltd. If you are wondering how Netgate makes money from an open-source project: it develops its own hardware with pfSense software on it and provides pfSense as a subscription model in the cloud. Those who want technical support can also get that from Netgate.
When it comes to pfSense software, there are two types. The one that comes with the pfSense hardware and the cloud is called pfSense Plus. The other one, available for anyone to use for free, is called pfSense Community Edition. Most of the development happens on the pfSense Plus software, but some of the features will still make their way through to the Community Edition, so if you want the latest and greatest product from Netgate, pfSense Plus is the way to go.
So if you want to start building your own home lab, you can choose either pfSense Plus or pfSense Community Edition. pfSense Community Edition is free to use for home and lab purposes; however, for commercial use, you should use only pfSense Plus as per the Netgate terms and conditions.
For commercial use, you could use an alternative called the OPNsense firewall, which uses code similar to pfSense, though there are some differences here and there.
And pfSense Plus is only available to those who get the hardware from Netgate or use a cloud provider such as AWS or Azure.
Since pfSense Plus and Community Edition are mostly identical, I would say that for lab purposes it is better not to spend money on hardware or even on the cloud. Stick with the Community Edition and set up your lab. If you would like to build your pfSense lab in AWS, you can follow the guide here, where I covered how I set up a pfSense lab in the AWS cloud and configured private EC2 instance traffic to go through the pfSense firewall.
Now you have decided which software you want to use. So how do you set up a lab with pfSense Community Edition?
Since it is available as an ISO image based on FreeBSD, you can set up the lab on any hardware that supports the FreeBSD OS or in a virtualization environment. So let’s look at the different ways you can set up a pfSense lab.
Use pfSense in GNS3.
GNS3 is network simulation software that you can use to build network diagrams and create POC labs. With GNS3, you can virtualize pfSense, use other hardware devices along with it, create your own topology, and play with it. Moreover, when there is an issue with traffic or the network, you can dig deeper with the Wireshark packet capture utility that is built into the GNS3 software. So if you are a network engineer and want to learn more about pfSense, I would recommend starting with GNS3. I have covered here how I set up GNS3 in my lab. You may check out that article to set up your GNS3.
There is an alternative to GNS3 called EVE-NG. You could use that as well to build the lab.
Install pfSense in VMware Workstation.
Not everyone who wants to learn about pfSense comes from a network background. Some just want to spin up a lab in a virtualized environment to test their setup. In that case, my first recommendation would be deploying pfSense on VMware Workstation. I have covered here how you can set up a pfSense firewall in VMware Workstation with multiple VMs connected to the LAN side of the pfSense firewall.
As VMware Workstation supports various virtual network types, you can set up a lab in whichever way you like.
You can also use VMware ESXi as another virtualization platform. If you have that option, I have covered that down below.
Install pfSense in VirtualBox.
VirtualBox is the popular, freely available open-source hypervisor, which you can compare with VMware Workstation. When you don’t want to set up GNS3 and purchase a license for the VMware Workstation software, the next go-to option is VirtualBox. It works almost the same as VMware Workstation, and you can take advantage of the different virtual networks available. Moreover, it is free for anyone to use.
Install pfSense in Hyper-V.
There are times when you may not have the option to install VMware Workstation or VirtualBox on your Windows machine due to a lack of administrative privilege. Or maybe you want to stick with the Microsoft environment. In that case, you can rely on Hyper-V, the native hypervisor from Microsoft that is available in almost all Windows operating systems. However, keep in mind that you will require administrative privilege to activate the Hyper-V feature. Follow the article here to learn more about enabling the Hyper-V feature on the Windows operating system.
Install pfSense in KVM.
Another issue for some users is that they have only a Linux machine and want to install pfSense on the Linux operating system. So how do you achieve that? Though you can install GNS3, VMware Workstation, and even VirtualBox on Linux, the best option is to use the native Linux virtualization platform known as KVM (Kernel-based Virtual Machine).
KVM might not be an easy option for those just starting out with virtualization, but it can run almost all operating systems. If you are new to KVM, start with the GUI and then learn the CLI. KVM is not so difficult to learn, and I have covered the important KVM virtualization commands, known as virsh commands, over here. You may take a look at that.
I even replaced my LAN router with pfSense running in KVM, and I got good performance. You may check out the article here to learn more about that.
pfSense on VMware ESXi
We have covered the option of using pfSense on VMware Workstation, but sometimes you might have a server running ESXi and want to take advantage of that setup by installing pfSense on it. Or perhaps you are not a Linux person and don’t want to use KVM. In either case, you could run pfSense on VMware ESXi. You can set up the network so that all traffic from the virtual machines to the internet goes via the pfSense firewall, and you could further extend the network to your local area network.
Turn an old PC into a pfSense firewall.
If you want to use a physical form factor for pfSense instead of virtualization, you have two options.
You could get a small form factor pfSense box from Netgate, which will be good enough for home lab purposes, and more importantly, you would get pfSense Plus pre-installed. That way, instead of having pfSense Community Edition, you get the advantage of building the lab with pfSense Plus. However, that will incur some cost if you take that route. So what should you do?
You can use the second option, which is turning an old PC into a pfSense firewall. I had a great time doing that project. It is the best alternative to virtualization if you want to use a physical pfSense form factor.
I have been using an old PC as my firewall for a long time now, and it works great. Initially I set it up on a laptop with a single interface that supported 100 Mbps of bandwidth; later I upgraded to a laptop that supports 1 Gbps.
And if you are worried about how you would route traffic between the WAN, LAN, and DMZ with a single interface, the answer is VLANs, which let us split the interface into multiple networks. Here, you can learn more about creating pfSense VLANs and pfSense VLAN-to-VLAN routing.
But still, it will add some cost if you don’t have old hardware. If you don’t have an old PC, you need to get one, and you also need to get a managed switch that supports VLAN traffic. I was able to configure the pfSense hardware using that.
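To make the single-interface idea concrete, here is an added example (not from the original article and not pfSense code) that builds 802.1Q-tagged Ethernet frames the way a VLAN trunk carries them and sorts them into WAN, LAN, and DMZ. The VLAN IDs 10/20/30, the MAC addresses, and the policy of dropping untagged, unknown, or double-tagged frames are assumptions chosen for illustration.

```python
import struct

# Constructed VLAN plan for a single-NIC lab; these IDs are assumptions.
ZONES = {10: "WAN", 20: "LAN", 30: "DMZ"}
TPID_8021Q = 0x8100                     # EtherType value that marks an 802.1Q tag
DST = bytes.fromhex("ffffffffffff")     # constructed sample MAC addresses
SRC = bytes.fromhex("020000000001")

def build_frame(dst, src, ethertype, payload=b"", vlan=None, pcp=0):
    """Build an Ethernet frame, optionally carrying one 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)   # 3-bit priority, 12-bit VLAN ID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def classify(frame):
    """Return (zone, vlan_id, note) for a frame seen on the trunk port."""
    if len(frame) < 14:
        return ("DROP", None, "truncated frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return ("DROP", None, "untagged frame on trunk")
    if len(frame) < 18:
        return ("DROP", None, "truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vlan_id = tci & 0x0FFF
    if inner == TPID_8021Q:               # a second tag should never reach the lab trunk
        return ("DROP", vlan_id, "double-tagged frame")
    zone = ZONES.get(vlan_id)
    if zone is None:
        return ("DROP", vlan_id, "VLAN not in plan")
    return (zone, vlan_id, "ok")

def sample_frames():
    """Constructed frames: one per zone, then three that the policy rejects."""
    ip = 0x0800
    frames = [build_frame(DST, SRC, ip, b"payload", vlan=v) for v in (10, 20, 30)]
    frames.append(build_frame(DST, SRC, ip, b"payload"))            # untagged
    frames.append(build_frame(DST, SRC, ip, b"payload", vlan=99))   # unknown VLAN
    inner_tag = struct.pack("!HH", 20, ip)                          # inner VLAN 20
    frames.append(build_frame(DST, SRC, TPID_8021Q, inner_tag, vlan=10))
    return frames

if __name__ == "__main__":
    for result in map(classify, sample_frames()):
        print(result)
```

The managed switch does the same sorting in hardware: each access port belongs to one VLAN, and only the port facing the firewall carries all the tags.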
At the time of this writing, pfSense Plus doesn’t support custom hardware, but you never know when the license model from Netgate might change, and you might get pfSense Plus for a home lab at a nominal cost. Only time will tell.
I hope you now have a clear idea of the options available if you would like to build a pfSense lab yourself. Some require hardware expenditure; for others, you can use your own laptop or desktop and build the lab using hypervisors.