When working with virtualization, it is common to start hearing about pfSense. What is it, and what can it do for you within Proxmox, especially with Hetzner?
pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.
In general, pfSense provides firewall and routing capabilities within your network. This will enable the following:
- Provides a layer of security between the open internet and your virtual machines
- Provides routing capabilities (as with a home router, such as assigning an IP address like 192.168.0.100 to a VM)
- Saves money, since you do not have to purchase a public IP address for each virtual machine
- Lets you build an entire virtual computer network behind a routed firewall (pfSense)
Keep in mind that by deploying pfSense, you are basically replicating the kind of network that you have within your home. That means that a VM that has an IP address of 192.168.0.100 cannot be directly accessed from the Internet. Through Proxmox, you can access any machine via the built-in VNC console. Is it possible to access the machine using a protocol such as RDP? Yes, but you have to figure out how to reach it through your firewall.
- Obtain a dedicated IP address for pfSense
- The dedicated IP acts as a WAN (as with the main IP address dedicated to your home) that filters incoming and outgoing traffic.
Case for Security
Let's assume that you love Proxmox and you wish to deploy a Windows 10 machine so that you can access it through your browser interface at work. In general, Windows 10 is not a safe machine to assign a dedicated IP and place openly on the internet. This also applies to any other virtual machines that you have placed on your network.
By deploying pfSense, your Windows 10 machine can sit behind a virtual router/firewall that provides an additional layer of protection.
Downloading pfSense for Proxmox
First, you must obtain the image and store it in the proper location on your Proxmox machine. Use the following commands to obtain pfSense. To view the latest updates, visit -
and make sure to change the links below accordingly if you want to obtain the latest release. It's possible to use the version below and update it from there.
cd /var/lib/vz/template/iso && ls
Verify that your image has downloaded and that you can see pfSense (the iso.gz). Next, we have to unzip it to obtain the ISO directly for Proxmox.
mv pfSense-CE-2.4.5-RELEASE-amd64.iso.gz /var/lib/vz/template/iso/
gunzip pfSense-CE-2.4.5-RELEASE-amd64.iso.gz && ls
Now you should see the file with just the .iso extension. If so, you are ready to install pfSense for Proxmox.
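A firewall image is worth checking before it is unpacked and booted. The following is an added example, not part of the original post: a variant of the unpack step that runs gunzip only if the file's SHA-256 digest matches the value published alongside the download. The helper name verify_and_unpack is hypothetical, and the expected digest must be copied from the official download page for the exact file you fetched.

```shell
#!/bin/sh
# Added example (not from the original post): unpack the pfSense image only
# after its SHA-256 digest matches the published value.
# verify_and_unpack is a hypothetical helper name.

# verify_and_unpack FILE EXPECTED_SHA256
#   0 = digest matched and FILE was unpacked (the .gz is replaced by the .iso)
#   1 = digest mismatch, FILE left untouched
#   2 = FILE missing or not a valid gzip stream
verify_and_unpack() {
    vu_file=$1
    # Published digests are sometimes upper case; normalise before comparing.
    vu_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vu_file" ] || { echo "missing: $vu_file" >&2; return 2; }
    vu_actual=$(sha256sum "$vu_file" | awk '{print $1}')
    if [ "$vu_actual" != "$vu_expected" ]; then
        echo "checksum mismatch for $vu_file" >&2
        echo "  expected: $vu_expected" >&2
        echo "  actual:   $vu_actual" >&2
        return 1
    fi
    # gunzip -t validates the gzip stream, which catches a truncated download.
    gunzip -t "$vu_file" 2>/dev/null || { echo "corrupt gzip: $vu_file" >&2; return 2; }
    gunzip -f "$vu_file"
}

# Usage: sh verify_iso.sh /var/lib/vz/template/iso/<image>.iso.gz <sha256>
if [ "$#" -eq 2 ]; then
    verify_and_unpack "$1" "$2"
fi
```

A mismatch leaves the .gz file in place so it can be inspected or downloaded again.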
pfSense Network Setup
Within the Proxmox server itself, add the following configuration to your
Add the dedicated IP address that was stated in the beginning.
In addition, place this at the bottom of your file.
iface eth1.303 inet manual
iface vmbr303 inet manual
Save & Reboot
Now save your configuration by pressing
Prior to deploying pfSense, we should ensure that what we added has shown up correctly. You should see
eth1, eth1.303, vmbr303
must say that it's
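The same check can be made from the Proxmox shell before pfSense is attached to the bridge. This is an added example, not part of the original post: it assumes the iproute2 command `ip -br link` is used to list interfaces, the helper name check_ifaces is hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the interfaces exist and
# are not DOWN by reading `ip -br link` output. check_ifaces is a hypothetical name.

# check_ifaces NAME...   (reads `ip -br link` output on stdin)
# Prints one line per problem; returns 0 only if every NAME exists and is not DOWN.
check_ifaces() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        {
            name = $1
            sub(/@.*/, "", name)   # VLAN links are listed as "eth1.303@eth1"
            state[name] = $2
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (!(names[i] in state))           { print names[i] ": missing"; bad = 1 }
                else if (state[names[i]] == "DOWN") { print names[i] ": DOWN";    bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample of `ip -br link` output after the reboot (MACs are made up).
SAMPLE_OK='lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth1             UP             02:00:00:00:00:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth1.303@eth1    UP             02:00:00:00:00:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
vmbr303          UP             02:00:00:00:00:01 <BROADCAST,MULTICAST,UP,LOWER_UP>'

# Constructed failure case: the VLAN interface is down and the bridge is absent.
SAMPLE_BAD='lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth1             UP             02:00:00:00:00:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth1.303@eth1    DOWN           02:00:00:00:00:01 <BROADCAST,MULTICAST>'

# On the Proxmox host: ip -br link | check_ifaces eth1 eth1.303 vmbr303
printf '%s\n' "$SAMPLE_OK"  | check_ifaces eth1 eth1.303 vmbr303 && echo "all present"
printf '%s\n' "$SAMPLE_BAD" | check_ifaces eth1 eth1.303 vmbr303 || echo "fix the above first"
```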
Creating a New Virtual Machine
Create a new virtual machine and make the following changes:
- Name: pfsense
- Start at boot: [Checked]
- Use DVD ~ ISO: Select the pfSense ISO
- Hard Disk
- Size (GB): User's choice (Min. 15GB)
- Cores: User's choice (Min. 2 Cores)
- Size (GB): User's choice (Min. 2GB)
- Bridge: vmbr0
- MAC Address: The one assigned by Hetzner, the exact MAC address assigned via IP. This will fail if not correct!
- Yes, but do not start it yet.
There is one final part to add. Remember from the network configurations we added
? We need to add it to the virtual machine that was created. This will serve as your LAN port, which is how your virtual machines talk to pfSense (like plugging your desktop computer into your home router).
- Select the pfSense virtual machine
- Select Hardware
- Select Add ~ Network Device
- Change Model to VirtIO (paravirtualized)
That is it! Now start the virtual machine and select
and let's view the pfSense interface!
pfSense Software Configurations
This portion is easy. You should see the following screen once pfSense is loaded up.
Now follow the instructions as shown below:
- Install pfSense
- Continue with Default Key Map (unless this has to be changed)
- Auto - UFS (if you select something different, you're on your own)
From there, pfSense will install
- Manual Configuration - No
- Complete - Select Reboot
Follow the guide for the rest of the pfSense setup. You should be starting at this prompt:
Setup the WAN interface to be
Setup the LAN interface to be
Confirm the interface
Now pfSense is ready to be configured. Before you are able to use it, we need to change a few settings. Firstly, we have to enable management over the WAN port, which is disabled by default. So open the console in Proxmox and press 8 to enter the shell:
After this, you can access the pfSense web interface on your WAN IP.
Follow the basic wizard, and when you're done, we'll change a few more settings.
First, go to System -> Advanced -> Networking, scroll down and make sure these are ticked:
Because pfSense is running in a VM, these need to be ticked.
After that go to Interfaces -> WAN.
Set your IPv4 configuration type to static IPv4:
Then go to Static IPv4 Configuration (below the General Configuration)
Enter your WAN IP address and add a new gateway using the gateway of the Hetzner IP, which you can find in Robot.
After this, reboot pfSense, and you're able to create VMs. Use vmbr303 as the network interface for your VMs.