
Pfsense in a virtual machine

lowfat

Moderator
Staff member
Joined
Feb 12, 2007
Messages
12,846
Location
Grande Prairie, AB
I am trying to set up a network with a pfSense VM as my main router. My computer has 2 NICs: one as my WAN and the other as my LAN. Now the question is: is it possible for the host machine to be behind the pfSense firewall, which once again is a virtual machine?
 

botat29

Well-known member
Joined
Oct 4, 2010
Messages
830
Location
Montreal
You will be better off with 3 NICs: bridge one NIC of the VM to the LAN and bridge the second to the WAN; the third one will be for the host. If you use 2, I'm pretty sure the only one you can NAT is the WAN, not too good.
 

lowfat

Moderator
Staff member
Joined
Feb 12, 2007
Messages
12,846
Location
Grande Prairie, AB
Hmm. Not sure what you are saying there.

Maybe I'll make my goal clearer. I want my entire network to be behind the pfSense firewall, including the PC that the pfSense VM is running on. Is this possible? My CPU does not have VT-d; would a VT-d CPU help?

I'd rather buy a new CPU than buy an entirely new rig to use as pfsense machine. So using the virtual machine would be the better solution if possible.
 

BlueByte

Well-known member
Joined
Feb 3, 2011
Messages
540
Location
Maynooth
I don't know what you are using for your VM software, but yes, you should be able to. If you view your NICs as ports on a router with the ability to plug into either side of the router virtually, then it might make it clearer.

Internet-->PC NIC1(disable iptcp4 on host)-->pfsense VM with two NICs-->PC NIC2(keep host settings normal, gateway, dhcp etc)-->home switch

This will have your host PC go out onto your home switch and then do a 180 (it might be smart enough never to actually hit the switch, but think of it this way) and come back through for the bridged pfSense router connection. VMware is pretty easy to do this with; I assume the others would be equally easy. If you use VMware, I would use the Workstation or Player over the Windows VMware Server.... it is garbage imho. If you really want to do it right, use ESX and VM your current server with a separate VM for pfSense.
 

Squeetard

"Quote This..."
Joined
Nov 15, 2007
Messages
4,026
Location
Hell
Seems simple to me. Connect the pfSense VM to the WAN NIC and point your other VMs at it as the gateway.
 

botat29

Well-known member
Joined
Oct 4, 2010
Messages
830
Location
Montreal
> Hmm. Not sure what you are saying there.

When you use a VM, you have 3 choices for your virtual network:

NAT: it will share the same NIC as the host PC
Bridged: the NIC will be used only by the VM
Internal: not useful here

NIC 1 (bridged): used by pfSense in the VM to connect to the WAN, for example a cable modem
NIC 2 (bridged): used by pfSense to connect to your switch
NIC 3: used to connect the host to the switch

With this setup it's as if you were using pfSense in a dedicated PC. Depending on the VM hypervisor, it can be very hard to make the PCs on your network communicate with pfSense if you are using NAT.

Here is a small drawing; the VM is represented as a smaller PC inside the host.

pf.jpg
 

3.0charlie

3.0 "I kill SR2's" Charlie
Joined
May 22, 2007
Messages
10,054
Location
Laval, QC
> I don't know what you are using for your VM software, but yes, you should be able to. If you view your NICs as ports on a router with the ability to plug into either side of the router virtually, then it might make it clearer.
>
> Internet-->PC NIC1(disable iptcp4 on host)-->pfsense VM with two NICs-->PC NIC2(keep host settings normal, gateway, dhcp etc)-->home switch
>
> This will have your host PC go out onto your home switch and then do a 180 (it might be smart enough never to actually hit the switch, but think of it this way) and come back through for the bridged pfSense router connection. VMware is pretty easy to do this with; I assume the others would be equally easy. If you use VMware, I would use the Workstation or Player over the Windows VMware Server.... it is garbage imho. If you really want to do it right, use ESX and VM your current server with a separate VM for pfSense.

That's exactly my own setup, using ESXi as the back end and VMSphere as the front end, with the Autostart feature enabled in both BIOS and VMSphere. Hardware is Asus M3A78-EM + AMD 920BE + Intel Gbit PCI NIC + 2Gb DDR2. ESXi is loaded on a USB stick, with a duplicate back-up inside the case if it ever dies. Secondary HDD is an old Hitachi 500Gb.

Now if you have a more powerful rig, you can easily add other VMs using VMSphere. I run W8, Ubuntu and OSX alongside PfSense.
 

Ardric

Well-known member
Joined
Apr 28, 2010
Messages
48
Location
East Van
Seems pretty straightforward. NIC #1 is assigned exclusively to the pfsense VM and is used as the WAN connection to the cable modem. NIC #2 is bridged with the pfsense VM and this bridge is the LAN. pfsense can number itself as the gateway IP on the LAN bridge, and the host can number itself on the "physical" NIC #2 as another LAN host. NIC #2 is then connected to a LAN switch for any other LAN clients that want to join in. There's no need for a 3rd NIC at all. Just a software-only bridge on the LAN side.
 

botat29

Well-known member
Joined
Oct 4, 2010
Messages
830
Location
Montreal
> There's no need for a 3rd NIC at all. Just a software-only bridge on the LAN side.

We don't know what lowfat uses as a hypervisor. If he NATs the second NIC with the host, the host and the rest of the PCs may not see the Internet; that's why I suggest a third NIC, as it will work in any case.
 

Ardric

Well-known member
Joined
Apr 28, 2010
Messages
48
Location
East Van
> We don't know what lowfat uses as a hypervisor. If he NATs the second NIC with the host, the host and the rest of the PCs may not see the Internet; that's why I suggest a third NIC, as it will work in any case.

But he wouldn't run NAT on the host or the Windows guest at all. That job is assigned to the pfSense guest. All we need is for the hypervisor to create a bridge group and attach both the physical NIC #2 and the guest virtual LAN NICs to the bridge. Unless I'm not understanding what you mean... ?
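
The two-NIC layout discussed in this thread (NIC #1 reserved for the pfSense guest with no host IP on it, NIC #2 bridged with the guest's LAN interface, host addressed only on the LAN side) can be verified from the host. The following is an added example, not code from any poster: it assumes a Linux host whose `ip -j addr show` and `ip -j route show` JSON output is being audited, and every interface name, bridge name and address in it is constructed.

```python
import ipaddress

# Constructed samples shaped like `ip -j addr show` / `ip -j route show` output.
# Assumed names: enp1s0 = NIC #1 (WAN), enp2s0 = NIC #2 (LAN), br-wan/br-lan =
# host bridges feeding the pfSense guest, 192.168.1.1 = pfSense LAN address.
GOOD_ADDRS = [
    {"ifname": "enp1s0", "master": "br-wan", "addr_info": []},
    {"ifname": "br-wan", "addr_info": []},
    {"ifname": "enp2s0", "master": "br-lan", "addr_info": []},
    {"ifname": "br-lan", "addr_info": [
        {"family": "inet", "local": "192.168.1.10", "prefixlen": 24}]},
]
GOOD_ROUTES = [{"dst": "default", "gateway": "192.168.1.1", "dev": "br-lan"}]
# Misconfigured host: it took its own lease on the WAN NIC and routes around pfSense.
BAD_ADDRS = [dict(GOOD_ADDRS[0], addr_info=[
    {"family": "inet", "local": "203.0.113.25", "prefixlen": 24}])] + GOOD_ADDRS[1:]
BAD_ROUTES = [{"dst": "default", "gateway": "203.0.113.1", "dev": "enp1s0"}] + GOOD_ROUTES


def audit_host(addrs, routes, wan_nic, lan_nic, lan_bridge, gateway):
    """Return findings; an empty list means the host sits behind the firewall VM."""
    findings = []
    by_name = {i["ifname"]: i for i in addrs}
    # 1. Neither the WAN NIC nor the bridge it belongs to may carry a host address.
    for name in filter(None, (wan_nic, by_name[wan_nic].get("master"))):
        for a in by_name.get(name, {}).get("addr_info", []):
            findings.append(f"{name}: host address {a['local']} on the WAN side")
    # 2. The LAN NIC must be a port of the LAN bridge shared with the guest.
    if by_name[lan_nic].get("master") != lan_bridge:
        findings.append(f"{lan_nic}: not attached to {lan_bridge}")
    # 3. The firewall's LAN address must be on-link from the host's bridge address.
    nets = [ipaddress.ip_interface(f"{a['local']}/{a['prefixlen']}").network
            for a in by_name.get(lan_bridge, {}).get("addr_info", [])
            if a["family"] == "inet"]
    if not any(ipaddress.ip_address(gateway) in n for n in nets):
        findings.append(f"{lan_bridge}: {gateway} is not on a host LAN subnet")
    # 4. Every default route must leave through the LAN bridge via the firewall.
    defaults = [r for r in routes if r.get("dst") == "default"]
    if not defaults:
        findings.append("no default route")
    for r in defaults:
        if r.get("dev") != lan_bridge or r.get("gateway") != gateway:
            findings.append(f"default via {r.get('gateway')} dev {r.get('dev')} bypasses {gateway}")
    return findings

if __name__ == "__main__":
    for label, a, r in (("good", GOOD_ADDRS, GOOD_ROUTES), ("bad", BAD_ADDRS, BAD_ROUTES)):
        print(label, audit_host(a, r, "enp1s0", "enp2s0", "br-lan", "192.168.1.1"))
```

On a real host the two lists would come from `json.loads` of the command output; IPv6 link-local addresses on the WAN NIC are reported by check 1 as well, since the host then still has a stack bound on the unfiltered side.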
 
