| title | excerpt | updated |
|---|---|---|
Tutorial - Configuring pfSense network bridge (EN) |
This guide will show you how to do IP bridging on a pfSense virtual machine |
2022-12-20 |
Bridged networking can be used to configure your pfSense virtual machine to be a NAT firewall for other virtual machines on the same host or could even be used as an extra filter for a web server for example. Specific steps and configurations are needed to allow the pfSense router to work on our network and this guide will show you how a basic pfSense NAT configuration is done.
- A dedicated server with a hypervisor installed (e.g. VMware ESXi{.external}, Citrix Xenserver{.external}, Proxmox{.external}, etc.)
- At least one Additional IP address attached to the server
- Access to the OVHcloud Control Panel
- A dedicated server with the AES instruction set{.external}
- 2 virtual cores for the virtual machine
- 2GB(2048MB) of RAM for the virtual machine
- Hypervisor with console access to virtual machines
Warning
This tutorial will show you how to use one or more OVHcloud solutions with external tools, and will describe the actions to be carried out in a specific context. Please remember to adapt these actions to fit your situation.
If you encounter any difficulties performing these actions, please contact a specialist service provider and/or discuss the issue with our community on https://community.ovh.com/en/. OVHcloud cannot provide you with technical support in this regard.
For the pfSense virtual machines network configuration, we will use the following values which should be replaced with your own values:
- ADDITIONAL_IP = The address of your Additional IP
- Virtual MAC address = The MAC address created in the OVHcloud Control Panel
- GATEWAY_IP = The address of your default gateway
In the OVHcloud Control Panel, go to the Bare Metal Cloud{.action} section and click on Network{.action}. Next, open the IP{.action} menu.
Click the Additional IP{.action} tab.
{.thumbnail}
Next, locate your Additional IP address in the table and click the ...{.action} button to open the menu. Select Add a virtual MAC{.action}.
{.thumbnail}
Select ovh{.action} from the Type{.action} dropdown box, type a name in the Name of virtual machine{.action} field, and then confirm your options.
{.thumbnail}
To configure your virtual machines for internet access, you will need to know the gateway of your host machine (i.e. your dedicated server). The gateway address is made up of the first three octets of your server’s main IP address, with 254 as the last octet. For example, if your server’s main IP address is:
- 123.456.789.012
Your gateway address would therefore be:
- 123.456.789.254
[!primary]
Concerning external software, please note that the proper procedure to configure your services may be subject to change. We recommend to consult the manuals and knowledge resources of the respective software if you experience any issues.
When you’re setting up pfSense on our network, the usual place to start would be the console of pfSense. Because our network does require the public IP to be using a /32(255.255.255.255) subnet mask plus gateway is outside the scope of the public IP, the console will in fact not allow you to do this. To do this, you are going to have to start by setting up the LAN side first.
Since pfSense or most routers require two network interfaces to separate the public and private network, it’ll be necessary to have two bridge interfaces on your hypervisor. In this demonstration we’re using Proxmox VE 6.
In this example, we have two interfaces enp1s0 and enp2s0 but the interface enp1s0 is already bridged with the interface with vmbr0. So we will need to make an additional bridge interface vmbr1 with enp2s0:
{.thumbnail}
{.thumbnail}
Note that if your server doesn’t have a second network interface, it’s not necessary to bridge it to an interface, the bridge will work fine but would only be able to route internally on the server. Using an interface on a network bridge can allow you to route to other virtual machines, dedicated servers, Public Cloud instances and even Hosted Private Cloud infrastructures using vRack.
Now we’re going to start creating the pfSense virtual machine,
- Under the OS tab, choose: Other OS type
- Under the Hard Disk tab, Bus/Device should be: VirtIO
- First item under the Network tab, make sure the bridge is vmbr0
- Second item under the Network tab, Model should be: VirtIO (paravirtualized)
- If your CPU has the AES instruction set, this should be enabled
{.thumbnail}
If your CPU has the AES instruction set, it must be enabled (from the CPU{.action} tab)
{.thumbnail}
When you’re at the Network tab of creating the virtual machine, make sure you enter the Virtual MAC address that is created in the OVHcloud Control Panel.
{.thumbnail}
After creating the virtual machine, you’ll need to make sure that a second network interface is created on your second bridge interface:
{.thumbnail}
{.thumbnail}
Since some of the settings on pfSense are accessible using its web GUI, the easy way would be to set up a virtual desktop. In this demonstration, we’re using an Ubuntu 20.04 ISO. When creating the virtual desktop, make sure the bridge interface being chosen is the secondary one and not the bridge interface to your public network.
{.thumbnail}
We’ll be starting the virtual desktop before starting up the pfSense virtual machine. For the demonstration, we’ll just select Try Ubuntu{.action} just to start working on pfSense, might install later.
{.thumbnail}
We’ll now be starting the pfSense virtual machine and proceeding with the OS installation.
{.thumbnail}
After the OS installation is completed, first thing pfSense will ask is setting up VLANs. Since pfSense is being installed into a hypervisor, we wouldn’t suggest configuring it on the virtual machine but if you need VLANs, this should be done on the virtual interface at the hypervisor level.
{.thumbnail}
Next step is choosing which interface will be your WAN and which will be your LAN. We’ll be able to see which should be the WAN by seeing that it has the virtual MAC address that was created in the OVHcloud Control Panel.
{.thumbnail}
{.thumbnail}
This example we chose vtnet0 as our WAN and vtnet1 as our LAN. After this step, pfSense will ask if you’d like to proceed and confirm which interface is WAN and LAN. After confirming, it’ll automatically configure 192.168.1.1 on its LAN interface.
Now that there’s a private IP assigned to the LAN interface of our pfSense virtual machine, we’re going to go ahead and make a DHCP request so we can access the pfSense web GUI.
Go to the Wired settings on the Ubuntu VM.
{.thumbnail}
Now we enable the network, if it was already enabled simple disable then enable it again.
{.thumbnail}
Open a web browser and enter 192.168.1.1{.action} into the URL, there will be a security warning about the interface but it’s not something to be concerned about. Be sure to open advanced select Accept and Continue{.action}.
{.thumbnail}
{.thumbnail}
Default username and password should be admin as the username and pfsense as the password, be sure to login. We’ll now be going through the general setup, the important thing to do would be to set SelectedType as Static under Configure WAN Interface, this would be at step 4 of 9. All the other settings shouldn’t be changed with the exception of the DNS can be up to you but in this use case we had put 213.186.33.99 since it’s our resolver within our network.
{.thumbnail}
At the stage, the pfSense VM doesn’t have a public IP. Click on the menu icon on the top right corner, under Interfaces{.action} select WAN{.action}.
{.thumbnail}
Make sure the settings are matching from what is shown in the below screenshots and enter your Additional IP. The IPv4 Upstream gateway will be configured later.
{.thumbnail}
{.thumbnail}
Now that we have a public IP on the interface, we’ll need to make sure it’ll route correctly on our network. Click on the menu icon on the top right corner, under System{.action} select Routing{.action}.
{.thumbnail}
Make sure the settings are matching from what is shown in the below screenshot, then select the Add{.action} icon to create our gateway.
{.thumbnail}
{.thumbnail}
Make sure the settings are matching from what is shown in the below screenshots and enter your Gateway IP. Make sure to open the advanced settings.
{.thumbnail}
{.thumbnail}
{.thumbnail}
{.thumbnail}
Now that we have an Upstream gateway, we’ll need to assign the gateway to the WAN interface. Again we click on the menu icon on the top right corner, under Interfaces{.action} select WAN{.action}.
{.thumbnail}
{.thumbnail}
Since we’re running pfSense as a virtual machine and it doesn’t have it’s own dedicated network card, some changes should be done. Click on the menu icon on the top right corner, under System{.action} select Advanced{.action}.
{.thumbnail}
In this menu, select the Networking{.action} tab. At the bottom of this menu, make sure the settings are matching from what is shown in the below screenshots.
{.thumbnail}
{.thumbnail}
Now we should be done! You should see that web browsing can be done just like a desktop behind a NAT firewall.
For choosing the correct virtual interfaces, OS type, etc. for Proxmox, we were following Netgate’s recommendations. If you’re not going to be using Proxmox, we’d suggest to review the following links to their documentation on the subject.
https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox.html{.external}
https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-hyper-v.html{.external}
Join our community of users.