[Solved] Virtualizing PfSense

Hey all,

So here is my setup. I have PfSense virtualized in KVM on Debian 9. I have 3 NICs bridged and given to PfSense (WAN, LAN, OPT1). I have this tested and working behind my current router from my ISP. Now, when I want to roll this out, I will have my ISP router simply forward all traffic to my host machine, which in turn should forward it to my PfSense box. Am I able to guarantee that my PfSense VM takes priority over its host? Is that possible? Can I force my host machine to NOT take DHCP from my ISP, send the DHCP address to my WAN PfSense port and then have my host machine take only a static IP from PfSense? It seems pointless to have my host machine open to the world when I want all the security features of PfSense to apply to the host machine as well.

I have configured it to where my host machine gets an IP from PfSense, and from within my PfSense LAN, I can access my host fine. For security reasons, I would like to know if I can force the situation above. One idea I had was to PCIe passthrough NICs and assign them as WAN and LAN, hook the host machine up to a switch connected to LAN, and have it take the IP from there; however, my computer doesn't support VT-d for passthrough.

I get it, this is more complicated than running PfSense on bare metal. I will do that if I have to, but first I want to know if I have to.

You just need to set the bridge interface for the WAN NIC to have no IP or DHCP on the host machine. Something like this in /etc/network/interfaces:

    auto br0
    iface br0 inet manual
        # manual: the host configures no address and starts no DHCP client on br0
        bridge_ports whatever
        other options etc...

Where br0 is the bridge interface for the WAN NIC.

Ideally you will connect the modem directly to the WAN NIC without another router in between. If you have a router/modem combo then try to put it into bridge mode if you can. If not, then you can set the pfSense WAN interface as the DMZ or otherwise forward all traffic to the pfSense WAN address. Do not set it to the host address (the host shouldn't have an address anyway); set it to the pfSense WAN address.

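As an added example (not part of the reply above, and not code from the pfSense or Debian projects), here is a complete /etc/network/interfaces for the three-bridge KVM host described in the thread, with the WAN and OPT1 bridges set to `inet manual` so the host holds no address on them, plus a small shell lint that checks a stanza really leaves the host dark and a runtime check for a live host. The bridge names (br_wan, br_lan, br_opt1), NIC names (enp1s0 to enp3s0) and the 192.168.1.0/24 LAN addressing are assumptions; the two configs are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: br_wan/br_lan/br_opt1,
# enp1s0..enp3s0, and 192.168.1.0/24 as the pfSense LAN (gateway .1).

# Constructed /etc/network/interfaces for the host. Only br_lan gives the host
# an address, and that address sits inside the pfSense LAN.
GOOD_CONFIG='
auto lo
iface lo inet loopback

# WAN bridge: only the pfSense VM attaches here. inet manual means the host
# configures no address and starts no DHCP client on this device.
auto br_wan
iface br_wan inet manual
    bridge_ports enp1s0
    bridge_stp off
    bridge_fd 0
    # the host kernel would still autoconfigure a global IPv6 address from ISP
    # router advertisements; turn off its own IPv6 here (bridged frames are unaffected)
    post-up sysctl -q -w net.ipv6.conf.br_wan.disable_ipv6=1

# LAN bridge: the host lives behind pfSense with a static address in its LAN.
auto br_lan
iface br_lan inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    bridge_ports enp2s0
    bridge_stp off
    bridge_fd 0

# OPT1 bridge: same treatment as WAN, the host has no presence on it.
auto br_opt1
iface br_opt1 inet manual
    bridge_ports enp3s0
    bridge_stp off
    bridge_fd 0
'

# Constructed sample of the mistake the question worries about: the host itself
# takes the ISP DHCP lease on the WAN bridge.
BAD_CONFIG='
auto br_wan
iface br_wan inet dhcp
    bridge_ports enp1s0
'

# wan_bridge_is_dark FILE BRIDGE
# Succeeds only if the stanza for BRIDGE in FILE uses "inet manual" and carries
# no address or gateway option, i.e. the host gets no IP there by any route.
wan_bridge_is_dark() {
    file=$1
    br=$2
    # Extract the stanza: from "iface BRIDGE ..." up to the next top-level
    # keyword. Fields are whitespace-split, so indentation does not matter.
    stanza=$(awk -v br="$br" '
        $1 == "iface" { on = ($2 == br) }
        $1 == "auto" || $1 == "allow-hotplug" || $1 == "source" || $1 == "mapping" { on = 0 }
        on { print }' "$file")
    [ -n "$stanza" ] || return 1
    method=$(printf '%s\n' "$stanza" | awk '$1 == "iface" { print $4; exit }')
    [ "$method" = "manual" ] || return 1
    # A manual stanza can still smuggle in an address through explicit options.
    if printf '%s\n' "$stanza" | awk '$1 == "address" || $1 == "gateway" { hit = 1 } END { exit hit ? 0 : 1 }'; then
        return 1
    fi
    return 0
}

# host_has_no_ip_on BRIDGE
# Runtime counterpart for a live host (needs iproute2; not exercised offline):
# succeeds if the kernel holds no global-scope address on BRIDGE and no
# dhclient is bound to it.
host_has_no_ip_on() {
    if ip -o addr show dev "$1" scope global 2>/dev/null | grep -q .; then
        return 1
    fi
    if pgrep -f "dhclient.* $1\$" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Demonstration on the two constructed configs, written to a temp file so the
# same function can later be pointed at the real /etc/network/interfaces.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$GOOD_CONFIG" > "$tmp"
    if wan_bridge_is_dark "$tmp" br_wan; then
        echo "good config: br_wan stanza gives the host no address"
    fi
    printf '%s\n' "$BAD_CONFIG" > "$tmp"
    if ! wan_bridge_is_dark "$tmp" br_wan; then
        echo "bad config: host would take the ISP DHCP lease on br_wan"
    fi
    rm -f "$tmp"
}
demo
```

Run `wan_bridge_is_dark /etc/network/interfaces br_wan` before bringing the bridge up and `host_has_no_ip_on br_wan` after; the second check is the one that matters, because a stray dhclient, NetworkManager, or IPv6 autoconfiguration can hand the host an address the file never mentions. With this layout the host is reachable only through br_lan, so the pfSense LAN rules are the only path to the hypervisor, and the ISP router's DMZ or port forwards must point at the pfSense WAN address, never at the host.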

Ah this is what I was looking for! I wasn’t aware of the manual configuration, only inet static and inet dhcp. I wanted to be sure I could do this before setting the router/modem in bridge mode because I do indeed have said combo. You have filled in my gaps, thank you very much!
