This article series covers the steps to deploy pfSense in a VMware homelab. pfSense is one of the most powerful and popular firewalls, well known not just to the community but also to corporations. It comes in a large variety of installation types, including a software-only version. The software version runs perfectly in virtualised environments like VMware, which also makes it a no-brainer for homelab configurations.
What can I use the pfSense for?
pfSense provides so many functions that listing all of them would take a long time. Generally speaking, it is a firewall that can be extended with additional packages covering different areas. An official list of supported packages is available here. It is available with both a commercial and a community license, and because the pfSense router is very lightweight it makes the perfect companion for homelab environments. This article series complements a number of previous ones showing an example of how to build a VMware homelab with VLANs and sample TP-Link and Netgear switches.
This article series covers the steps to deploy pfSense from the ground up in a virtual homelab, where it serves as the main router, with access and firewall policies governing several VLANs such as:
- Management Network
- vMotion and Provisioning separate VLANs
- VM Traffic for Production, Dev and Nested VMs on multiple VLANs
- VSAN traffic on a dedicated VLAN
- iSCSI storage
These are only a few examples of the flexibility VMware and pfSense provide together. There are plenty of other use cases, for example load balancing, proxy, AV-integrated configurations and a lot more. As usual, there is an initial list of articles covering the basic steps before going into more detail with advanced configurations. The list of topics is open and can be extended at any time:
- Deploy pfSense in VMware (this article)
- Install pfSense virtual router
- pfSense setup
- First time pfSense configuration
- pfSense interface assignments
- Squid and pfSense install
- Sample pfSense firewall configuration for a homelab
- pfSense Backup
- pfSense upgrade
The first step is to prepare a VMware virtual machine to accommodate the pfSense virtual router install.
How to deploy pfSense virtual router in VMware
As usual, start from the VMware vSphere Client and choose the option to create a new Virtual Machine. The process is straightforward, but it is important to select some key components that help with the rest of the install later on.
Next, provide a name and the Data Center location where the pfSense virtual router will be deployed.
Next, choose a vSphere ESXi Host that has access to the physical network switches. This is important because the host will carry VLAN-tagged traffic, so the connected physical switch must support the same VLAN configurations. In terms of compute, the pfSense router does not require massive specs for the type of operations that firewalls generally perform. Of course, when pfSense is extended with extra packages, for example AV scanning, it is a good idea to be more generous with the specs or even reserve some resources.
Likewise, from a storage perspective the initial requirements to deploy the pfSense firewall are not expensive at all. It can be accommodated on lower-spec datastores sitting on HDD, for example. When enabling the Web Proxy or other functions, it is a good idea to factor these in at the beginning and perhaps add other disks dedicated to temporary or extra content. For example, when using the Web Proxy function it is possible to enable a caching option for files that are accessed more often. This saves bandwidth compared with downloading the same files again. Windows Update files are one example. More on this topic later in a dedicated article.
At the time these screenshots were taken, the environment was based on VMware 6.7 U2, which ships with version 15 of the virtual hardware. The recommendation is to go with the latest available version, as it allows for greater expansion if required later on.
The next step is to define the guest OS family and type. As per the screenshot below, this will be Other and FreeBSD 11. This is important for two main reasons: it helps VMware VCSA identify compatible VMware Tools (when available), and it keeps the inventory of virtual machine types in the environment consistent and clean. For this particular distribution, the open-vm tools will be installed instead of VMware Tools.
The virtual hardware settings are an important point, as they dictate the resources available to the pfSense router. These can be changed at any time, although some changes require a restart of the pfSense router to take effect. As per the screenshot below, a machine with 1 CPU and 2 GB of RAM is sufficient to run all the conventional firewall configurations, including several VLANs and routing between them. So, for the moment, this will be the initial configuration. As for storage, a single 20 GB disk has enough space to accommodate the install, swap and system files. The rest of the space can be used, for example, to configure the cache for the files most frequently downloaded from the internet.
More important is the network configuration. The idea is to have at least 2 network interfaces. One is connected to the Management Port Group. This Port Group has access to the internet. The other is connected to a special Port Group that supports VLANs in trunking mode. In this environment the Port Group is called “0-4094 LAN Trunk”. This Port Group supports all VLANs, and none of them has direct access to the internet. Access is granted through specific pfSense firewall rules. More on this Port Group configuration is covered in this article.
Another important tip at this point is to take note of the MAC addresses of the network interfaces associated with the VMware virtual switch Port Groups. This can easily be done from the properties of the network cards in this screen. These will be handy in the next article's steps. In addition, it is recommended to change the interface type to “VMXNET 3” instead of the standard e1000 while creating or adding the network interfaces. VMXNET 3 allows far more flexibility and better performance and, best of all, the open-vm tools already include the drivers.
At this point a final screen allows a review of the main settings before applying the changes. The final screen will look similar to this.
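The same virtual machine can be created with VMware PowerCLI, shown here as an added example that is not part of the original article. It assumes an existing `Connect-VIServer` session and port groups that can be referenced by name; the VM, host, datastore and management port group names are placeholders, and the 64-bit FreeBSD 11 guest ID is an assumption. The closing table maps each MAC address to its port group, which is the information needed to avoid swapping the internet-facing and trunk interfaces during pfSense interface assignment.

```powershell
# Added example, not from the original article.
# Requires VMware PowerCLI and an existing Connect-VIServer session.
# Placeholder values (assumptions): VM name, host, datastore, management port group.
# Only the trunk port group name "0-4094 LAN Trunk" is taken from the article.
$vmName    = 'pfsense01'
$esxiHost  = 'esxi01.lab.local'
$datastore = 'datastore1'
$mgmtPg    = 'Management Network'
$trunkPg   = '0-4094 LAN Trunk'

# Stop early if the host or either port group cannot be found,
# so the VM is never created with a NIC on the wrong network.
$vmHost = Get-VMHost -Name $esxiHost -ErrorAction Stop
foreach ($pg in $mgmtPg, $trunkPg) {
    if (-not (Get-VirtualPortGroup -VMHost $vmHost -Name $pg -ErrorAction SilentlyContinue)) {
        throw "Port group '$pg' not found on $esxiHost"
    }
}

# 1 vCPU, 2 GB RAM, one 20 GB disk, guest OS "Other > FreeBSD 11".
# 'freebsd11_64Guest' assumes the 64-bit variant.
# The hardware version is left at the default (latest the host supports).
$vm = New-VM -Name $vmName -VMHost $vmHost -Datastore $datastore `
    -NumCpu 1 -MemoryGB 2 -DiskGB 20 -GuestId 'freebsd11_64Guest' `
    -NetworkName $mgmtPg, $trunkPg

# Switch every adapter to VMXNET 3 (drivers are included in open-vm tools).
Get-NetworkAdapter -VM $vm |
    Set-NetworkAdapter -Type Vmxnet3 -Confirm:$false | Out-Null

# Record which MAC address sits on which port group.
$nics = Get-NetworkAdapter -VM $vm
$nics | Select-Object Name, Type, NetworkName, MacAddress | Format-Table -AutoSize

# Sanity check: exactly one NIC on the management side, one on the trunk.
foreach ($pg in $mgmtPg, $trunkPg) {
    $count = @($nics | Where-Object { $_.NetworkName -eq $pg }).Count
    if ($count -ne 1) { Write-Warning "Expected 1 NIC on '$pg', found $count" }
}
```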