This pfSense setup guide continues the article series on how to install a virtual router on VMware. The stages are simple but essential for the later configuration from the Web GUI. Right after the first boot there is one more step to complete before setting up pfSense for the first time: the install wizard starts a new script that guides the main configuration of at least one WAN and one LAN interface.
Of course pfSense can be equipped with a single interface only, which provides different options for the built-in firewall setup compared with having multiple interfaces available. Generally speaking, a pfSense router with 2 or 3 separate network interfaces is suitable for the majority of scenarios, including a homelab setup. In this context the aim is to set up pfSense with at least 2 network interfaces. The first one connects to the Management network or WAN, essentially the closest point to the internet gateway. The second one carries all the VLANs that back the different VMware Port Groups, using separate VLAN tags to separate the traffic.
A previous article covered in more detail a sample VLAN configuration leveraging VMware virtual Distributed Switches (vDS), along with a quick look at the physical VLAN topology using a combination of TP-Link network switches and Intel NUC. These are just a few ideas based on desired configurations; the combinations are countless. It would be great to hear about other scenarios in the comments.
Setup pfSense for VMware homelab
The important thing to check upon the first boot of the pfSense setup, on either physical or virtual hardware, is that all the “physical” network cards are recognized. With VMware virtual machines, compatibility is ensured by specifying either the legacy Intel-based network cards or, even better, the latest VMXNET 3. The great news is that pfSense is so popular as a virtual router for VMware that the pfSense Community also provides open-vm-tools, which increase the overall performance of the pfSense virtual machine and supply the required device drivers.
This is an important step as it pretty much dictates the available configurations and the support from the Community. As per the screenshot below, the pfSense installer recognized two network cards (vmx0, vmx1). Both are working and ready to be associated with a network (e.g. WAN, LAN) or a number of VLANs. Just for reference, it is a good idea to keep track of the MAC addresses. They will be handy later on.
The first question from the install wizard is whether to set up VLANs. Personally, the preference is to use this wizard only for the first basic setup and then move to the Web GUI. One important choice at this point is which network interface will be used for the WAN link. The vmx numbering does not necessarily follow the sequence of the virtual network cards in the VM hardware configuration.
Before making any choice it is a good idea to open the pfSense virtual machine settings and verify the MAC address associated to the virtual network card.
As per the screenshot above, it is now easier to choose which network card is associated with the WAN and LAN networks. The reason why this becomes handy is covered later on when creating pfSense VLANs.
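The MAC check described above can be scripted. The following is an added example, not part of the original article: it reads `ifconfig`-style text and reports which vmx interface carries the MAC noted for each role in the VM settings. The MAC values and the sample output are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ifconfig` output from a pfSense VM (FreeBSD layout).
sample_ifconfig() {
cat <<'EOF'
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:56:aa:bb:01
        media: Ethernet autoselect
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:56:aa:bb:02
        media: Ethernet autoselect
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
EOF
}

# Print "ifname mac" pairs from ifconfig-style text on stdin.
iface_macs() {
  awk '/^[^ \t]+: /  { sub(":", "", $1); ifn = $1 }
       $1 == "ether" { print ifn, tolower($2) }'
}

# map_roles ROLE=MAC ... : reads ifconfig text on stdin and prints "ROLE ifname"
# for each MAC copied from the VM settings. Returns non-zero if a MAC is absent,
# which means the vNIC was not detected or the MAC was noted incorrectly.
map_roles() {
  pairs=$(iface_macs)
  rc=0
  for want in "$@"; do
    role=${want%%=*}
    mac=$(printf '%s' "${want#*=}" | tr 'A-Z' 'a-z')
    ifn=$(printf '%s\n' "$pairs" | awk -v m="$mac" '$2 == m { print $1; exit }')
    if [ -n "$ifn" ]; then
      echo "$role $ifn"
    else
      echo "$role NOT-FOUND"
      rc=1
    fi
  done
  return $rc
}

# On the router (from the shell, run with sh):
#   ifconfig | map_roles WAN=<mac of vNIC 1> LAN=<mac of vNIC 2>
```

Comparing MACs is case-insensitive here because the VM settings and `ifconfig` may print them differently.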
At this point it is just a matter of verifying the configuration and proceeding with the setup wizard.
The configuration is saved and a few moments later the main menu of the text console is presented.
Now that the network zones have been defined, the next step is to assign interfaces, assign IP addresses and modify other settings as required. So next is option “1” to verify or change the network card associated with each zone.
Option “2” then sets the type of network configuration (manual, DHCP) for each interface, starting from the WAN network or the “external” interface.
The same concept applies to the “LAN” network or internal interface. If IPv6 is not in use, the recommendation is to disable it. IPv6 should be enabled (but not preferred over the IPv4 configuration) when configuring the Microsoft DNS Server, for example when integrated with Microsoft Active Directory. In the case of pfSense, IPv6 can be safely disabled if not in use. The next option is whether to use a default HTTP or HTTPS URL to access the pfSense Web GUI. Reverting to HTTP gives the option to create a self-signed certificate or even import a custom one to sign the SSL connection to the pfSense virtual router. A good idea may be to pair this with Let’s Encrypt certificates.
At this point pfSense saves the settings and reloads the configuration. Pressing Enter brings back the main text console.
The text console provides quick and handy commands for the most important routines, especially during troubleshooting, including the ability to launch a command shell. There might be situations where, depending on the WAN/LAN configuration and on where pfSense is accessed from, the pfSense firewall itself blocks connections (PING) and access to the pfSense Web GUI. It is possible to temporarily disable the firewall and carry on with the rest of the configuration just using the Web console.
This is accomplished by opening the shell with option “8” and issuing the “pfctl” command to disable the pfSense firewall daemon. Careful here: operations run under the “root” context.
At reboot the pfSense firewall restarts by default, and it is also possible to re-enable the service with “pfctl -e”.
Now the Web interface is available from any location.
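To keep the firewall-off window bounded rather than waiting for a reboot, the disable and re-enable steps above can be wrapped together. This is an added example, not from the original article: `pf_pause` and `pf_status` are hypothetical helper names, and the `PFCTL` variable exists only so the logic can be exercised away from the router.

```shell
#!/bin/sh
# Added example: bound the time pf stays disabled during initial setup.
PFCTL=${PFCTL:-pfctl}   # assumption: override only for testing off the router

# Report "Enabled" or "Disabled" from the Status line of `pfctl -s info`.
pf_status() {
  "$PFCTL" -s info 2>/dev/null | awk '$1 == "Status:" { print $2; exit }'
}

# pf_pause SECONDS: disable pf, wait, then re-enable and confirm the result.
pf_pause() {
  secs=${1:-300}
  case $secs in
    ''|*[!0-9]*) echo "usage: pf_pause SECONDS" >&2; return 2 ;;
  esac
  # Refuse to act if pf is already off: something else disabled it.
  if [ "$(pf_status)" != "Enabled" ]; then
    echo "pf is not enabled; nothing to pause" >&2
    return 1
  fi
  # Re-enable even if the session is interrupted or the terminal hangs up.
  trap '"$PFCTL" -e >/dev/null 2>&1' INT TERM HUP
  "$PFCTL" -d >/dev/null 2>&1
  echo "pf disabled for ${secs}s, finish the Web GUI step now" >&2
  sleep "$secs"
  "$PFCTL" -e >/dev/null 2>&1
  trap - INT TERM HUP
  # Succeed only if the packet filter really is back on.
  [ "$(pf_status)" = "Enabled" ]
}

# On the router, as root (run with sh):  pf_pause 600
```

A non-zero return from `pf_pause` means the filter did not come back and should be checked by hand before leaving the console.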