How to Virtualize Your Home Router / Firewall Using pfSense

  • Added 29. 06. 2024
  • It's time to say goodbye to your home router and start virtualizing it using Proxmox and pfSense.
    Video Notes: technotim.live/posts/proxmox-...
    pfSense Community Edition Download: www.pfsense.org/download/
    Get started with Proxmox today: • Proxmox VE Install and...
    00:00 - Intro
    00:20 - Why
    01:40 - The Required Network Card
    02:04 - Hardware Install
    02:22 - Software Install
    02:40 - Proxmox Config
    04:55 - Install pfSense
    08:33 - pfSense First Start & Config
    09:56 - pfSense Tour
    12:53 - Package Manager
    13:39 - Conclusion
    (Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
    📦 Products in this Video 📦
    10gtek Dual Gigabit Nic amzn.to/3f3SleV
    Intel Dual Gigabit NIC amzn.to/2B12Z7L
    HP Dual Gigabit NIC amzn.to/3gjgKyFTechno Tim Kits:
    ► 4K CZcams Kit - kit.co/TechnoTim/4k-youtube-kit
    ► Pro Level Live Streaming Kit - kit.co/TechnoTim/pro-level-li...
    ► Budget Gaming Streaming PC 2020- kit.co/TechnoTim/budget-gamin...
    ► Performance Virtualization Server- kit.co/TechnoTim/performance-...
    ► Budget NAS Server- kit.co/TechnoTim/budget-nas-s...
    ► Coding & Gaming Keyboards- kit.co/TechnoTim/coding-gamin...
    ► Coding & Gaming Mice- kit.co/TechnoTim/coding-gamin...
  • Science & Technology

Comments • 573

  • @TechnoTim 4 years ago +42

    Which firewall / router are you running at home? If you can't remember, maybe it's time to SWITCH ;)
    By the way, if you're new here, welcome! Please remember to ✨subscribe✨ for more content like this!

    • @--ic0n-1- 4 years ago +4

      Used Pfsense since 3 years back inside of a proxmox machine at home. Coupled together are a XCP-NG machine running Pfsense at my parents' house with IPsec tunneling. (150km) Getting 250/250mbit sym bandwidth between the two places. :)

    • @TechnoTim 4 years ago +1

      Nice! That's awesome you have a hypervisor at your parents' house! Why did you choose XCP-NG over proxmox?

    • @--ic0n-1- 4 years ago +1

      @TechnoTim I think both are really good products. XCP-ng do have an easier time to bind a swarm of servers in my opinion. And I do like the disaster recovery, XenMotion, True backup system compared to tar.gz of proxmox. But as I said. You can't go wrong with either.

    • @AinzOoalG0wn 4 years ago

      just a question, but is it safe to use qnap nas virtual station for pfsense vm? compared to using say a nuc install ubuntu? then install proxmox? then install pfsense freebsd as a vm using that proxmox?
      no portforwarding being done, just merely using as an edge router firewall.

    • @TheoParis 3 years ago

      XD

  • @amosgiture 3 years ago +87

    Always log on with the new account before disabling the old account.

  • @sebastiaanstoffels7565 3 years ago +53

    I have an identical setup. One thing to consider depending on how many cores you have on the host, is to make the CPU type 'host' and pass through 1 or 2 physical cores. This should ( depending on your CPU ) enable the AES-NI CPU crypto which can be useful if you use OpenVPN and want faster throughput over encrypted connections. Awesome guides by the way, I wish these vids were around years ago!

  • @alejandrodpf 4 years ago +52

    Incredible quality, easy to understand, as always fantastic! Thanks for your videos Tim, keep doing them please.

  • @valeriomec214 2 years ago +2

    Tim, your videos are invaluable. Thanks for the amazing work, you TRULY deserve like 1 MLN subscribers already.

  • @rbrjoel 3 years ago +4

    Seriously the most helpful tutorials on CZcams, thank you!

  • @GhostZodick 4 years ago +3

    I went through the same research journey around the same time. I also seriously thought about putting pfSense on virtual machine. Eventually I decided to purchase dedicated hardware for pfSense because of all the reasons people talked about on the internet. I probably would try to virtualize it if I saw your video earlier. Now my whole set up is already completed, and it's very stable. I don't want to mess with it.

  • @matthewwren2877 2 years ago +6

    Such a great idea for those tech heads that want to do something more than what those basic modem routers.. Just a note for those with different NBN connections that you may still need the netgear/gateway/modem from your ISP but simply put it into bridge mode then pass that to the WAN interface as per TechnoTim's guide!! (suit most Australian NBN type of setups) As I am an Aussie viewer also!!!

  • @kodemasterx 1 year ago +1

    Even though I have a PCI network card with two ports, adding them as PCI cards in Proxmox did not work for but instead as NICs, the rest was flawless, thanks for the video man, I dropped a sub as well.

  • @nixxblikka 4 years ago +1

    I really enjoy watching these videos, it is your relaxed way to present the topics and nice background music ! Keep up the great work

  • @Cleanser23 3 years ago +1

    just fantastic. I have been prepping my own home server and was sweating because I wasn't sure what to do to isolate it from the network.
    "Is it safe to host?"
    "whats pfsense even do"
    "should i buy dedicated hardware"
    "where WAS that lasagna!?!"
    and this video made it so clear. Thank You

  • @Hazmatguy117 2 years ago

    Love playing around with Proxmox at home, it really impresses my boss when I talk above his head with tech stuff lol. Thanks!

  • @haydenc2742 1 year ago

    Outstanding!!!! Thank you for this!
    What is cool, is since the host os is debian based, you can install and run netstat which gives MUCH more information about thruput on the nics

  • @Supperconductor 4 years ago +1

    That took some effort, but I got my NICs on the Dell R710 passed-thru and my network is up! I learned a heckuva lot along the way. Thanks Tim!

    • @TechnoTim 4 years ago +1

      Nice work!

    • @Twylight85 3 years ago

      @supperconductor @techno Tim Hey there. r720 running a pcie intel dual nic as recommended. Proxmox informs me that IOMMU is not present when I attempt to boot the vm. It’s enabled in the bios.... Followed a couple of GPU guides for pass through... what am I missing, guys?

  • @roguestratus8449 1 year ago +7

    Heyo Tim, you have greatly helped me get into the Homelab scene, and I appreciate it. With that said, you really should consider revisiting this video with a 2022/2023 edition. Reason why I say this is because passing my NIC down to the OPNSense VM in Proxmox (and even Pfsense) straight up did not work. I almost gave up, until I talked to someone that had a workaround: by creating a Linux bridge with the NIC as an alternative way. Passing the NICs down did not work but creating a bridge did. I had other people express their grievance about following your video and having it not work. And from what I heard, when it comes to virtualizing routers/firewalls, passing down NICs is a huge NoNo for this reason. I have no doubt this worked for some people, but I feel like there is a higher chance of success with an updated video by using the create Linux bridge method. Just my 2 cents!

    • @kerrydaniels8460 1 year ago +1

      He recommended the first method likely because it maximizes performance to just pass through, but bridging through a virtual interface works likely as well. His suggestion is ideal when supported. If not, with VM's you can typically emulate a method instead.
      Pass through in general can get finicky for some.

    • @TylerNyland 11 months ago

      I had issues trying to passthrough my 4port NIC card. I ended up unchecking the "all functions box" and that solved my problems.

  • @frankrobinson6615 3 years ago

    Techno Tim Rocks!!! Awesome content and delivery. Thank you.

  • @dionisierus5055 3 years ago +2

    the production quality of your videos is excellent. Tutorials are short and helpful - no wasted time. Subscribed!

  • @huplim 4 years ago +1

    Great stuff Tim. Subscribed!!!

  • @JamesMartin2014 3 years ago +20

    Great tutorial. I really like how well you laid out this content. I'm a network engineer and while I knew how to do all of this networking, I wanted to see how you explained it for laymen. Fantastic stuff. I also completely muffed my own proxmox setup, I didn't realize you could pass through NICs so easily. I made an OVS bridge for the WAN, I don't want to talk about it :( One little change I would make is on the LAN gateway address. While you can always make the gateway whatever IP you want on the subnet, I really like to keep it to either the first address in the subnet, or the last address in the subnet. Remembering a random address is difficult years down the line and if you ever need to add a statically configured network device, it's easier to remember first address or last address. Anyway, just my $0.02.

    • @TechnoTim 3 years ago +2

      Thank you so much!

    • @Nur__ 1 year ago

      Makes a lot of sense

  • @OMGTheCloud 3 years ago

    Nice! I’m a big pfSense advocate. Subscribed!

  • @peterhast 1 year ago

    Thank you for doing this, and the education, I appreciate it, it worked great.

  • @odirienduranceejitagha9499

    I had no idea before now I Know, Thanks for your video.

  • @mesteme 1 year ago

    This was so helpful, thank you

  • @LawrenceSingha 3 years ago

    No. 600 - excellent video and now you've given me an excuse to do what you've done VM of pfsense 👍🏼

  • @alexzendermarunsai 4 years ago +1

    I guess it's time to smash my buggy tplink router and say hello to virtual router. Cool tutorial as always. Keep it up man 👍

  • @JuanLopez-db4cc 4 years ago +2

    Thanks for this Video.

    • @TechnoTim 4 years ago

      You are most welcome! Thank you for watching and commenting!

  • @lk-777-me 2 years ago

    Thank you for this video! Regarding CPU settings. To have AES-NI CPU Crypto: Yes, I selected Type: host (if the host CPU supports AES-NI, of course). And adding PCI nics (in my case Intel) didn't work with "All Functions" enabled. Maybe it doesn't work with this particular board. So I cleared this box.

  • @lakshaynz 2 years ago

    This is the best guide

  • @ViktorWingqvist 2 years ago +1

    Great stuff!!
    Any chance you could do a video on how to create an AP too using the integrated wifi adapter many repurposed homelab computers have? :)

  • @jelteswinnen6865 3 years ago

    I like your videos!! Very good youtuber!

  • @bousbouss 3 years ago +2

    Perhaps good thing to mention in a comment is that you need IOMMU enabled. I went and watched your "before I do anything" video and you explained it great there. Quick reference would be nice because I got stuck when I wanted to start the VM.

    • @bousbouss 3 years ago +3

      @Régis Loyauté The fact I didn't know kind of highlights the absence of common knowledge. These videos aren't made for veterans of virtualisation as far as I'm aware.

    • @jothain 3 months ago

      This is something worth noting indeed. I personally ran into lack of IOMMU on one older hardware. Let's be real. There's a lot of vids that recommend turning old device into Proxmox server and in certain situations user will severely get hampered with lack of its support. I was looking into sharing gpu to vm and ran into lack of IOMMU hardware support.

  • @digbijaypaul8474 2 years ago

    Like the explanation.

  • @reubenf1367 1 year ago +2

    Hi Tim fantastic video!
    I'm just getting started with Proxmox but so far I am digging it, I want to set up a virtual PFsense instance but not to act as my real firewall in my office, I just want to be able to join other VM’s within Proxmox to the LAN network that PFsense is creating.
    That way I could test VPN solutions like Wireguard, Zerotier and Open VPN from one VM to another that are on different networks.
    My Proxmox box does have 2 NICS, actually 3, what would be the best way to go about this?
    I feel like I can basically follow your tutorial except for on the LAN NIC for PF sense I don't need to connect it to a switch I just need it to broadcast to the other VMS in Proxmox, just not quite sure how to do that.
    Thanks !

  • @YannMetalhead 1 month ago

    Good video!

  • @vfxfan9589 4 years ago

    Wow great, please more pfSense tutorials!

    • @TechnoTim 4 years ago +1

      I have quite a few tutorials, more to come! Check out the rest of my videos!

    • @vfxfan9589 4 years ago

      @TechnoTim Thanks!

  • @sontechno1 3 years ago

    Thank you for your video

  • @NM-vw6xq 3 years ago +2

    Awesome video and tutorial! Thank you Tim! During this lock down, it was a great time to get something like this set up and your video was a huge help.

    • @TechnoTim 3 years ago

      N M thank you! Glad it helped!

  • @notsure7874 2 years ago

    Proxmox is great, and I have a whole lot of virtualized gear, but my router isn't one of them. I tried it, and quickly figured out why a router should be on its own hardware. The first time my power blinked - I was ordering hardware to run pfsense on the next day.

  • @Rsantana380 3 years ago

    implementing this today

  • @mehdibelkhayat5088 3 years ago

    Hi Tim, thanks for your great videos, I'm interested to see how you implement vdi infrastructure solution with proxmox and open source tech you prefer to do that

  • @redraider1863 3 years ago +2

    Thanks for the video! Really clear explanations. Question: in choosing all of your cores under the CPU tab, does that mean that there will be no cores available for other VMs? If you have more than one VM, should you divide the cores between them?

    • @TechnoTim 3 years ago +3

      I over provision all my vms. Basically give them all available cores that the host has.

    • @TechnoTim 3 years ago

      Also, thank you!

    • @redraider1863 3 years ago

      @TechnoTim OK, thanks!

  • @oah8465 3 years ago

    fantastic video, however on the pfsense installation guide for PVE it mentions the creation of vmbr1 and vmbr2 and assign them to eth1 and eth2 assuming vmbr0 and eth0 are reserved for managing PVE. So did you do that step here?

  • @davidnickel3949 8 months ago

    I got further with 8.0 than other versions with this guide, ty. I have an older intel dual 100 nic that I may use as new is not in the cards yet lol.

  • @emoisit 3 months ago

    Hi Tim. You need to put a space before 'Techno' for the link to the HP Dual Gigabit NIC so the link works.

  • @MrGatya2 1 year ago +1

    This video was awesome. While we are on the subject of virtualizing firewall: Can you add a third NIC to the PFsense VM that is also on the LAN side but its inside the Proxmox virtual environment? What I mean is, for physical devices on the LAN side you would connect it to the LAN physical port (maybe add a switch first), but for the other VMs that live on the same Proxmox host as the Pfsense, it would be a waste to send their traffic out a physical port then back on the LAN port. Is my assumption correct that all you would have to do is create a new linux bridge in proxmox (vmbr2 maybe) and just add that as a third adapter to pfsense and configure it as LAN. Then from there just add that bridge as an adapter to all your VMs?

  • @user-gd9nd2br9o 4 months ago

    two things....why did you add pci device and not network device card as i've seen in all other similar vids?....secondly, as feedback - thanks for posting. apart from knowledgeable and simple to follow, it's calm and easy to listen to...

  • @francescocatrambone166

    Very helpful video, thanks! I have a question though if you don’t mind! Say i create a linux bridge to the passed-through LAN port to allow connectivity between my other VMs and the physical switch managed by pfsense. Will the VMs bypass the pfsense firewall? Or will they be routed through it? Thanks!

  • @rtisma 2 years ago

    @Techno Tim Thank you for the great video! I'm just scoping out the work I have ahead of me, and want to know, can you access the proxmox UI via web from an IP dealt by the pfsense VM? Ideally i would like proxmox to be accessible from the virtual router, instead of physically accessing the proxmox service with a keyboard and mouse. So my usecase is simple: access proxmox from my desktop that is connected to my virtual pfsense router.

  • @bearhntr928 7 months ago

    Great Video - first TechnoTim I have seen. Great job explaining and sharing. I have been using pfSense about 2 years now on an HP t620+ ThinClient with an added 2-port Intel i350-T2 card. Been working great, but I have this awesome Workstation class machine I want to use for ProxMox. I have 8.0.9 installed there, and I am just beginning. I purchased a 4-port i350-T4V2 for this box, and it is working fine. In the t620+ I had disabled the on-board NIC as was not using it.
    I know that ProxMox requires a NIC for accessing the host/dashboard, but can it be one of the 2-ports I will use on the i350-T4? I have a cable from Cable modem to port 0 on the 4-port and cable from port 1 to the Netgear Orbi (wifi AP)...as it has a satellite in the other end of the house where the office is - so that I have Wired (per se) access back there and wifi is stronger. From the Orbi (at the ProxMox box & modem - there is a cable into the on-board NIC of the ProxMox host). If I unplug this, I lose access to the host dashboard.

  • @sophiethecat9256 3 years ago

    PFsense has gotten so much better looking

  • @LivioHenery 1 year ago

    Might be late to the party, followed your video and worked perfectly (thank you) only thing is if I reboot the vm (for pfsense) I don't get a WAN ip back, only way to get it is to reboot the Proxmox server, can't find anything to point me to the correct direction

  • @stuartfulcher5677 2 years ago

    Fantastic tutorial @Techno Tim, I just have a question that I am struggling with this setup... Let's say you've dedicated both the PCI LAN/WAN NIC cards to the PfSense VM. Is it still possible/recommended to bridge your proxmox node to the same LAN NIC which is now dedicated directly to the VM? Or will I need a 3rd NIC for the proxmox node as well? I'd prefer to only have a single NIC for LAN and proxmox host for simplicity's sake.

    • @stuartfulcher5677 2 years ago +2

      To answer my own question, as soon as I bridged my management network to the LAN nic dedicated to PfSense, I lost control of my hypervisor and had to edit /etc/network/interfaces on the proxmox server itself to revert the changes. I guess I will have to keep a dedicated 3rd NIC for management /clustering purposes for proxmox.

  • @borolo222 2 years ago +1

    Hi Tim, great tut. Had to do some IOMMU separation to get it to work but finally did it and working. Now, I have PFsense running inside vm giving its own network and dhcp to everything coming out through the lan port. So far so good. I want now to place the proxmox host behind pfsense as well and leave the primary modem only passing traffic to pfsense with DMZ. I just need to plug the nic (using proxmox) to the switch but before change the ip address? I'm not sure how to do this.

    • @joanandestin4201 2 years ago

      If Pfsense is running within Proxmox and connect to a modem, isn't proxmox exposed to the internet? Is it safe to just reroute all the traffic go through Pfsense including the other VM and CT?

  • @maksim4995 4 years ago

    Thank you very much for so incredible manual! is it correct if I have two inbuilt NIC in my motherboard then in my case will be better use two bridges in Proxmox instead of PCI-passthrough?

    • @TechnoTim 4 years ago

      Thank you! I think that should work too!

  • @succubiuseisspin3707 3 years ago +4

    If your CPU supports AES-NI and you like to use it in your pfSense/OPNsense VM for OpenVPN etc. you can change processor type to "host"

    • @TechnoTim 3 years ago

      Good call!

    • @tomashrubovcak3770 3 years ago +1

      Basically you always want to use host, unless you want to do a live migration to a different host with a different cpu. Kvm has the bare minimum of cpu flags, host type is always better

    • @succubiuseisspin3707 3 years ago

      @tomashrubovcak3770 Hm, yeah, sounds reasonable. Any idea why proxmox defaults to KVM ?

    • @tomashrubovcak3770 3 years ago

      @succubiuseisspin3707 precisely for live vm migration reasons. I learned that the hard way when I couldn't figure out why my tls offloading proxy was so slow on my proxmox vm... Then I dug around and found some official docs covering that.

  • @johnbaker7993 3 years ago

    Just recently found the videos and am enjoying them very much, but, I have a question...
    I think you mentioned this pass-through was done on a R710 (I could be mistaken)? If so, how did you get it to work? There seems to be Dell related laziness keeping an IOMMU/pass-through setup from working properly due to some unpatched Intel screwup.
    I usually just bridge interfaces on VMs when needed, but decided to try this out. Nothing has worked. I have a R610 and R710 here along with dual and quad port Intel Pros.
    Did you end up having to use the "Allow Unsafe Interrupts" option?

    • @TechnoTim 3 years ago

      Bridge will work too if you don't want to pass through. I did not have to use Allow Unsafe Interrupts

  • @francoiswilliams565 3 years ago

    Hi Tim, awesome video.
    I opted for OPNSense.
    I added 2 x NICS to proxmox and struggled getting them in different groups
    This is how I resolved that:
    In proxmox shell...
    >> lspci | grep Ethernet
    03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. Device 8161 (rev 15)
    06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. Device 8161 (rev 15)
    >> find /sys/kernel/iommu_groups/ -type l | grep 03
    Showed both nics in group 7
    /sys/kernel/iommu_groups/7/devices/0000:03:00.0
    /sys/kernel/iommu_groups/7/devices/0000:06:00.0
    Edited grub as follows:
    >> nano /etc/default/grub
    GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on pcie_acs_override=downstream,multifunction"
    >> update-grub
    >> shutdown -h now
    and switched the server on again. I could then add the NICs to my VM.
    Noob dilemma. Please help me getting to my VM
    -- Laptop connected via router (192.168.21.1) to proxmox host (192.168.21.10)
    How can I connect to the host as well (or interchangeably) to the OPNSense VM?

    • @TechnoTim 3 years ago

      Francois Williams how many nics do you have total?

    • @francoiswilliams565 3 years ago

      @TechnoTim 1x Onboard + 2 PCIe cards each with a single port.
      The onboard one I want to use to manage the proxmox server and the other two cards for WAN and LAN.
      Just not sure how to do the above. Thx for replying.

    • @francoiswilliams565 3 years ago

      Hi Tim
      You mentioned in the video that you manage your proxmox server using your laptop. How do you do that without using a secondary router (i.e. not the opnsense wan interface)?
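The IOMMU group listing in the comment thread above, generalized into a reusable check (an added example, not part of any comment or of the video's notes): given the PCI addresses you plan to hand to one VM, it reports every other device that shares their IOMMU group, and it detects the `pcie_acs_override` kernel option, which makes the kernel report smaller groups without the hardware enforcing that separation. The function names are hypothetical, and the sample tree reuses the two NIC addresses from the comment plus two constructed devices (`0000:00:1c.0`, `0000:07:00.0`).

```sh
#!/bin/sh
# Added example, not from the original comments.
# Real run on the host:  sh thisfile.sh 0000:03:00.0 0000:06:00.0
# With no arguments it runs against a constructed sample tree.

# iommu_group_of ROOT BDF: print the IOMMU group number that holds BDF.
iommu_group_of() {
    for _p in "$1"/*/devices/"$2"; do
        if [ -e "$_p" ] || [ -L "$_p" ]; then
            _p=${_p%/devices/*}          # ROOT/<group>
            echo "${_p##*/}"
            return 0
        fi
    done
    return 1
}

# group_members ROOT GROUP: print every device address in GROUP, one per line.
group_members() {
    for _d in "$1/$2"/devices/*; do
        if [ -e "$_d" ] || [ -L "$_d" ]; then echo "${_d##*/}"; fi
    done
}

# check_passthrough ROOT BDF...: print "SHARED <group> <bdf>" for each device
# that sits in the same group as a listed NIC but is not itself listed, and
# "NOGROUP <bdf>" when a NIC has no group (IOMMU off or wrong address).
# Returns 0 only when the listed devices have their groups to themselves.
check_passthrough() {
    _root=$1; shift
    _rc=0
    _seen=" "
    for _nic in "$@"; do
        if ! _grp=$(iommu_group_of "$_root" "$_nic"); then
            echo "NOGROUP $_nic"; _rc=1; continue
        fi
        case "$_seen" in *" $_grp "*) continue ;; esac   # group already reported
        _seen="$_seen$_grp "
        for _m in $(group_members "$_root" "$_grp"); do
            case " $* " in
                *" $_m "*) ;;                            # also going to the VM
                *) echo "SHARED $_grp $_m"; _rc=1 ;;
            esac
        done
    done
    return $_rc
}

# acs_override_active FILE: true if the kernel command line in FILE (normally
# /proc/cmdline) contains pcie_acs_override=. With that option set, a clean
# result from check_passthrough does not prove the devices are isolated.
acs_override_active() {
    grep -q 'pcie_acs_override=' "$1"
}

# make_sample_tree DIR: constructed stand-in for /sys/kernel/iommu_groups.
# Group 7 holds both NICs from the comment plus one constructed neighbour;
# group 12 holds a constructed device on its own.
make_sample_tree() {
    mkdir -p "$1/7/devices" "$1/12/devices"
    : > "$1/7/devices/0000:03:00.0"
    : > "$1/7/devices/0000:06:00.0"
    : > "$1/7/devices/0000:00:1c.0"
    : > "$1/12/devices/0000:07:00.0"
}

if [ "$#" -gt 0 ]; then
    acs_override_active /proc/cmdline && echo "WARNING: pcie_acs_override is set"
    check_passthrough /sys/kernel/iommu_groups "$@" || echo "RESULT: not isolated"
else
    _demo=$(mktemp -d)
    make_sample_tree "$_demo"
    check_passthrough "$_demo" 0000:03:00.0 0000:06:00.0 || echo "RESULT: not isolated"
    rm -rf "$_demo"
fi
```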

  • @terminalvelocity4858 10 months ago +1

    Thank you for this video. I have one “noob”question. Using a physical machine that has 6 network ports, running ProxMox and a pfSense VM...how can I access ProxMox web control panel from my network that is being served by pfSense? Do I just need to ensure ProxMox is on the same subnet as my LAN? Thank you kindly for helping.

  • @nanonerd 3 years ago +1

    Thank you for this video, and for your channel. I do have a question. I have a similar setup as seen in the 2:22 mark of this video (onboard NIC and dual NIC card). My onboard NIC is attached to my switch via a green cable. My WAN port is plugged into my provider's cable modem via a white cable and my LAN port is plugged into my switch via a black cable (BTW, same switch that the onboard NIC is plugged into so that I can go to Proxmox web UI). pfsense seems to be working with this setup, but how do my Proxmox VMs get their Internet? Since the dual NIC card is being passed through to the pfsense VM, and other VM will not see this card. Is there something I need to do in Proxmox or pfsense to bridge the two?

    • @TechnoTim 3 years ago

      Make sure you create a network bridge where all your physical and virtual devices can communicate with each other

  • @Dyrud19 4 months ago

    Hello, nice video ! How do you connect other physical PCs to that virtualized router ?

  • @guya4007 3 years ago +3

    Hi TechnoTim, this was a great tutorial. I followed it almost successfully, all my LAN clients are getting IP addresses except for the guest VMs that rely on the vmbr NIC. Did you come across this and if so how did you resolve it? Many thanks

    • @MegaTheDamir 1 year ago

      @guya4007
      Did you ever solve your issue? I have exactly the same issue

  • @lelandclayton5462 3 years ago +5

    don't forget to enable IOMMU. The version of Proxmox 6.1-7 didn't enable it by default.

    • @TechnoTim 3 years ago +2

      Good call! Sorry, I already had it enabled from a previous video >.

    • @lelandclayton5462 3 years ago

      @TechnoTim yea, took me a good hour to figure get my R410 working correctly with IOMMU.

  • @fmj_556 3 years ago

    Nice!

  • @idriskautsar757 3 years ago +1

    please make video about openmediavault with proxmox, how the right way we do the config,
    for share storage, and storage for CCTV using FTP/SFTP protocol and others what that openmediavault can do,
    by the way, thanks for explaining clearly, i like a way you explain

  • @anirbandutta1371 2 years ago +1

    Great Video ...I am new to networking ... If we virtualize the router given by ISP, how would we create a wireless network for this ? ..I suppose the NIC adapter will create only ethernet network ?

    • @TechnoTim 2 years ago +1

      Hi! Yup, just connect a router to your LAN/Switch/Ether net and then turn off DHCP and routing. That's what I did! Then your old router just becomes an Access Point!

  • @exjts 3 years ago

    Hey, great video! Can you speak to the tradeoffs in virtualizing and running pfSense through proxmox vs pfSense on bare metal? While this seems really cool, I do wonder about the overhead in virtualizing and what benefits I'd gain. The main one I see is in essentially being able to overprovision a server and essentially create "multiple" servers, though with a potential performance hit. Also possibly easier for backup and recovery?
    Also, related to above, would I be able to run a proxmox box with pfSense in 1 vm and e.g. Postgres in another all with 1 nic, or would I need multiple? It seems like I'd need 1 for wan and 1 for lan, plus ANOTHER for Postgres or any other servers. If I can do it all with one, is it even recommended? Feels like a security risk with possible performance issues also, intermingling all that traffic.
    Sorry for the wall of text!

    • @TechnoTim 3 years ago +2

      Yes, easier for backup and recovery, also easy to switch out to something else. the downside is the internet goes down while your server reboots, which is rare but still there.

  • @sy5tem 1 year ago

    A little update for all, you can get a pfsense + home subscription now so more features for free! btw great video (all of them that I saw) mister tim

  • @Billyfelicianojp 3 years ago +6

    Maybe you should do a video on setting up Vlans on proxmox?

    • @TechnoTim 3 years ago

      Thank you!

    • @hamhumtube 3 years ago +2

      yes in-depth review and tutorial is much needed. I hope he would do it

  • @jakesllama 4 years ago

    Dude thank you that's awesome. Where would you save the ISP account details though? Do you use a switch for extra ports?

    • @TechnoTim 4 years ago +2

      Yes I do. My ISP information is a DHCP address on my WAN NIC, nothing to configure there for me.

    • @TechnoTim 4 years ago

      Thank you! Also, yes, I do use a switch for extra ports. My LAN NIC goes to my switch.

  • @perfect.stealth 3 years ago +2

    Is no one going to mention how much you look like Johnny Depp?
    Nevertheless, I love your tutorials. Easy to understand.

    • @TechnoTim 3 years ago +2

      haha thank you!

    • @OccupyEtcheverry 3 years ago

      @TechnoTim +1 agree with Suleiman. if Johnny Depp was a sys admin he would be u lol

  • @kuflik 3 years ago

    Hi Tim. The guide is nice and clear - but can you make a guide for people that want to utilize current equipment? Like old laptop with proxmox and pfsense (so one nic) and tp-link vlan switch. I tried to make such setup work with this guide combined with some router on a stick but I've failed:)

    • @benp439 3 years ago +1

      You may be able to passthrough USB NICs however, reliability will be worse for the same price you can buy a PCIE NIC. If you already have USB 3 Gigabit NICs though, it's probably worth a try.

  • @GopikrishnaS
    @GopikrishnaS 3 years ago

    @Techno Tim Thank you for your video, I have used this to make a similar setup. But the nodes on the LAN are not able to connect to WAN. They can get IP addresses though. Any tips to fix this? Please let me know. Thanks in advance!

  • @wmhp1
    @wmhp1 2 years ago +1

    How does this work with your Ubiquiti gear (UDM-Pro)? I’m in a similar situation and just wanted your thoughts.

  • @searchingsome1
    @searchingsome1 3 years ago

    Thank you for great video, Tim!
    Do you get good performance on your pfSense running in Proxmox? I get max 50mbps on 100mbps link with Squid and pfBlockerNG running. Have turned off hw checksum offload, played around with amount of RAM & CPU cores, but no luck. Was also running ntopng for a while, but it decreases performance, so I removed it.
    I am running it on i5-7500 CPU with host CPU type, 4 to 8 gigs of RAM. Micro form factor Dell PC, one interface is USB-to-Ethernet. Tried different settings for it, but no luck as well.
    Do you have any ideas what can be the reason for that?

    • @TechnoTim
      @TechnoTim 3 years ago +1

      Hey! NP! My perf is normal when virtualized. I’ve heard of people having luck by setting their CPU type to host when virtualizing but I’ve never tried it. LMK!

  • @sanjeewasamaranayake
    @sanjeewasamaranayake 4 years ago

    Thanks for this great video. Is it a good idea from a security point of view to have your Proxmox server open to the internet if you have all other important VMs in Proxmox itself? I had been thinking about this but was a bit concerned. I am building a new Proxmox server so I am thinking about it again. I have a UniFi USG as my router now but it lacks a lot of good features other than nice graphics

    • @TechnoTim
      @TechnoTim 4 years ago

      I don't see any security issues if you are passing the WAN NIC directly through to your network firewall appliance.

  • @qqman9592
    @qqman9592 3 years ago +1

    1. Can Proxmox do hardware acceleration from pfSense through the NIC?
    2. Is there an option to define a standard vSwitch in Proxmox like vSphere?

  • @derricklamers4857
    @derricklamers4857 3 years ago

    Tim, I love your videos but had a quick question. Do you have failover for your virtualized firewall? I currently have pfSense virtualized on Proxmox but every time I need to reboot Proxmox, I bring down the network.

    • @TechnoTim
      @TechnoTim 3 years ago

      Thank you! I do not. That’s one of the cons of virtualizing anything, if you reboot the host the guest goes down.

  • @MrBo3ek
    @MrBo3ek 2 years ago

    Great tutorial as usual from you. I have a question about the Proxmox location in this infrastructure. Where is it placed in the network? I am running a small server with pfSense virtualized but this server I own has only two LAN NICs. One is used as a WAN port and the second as a private network. I wonder where and how to address the Proxmox... I hope this question makes sense

    • @TechnoTim
      @TechnoTim 2 years ago

      It makes sense. Just make the LAN on your virtualized pfSense virtual and connected to a Linux bond. Then connect that Linux bond to the NIC and use that for your LAN and Proxmox.

  • @hzaphry
    @hzaphry 1 year ago +1

    Is it possible to utilize pfSense on Proxmox using only a laptop with one NIC using VLANs? I know you elaborated on these subjects but not in such combination. Thanks for your help

  • @snailprogrammer7483
    @snailprogrammer7483 2 years ago

    Found your channel a while ago but I never had any server stuff. Your stuff is awesome.
    Question about Users, if the new user added to pfSense has the same access as Admin, why create a new user? Is it because hackers will try to use admin as the username to log in?

    • @TechnoTim
      @TechnoTim 2 years ago

      Yeah, I do so that no one knows the default username. I typically do that anytime there is a generic name like "admin" or "administrator"

  •  2 years ago

    Thanks for the help, @Techno Tim!
    If anyone gets an error like this -> "TASK ERROR: KVM virtualisation configured, but not available. Either disable in VM configuration or enable in BIOS." - Please, follow these steps to solve!
    Bye!

  • @magictbjc7324
    @magictbjc7324 2 years ago

    I fully believe this setup works. You are essentially using your Proxmox as your network gateway, which is not very secure

    • @TechnoTim
      @TechnoTim 2 years ago

      WAN has exclusive access to the NIC

  • @markbifferos2765
    @markbifferos2765 6 months ago

    Hi TechnoTim, I hope you are able to answer one silly question about this setup: When experimenting with different virtualised router OSes I find the default LAN networks vary from product to product. And I like to just use the defaults most of the time in case changing them gives unexpected problems. This gives me a quandary about where to put my PVE management interface. I prefer to put it on the LAN, but that means it invariably ends up on a network number different from whatever I'm running for a router. So I have no access unless I mess with my network settings on my PC. Then I have to change them back to test out the router behaviour. I just wondered how you manage this problem in your setup, or do you just live with it?

  • @renedokbua8883
    @renedokbua8883 3 years ago

    You don't actually have to patch the LAN port through to the pfSense VM, you can just use the default Proxmox bridge and save a connection to your switch.

    • @TechnoTim
      @TechnoTim 3 years ago

      That’s right! You can go this route if you only have one additional NIC

  • @ierosgr
    @ierosgr 3 years ago +1

    Hi, nice vid!! At 3.48 you mention that you can pass through only 1/4 of a 4-NIC card?? How is that possible? I am used to Unraid, on which you need to exclude the specific PCI device you want to pass first and afterwards give it to the VM.
    Even more difficult if that device is a motherboard controller (USB, NIC). Is it possible in Proxmox to pass through motherboard controllers without breaking things? Isn't it mandatory in Proxmox for the passed-through device to be in its own IOMMU group (so an IOMMU-capable motherboard is needed)?
    Last but not least, did you have to put your ISP's modem in bridged mode in order for this to work?
    Thank you

    • @TechnoTim
      @TechnoTim 3 years ago

      ierosgr you can split up IOMMU groups in Proxmox with config! Not sure about splitting integrated motherboard items. Didn’t have to do anything different for my ISP’s modem. A NIC is a NIC to them.

    • @ierosgr
      @ierosgr 3 years ago +1

      @TechnoTim At the start of the video you show an Intel NIC which is an external PCI device. Afterwards you show yourself passing through a Broadcom (so an integrated one). Which of the two did you pass to pfSense? Why does a NIC card differ from a GPU device, so that you don't have to enter conf files to exclude it from the hypervisor at boot like a GPU?
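
The replies above ("WAN has exclusive access to the NIC", and the IOMMU group exchange) both depend on the WAN NIC really being handed to the pfSense VM by PCI passthrough. The script below is an added example, not taken from the video or its notes, that checks this on a Linux/Proxmox host by reading sysfs; the PCI address you pass it and the `SYSFS_ROOT` override are assumptions of the example.

```shell
#!/bin/sh
# Added example: check that a NIC meant for the pfSense VM is isolated from the
# host. SYSFS_ROOT is this example's own knob, so a constructed tree can be used.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

pci_driver() {   # driver bound to PCI address $1, or "none"
  if [ -L "$SYSFS_ROOT/bus/pci/devices/$1/driver" ]; then
    basename "$(readlink "$SYSFS_ROOT/bus/pci/devices/$1/driver")"
  else
    echo none
  fi
}

group_peers() {  # other PCI functions in the same IOMMU group as $1
  link="$SYSFS_ROOT/bus/pci/devices/$1/iommu_group"
  [ -L "$link" ] || return 1          # no group: IOMMU is not active
  grp="$(basename "$(readlink "$link")")"
  for d in "$SYSFS_ROOT/kernel/iommu_groups/$grp/devices"/*; do
    [ -e "$d" ] || continue
    [ "$(basename "$d")" = "$1" ] || basename "$d"
  done
  return 0
}

host_netdevs() { # host interfaces (e.g. enp3s0f0) still backed by $1
  for d in "$SYSFS_ROOT/bus/pci/devices/$1/net"/*; do
    [ -e "$d" ] && basename "$d"
  done
  return 0
}

check_wan_nic() {  # returns 0 only if $1 is fully handed over to VFIO
  addr="$1"; rc=0
  [ -e "$SYSFS_ROOT/bus/pci/devices/$addr" ] || { echo "FAIL $addr: no such PCI device"; return 2; }
  drv="$(pci_driver "$addr")"
  [ "$drv" = "vfio-pci" ] || { echo "FAIL $addr: bound to '$drv', expected vfio-pci"; rc=1; }
  nets="$(host_netdevs "$addr")"
  [ -z "$nets" ] || { echo "FAIL $addr: host still has interface(s): $nets"; rc=1; }
  if peers="$(group_peers "$addr")"; then
    for p in $peers; do
      case "$(pci_driver "$p")" in
        vfio-pci|pci-stub|pcieport|none) ;;   # acceptable group members
        *) echo "FAIL $addr: IOMMU group shared with host-driven $p"; rc=1 ;;
      esac
    done
  else
    echo "FAIL $addr: no IOMMU group (IOMMU disabled?)"; rc=1
  fi
  [ "$rc" -ne 0 ] || echo "OK $addr: vfio-pci bound, no host interface, group isolated"
  return "$rc"
}

# Usage on the host: sh check_wan_nic.sh 0000:03:00.0   (address is a placeholder)
if [ "$#" -gt 0 ]; then check_wan_nic "$1"; exit $?; fi
```

If the NIC is only bound to `vfio-pci` when the VM starts, run the check while the pfSense VM is running; a FAIL line naming a host interface means the hypervisor itself still has a network stack on that port.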

  • @whylde7834
    @whylde7834 3 years ago +1

    Thanks for the video! If I don't have a 2 port NIC can I add an additional 1 port NIC to go along with the built in one on my mobo?

    • @hitechfl
      @hitechfl 3 years ago

      Yes

    • @offlercrocgod
      @offlercrocgod 3 years ago

      Yes but then your Proxmox server loses its connection as the VM will take both NICs as soon as it's started.

  • @rkbest9783
    @rkbest9783 2 years ago

    Tim, how did you connect the host OS to pfSense once it's set up? As you used two ports passed through to pfSense (physically from the quad port), the host Proxmox should also be on the LAN side. Will that use a physical connection from the pfSense LAN>switch>LAN3 (cable) or something else? Secondly, do you disable the firewall option in the network setting of the Proxmox VM?

    • @TechnoTim
      @TechnoTim 2 years ago

      The LAN should then connect to your switch. As for firewall on VM, yes, disable in Proxmox

  • @RiggsTek
    @RiggsTek 2 years ago

    Hi, thanks for the guide! Really handy. Now, my project is Proxmox + virtual pfSense + virtual OpenMediaVault -- This will be my home server and router in one piece of hardware, at least that's my idea.
    Today and for several years I have my OMV in one machine and pfSense in another, it makes no sense to me because I never saw that machines raise the top of resources, so I think that maybe my OMV server base hardware could be my Proxmox base. BTW my OMV have no RAID yet because I need more ($) for more HDDs. So at the moment they are working on SMB share how stand alone every Storage HDD (9) + 1 nvme Intel 650x 512 or so for OS space and virtual machines. I have two gigabit NIC cards so I don't know if I'm gonna need another card for Proxmox itself, I mean... Proxmox will be connected to my LAN, right? So my VM pfSense has to be alive to assign an IP to Proxmox, right? I'm confused at this point :D Thanks in advance. Love your content.

    • @TechnoTim
      @TechnoTim 2 years ago +1

      Yes, proxmox will be connected to your LAN in this config

    • @RiggsTek
      @RiggsTek 2 years ago

      @TechnoTim Thank you very much for the answer, now is time to start :)

  • @fanshaw
    @fanshaw 3 months ago

    Warning: if something goes wrong with your virtualisation platform, you lose internet access, unless you have a multi-node cluster.
    In line with enterprise convention, I tend to keep critical things (which usually change rarely) separate from non-critical things (which tend to change more frequently). My NAS/virtualisation host changes far more frequently than my firewall, and I want my firewall to be up, even if my NAS is down - in fact, I need my firewall up _especially_ when my virtualisation host is down.

  • @Shane-Singleton
    @Shane-Singleton 3 years ago

    I think this may have solved a need for me. My home connection kinda sucks. Only 50mbt/5mbt. And during the day I'm lucky if I can hit 20mbt down. So as you can imagine limiting certain devices/users cut of that tiny pie would be helpful. For instance when I'm trying to watch a YouTube video and my brother decides he wants to download something off of Steam and hogs the whole pipe. Think I'll put in an AP, connect it to a passed through dual NIC on a VM like done here, and install pfSense. I did something similar a LONG time ago (over 10 years) using a spare wireless router going through a separate box running Untangle but I think I'll revisit now that I have access to much better hardware and software and push all wireless devices through that AP instead of the Linksys WRT3200acm that I'm using now to manage it. (I'm even running the factory firmware on it, which I am ashamed of, but when I've tried to install DD-WRT on it in the past it hasn't worked right and kept wanting to reboot endlessly.) I think it's finally time to get that Ubiquiti AP that I've been promising myself for years that I was going to buy.

  • @farcryf
    @farcryf 4 years ago

    nice vid

  • @AceBoy2099
    @AceBoy2099 1 year ago

    I'm sure it's been covered (in fact I know of 1 other creator that has) but running Unraid on Proxmox, I followed his skim-through and I can see it in the console but can't connect. Maybe in it elaborate on selecting network interfaces (cards) to split them among the chassis (Proxmox) and VMs (pfSense, Unraid, and TrueNAS at least)
    And longshot but if you have a multi-bay chassis (like my sc846) how to specify specific bays to certain VMs (not specific drives, that way any drive inserted into "bay 20" will be assigned to VM X).

  • @j.r._7416
    @j.r._7416 4 years ago +4

    Any chance you could do a video on how to passthrough hard disks to a VM in Proxmox for FreeNAS virtualization?

    • @TechnoTim
      @TechnoTim 4 years ago

      If I can somehow acquire more hardware I'd love to!

    • @paranoid945
      @paranoid945 3 years ago

      NFS share will do the job

  • @aquinamedia4508
    @aquinamedia4508 3 years ago

    How is the hypervisor acting on the open WAN port? Thinking with regards to open ports, updating etc.

  • @ebiscaia
    @ebiscaia 3 years ago

    Hi Tim,
    How do you connect your other virtual machines that are inside of the same physical machine you installed pfSense on? And do you use a dedicated modem to connect to pfSense?
    Thanks,
    Eduardo

    • @TechnoTim
      @TechnoTim 3 years ago +1

      You use a linux bridge (which is basically a switch) that all of your VMs connect to as well as the physical NIC. This way all VMs and physical machines have access to your LAN

  • @HectorDC02
    @HectorDC02 4 years ago

    Hey man, thanks for the video. I have a couple of questions: can I use my normal router then connect the virtual router to use the VPN service? Or does it need to be directly connected to the ISP provider modem?

    • @TechnoTim
      @TechnoTim 4 years ago

      Hi! If you were to do that, you don't need 2 routers, just use your physical router then install OpenVPN in a virtual machine or a Docker container.

  • @DJaquithFL
    @DJaquithFL 4 years ago +3

    My concern would be latency and in particular erratic latency. My router and gateway are dedicated purpose built hardware. Clearly I'm not undermining your video or intention, just a side note. I play twitch (FPS) games where a stable low latency is king. Great video 👌

    • @TechnoTim
      @TechnoTim 4 years ago +2

      Thanks for the comment! My pings are pretty low and consistently low (26 ms to Overwatch servers, 40 ms for Apex). All connections are physical since I am passing through the hardware to the VM and everything else is in memory.

    • @DJaquithFL
      @DJaquithFL 4 years ago +2

      @TechnoTim .. It's all the background tasked to the CPU in a VM, I'm not even remotely suggesting it can't or shouldn't be done. Maybe a comparison video 😎👍
      Thanks for the reply and good luck on your channel, interesting videos.

    • @TechnoTim
      @TechnoTim 4 years ago

      Thank you for the suggestion!

    • @guywhoknows
      @guywhoknows 3 years ago +2

      @DJaquithFL I could answer some of this.
      Most routers will use very low power and small amounts of RAM, you would in most commercial devices have a 400Mhz CPU and around 128MB RAM. Therefore the footprint of this is small on a "VM" providing that the node is not overloaded, modern and typically not slow or performance degraded via other software running on the same hardware.

    • @DJaquithFL
      @DJaquithFL 3 years ago +1

      @guywhoknows .. Just my observations .. I have the best experience when I'm at home alone not sharing our 500/500 Mbps connection even with a QoS.
      FPS gaming is about milliseconds (ms), priority and not losing packets in UDP. Example of 2 people shoot simultaneously: 1. Lost Packets are the same as you not shooting; 2. Latency spikes up even a few milliseconds the server reads as your death, first shot wins.
      Now if you're streaming e.g. Netflix via TCP .. latency spikes, lost packets, buffer bloat, etc are not noticeable and therefore irrelevant.

  • @iceman997799
    @iceman997799 2 years ago

    I now can run all my pfSense on one server. Having over 10 IPs and wanting firewall protection for all was a headache. Now with all of them on one machine I can monitor them easier than before. Just a note if running NICs that have 4 ports: I didn't check the all function, it would disable the 4 port to a 2 port for some weird reason.

  • @longb1913
    @longb1913 2 years ago +1

    Would be helpful if you went through IOMMU and PCI passthrough for those NIC cards to be accessed by the VM

    • @TechnoTim
      @TechnoTim 2 years ago +1

      Check out my gpu passthrough video, same process!

    • @longb1913
      @longb1913 2 years ago +1

      @TechnoTim if u blacklist your ethernet cards like with GPU does that mean other VMs don't get internet? This process doesn't seem straightforward and I can't find a lot of resources online for NICs

  • @RBoulanouar
    @RBoulanouar 2 years ago

    Great video. Thanks.
    However the VM needs to be the first to hit the traffic and we need to ensure all other VMs access internet through pfSense. Can you share the iptables rules you have in place to ensure that? Thx