Virtual

pfSense

Hardware

Virtual machine on the Proxmox host.

Warning

Guest OS type should be set to Other!

Cores     1
Storage   5 GB
Memory    1024 MB
Network   bridge: vmbr0, card: VirtIO (paravirtualized), MAC: OVH manager virtual MAC

Interfaces

          WAN             LAN          OPT 1      OPT 2
IP        178.32.47.250   10.0.0.1     10.0.1.1   10.0.2.1
Gateway   5.135.178.254   X            X          X
Netmask   /31             /24          /24        /24
Access    X               Management   Sealed     Public

Installation

  • Add another network interface with the same config as vmbr0 (except the MAC address).

  • Start VM & Install pfSense

  • Manual partitioning

    1. Create GPT
    2. Create partition with / mountpoint
    3. Allow creation of boot partition
  • Remove CD from hardware

  • Reboot

  • Initial setup

    VLAN no
    WAN vtnet0
    LAN vtnet1
  • Set interfaces IP addresses

              WAN           LAN
    IP        Failover IP   10.0.0.1
    Netmask   32            24
    Gateway   No gateway    /
    DHCP      /             No

Note

We don’t set the WAN gateway at installation time because the pfSense command line wizard doesn’t allow a gateway outside of the interface netmask. Once pfSense is installed we can force it via an advanced option for the WAN interface.

  • Ping pfSense from the Proxmox host
root@sys-2 $ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.184 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.107 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.121 ms

Note

Restarting the Proxmox host may be necessary.

  • Port forward the pfSense web GUI to localhost
$ ssh <server ip> -L 8000:10.0.0.1:443
  • Connect to the pfSense web GUI (default credentials: admin/pfsense)

  • Initial wizard

    Hostname pfsense
    Domain ovv.infra
    DNS 1.1.1.1 / 1.0.0.1
  • Disable hardware checksum offload: System > Advanced > Networking

  • Add a new gateway: System > Routing > Gateway

    Interface        WAN
    Address family   IPv4
    Name             OVH
    Gateway          Proxmox host gateway (x.x.x.254)
    Default          Yes

    In advanced settings set non-local gateway to false.

  • Select WAN gateway: Interfaces > WAN

  • Allow ICMP ping: Firewall > Rules > WAN

    Action Pass
    Interface WAN
    Address family IPv4
    Protocol ICMP

Note

After this step you should be able to ping your failover IP.
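
The note on the WAN gateway, checked against the Interfaces table, as an added example that is not part of the original page. The `check_plan` helper, the dict layout and the OPT1/OPT2 key names are assumptions; the addresses are the ones from the table.

```python
import ipaddress

# Interface plan copied from the Interfaces table; the dict layout and the
# OPT1/OPT2 key names are assumptions of this example.
PLAN = {
    "WAN":  {"ip": "178.32.47.250", "prefix": 31, "gateway": "5.135.178.254"},
    "LAN":  {"ip": "10.0.0.1", "prefix": 24, "gateway": None},
    "OPT1": {"ip": "10.0.1.1", "prefix": 24, "gateway": None},
    "OPT2": {"ip": "10.0.2.1", "prefix": 24, "gateway": None},
}


def check_plan(plan):
    """Return human-readable findings for an interface plan (hypothetical helper)."""
    findings, nets = [], {}
    for name, cfg in plan.items():
        iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['prefix']}")
        nets[name] = iface.network
        gw = cfg.get("gateway")
        # A gateway is on-link only if it falls inside the interface's subnet.
        if gw and ipaddress.ip_address(gw) not in iface.network:
            findings.append(
                f"{name}: gateway {gw} is outside {iface.network}; "
                "the console wizard will reject it, set it later in the web GUI"
            )
        # Internal segments are expected to use private address space.
        if name != "WAN" and not iface.ip.is_private:
            findings.append(f"{name}: {iface.ip} is not a private address")
    # Segments that overlap cannot be told apart by routing or firewall rules.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a}/{b}: {nets[a]} overlaps {nets[b]}")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN):
        print(line)
```

For the plan on this page the only finding is the off-link WAN gateway, with either the /31 from the table or the 32 used at installation.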