PFSense

DHCP Server

In order to automatically assign IP addresses to CTs and VMs, the DHCP server needs to be enabled on the internal interfaces (OPT1 and OPT2).

Enable yes
Range x.x.x.100 to x.x.x.254

DNS Resolver

In order to resolve local hostnames, the DNS resolver must be enabled.

Enable yes
Interface All
Outgoing All
DHCP lease yes
Static DHCP yes
OpenVPN Client yes

Once the DNS resolver is set up, update the host's DNS settings to point to the pfSense box.

A Host Override for proxmox.ovv.infra, together with a NAT rule forwarding port 443 to 8006, leads to a better user experience.

OpenVPN

  • Start OpenVPN setup wizard: VPN > OpenVPN > Wizard

    Type Local server access
  • Create new certificate authority

    Name Ovv OpenVPN certificate authority
  • Create new server certificate

    Name Ovv OpenVPN server certificate
  • Server setup

    Protocol UDP on IPv4
    Port 1194
    Description Management VPN
    Tunnel network 10.0.3.0/24
    Redirect yes
    Inter-client yes
    DNS 10.0.0.1
  • Firewall Rule Configuration

    Firewall rule yes
    Openvpn rule yes
  • Install openvpn-client-export: System > Package Manager > Available Packages

  • Create VPN group: System > User Manager > Groups

  • Create users: System > User Manager > Users

    Disabled yes
    Group VPN
    Certificate yes
    CA OpenVPN
  • Export client config: System > VPN > OpenVPN > Client Export

    Block out dns yes

    For the KDE laptop, download Inline Configuration > Most Clients, then import the VPN settings and set Key direction to client(1) in the advanced configuration options.

Note

pfSense should now be accessible at https://pfsense.ovv.infra when connected to the VPN.

Virtual IPs

Warning

When dealing with firewall & NAT rules for Virtual IPs they should be set for the WAN as well as the OpenVPN interfaces.

Add virtual IPs: Firewall > Virtual IPs

Type IP Alias
Interface WAN
Address FailOver IP
Netmask /32

SSL certificates

By default pfSense comes with a self-signed certificate. In order to avoid browser warnings when connecting to internal websites while still keeping HTTPS, we will generate a certificate authority, trust it on our clients and use it to sign new certificates.

Create certificate authority

Go to System > Cert Manager > CAs

Name Authority name
Method Create an internal
Key length 2048
Digest algo sha256

Fill in the other fields with whatever you want.

Create & sign certificate

Go to System > Cert Manager > Certificates

Method Create an internal certificate
Name Certificate name
Cert authority The authority that signs this certificate
Key length 2048
Digest algo sha256
Cert type server
Common name Main domain name for certificate
Alt name Alternative domain name for certificate

Additional interface

  • Add interface on host

  • If the host requires access to the new network: Access internal network.

  • Add interface to pfSense VM hardware & reboot VM

    Bridge new interface name
    Card model VirtIO (paravirtualized)
  • Add interface in pfSense GUI (Interfaces > Assignments)

  • Configure interface

    Enable Yes
    IPv4 type static
    IPv4 address New interface IP address
    Netmask New interface netmask