Skip to main content

How to Configure a pfSense Network Bridge on a Dedicated Server

Michael M.
Updated

Objective

Bridged networking can be used to configure your pfSense virtual machine as a NAT firewall for other virtual machines on the same host. It could even be used as an extra filter for a web server. Specific steps and configurations are needed to allow the pfSense router to work on the OVHcloud network and this article will show you how a basic pfSense NAT configuration is done.

Requirements

Recommendations for your pfSense virtual machine

  • A dedicated server with the AES instruction set
  • 2 virtual cores for the virtual machine
  • 2GB(2048MB) of RAM for the virtual machine
  • Hypervisor with console access to virtual machines

This tutorial will show you how to use one or more OVHcloud solutions with external tools, and will describe the actions to be carried out in a specific context. Please remember to adapt these actions to fit your situation.

Instructions

First steps

For the pfSense virtual machines network configuration, we will use the following values which should be replaced with your own values:

  • ADDITIONAL_IP = The address of your additional IP
  • Virtual MAC address = The MAC address created in the OVHcloud Control Panel
  • GATEWAY_IP = The address of your default gateway

Assigning a virtual MAC address

In the OVHcloud Control Panel, go to the Bare Metal Cloud section and open the IP menu.

The “Service” drop-down menu allows you to filter for additional IPs.

pfsense1.png

Next, locate your additional IP address in the table and click on the three dots to open the Context menu. Select Add a virtual MAC.

pfsense2.png

Select ovh from the Type dropdown box, type a name in the Name of virtual machine field, and then confirm your options.

pfsense3.png

Determining the gateway address

To configure your virtual machines for internet access, you will need to know the gateway of your host machine (i.e. your dedicated server). The gateway address is made up of the first three octets of your server’s main IP address, with 254 as the last octet. For example, if your server’s main IP address is:

  • 123.456.789.012

Your gateway address would therefore be:

  • 123.456.789.254

Configuring pfSense

Concerning external software, please note that the proper procedure to configure your services may be subject to change. We recommend to consult the manuals and knowledge resources of the respective software if you experience any issues.

When you’re setting up pfSense on our network, the usual place to start would be the console of pfSense. Because our network does require the public IP to be using a /32(255.255.255.255) subnet mask plus gateway is outside the scope of the public IP, the console will in fact not allow you to do this. To do this, you are going to have to start by setting up the LAN side first.

The hypervisor

Since pfSense or most routers require two network interfaces to separate the public and private network, it’ll be necessary to have two bridge interfaces on your hypervisor. In this demonstration we’re using Proxmox VE 6.

In this example, we have two interfaces enp1s0 and enp2s0 but the interface enp1s0 is already bridged with the interface with vmbr0. So we will need to make an additional bridge interface vmbr1 with enp2s0:

pfsense4.png

pfsense5.png

Note that if your server doesn’t have a second network interface, it’s not necessary to bridge it to an interface, the bridge will work fine but would only be able to route internally on the server. Using an interface on a network bridge can allow you to route to other virtual machines, dedicated servers, Public Cloud instances and even Hosted Private Cloud infrastructures using vRack.

Creating the virtual machines: pfSense

Now we’re going to start creating the pfSense virtual machine,

  • Under the OS tab, choose: Other OS type
  • Under the Hard Disk tab, Bus/Device should be: VirtIO
  • First item under the Network tab,
  • Second item under the Network tab, Model should be: VirtIO (paravirtualized)
  • If your CPU has the AES instruction set, this should be enabled

pfsense6.png

pfsense7.png

When you’re at the Network tab of creating the virtual machine, make sure you enter the Virtual MAC address that is created in the OVHcloud Control Panel.

pfsense8.png

After creating the virtual machine, you’ll need to make sure that a second network interface is created on your second bridge interface:

pfsense9.png

pfsense10.png

Creating the virtual machines: Virtual desktop

Since some of the settings on pfSense are accessible using its web GUI, the easy way would be to set up a virtual desktop. In this demonstration, we’re using an Ubuntu 20.04 ISO. When creating the virtual desktop, make sure the bridge interface being chosen is the secondary one and not the bridge interface to your public network.

pfsense11.png

We will be starting the virtual desktop before starting up the pfSense virtual machine. For the demonstration, we’ll just select Try Ubuntu just to start working on pfSense.

pfsense12.png

The pfSense console

We’ll now be starting the pfSense virtual machine and proceeding with the OS installation.

pfsense13.png

After the OS installation is completed, first thing pfSense will ask is setting up VLANs. Since pfSense is being installed into a hypervisor, we wouldn’t suggest configuring it on the virtual machine but if you need VLANs, this should be done on the virtual interface at the hypervisor level.

pfsense14.png

Next step is choosing which interface will be your WAN and which will be your LAN. We’ll be able to see which should be the WAN by seeing that it has the virtual MAC address that was created in the OVHcloud Control Panel.

pfsense15.png

pfsense16.png

This example we chose vtnet0 as our WAN and vtnet1 as our LAN. After this step, pfSense will ask if you’d like to proceed and confirm which interface is WAN and LAN. After confirming, it’ll automatically configure 192.168.1.1 on its LAN interface.

The pfSense web GUI

Now that there’s a private IP assigned to the LAN interface of our pfSense virtual machine, we’re going to go ahead and make a DHCP request so we can access the pfSense web GUI.

Go to the Wired settings on the Ubuntu VM.

pfsense17.png

Now we enable the network, if it was already enabled simple disable then enable it again.

pfsense18.png

Open a web browser and enter 192.168.1.1 into the URL, there will be a security warning about the interface but it’s not something to be concerned about. Be sure to open advanced select Accept and Continue.

pfsense19.png

pfsense20.png

Default username and password should be admin as the username and pfsense as the password, be sure to login. We’ll now be going through the general setup, the important thing to do would be to set SelectedType as Static under Configure WAN Interface, this would be at step 4 of 9. All the other settings shouldn’t be changed with the exception of the DNS can be up to you but in this use case we had put 213.186.33.99 since it’s our resolver within our network.

pfsense21.png

At the stage, the pfSense VM doesn’t have a public IP. Click on the menu icon on the top right corner, under Interfaces select WAN.

pfsense22.png

Make sure the settings are matching from what is shown in the below screenshots and enter your Additional IP. The IPv4 Upstream gateway will be configured later.

pfsense23.png

pfsense24.png

Now that we have a public IP on the interface, we’ll need to make sure it’ll route correctly on our network. Click on the menu icon on the top right corner, under System select Routing.

pfsense25.png

Make sure the settings are matching from what is shown in the below screenshot, then select the Add icon to create our gateway.

pfsense26.png

pfsense27.png

Make sure the settings are matching from what is shown in the below screenshots and enter your Gateway IP. Make sure to open the advanced settings.

pfsense28.png

pfsense29.png

pfsense30.png

pfsense31.png

Now that we have an Upstream gateway, we’ll need to assign the gateway to the WAN interface. Again we click on the menu icon on the top right corner, under Interfaces select WAN.

pfsense32.png

pfsense33.png

Since we’re running pfSense as a virtual machine and it doesn’t have it’s own dedicated network card, some changes should be done. Click on the menu icon on the top right corner, under System select Advanced.

pfsense34.png

In this menu, select the Networking tab. At the bottom of this menu, make sure the settings are matching from what is shown in the below screenshots.

pfsense35.png

pfsense36.png

Now we should be done! You should see that web browsing can be done just like a desktop behind a NAT firewall.

External resources

For choosing the correct virtual interfaces, OS type, etc. for Proxmox, we were following Netgate’s recommendations. If you’re not going to be using Proxmox, we’d suggest to review the following links to their documentation on the subject.

https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox.html

https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-esxi.html#installing-pfsense-software-on-vsphere-6-x-using-vsphere-web-client

https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-hyper-v.html

Related articles