Objective
Bridged networking can be used to configure your pfSense virtual machine as a NAT firewall for other virtual machines on the same host. It could even be used as an extra filter for a web server. Specific steps and configurations are needed to allow the pfSense router to work on the OVHcloud network and this article will show you how a basic pfSense NAT configuration is done.
Requirements
- A dedicated server with a hypervisor installed (e.g. VMware ESXi, Citrix Xenserver, Proxmox, etc.)
- At least one additional IP address attached to the server
- Access to the OVHcloud Control Panel
Recommendations for your pfSense virtual machine
- A dedicated server with the AES instruction set
- 2 virtual cores for the virtual machine
- 2 GB (2048 MB) of RAM for the virtual machine
- Hypervisor with console access to virtual machines
This tutorial will show you how to use one or more OVHcloud solutions with external tools, and will describe the actions to be carried out in a specific context. Please remember to adapt these actions to fit your situation.
Instructions
First steps
For the pfSense virtual machine's network configuration, we will use the following values, which should be replaced with your own:
- ADDITIONAL_IP = The address of your additional IP
- Virtual MAC address = The MAC address created in the OVHcloud Control Panel
- GATEWAY_IP = The address of your default gateway
Assigning a virtual MAC address
In the OVHcloud Control Panel, go to the Bare Metal Cloud section and open the IP menu.
The “Service” drop-down menu allows you to filter for additional IPs.
Next, locate your additional IP address in the table and click on the three dots to open the Context menu. Select Add a virtual MAC.
Select ovh from the Type dropdown box, type a name in the Name of virtual machine field, and then confirm your options.
Determining the gateway address
To configure your virtual machines for internet access, you will need to know the gateway of your host machine (i.e. your dedicated server). The gateway address is made up of the first three octets of your server’s main IP address, with 254 as the last octet. For example, if your server’s main IP address is:
- 123.456.789.012
Your gateway address would therefore be:
- 123.456.789.254
Configuring pfSense
Concerning external software, please note that the proper procedure to configure your services may be subject to change. We recommend consulting the manuals and knowledge resources of the respective software if you experience any issues.
When you’re setting up pfSense, the usual place to start would be the pfSense console. However, our network requires the public IP to use a /32 (255.255.255.255) subnet mask, and the gateway is outside the scope of the public IP, so the console will not allow you to enter this configuration. You will therefore have to start by setting up the LAN side first.
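The gateway rule from "Determining the gateway address" and the /32 constraint described above can be checked before you type anything into pfSense. This is an added example, not part of the original guide: the function names are hypothetical and the sample addresses are constructed from the documentation ranges.

```python
import ipaddress


def ovh_gateway(main_ip: str) -> ipaddress.IPv4Address:
    """Gateway rule from this guide: first three octets of the main IP, then 254."""
    addr = ipaddress.IPv4Address(main_ip)  # raises ValueError on malformed input
    return ipaddress.IPv4Address((int(addr) & 0xFFFFFF00) | 254)


def wan_plan(main_ip: str, additional_ip: str) -> dict:
    """Values to enter on the pfSense WAN interface, plus an on-link check."""
    gateway = ovh_gateway(main_ip)
    wan = ipaddress.IPv4Interface(f"{additional_ip}/32")  # /32 = 255.255.255.255
    if wan.ip == gateway:
        raise ValueError("additional IP must not be the gateway address")
    return {
        "wan_address": str(wan.ip),
        "netmask": str(wan.netmask),
        "gateway": str(gateway),
        # A /32 network contains only the WAN address itself, so the gateway
        # can never be inside it. This is why the console refuses the setup.
        "gateway_on_link": gateway in wan.network,
    }


if __name__ == "__main__":
    # Constructed sample values: main IP 203.0.113.10, additional IP 198.51.100.27.
    for key, value in wan_plan("203.0.113.10", "198.51.100.27").items():
        print(f"{key}: {value}")
    # The guide's placeholder 123.456.789.012 is not a valid IPv4 address and
    # is rejected, so substitute your real addresses.
    try:
        ovh_gateway("123.456.789.012")
    except ValueError as exc:
        print("rejected:", exc)
```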
The hypervisor
Since pfSense, like most routers, requires two network interfaces to separate the public and private networks, you will need two bridge interfaces on your hypervisor. In this demonstration we’re using Proxmox VE 6.
In this example, we have two interfaces, enp1s0 and enp2s0, but enp1s0 is already bridged with vmbr0. So we will need to create an additional bridge interface, vmbr1, with enp2s0.
Note that if your server doesn’t have a second network interface, you don’t need to attach a physical interface to the bridge. The bridge will work fine but will only be able to route internally on the server. Attaching an interface to a network bridge can allow you to route to other virtual machines, dedicated servers, Public Cloud instances and even Hosted Private Cloud infrastructures using vRack.
Creating the virtual machines: pfSense
Now we’re going to create the pfSense virtual machine:
- Under the OS tab, choose: Other OS type
- Under the Hard Disk tab, Bus/Device should be: VirtIO
- First item under the Network tab,
- Second item under the Network tab, Model should be: VirtIO (paravirtualized)
- If your CPU has the AES instruction set, this should be enabled
When you’re at the Network tab while creating the virtual machine, make sure you enter the Virtual MAC address that was created in the OVHcloud Control Panel.
After creating the virtual machine, you’ll need to make sure that a second network interface is created on your second bridge interface.
Creating the virtual machines: Virtual desktop
Since some of the settings on pfSense are accessible using its web GUI, the easy way would be to set up a virtual desktop. In this demonstration, we’re using an Ubuntu 20.04 ISO. When creating the virtual desktop, make sure the bridge interface being chosen is the secondary one and not the bridge interface to your public network.
We will start the virtual desktop before starting up the pfSense virtual machine. For the demonstration, we’ll just select Try Ubuntu to start working on pfSense.
The pfSense console
We’ll now be starting the pfSense virtual machine and proceeding with the OS installation.
After the OS installation is completed, the first thing pfSense will ask about is setting up VLANs. Since pfSense is being installed on a hypervisor, we don’t suggest configuring them on the virtual machine; if you need VLANs, this should be done on the virtual interface at the hypervisor level.
The next step is choosing which interface will be your WAN and which will be your LAN. You can tell which one should be the WAN because it has the virtual MAC address that was created in the OVHcloud Control Panel.
In this example, we chose vtnet0 as our WAN and vtnet1 as our LAN. After this step, pfSense will ask you to confirm which interface is WAN and which is LAN before proceeding.
After you confirm, it will automatically configure 192.168.1.1 on its LAN interface.
The pfSense web GUI
Now that there’s a private IP assigned to the LAN interface of our pfSense virtual machine, we’re going to make a DHCP request so we can access the pfSense web GUI.
Go to the Wired settings on the Ubuntu VM.
Now enable the network. If it was already enabled, simply disable it and then enable it again.
Open a web browser and enter 192.168.1.1 into the URL bar. There will be a security warning about the interface, but it’s not something to be concerned about. Be sure to open Advanced and select Accept and Continue.
The default username is admin and the default password is pfsense; use them to log in. We’ll now go through the general setup. The important thing to do is to set SelectedType to Static under Configure WAN Interface, at step 4 of 9. None of the other settings should be changed, with the exception of the DNS, which is up to you; in this use case we entered 213.186.33.99 since it’s the resolver within our network.
At this stage, the pfSense VM doesn’t have a public IP. Click on the menu icon in the top right corner and, under Interfaces, select WAN.
Make sure the settings match what is shown in the screenshots below and enter your Additional IP. The IPv4 Upstream gateway will be configured later.
Now that we have a public IP on the interface, we need to make sure it will route correctly on our network. Click on the menu icon in the top right corner and, under System, select Routing.
Make sure the settings match what is shown in the screenshot below, then select the Add icon to create our gateway.
Make sure the settings match what is shown in the screenshots below and enter your Gateway IP. Make sure to open the advanced settings.
Now that we have an Upstream gateway, we need to assign it to the WAN interface. Again, click on the menu icon in the top right corner and, under Interfaces, select WAN.
Since we’re running pfSense as a virtual machine and it doesn’t have its own dedicated network card, some changes should be made. Click on the menu icon in the top right corner and, under System, select Advanced.
In this menu, select the Networking tab. At the bottom of this menu, make sure the settings match what is shown in the screenshots below.
Now we should be done! You should see that web browsing can be done just like a desktop behind a NAT firewall.
External resources
To choose the correct virtual interfaces, OS type, etc. for Proxmox, we followed Netgate’s recommendations. If you’re not going to be using Proxmox, we suggest reviewing the following links to their documentation on the subject.
https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox.html
https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-hyper-v.html