Learn how to create an IP bridge on a pfSense virtual machine.
Bridged networking can be used to configure your pfSense virtual machine as a NAT firewall for other virtual machines on the same host, or could even be used as an extra filter for a web server. Specific steps and configurations are needed to allow the pfSense router to work on the OVHcloud network, and this article will show you how to do a basic pfSense NAT configuration.
Requirements
- A dedicated server with a hypervisor installed (e.g., VMware ESXi, Citrix XenServer, Proxmox, etc.)
- At least one Additional IP address attached to the server
OVHcloud Control Panel Access
- Direct link: Dedicated Servers
- Navigation path: Bare Metal Cloud > Dedicated servers > Select your server
Recommendations for your pfSense virtual machine
- A dedicated server with the AES instruction set
- 2 virtual cores for the virtual machine
- 2 GB (2048 MB) of RAM for the virtual machine
- Hypervisor with console access to virtual machines
This tutorial is designed to help you as much as possible with common tasks. If you are having difficulty performing these actions, please contact a specialized service provider. OVHcloud can't provide you with technical support in this regard.
Instructions
First steps
For the pfSense virtual machine's network configuration, we will use the following values, which should be replaced with your own values:
- ADDITIONAL_IP = The address of your additional IP
- Virtual MAC address = The MAC address created in the OVHcloud Control Panel
- GATEWAY_IP = The address of your default gateway
Assigning a virtual MAC address
In the OVHcloud Control Panel, open the Network menu in the left-hand sidebar and click IP.
Use the filters to limit the results to All Additional IPs and locate your additional IP address.
Click the more options ⋮ button and select Add a virtual MAC.
Select ovh from the Type dropdown box, type a name in the Virtual machine name field, and then Confirm your options.
Determining the gateway address
To configure your virtual machines for internet access, you will need to know the gateway of your host machine (i.e., your dedicated server). The gateway address is made up of the first three octets of your server’s main IP address, with 254 as the last octet. For example, if your server’s main IP address is:
- 123.456.789.012
Your gateway address would therefore be:
- 123.456.789.254
Configuring pfSense
Concerning external software, please note that the proper procedure to configure your services may be subject to change. We recommend consulting the manuals and knowledge resources of the respective software if you experience any issues.
When you’re setting up pfSense on our network, the usual place to start would be the pfSense console. However, our network requires the public IP to use a /32 (255.255.255.255) subnet mask with a gateway outside the scope of the public IP, and the console will not allow you to enter such a configuration. To work around this, you have to start by setting up the LAN side first.
The hypervisor
Since pfSense, like most routers, requires two network interfaces to separate the public and private networks, it’ll be necessary to have two bridge interfaces on your hypervisor. In this demonstration, we’re using Proxmox VE 6.
In this example, we have two interfaces (enp1s0 and enp2s0), but the interface enp1s0 is already bridged with the interface vmbr0. So we will need to make an additional bridge interface vmbr1 with enp2s0:
Note that if your server doesn’t have a second network interface, it’s not necessary to bridge it to an interface; the bridge will work fine, but it will only be able to route internally on the server. Using an interface on a network bridge can allow you to route to other virtual machines, dedicated servers, Public Cloud instances, and even Hosted Private Cloud infrastructures using vRack.
Creating the virtual machines: pfSense
Now we’re going to start creating the pfSense virtual machine:
- Under the OS tab, choose: Other OS type
- Under the Hard Disk tab, Bus/Device should be: VirtIO
- First item under the Network tab, make sure the bridge is vmbr0
- Second item under the Network tab, Model should be: VirtIO (paravirtualized)
- If your CPU has the AES instruction set, it must be enabled (from the CPU tab)
When you’re at the Network tab of creating the virtual machine, make sure you enter the Virtual MAC address that is created in the OVHcloud Control Panel.
After creating the virtual machine, you’ll need to make sure that a second network interface is created on your second bridge interface:
Creating the virtual machines: Virtual desktop
Since some of the settings on pfSense are accessible using its web GUI, the easy way would be to set up a virtual desktop. In this demonstration, we’re using an Ubuntu 20.04 ISO. When creating the virtual desktop, make sure the bridge interface being chosen is the secondary one and not the bridge interface to your public network.
We will be starting the virtual desktop before starting up the pfSense virtual machine. For the demonstration, we’ll just select Try Ubuntu, just to start working on pfSense.
The pfSense console
We’ll now be starting the pfSense virtual machine and proceeding with the OS installation.
After the OS installation is completed, the first thing pfSense will ask is whether to set up VLANs. Since pfSense is being installed into a hypervisor, we wouldn’t suggest configuring them on the virtual machine; if you need VLANs, this should be done on the virtual interface at the hypervisor level.
The next step is choosing which interface will be your WAN and which will be your LAN. You can identify the WAN interface because it has the virtual MAC address that was created in the OVHcloud Control Panel.
In this example, we chose vtnet0 as our WAN and vtnet1 as our LAN. After this step, pfSense will ask if you’d like to proceed and confirm which interface is WAN and LAN. After confirming, it’ll automatically configure 192.168.1.1 on its LAN interface.
The pfSense web GUI
Now that there’s a private IP assigned to the LAN interface of our pfSense virtual machine, we’re going to go ahead and make a DHCP request so we can access the pfSense web GUI.
Go to the Wired settings on the Ubuntu VM.
Now we enable the network. If it was already enabled, simply disable it and then enable it again.
Open a web browser and enter 192.168.1.1 into the address bar. There will be a security warning about the interface, but it’s not something to be concerned about. Be sure to open Advanced... and select Accept the Risk and Continue.
The default credentials are admin as the username and pfsense as the password. We’ll now go through the general setup. The important thing to do is to set SelectedType to Static under Configure WAN Interface; this is at step 4 of 9. The other settings shouldn’t be changed, except for the DNS, which is up to you. In this use case, we entered 213.186.33.99 since it’s our resolver within our network.
At this stage, the pfSense VM doesn’t have a public IP. Click on the menu icon in the top right corner and, under Interfaces, select WAN.
Make sure the settings match what is shown in the screenshots below, and enter your Additional IP.
The IPv4 Upstream gateway will be configured later.
Now that we have a public IP on the interface, we’ll need to make sure it routes correctly on our network. Click on the menu icon on the top right corner, under System, and select Routing.
Make sure the settings match what is shown in the screenshots below, then select the Add icon to create our gateway.
Make sure the settings match what is shown in the screenshots below and enter your Gateway IP.
Make sure to open the advanced settings.
Select the Use non-local gateway through interface specific route box and Save your settings.
Select your default gateway and Save your settings.
Now that we have an Upstream gateway, we’ll need to assign the gateway to the WAN interface. Again, we click on the menu icon on the top right corner and, under Interfaces, select WAN.
Make sure the settings match what is shown in the screenshots below.
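The addressing logic behind these steps, as an added example that is not part of the original guide: it derives the gateway from the main IP using the rule given earlier and shows why a /32 WAN address always leaves that gateway off-link, which is what the non-local gateway option accounts for. The sample addresses, function names and route tuples are constructed for illustration and are not pfSense's internal commands.

```python
import ipaddress


def ovh_gateway(main_ip: str) -> ipaddress.IPv4Address:
    """Gateway per the guide's rule: first three octets of the main IP, then 254."""
    addr = ipaddress.IPv4Address(main_ip)  # raises ValueError on a malformed address
    return ipaddress.IPv4Address((int(addr) & 0xFFFFFF00) | 254)


def gateway_on_link(wan_ip: str, prefix: int, gateway) -> bool:
    """True if the gateway lies inside the subnet configured on the WAN interface."""
    iface = ipaddress.IPv4Interface(f"{wan_ip}/{prefix}")
    return ipaddress.IPv4Address(str(gateway)) in iface.network


def wan_plan(main_ip: str, additional_ip: str, wan_if: str = "vtnet0") -> dict:
    """Summarise the WAN settings and the routes they imply (conceptual, not pfSense output)."""
    gw = ovh_gateway(main_ip)
    on_link = gateway_on_link(additional_ip, 32, gw)
    routes = []
    if not on_link:
        # An off-link gateway first needs a host route pinned to the WAN interface,
        # otherwise the default route has no way to reach its next hop.
        routes.append((f"{gw}/32", f"dev {wan_if}"))
    routes.append(("0.0.0.0/0", f"via {gw}"))
    return {
        "wan": f"{additional_ip}/32",
        "gateway": str(gw),
        "non_local_gateway": not on_link,
        "routes": routes,
    }


if __name__ == "__main__":
    # Constructed sample values from the documentation ranges (RFC 5737).
    for key, value in wan_plan("203.0.113.10", "198.51.100.25").items():
        print(f"{key}: {value}")
    # An additional IP from the main IP's own /24 is still off-link with a /32 mask,
    # while the same address with a /24 mask would see the gateway directly.
    print(gateway_on_link("203.0.113.77", 32, "203.0.113.254"))
    print(gateway_on_link("203.0.113.77", 24, "203.0.113.254"))
```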
Since we’re running pfSense as a virtual machine and it doesn’t have its own dedicated network card, some changes should be made. Click on the menu icon on the top right corner and, under System, select Advanced.
In this menu, select the Networking tab. At the bottom of this menu, make sure the settings match what is shown in the screenshots below.
Now we should be done! You should see that web browsing can be done just like a desktop behind a NAT firewall.
Go further
External resources:
For choosing the correct virtual interfaces, OS type, etc., for Proxmox, we followed Netgate’s recommendations. If you’re not going to be using Proxmox, we’d suggest reviewing the following links to their documentation on the subject.
Virtualizing Proxmox VE (Netgate documentation)
Installing pfSense on VMware vSphere (Netgate documentation)
Virtualizing pfSense with Hyper-V (Netgate documentation)
For more information and tutorials, please see our other Dedicated Servers support guides or explore the guides for other OVHcloud products and services.