How to Virtualize Your Home Router / Firewall Using pfSense

Which firewall / router are you running at home? If you can't remember, maybe it's time to SWITCH ;)
By the way, if you're new here, welcome! Please remember to ✨subscribe✨ for more content like this!

Always log on with the new account before disabling the old account.

I have an identical setup. One thing to consider depending on how many cores you have on the host, is to make the CPU type 'host' and pass through 1 or 2 physical cores. This should ( depending on your CPU ) enable the AES-NI CPU crypto which can be useful if you use OpenVPN and want faster throughput over encrypted connections. Awesome guides by the way, I wish these vids were around years ago!

Incredible quality, easy to understand, as always fantastic! Thanks for your videos Tim, keep doing them please.

Tim, your videos are invaluable. Thanks for the amazing work, you TRULY deserve like 1 MLN subscribers already.

Seriously the most helpful tutorials on TH-cam, thank you!

Such a great idea for those tech heads that want to do something more than what those basic modem routers.. Just a note for those with different NBN connections that you may still need the netgear/gateway/modem from your ISP but simply put it into bridge mode then pass that to the WAN interface as per TechnoTim's guide!! (suit most Australian NBN type of setups) As I am and Aussie viewer also!!!

Love playing around with Proxmox at home, it really impresses my boss when I talk above his head with tech stuff lol. Thanks!

Even though I have a PCI network card with two ports, adding them as PCI cards in Proxmox did not work for but instead as NICs, the rest was flawless, thanks for the video man, I dropped a sub as well.

I really enjoy watching these videos, it is your relaxed way to present the topics and nice background music ! Keep up the great work

I went through the same research journey around the same time. I also seriously thought about putting pfSense on virtual machine. Eventually I decided to purchase a dedicated hardware for pfSense because of all the reasons people talked about on the internet. I probably would try to visualize it if I saw your video earlier. Now my whole set up is already completed, and it's very stable. I don't want to mess with it.

just fantastic. I have been prepping my own home server and was sweating because I wasn't sure what to do to isolate it from the network.
"Is it safe to host?"
"whats pfsense even do"
"should i buy dedicated hardware"
"where WAS that lasagna!?!"
and this video made it so clear. Thank You

Outstanding!!!! Thank you for this!
What is cool, is since the host os is debian based, you can install and run netstat which gives MUCH more information about thruput on the nics

That took some effort, but I got my NICs on the Dell R710 passed-thru and my network is up! I learned a heckuva lot along the way. Thanks Tim!

Techno Tim Rocks!!! Awesome content and delivery. Thank you.

the production quality of your videos is excellent. Tutorials are short and helpful - no wasted time. Subscribed!

Great stuff Tim. Subscribed!!!

Heyo Tim, you have greatly helped me get into the Homelab scene, and I appreciate it. With that said, you really should consider revisiting this video with a 2022/2023 edition. Reason why I say this is because passing my NIC down to the OPNSense VM in Proxmox (and even Pfsense) straight up did not work. I almost gave up, until I talked to someone that had a workaround: by creating a Linux bridge with the NIC as an alternative way. Passing the NICs down did not work but creating a bridge did. I had other people express their grievance about following your video and having it not work. And from what I heard, when it comes to virtualizing routers/firewalls, passing down NICs is a huge NoNo for this reason. I have no doubt this worked for some people, but I feel like there is a higher chance of success with an updated video by using the create Linux bridge method. Just my 2 cents!

Nice! I’m a big pfSense advocate. Subscribed!

Thank you for doing this, and the education, I appreciate it, it worked great.

I had no idea before now I Know, Thanks for your video.

This was so helpful, thank you

No. 600 - excellent video and now you given me an excuse to do what you done VM of pfsense 👍🏼

Great tutorial. I really like how well you laid out this content. I'm a network engineer and while I knew how to do all of this networking, I wanted to see how you explained it for laymen. Fantastic stuff. I also completely muffed my own proxmox setup, I didn't realize you could pass through NIC's so easily. I made an OVS bridge for the WAN, I don't want to talk about it :( One little change I would make is on the LAN gateway address. While you can always make the gateway whatever IP you want on the subnet, I really like to keep it to either the first address in the subnet, or the last address in the subnet. Remembering a random address is difficult years down the line and if you ever need to add a statically configured network device, its easier to remember first address or last address. Anyway, just my $0.02.

Thank you for this video! Regarding CPU settings. To have AES-NI CPU Crypto: Yes, I selected Type: host (if the host CPU supports AES-NI, of course). And adding PCI nics (in my case Intel) didn't work with "All Functions" enabled. Maybe it doesn't work with this particular board. So I cleared this box.

I guess it's time to smash my buggy tplink router and say hello to virtual router. Cool tutorial as always. Keep it up man 👍

Thanks for this Video.

This is the best guide

Hi Tim fantastic video!
I'm just getting started with Proxmox but so far I am digging it, I want to set up a virtual PFsense instance but not to act as my real firewall in my office, I just want to be able to join other VM’s within Proxmox to the LAN network that PFsense is creating.
That way I could test VPN solutions like Wireguard, Zerotier and Open VPN from one VM to another that are on different networks.
My Proxmox box does have 2 NICS, actually 3, what would be the best way to go about this?
I feel like I can basically follow your tutorial except for on the LAN NIC for PF sense I don't need to connect it to a switch I just need it to broadcast to the other VMS in Proxmox, just not quite sure how to do that.
Thanks !

Awesome video and tutorial! Thank you Tim! During this lock down, it was a great time to get something like this set up and your video was a huge help.

Proxmox is great, and I have a whole lot of virtualized gear, but my router isn't one of them. I tried it, and quickly figured out why a router should be on its own hardware. The first time my power blinked - I was ordering hardware to run pfsense on the next day.

Perhaps good thing to mention in a comment is that you need IOMMU enabled. I went and watched your "before I do anything" video and you explained it great there. Quick reference would be nice because I got stuck when I wanted to start the VM.

Wow great, please more pfSense tutorials!

PFsense has gotten so much better looking

Very helpful video, thanks! I have a question though if you don’t mind! Say i create a linux bridge to the passed-trough LAN port to allow connectivity between my other VMs and the physical switch managed by pfsense. Will the VMs bypass the pfsense firewall? Or will they be routed trough it? Thanks!

Tnks for the help, @Techni Tim!
If anyone get a error like this -> "TASK ERROR: KVM virtualisation configured, but not available. Either disable in VM configuration or enable in BIOS." - Please, follow this steps to solve!
Bye!

Like the explanation.

I like your videos!! Very good youtuber!

If your CPU supports AES-NI and you like to use it in your pfSense/OPNsense VM for OpenVPN etc. you can change processor type to "host"

Great stuff!!
Any chance you could do a video on how to create an AP too using the integrated wifi adapter many repurposed homelab computers have? :)

fantastic video, however on the pfsense installation guide for PVE it mentions the creation of vmbr1 and vmbr2 and assign them to eth1 and eth2 assuming vmbr0 and eth0 are reserved for managing PVE. So did you that step here?

Thanks for the video! Really clear explanations. Question: in choosing all of your cores under the CPU tab, does that mean that there will no cores available for other VMs? If you have more than one VM, should you divide the cores between them?

@Techno Tim Thank you for the great video! I'm just scoping out the work I have a head of me, and want to know, can you access the proxmox UI via web from an IP dealt by the pfsense VM? Ideally i would like proxmox to be accessible from the virtual router, instead of the physically accessing the proxmox service with a keyboard and mouse. So my usecase is simple: access proxmox from my desktop that is connected to my virtual pfsense router.

Hi Tim. You need to put a space before 'Techno' for the link to the HP Dual Gigabit NIC so the link works.

1.proxmox can do hardware accelaration from pfsense through nic ?
2. there is option to define standard vSwitch in proxmox like vsphere ?

This video was awesome. While we are on the subject of virtualizing firewall: Can you add a third NIC to the PFsense VM that is also on the LAN side but its inside the Proxmox virtual environment? What I mean is, for physical devices on the LAN side you would connect it to the LAN physical port (maybe add a switch first), but for the other VMs that live on the same Proxmox host as the Pfsense, it would be a waste to send their traffic out a phisical port then back on the LAN port. Is my assumption correct that all you would have to do is create a new linux bridge in proxmox (vmbr2 maybe) and just add that as a third adapter to pfsense and configure it as LAN. Then from there just add that bridge as an adapter to all your VMs?

Good video!

Fantastic tutorial @Techno Tim, I just have a question that I am struggling with this setup... Let's say you've dedicated both the PCI LAN/WAN NIC cards to the PfSense VM. Is it still possible/recommended to bridge your proxmox node to the same LAN NIC which is now dedicated directly to the VM? Or will I need a 3rd NIC for the proxmox node as well? I'd prefer to only have a single NIC for LAN and proxmox host for simplicity's sake.

Just recently found the videos and am enjoying them very much, but, I have a question...
I think you mentioned this pass-through was done on a R710 (I could be mistaken)? If so, how did you get it to work? There seems to be Dell related laziness keeping an IOMMU/pass-through setup from working properly due to some unpatched Intel screwup.
I usually just bridge interfaces on VMs when needed, but decided to try this out. Nothing has worked. I have a R610 and R710 here along with dual and quad port Intel Pros.
Did you end up having to use the "Allow Unsafe Interrupts" option?

@Techno Tim Thank you for your video, I have used this to make a similar setup. But the nodes on the LAN are not able to connect to WAN. They can get IP addresses though. Any tips to fix this? Please let me know. Thanks in advance!

Hi Tim,thanks for your great videos, I m interested to see how you implement vdi infrastructure solution with proxmox and open source tech you prefer to do that

How does this work with your ubiquity gear (udm-pro)? I’m in a similar situation and just wanted your thoughts.

Thank you very much for so incredible manual! is it correct if I have two inbuilt NIC in my motherboard then in my case will be better use two bridges in Proxmox instead of PCI-passthrough?

implementing this today

Thank you for this video. I have one “noob”question. Using a physical machine that has 6 network ports, running ProxMox and a pfSense VM...how can I access ProxMox web control panel from my network that is being served by pfSense? Do I just need to ensure ProxMox is on the same subnet as my LAN? Thank you kindly for helping.

i got further with 8.0 then others version with this guide ty i have an older intel dual 100 nic that i may use as new is not in the cards yet lol.

Might be late to the party, followed your video and worked perfectly (thank you) only thing is if I reboot the vm (for pfsense) I don't get a WAN ip back, only way to get it is to reboot the Proxmox server, can't find anything to point me to the correct direction

Thank you for your video

Hello, nice video ! How do you connect other physical PCs to that virtualized router ?

Hi Tim, awesome video.
I opted for OPNSense.
I added 2 x NICS to proxmox and struggled getting them in different groups
This is how I resolved that:
In proxmox shell...
>> lspci | grep Ethernet
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. Device 8161 (rev 15)
06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. Device 8161 (rev 15)
>> find /sys/kernel/iommu_groups/ -type l | grep 03
Showed both nics in group 7
/sys/kernel/iommu_groups/7/devices/0000:03:00.0
/sys/kernel/iommu_groups/7/devices/0000:06:00.0
Edited grub as follows:
>> nano /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on pcie_acs_override=downstream,multifunction"
>> update-grub
>> shutdown -h now
and switched the server on again. I could then add the NICs to my VM.
Noob dilemma. Please help me getting to my VM
-- Laptop connected via router (192.168.21.1) to proxmox host (192.168.21.10)
How can I connect to the host as well (or interchangeably) to the OPNSense VM?

two things....why did you add pci device and not network device card as i've seen in all other similar vids?....secondly, as feedback - thanks for posting. apart from knowledgeable and simple to follow, it's calm and easy to listen to...

Thank you for great video, Tim!
Do you get good performance on your pfSense running in Proxmox? I get max 50mbps on 100mbps link with Squid and PfBlockerNG running. Have turned off hw checksum offload, played around with amount of RAM & CPU cores, but no luck. Was also running ntopng for a while, but itdecreases performance, so I removed it.
I am running it on i5-7500 CPU with host CPU type, 4 to 8 gigs of RAM. Mifro form factor Dell PC, one interfaces is usb-to-ethernet. Tried different settings for it, but no luck as well.
Do you have any ideas what can be the reason for that?

Is it possible to utilize pfsense on proxmox using only laptop with one NIC using VLANs. I know you elaborated on these subjects but not in such combination. Thanks for you help

Great Video - first TechnoTim I have seen. Great job explaining and sharing. I have been using pfSense about 2 years now on an HP t620+ ThinClient with an added 2-port Intel i350-T2 card. Been working great, but I have this awesome Workstation class machine I want to use for ProxMox. I have 8.0.9 installed there, and I am just beginning. I purchased a 4-port i350-T4V2 for this box, and it is working fine. In the t620+ I had disabled the on-board NIC as was not using it.
I know that ProxMox requires a NIC for accessing the host/dashboard, but can it be one of the 2-ports I will use on the i350-T4? I have a cable from Cable modem to port 0 on the 4-port and cable from port 1 to the Netgear Orbi (wifi AP)...as it has a satellite in the other end of the house where the office is - so that I have Wired (per se) access back there and wifi is stronger. From the Orbi (at the ProxMox box & modem - there is a cable into the on-board NIC of the ProxMox host). If I unplug this, I lose access to the host dashboard.

Hi Tim, great tut. Had to do some IOMMU separation to get it to work but finally did it and working. Now, I have PFsense running inside vm giving its own network and dhcp to everything comming out through the lan port. So far so good. I want now to place the proxmox host behind pfsense as well and leave the primary modem only passing traffic to pfsense with DMZ. I just need to plug the nic (using proxmox) to the switch but before change de ip address? I'm not sure how to do this.

a little update for all , you can get a pfsense + home subscrition now so more features for free ! btw great video(all of them that i saw ) mister tim

How is the hypervisor acting on the open WAN port? Thinking with regards to open ports, updating etc.

Thank you for this video, and for your channel. I do have a question. I have a similar setup as seen in the 2:22 mark of this video (onboard NIC and dual NIC card). My onboard NIC is attached to my switch via a green cable. My WAN port is plugged into my provider's cable modem via a white cable and my LAN port is plugged into my switch via a black cable (BTW, same switch that the onboard NIC is plugged into so that I can go to Proxmox web UI). pfsense seems to be working with this setup, but how do my Proxmox VMs get their Internet? Since the dual NIC card is being passed through to the pfsense VM, and other VM will not see this card. Is there something I need to do in Proxmox or pfsense to bridge the two?

Thanks for this great video. It is a good idea to do it from security point of view to have your proxmox server open to internet if you have all other important VMs in promox itself? I had been thinking about this but was bit concerned. I am building a new proxmox server so I am thinking it again. I have unifi USG as my router now but it lacks lot of good feature other than nice graphics

Hey, great video! Can you speak to theb tradeoffs in virtualizing and running pfSense through proxmox vs pfSense on bare metal? While this seems really cool, I do wonder about the overhead in virtualizing and what benefits I'd gain. The main one I see is in essentially being able to overprovision a server and essentially create "multiple" servers, though with a potential performance hit. Also possibly easier for backup and recovery?
Also, related to above, would I be able to run a proxmox box with pfSense in 1 vm and e.g. Postgres in another all with 1 nic, or would I need multiple? It seems like I'd need 1 for wan and 1 for lan, plus ANOTHER for Postgres or any other servers. If I can do it all with one, is it even recommended? Feels like a security risk with possible performance issues also, intermingling all that traffic.
Sorry for the wall of text!

don't forget to enable IOMMU. The version of Proxmox 6.1-7 didn't enable it by default.

Tim, I love your videos but had a quick question. Do you have failover for your virtualized firewall? I currently have pfSense virtualized on Proxmox but every time I need to reboot Proxmox, I bring down the network.

Is this possible to do with only 2 ethernet ports? I have a pcie card with 1 ethernet port, and I also have the standard one on the motherboard. In 2:22 I can see that the red wire is probably connected to whatever computer is used to connect to the proxmox web interface.
Trying it out for myself with just 2 ports made my setup, as expected, go down :)
I will try again with a USB-ethernet dongle or the onboard wifi (if I can get it to work) so I can access the web-interface..

is there a way to make segmentized network inside of virtualized firewall? i mean to deliver tagged vlans to pfsense or in my case Sophos XG Home firewall, through truenas (in my case Scale) thanks :)

Hi TechnoTim, I hope you are able to answer one silly question about this setup: When experimenting with different virtualised router OSes I find the default LAN networks vary from product to product. And I like to just use the defaults most of the time in case changing them gives unexpected problems. This gives me a quandary about where to put my PVE management interface. I prefer to put it on the LAN, but that means it invariably ends up on a network number different from whatever I'm running for a router. So I have no access unless I mess with my network settings on my PC. Then I have to change them back to test out the router behaviour. I just wondered how you manage this problem in your setup, or do you just live with it?

Hello, my networking setup at home are ONT and a openwrt router.
Can i set the pfsense on the midle of the ont and router

Dude thank you that's awesome. Where would you save the ISP account details though? Do you use a switch for extra ports?

Any thoughts on installing with zfs? Seems to be the default these days

Can you use SRIOV instead of passing the whole nic? So you still can have some VFs for your other VMs.

Is it possible to route traffic from your proxmox hypervisor out through the pfsense vm? Without having to use an additional port to connect the hypervisor box to the switch?

Tim, how did you connect the host OS to pfsense once its setup. As you used two ports passtrhough to pfsense (physically from the quad port), the host proxmox should also be on the LAN side. Will that use a physical connection from the pfsense LAN>switch>LAN3 (cable) or something else? Secondly, do you disable firewall option in the natwork setting of proxmox VM?

This may be a stupid question, but I'm trying to install pfSense on a VM on my Proxmox server where I just installed a new dual Ethernet port card. However, it's currently plugged in via the Ethernet port that came with the server. It sounds like in order to complete the pfSense install, both WAN and LAN ports must be plugged in and link must be up. Should I plug one of the ports on the new card to the WAN port on the carrier's modem and the other port on the new card on the Ethernet switch I have? If I do this, I would lose internet access momentarily, until the installation and configuration is finished. I guess I would need to access the shell directly on the server, not the web GUI. Also my Proxmox currently has vmbr0 Linux Bridge set up. I suppose I would keep that for the VMs I've been running on it but for the pfSense VM should I create a new Linux Bridge? Thanks in advance.

Could I use the motherboard NIC as WAN and the PCIE NIC as LAN? Made the mistake of buying a single port NIC

hey man thanks for the video, i have a couple of questions can i use my normal router then connect the virtual router for use the vpn service? or it needs to be directly connected to the ISP provider modem?

I'm sure it's been covered (in fact I know of 1 other creator that has) but running Unraid on Proxmox, I followed his skim-through and I can see it in the console but cant connect. Maybe in it elaborate on selecting network interfaces (cards) to split them among the chassis (Proxmox) and vms (PfSense, Unraid, and TrueNAS at least)
And longshot but if you have a multi-day chassis (like my sc846) how to specify specific bays to certain vms (not specific drives, that way any drive inserted into "bay 20" will be assigned to vm X.

Great video. Thanks.
However the vm needs to be the first to hit the traffic and we need to ensure all Others vm access internet through pfsense. Can you share the iptable rules you have in place to ensure that? Thx

Great Video ...I am new to networking ... If we virtualize the router given by ISP, how would we create a wireless network for this ? ..I suppose the NIC adapter will create only ethernet network ?

So all other vms and the host should use the vmbr u mapped to lan right?

Could I connect a switch from NIC to add more physical devices ?

Hi TechnoTim, this was a great tutorial. I followed it almost successfully, all my LAN client are getting IP addresses except for the guest VMs that rely on the vmbr NIC. Did you come across this and if so how did you resolve it? Many thanks

I am wondering how you interact with Proxmox after you virtualize your network as a VM through Proxmox... I am wondering how the system determines an IP through a VM that hasn't booted yet. After it boots, how does it get an IP from the VM?

Is no one going to mention how much you look like Johnny Depp?
Never the less, i love your tutorials. Easy to understand.

question how can include proxmox web on same network as you pass hardware pci direct to pfsense im trying to acess proxmox direct from pfsense network ?

I fully believe this set up works. you are essentially using your proxmox as your network gateway, which is not very secure

Hi, Do you know how I could enable my computers that obtains network access from the virtual pfsense to be able to reach the proxmox servers webinterface? So for example if I have a virtual PC hosted on proxmox and its network is obtained from the virtual pfsense, how would I then allow for that virtual PC to be able to reach the proxmox interface?

Hi Nice Vid!! At 3.48 you mention that you can pass-through of a 4 nic card only the 1/4 portion of it?? How is that possbile? I am used to Unraid on which you need to exclude the specific pci device you want to pass first and afterwards to give it to the VM.
Even more difficult if that device is a motherboard controller (usb, nic). Is it possible in Proxmox to pass-through motherboard controllers without braking things? Isn t in Proxmox mandatory the passed through device to be in its own iommu (so iommu capable motherboard needed?)
Last but not least did you have to put your isp's modem in bridged mode in order for this to work?
Thank you

Thanks for the video! If dont have a 2 port NIC can I add an additional 1 port NIC to go along with the built in one on my mobo?

Maybe you should do a video on setting up Vlans on proxmox?

Hi Tim,
How do you connect your other virtual machine that are inside of the same physical machine you installed pfsense? And do you use a dedicated modem to connect to pfsense?
Thanks,
Eduardo

Can I do it with Proxmox Virtual Network? I don't have a network card to add extra. Thanks for the video