How to Virtualize Your Home Router / Firewall Using pfSense

Which firewall / router are you running at home? If you can't remember, maybe it's time to SWITCH ;)
By the way, if you're new here, welcome! Please remember to ✨subscribe✨ for more content like this!

Always log on with the new account before disabling the old account.

I have an identical setup. One thing to consider depending on how many cores you have on the host, is to make the CPU type 'host' and pass through 1 or 2 physical cores. This should ( depending on your CPU ) enable the AES-NI CPU crypto which can be useful if you use OpenVPN and want faster throughput over encrypted connections. Awesome guides by the way, I wish these vids were around years ago!

Incredible quality, easy to understand, as always fantastic! Thanks for your videos Tim, keep doing them please.

Tim, your videos are invaluable. Thanks for the amazing work, you TRULY deserve like 1 MLN subscribers already.

just fantastic. I have been prepping my own home server and was sweating because I wasn't sure what to do to isolate it from the network.
"Is it safe to host?"
"whats pfsense even do"
"should i buy dedicated hardware"
"where WAS that lasagna!?!"
and this video made it so clear. Thank You

I went through the same research journey around the same time. I also seriously thought about putting pfSense on virtual machine. Eventually I decided to purchase a dedicated hardware for pfSense because of all the reasons people talked about on the internet. I probably would try to visualize it if I saw your video earlier. Now my whole set up is already completed, and it's very stable. I don't want to mess with it.

Seriously the most helpful tutorials on UA-cam, thank you!

Such a great idea for those tech heads that want to do something more than what those basic modem routers.. Just a note for those with different NBN connections that you may still need the netgear/gateway/modem from your ISP but simply put it into bridge mode then pass that to the WAN interface as per TechnoTim's guide!! (suit most Australian NBN type of setups) As I am and Aussie viewer also!!!

Even though I have a PCI network card with two ports, adding them as PCI cards in Proxmox did not work for but instead as NICs, the rest was flawless, thanks for the video man, I dropped a sub as well.

Love playing around with Proxmox at home, it really impresses my boss when I talk above his head with tech stuff lol. Thanks!

I really enjoy watching these videos, it is your relaxed way to present the topics and nice background music ! Keep up the great work

Techno Tim Rocks!!! Awesome content and delivery. Thank you.

Outstanding!!!! Thank you for this!
What is cool, is since the host os is debian based, you can install and run netstat which gives MUCH more information about thruput on the nics

Heyo Tim, you have greatly helped me get into the Homelab scene, and I appreciate it. With that said, you really should consider revisiting this video with a 2022/2023 edition. Reason why I say this is because passing my NIC down to the OPNSense VM in Proxmox (and even Pfsense) straight up did not work. I almost gave up, until I talked to someone that had a workaround: by creating a Linux bridge with the NIC as an alternative way. Passing the NICs down did not work but creating a bridge did. I had other people express their grievance about following your video and having it not work. And from what I heard, when it comes to virtualizing routers/firewalls, passing down NICs is a huge NoNo for this reason. I have no doubt this worked for some people, but I feel like there is a higher chance of success with an updated video by using the create Linux bridge method. Just my 2 cents!

Great stuff Tim. Subscribed!!!

the production quality of your videos is excellent. Tutorials are short and helpful - no wasted time. Subscribed!

That took some effort, but I got my NICs on the Dell R710 passed-thru and my network is up! I learned a heckuva lot along the way. Thanks Tim!

Nice! I’m a big pfSense advocate. Subscribed!

Thank you for doing this, and the education, I appreciate it, it worked great.

I had no idea before now I Know, Thanks for your video.

This was so helpful, thank you

No. 600 - excellent video and now you given me an excuse to do what you done VM of pfsense 👍🏼

Thanks for this Video.

Great tutorial. I really like how well you laid out this content. I'm a network engineer and while I knew how to do all of this networking, I wanted to see how you explained it for laymen. Fantastic stuff. I also completely muffed my own proxmox setup, I didn't realize you could pass through NIC's so easily. I made an OVS bridge for the WAN, I don't want to talk about it :( One little change I would make is on the LAN gateway address. While you can always make the gateway whatever IP you want on the subnet, I really like to keep it to either the first address in the subnet, or the last address in the subnet. Remembering a random address is difficult years down the line and if you ever need to add a statically configured network device, its easier to remember first address or last address. Anyway, just my $0.02.

I guess it's time to smash my buggy tplink router and say hello to virtual router. Cool tutorial as always. Keep it up man 👍

Great stuff!!
Any chance you could do a video on how to create an AP too using the integrated wifi adapter many repurposed homelab computers have? :)

This is the best guide

Thank you for this video! Regarding CPU settings. To have AES-NI CPU Crypto: Yes, I selected Type: host (if the host CPU supports AES-NI, of course). And adding PCI nics (in my case Intel) didn't work with "All Functions" enabled. Maybe it doesn't work with this particular board. So I cleared this box.

Hi Tim fantastic video!
I'm just getting started with Proxmox but so far I am digging it, I want to set up a virtual PFsense instance but not to act as my real firewall in my office, I just want to be able to join other VM’s within Proxmox to the LAN network that PFsense is creating.
That way I could test VPN solutions like Wireguard, Zerotier and Open VPN from one VM to another that are on different networks.
My Proxmox box does have 2 NICS, actually 3, what would be the best way to go about this?
I feel like I can basically follow your tutorial except for on the LAN NIC for PF sense I don't need to connect it to a switch I just need it to broadcast to the other VMS in Proxmox, just not quite sure how to do that.
Thanks !

Proxmox is great, and I have a whole lot of virtualized gear, but my router isn't one of them. I tried it, and quickly figured out why a router should be on its own hardware. The first time my power blinked - I was ordering hardware to run pfsense on the next day.

I like your videos!! Very good youtuber!

Thanks for the video! Really clear explanations. Question: in choosing all of your cores under the CPU tab, does that mean that there will no cores available for other VMs? If you have more than one VM, should you divide the cores between them?

Like the explanation.

Wow great, please more pfSense tutorials!

Perhaps good thing to mention in a comment is that you need IOMMU enabled. I went and watched your "before I do anything" video and you explained it great there. Quick reference would be nice because I got stuck when I wanted to start the VM.

Hi Tim,thanks for your great videos, I m interested to see how you implement vdi infrastructure solution with proxmox and open source tech you prefer to do that

Awesome video and tutorial! Thank you Tim! During this lock down, it was a great time to get something like this set up and your video was a huge help.

fantastic video, however on the pfsense installation guide for PVE it mentions the creation of vmbr1 and vmbr2 and assign them to eth1 and eth2 assuming vmbr0 and eth0 are reserved for managing PVE. So did you that step here?

Thank you for your video

@Techno Tim Thank you for the great video! I'm just scoping out the work I have a head of me, and want to know, can you access the proxmox UI via web from an IP dealt by the pfsense VM? Ideally i would like proxmox to be accessible from the virtual router, instead of the physically accessing the proxmox service with a keyboard and mouse. So my usecase is simple: access proxmox from my desktop that is connected to my virtual pfsense router.

PFsense has gotten so much better looking

implementing this today

Fantastic tutorial @Techno Tim, I just have a question that I am struggling with this setup... Let's say you've dedicated both the PCI LAN/WAN NIC cards to the PfSense VM. Is it still possible/recommended to bridge your proxmox node to the same LAN NIC which is now dedicated directly to the VM? Or will I need a 3rd NIC for the proxmox node as well? I'd prefer to only have a single NIC for LAN and proxmox host for simplicity's sake.

If your CPU supports AES-NI and you like to use it in your pfSense/OPNsense VM for OpenVPN etc. you can change processor type to "host"

This video was awesome. While we are on the subject of virtualizing firewall: Can you add a third NIC to the PFsense VM that is also on the LAN side but its inside the Proxmox virtual environment? What I mean is, for physical devices on the LAN side you would connect it to the LAN physical port (maybe add a switch first), but for the other VMs that live on the same Proxmox host as the Pfsense, it would be a waste to send their traffic out a phisical port then back on the LAN port. Is my assumption correct that all you would have to do is create a new linux bridge in proxmox (vmbr2 maybe) and just add that as a third adapter to pfsense and configure it as LAN. Then from there just add that bridge as an adapter to all your VMs?

Very helpful video, thanks! I have a question though if you don’t mind! Say i create a linux bridge to the passed-trough LAN port to allow connectivity between my other VMs and the physical switch managed by pfsense. Will the VMs bypass the pfsense firewall? Or will they be routed trough it? Thanks!

don't forget to enable IOMMU. The version of Proxmox 6.1-7 didn't enable it by default.

Hi Tim, great tut. Had to do some IOMMU separation to get it to work but finally did it and working. Now, I have PFsense running inside vm giving its own network and dhcp to everything comming out through the lan port. So far so good. I want now to place the proxmox host behind pfsense as well and leave the primary modem only passing traffic to pfsense with DMZ. I just need to plug the nic (using proxmox) to the switch but before change de ip address? I'm not sure how to do this.

@Techno Tim Thank you for your video, I have used this to make a similar setup. But the nodes on the LAN are not able to connect to WAN. They can get IP addresses though. Any tips to fix this? Please let me know. Thanks in advance!

Just recently found the videos and am enjoying them very much, but, I have a question...
I think you mentioned this pass-through was done on a R710 (I could be mistaken)? If so, how did you get it to work? There seems to be Dell related laziness keeping an IOMMU/pass-through setup from working properly due to some unpatched Intel screwup.
I usually just bridge interfaces on VMs when needed, but decided to try this out. Nothing has worked. I have a R610 and R710 here along with dual and quad port Intel Pros.
Did you end up having to use the "Allow Unsafe Interrupts" option?

Thank you very much for so incredible manual! is it correct if I have two inbuilt NIC in my motherboard then in my case will be better use two bridges in Proxmox instead of PCI-passthrough?

1.proxmox can do hardware accelaration from pfsense through nic ?
2. there is option to define standard vSwitch in proxmox like vsphere ?

Maybe you should do a video on setting up Vlans on proxmox?

Good video!

Hi Tim. You need to put a space before 'Techno' for the link to the HP Dual Gigabit NIC so the link works.

Might be late to the party, followed your video and worked perfectly (thank you) only thing is if I reboot the vm (for pfsense) I don't get a WAN ip back, only way to get it is to reboot the Proxmox server, can't find anything to point me to the correct direction

How is the hypervisor acting on the open WAN port? Thinking with regards to open ports, updating etc.

two things....why did you add pci device and not network device card as i've seen in all other similar vids?....secondly, as feedback - thanks for posting. apart from knowledgeable and simple to follow, it's calm and easy to listen to...

Thanks for this great video. It is a good idea to do it from security point of view to have your proxmox server open to internet if you have all other important VMs in promox itself? I had been thinking about this but was bit concerned. I am building a new proxmox server so I am thinking it again. I have unifi USG as my router now but it lacks lot of good feature other than nice graphics

Hey, great video! Can you speak to theb tradeoffs in virtualizing and running pfSense through proxmox vs pfSense on bare metal? While this seems really cool, I do wonder about the overhead in virtualizing and what benefits I'd gain. The main one I see is in essentially being able to overprovision a server and essentially create "multiple" servers, though with a potential performance hit. Also possibly easier for backup and recovery?
Also, related to above, would I be able to run a proxmox box with pfSense in 1 vm and e.g. Postgres in another all with 1 nic, or would I need multiple? It seems like I'd need 1 for wan and 1 for lan, plus ANOTHER for Postgres or any other servers. If I can do it all with one, is it even recommended? Feels like a security risk with possible performance issues also, intermingling all that traffic.
Sorry for the wall of text!

Great Video ...I am new to networking ... If we virtualize the router given by ISP, how would we create a wireless network for this ? ..I suppose the NIC adapter will create only ethernet network ?

i got further with 8.0 then others version with this guide ty i have an older intel dual 100 nic that i may use as new is not in the cards yet lol.

Hi Tim, awesome video.
I opted for OPNSense.
I added 2 x NICS to proxmox and struggled getting them in different groups
This is how I resolved that:
In proxmox shell...
>> lspci | grep Ethernet
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. Device 8161 (rev 15)
06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. Device 8161 (rev 15)
>> find /sys/kernel/iommu_groups/ -type l | grep 03
Showed both nics in group 7
/sys/kernel/iommu_groups/7/devices/0000:03:00.0
/sys/kernel/iommu_groups/7/devices/0000:06:00.0
Edited grub as follows:
>> nano /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on pcie_acs_override=downstream,multifunction"
>> update-grub
>> shutdown -h now
and switched the server on again. I could then add the NICs to my VM.
Noob dilemma. Please help me getting to my VM
-- Laptop connected via router (192.168.21.1) to proxmox host (192.168.21.10)
How can I connect to the host as well (or interchangeably) to the OPNSense VM?

Thank you for this video, and for your channel. I do have a question. I have a similar setup as seen in the 2:22 mark of this video (onboard NIC and dual NIC card). My onboard NIC is attached to my switch via a green cable. My WAN port is plugged into my provider's cable modem via a white cable and my LAN port is plugged into my switch via a black cable (BTW, same switch that the onboard NIC is plugged into so that I can go to Proxmox web UI). pfsense seems to be working with this setup, but how do my Proxmox VMs get their Internet? Since the dual NIC card is being passed through to the pfsense VM, and other VM will not see this card. Is there something I need to do in Proxmox or pfsense to bridge the two?

Hello, nice video ! How do you connect other physical PCs to that virtualized router ?

Great Video - first TechnoTim I have seen. Great job explaining and sharing. I have been using pfSense about 2 years now on an HP t620+ ThinClient with an added 2-port Intel i350-T2 card. Been working great, but I have this awesome Workstation class machine I want to use for ProxMox. I have 8.0.9 installed there, and I am just beginning. I purchased a 4-port i350-T4V2 for this box, and it is working fine. In the t620+ I had disabled the on-board NIC as was not using it.
I know that ProxMox requires a NIC for accessing the host/dashboard, but can it be one of the 2-ports I will use on the i350-T4? I have a cable from Cable modem to port 0 on the 4-port and cable from port 1 to the Netgear Orbi (wifi AP)...as it has a satellite in the other end of the house where the office is - so that I have Wired (per se) access back there and wifi is stronger. From the Orbi (at the ProxMox box & modem - there is a cable into the on-board NIC of the ProxMox host). If I unplug this, I lose access to the host dashboard.

Dude thank you that's awesome. Where would you save the ISP account details though? Do you use a switch for extra ports?

Hi Tim. The guide is nice and clear- but can you make a guide for people that want to utilize current equipment? Like old laptop with proxmox and pfsense (so one nic) and tp-link vlan switch. I tried to made such setup work with this guide combined with some router on a stick but I've failed:)

Thank you for great video, Tim!
Do you get good performance on your pfSense running in Proxmox? I get max 50mbps on 100mbps link with Squid and PfBlockerNG running. Have turned off hw checksum offload, played around with amount of RAM & CPU cores, but no luck. Was also running ntopng for a while, but itdecreases performance, so I removed it.
I am running it on i5-7500 CPU with host CPU type, 4 to 8 gigs of RAM. Mifro form factor Dell PC, one interfaces is usb-to-ethernet. Tried different settings for it, but no luck as well.
Do you have any ideas what can be the reason for that?

Is it possible to utilize pfsense on proxmox using only laptop with one NIC using VLANs. I know you elaborated on these subjects but not in such combination. Thanks for you help

Tim, I love your videos but had a quick question. Do you have failover for your virtualized firewall? I currently have pfSense virtualized on Proxmox but every time I need to reboot Proxmox, I bring down the network.

Hi TechnoTim, this was a great tutorial. I followed it almost successfully, all my LAN client are getting IP addresses except for the guest VMs that rely on the vmbr NIC. Did you come across this and if so how did you resolve it? Many thanks

Great video. Thanks.
However the vm needs to be the first to hit the traffic and we need to ensure all Others vm access internet through pfsense. Can you share the iptable rules you have in place to ensure that? Thx

Tnks for the help, @Techni Tim!
If anyone get a error like this -> "TASK ERROR: KVM virtualisation configured, but not available. Either disable in VM configuration or enable in BIOS." - Please, follow this steps to solve!
Bye!

How does this work with your ubiquity gear (udm-pro)? I’m in a similar situation and just wanted your thoughts.

Thanks for the video! If dont have a 2 port NIC can I add an additional 1 port NIC to go along with the built in one on my mobo?

would be helpful if you went through IOMMU and PCI passthrough for those NIC cards to be accessed by the VM

I fully believe this set up works. you are essentially using your proxmox as your network gateway, which is not very secure

Is no one going to mention how much you look like Johnny Depp?
Never the less, i love your tutorials. Easy to understand.

Great tutorial as usuall from you. I have a question about the proxmox location in this infrastructure. Where is it placed in the network. I am running small server with pfsense virtualized but this server I own has only two LAN nics. One is used as a wan port and secon as a privet network. I wonder where and how to address the proxmox... I hope this question makes sense

Thank you for this video. I have one “noob”question. Using a physical machine that has 6 network ports, running ProxMox and a pfSense VM...how can I access ProxMox web control panel from my network that is being served by pfSense? Do I just need to ensure ProxMox is on the same subnet as my LAN? Thank you kindly for helping.

I'm sure it's been covered (in fact I know of 1 other creator that has) but running Unraid on Proxmox, I followed his skim-through and I can see it in the console but cant connect. Maybe in it elaborate on selecting network interfaces (cards) to split them among the chassis (Proxmox) and vms (PfSense, Unraid, and TrueNAS at least)
And longshot but if you have a multi-day chassis (like my sc846) how to specify specific bays to certain vms (not specific drives, that way any drive inserted into "bay 20" will be assigned to vm X.

Hello, my networking setup at home are ONT and a openwrt router.
Can i set the pfsense on the midle of the ont and router

how about showing us how to setup pfsense in proxmox and using that vm as the router for a cluster

can you please make a video on sophos firewall? also with the dual NIC card, where do those Ethernet cables go in and out to? i assume the WAN one comes from the modem, but the output?

hey man thanks for the video, i have a couple of questions can i use my normal router then connect the virtual router for use the vpn service? or it needs to be directly connected to the ISP provider modem?

a little update for all , you can get a pfsense + home subscrition now so more features for free ! btw great video(all of them that i saw ) mister tim

Any thoughts on installing with zfs? Seems to be the default these days

Is it possible to route traffic from your proxmox hypervisor out through the pfsense vm? Without having to use an additional port to connect the hypervisor box to the switch?

Can you use SRIOV instead of passing the whole nic? So you still can have some VFs for your other VMs.

You don't actually have to patch the LAN port through to the Pfsense VM, you can just use the default Proxmox bridge and save a connection to your switch.

Thanks for the tut. Why you are the PCI device directly instood of an Linux bridge?

Found your channel awhile ago but I never had any server stuff. Your stuff is awesome.
Question about Users, if the new user added to PfSense has the same access as Admin, why create a new user? Is it because hackers will try to use admin as the username to login?

Is this possible to do with only 2 ethernet ports? I have a pcie card with 1 ethernet port, and I also have the standard one on the motherboard. In 2:22 I can see that the red wire is probably connected to whatever computer is used to connect to the proxmox web interface.
Trying it out for myself with just 2 ports made my setup, as expected, go down :)
I will try again with a USB-ethernet dongle or the onboard wifi (if I can get it to work) so I can access the web-interface..

Can you cover the switch options more? For example using physical switch or using open vswitch?

Tim, how did you connect the host OS to pfsense once its setup. As you used two ports passtrhough to pfsense (physically from the quad port), the host proxmox should also be on the LAN side. Will that use a physical connection from the pfsense LAN>switch>LAN3 (cable) or something else? Secondly, do you disable firewall option in the natwork setting of proxmox VM?

Could I connect a switch from NIC to add more physical devices ?

Any chance you could do a video on how to passthrough hard disks to a VM in Proxmox for FreeNAS virtualization?

question how can include proxmox web on same network as you pass hardware pci direct to pfsense im trying to acess proxmox direct from pfsense network ?