PfSense VirtualBox Appliance as Personal Firewall on Linux

The tutorial explains how to set up pfSense VirtualBox appliance in order to use it as a personal firewall on Linux. It shows Linux network configuration to support this scenario and provides an installation script that automatically builds a VirtualBox virtual machine ready for pfSense installation. It also describes pfSense installation and shows minimal web configuration needed for successful connection to the Internet.

pfSense Live CD ISO disk can be downloaded from here.

1. Linux Network Configuration

We are going to install pfSsense from live CD ISO image on a VirtualBox virtual machine. To do so we must reconfigure an existing network interface, create a new one and configure new static default routes. A network topology consists of Linux Fedora with installed VirtualBox virtualizer. is shown below.

Picture1-Network_Topology

Picture 1 - Network Topology

A wireless network card is installed in Linux and presented as an interface wlp3s0. The interface wlp3s0 is the interface that connects Pfsense virtual machine to the outside world. This interface will be bridged with a first network adapter (em0) of the Pfsense virtual machine. Bridging host adapter wlp3s0 with the guest adapter em0 (WAN interface of Pfsense) will be done using vboxmanage utility and shown later in the tutorial.

As the Pfsense appliance is responsible for connecting to WAN network, we should remove an IP address from the interface wlp3s0 and delete a default route pointing traffic to networks via this interface. A root account is required to do the changes.

# ifconfig wlp3s0 0.0.0.0
# route del default dev wlp3s0

Now we need a virtual tap interface that will be bridged to the second network adapter em1 of the Pfsense virtual machine. Network interface em1 represents the LAN interface of the pfSense firewall. In order to create a virtual interface a package tunctl must be installed.

# tunctl -t tap0

The next step consists of IP address configuration for the interface tap0 and configuration of a default route that routes all traffic to LAN interface - em1 of Pfsense appliance.

# ifconfig tap0 192.168.1.2 netmask 255.255.255.0
# route add default gw 192.168.1.1

Now we can replace our DNS configuration with Pfsense DNS server.

# echo "nameserver 192.168.1.1" > /etc/resolv.conf

As a last step we are going to disable iptables to avoid undesirable traffic filtering.

# service iptables stop

Every time a Pfsense appliance is started we must issue type these commands. To automate a process you can write a script that will do this job for you. I will share my own script, you just need to replace the name of the interfaces and a username 'brezular' according to your needs. A root account is needed to start a script and to let the script configure network settings. The script also starts a Pfsense VirtualBox appliance in headless mode.

You can download the script here . Download it and assign executable privileges to the script.

$ chmod +x ./start_pfsense

2. Building VirtualBox Virtual Machine for PfSsense Installation

You can either create a virtual machine using VirtualBox GUI or use my second script that automatically builds a virtual machine and starts Pfsense installation. The script creates a virtual machine with two network adapters and bridge them with the particular host interfaces that you must enter as a script arguments. It is a virtual tap interface tap0 that will be bridged to em1 (LAN) interface of the Pfsense virtual machine and the interface wlp3s0 (in my case) bridged to em0 (WAN) interface of the Pfsense appliance.

$ chmod +x ./set_pfsense

Then start the script with the required arguments but change network interfaces according to your real adapters.

$ ./set_pfsense -m 1024 -f ./pfSense-LiveCD-2.1.5-RELEASE-i386.iso -l tap0 -n Pfsense -w wlp3s0

Picture2-Script_Usage

Picture 2 - Script Usage

Once a script finishes creating a virtual machine, Pfsense installation is started.

Picture3-Pfsense_Virtual_Machine

Picture 3 - Pfsense Virtual Machine Ready for Installation

3. PfSense Installation on VirtualBox

PfSense installation is explained here in detail. Just press key I (install) once you are prompted and select an option Quick/Easy Install. Once installation is finished, you will be asked for doing reboot. Power of the virtual machine (Right Ctrl-q) and deattach Live CD ISO disk from cdrom with using the command:

$ vboxmanage storageattach Pfsense --storagectl IDE --port 0 --device 1 --type dvddrive --medium none

Note: Change the virtual machine name pfSense according to the name of your VM.

Now you can start a virtual machine to finish an installation process with the command below.

$ vboxmanage startvm Pfsense

During the boot proccess you can notice a list of detected interfaces.

Picture4-List_of_Detected_Interfaces

Picture 4 - List of Detected Interfaces

Type 'n' once you are asked to set up VLANs. Then you will be asked to enter the WAN interface name. It is an interface em0 and it was bridged with the interface wlp3s0. Installation continues with entering a name of pfSense LAN interface. It is an interface em1 and it was bridged with the interface tap0.

Hit enter when you are prompted to enter the name of Optional 1 interface name. At the end of install you should be able to see the following interfaces assignment.

Picture5-Interfaces_Assigment

Picture 5 - Interfaces Assignment

Hit the key 'y' to finish pfSense installation.

4. Minimal Pfsense Configuration

We will make a minimal Pfsense configuration that allows us to connect our Linux box to WAN network and to the Internet. For this purpose we are going to use a web browser to connect to the LAN interface  of Pfsense - IP address 192.168.1.1. Username is admin and password pfsense.

Once you are logged in, configuration wizard is started. The wizard may be stopped by clicking the logo image at the top of the screen. Just do it.

4.1 Assign IP Address to WAN Interface

According to a network diagram, WAN interface should be configured with the IP address 172.17.100.5/16. Navigate to Interfaces-> WAN and select an option IPv4 Configuration Type - Static IPv4. Type the IP address 172.17.100.5/16 for WAN interface.

Picture6-WAN_Interface_Configuration

Picture 6 - WAN Interface Configuration

As the WAN interface has IP address assigned from the space reserved for private networks RFC 1918 (10/8, 172.16/12, 192.168/16) we should uncheck the box Block private networks. Then click Save and Apply Changes button.

Picture7-WAN_Interface_Configuration

Picture 7 - WAN Interface Configuration

4.2 Create a Static Default Route to WAN and Internet

Navigate to System-> Routing. Add a new IPv4 gateway by clicking on + button. Type a name of the Gateway, IP address (172.17.100.1) and check a switch Default Gateway. Click Save and Apply Changes button.

Picture8-Default_Gateway_Configuration

Picture 8 - Default Gateway Configuration

Note: In my case, a default gateway address is the IP address configured on the LAN interfaces of my Belkin SoHO router - 172.17.100.1/16. You have to enter your own default router IP address.

At this point we should be able to ping both - the IP address of our default router and public IP addresses located in the Internet. Lets try to ping Google IP address 8.8.8.8 from the Pfsense WAN interface. Navigate to Diagnostic-> Ping and make a test.

Picture9-Pinging_Google_Public_IP_Address

Picture 9 -Pinging Google Public IP Address

Now configure DNS server to let Pfsense us names if needed. Navigate to System-> General Setup and configure an option DNS Server. I want to use DNS server configured on my home Belkin router so I will configure IP addres 172.17.100.1.

4.3 Configure Network Address Translation - NAT

We want to hide our LAN network 192.168.1.0/24 behind the IP address 172.17.100.5/24 so NAT must be put in the place. Navigate to Firewall-> NAT and select an Outbound NAT tab. Click + button and type a source network 192.168.1.0/24 for a Source option. Leave the other settings default. Then click on Save button and you will return to the Outbound tab. Check the box Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) and click Save and Apply Changes button.

Picture10-NAT_Configuration

Picture 10 - NAT Configuration

4.4. Disable User Admin and Create New Admin Account

Navigate to System-> User Manager and edit settings for user admin. Change a default password for this user and check the box Disabled. Then click Save button.

Now create a new user with admin privileges. Click on + button and type a name and a password for a new user. Assign admin privileges to your new account in the Group Memberships panel.  Again, click the Save button.

Picture11-User_Configuration

Picture 11 - User Configuration

4.5 Secure Remote Access via CLI

In order to to start Pfsense appliance automatically we put the command 'runuser -l brezular -c 'vboxheadless -startvm Pfsense' in a startup script scriptstart_pfsense.txt. The script starts the Pfsense virtual machine in a headless mode. The headless mode allows to start  a virtual machine from the command line so the VirtualBox GUI is not needed for this job. A graphical popup window with the Pfsense console will not appear and the output is transferred to VirtualBox Remote Display Protocol (VRDP) server. The server is listening on a port 3389 and anyone having connectivity to a Linux host can connect to Pfsense console using remote desktop client. To do so, we can use the command:

$ rdesktop-vrdp 192.168.1.2

Picture12-Pfsense_Console

Picture 12 - Pfsense Console

If we do not need access to pfSense console we can start the virtual machine in headless mode with disabled vrde server - option --vrde off. If it is your case, replace the actual command in start_pfsense.txt script with the command:

runuser -l brezular -c 'vboxheadless -startvm Pfsense --vrde off'

In order to keep the shell access to your pfSense appliance even after you disabled VRDE server, you should enable SSH server. Navigate to System-> Advanced and check the box button Enable Secure shell.

If you insist on using console, an access should be protected with a password. Navigate to System-> Advanced-> Admin Access and check the box Password protect the console menu.  Next time you connect to console via remote desktop you will be asked to enter your credentials to log in.

5. Conclusion

We have just finished pfSense installation on VirtualBox machine and from now we can use it as a personal firewall on Linux. Adapt a first script I shared with you and use it to setup a network connection and for starting your pfSense VirtualBox appliance.

3 thoughts on “PfSense VirtualBox Appliance as Personal Firewall on Linux

  1. A minor bug with set_pfsense.txt script. Here's the patch when there space in the pathname such as "/root/VirtualBox VMs":

    95c95
    vbox_dir=$(dirname "$vbox_file")
    101c101
    vboxmanage createhd --filename "$vdi_image" --size 8192 --format VDI --variant Standard
    110c110
    vboxmanage storageattach $vm_name --storagectl IDE --port 0 --device 0 --type hdd --medium "$vdi_image"

Leave a comment

Your email address will not be published. Required fields are marked *