Virtualizing pfSense under Ubuntu Server

In this tutorial I’m going to assume that you have already installed Ubuntu Server 12.04 and are connected to the internet via a DHCP interface. If you are reading this you probably already know that pfSense is a powerful, open source, FreeBSD based router distribution which can be installed on x86 hardware.

Installing VirtualBox

If you are a home user like me, with fewer than a dozen LAN clients and a modest internet connection, you probably do not need very powerful hardware to manage your network. By using virtualization we eliminate the need to run 2 separate machines for our router and home server. There are many paid and free solutions available for Linux, including KVM, VMware, Xen, and Virtuozzo. I chose VirtualBox because I found it was supported by a large community and easy to manage without a GUI. On older hardware without support for hardware virtualization it also falls back to software emulation.

The first thing we are going to do is install VirtualBox which is available in the Ubuntu repositories, so run:

sudo apt-get install virtualbox

Installing VB Extension Pack

Now we need to install the VirtualBox extension pack, which is necessary when we want to view the screen of the VM we are installing. Go to the VirtualBox downloads page and get the link to the latest version. Then run these commands, replacing the link with the most recent one from the website.

wget http://download.virtualbox.org/virtualbox/4.1.6/Oracle_VM_VirtualBox_Extension_Pack-4.1.6-74713.vbox-extpack
VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.1.6-74713.vbox-extpack

Using phpVirtualBox

Since this is Ubuntu Server and we are not using a GUI, we are going to use a browser-based interface instead so we don’t have to tediously enter all the commands. phpVirtualBox uses JavaScript and HTML to mimic the look and functionality of the desktop VirtualBox application. Assuming you have the Apache web server installed, all you have to do is download and extract the latest zip into the web server’s root directory using these commands.

cd /var/www
sudo wget `wget -q -O - http://phpvirtualbox.googlecode.com/files/LATEST.txt` -O phpvirtualbox-latest.zip
sudo unzip phpvirtualbox-latest.zip
sudo mv phpvirtualbox-4.1-7 phpvirtualbox
sudo rm phpvirtualbox-latest.zip

Now start the VirtualBox web service by typing,

vboxwebsrv

After all that, provided that your web server is configured properly, you should be able to go to http://serverip/phpvirtualbox (default login is admin/admin). Now that we have VirtualBox all set up, go to the next page and I’ll talk about installing pfSense.

Setting up the Virtual Machine

Before we create the VM we should first download pfSense. You can close vboxwebsrv by pressing Ctrl+C. To download pfSense, go to their downloads page, find a mirror near you and select the link ending in RELEASE-i386.iso.gz, then use these commands.

cd /home/yourusername
wget http://mirror.qubenet.net/mirror/pfsense/downloads/pfSense-2.0.1-RELEASE-i386.iso.gz

Once it has finished downloading, start up vboxwebsrv again and go to your browser. Other than the network adapters this process is fairly simple but I’ll walk you through it anyway with these images. Just follow along.

The disk takes a few moments to be created and formatted. After that click finish and you will be able to see your newly created virtual machine in the left sidebar. Highlight it and click settings so we can configure it to our needs. Then copy the settings in the images below. A lot of things can be disabled because they are not needed for an operating system without a graphical desktop. Then you need to add a CD-ROM to the storage controllers list and mount the install media that we downloaded earlier.

Now we want to set up 2 identical Ethernet adapters. This tutorial assumes you have 2 physical NICs in your machine and will use one for LAN and one for WAN; more complicated configurations are possible but are not discussed here. Then we need to make sure remote display is enabled, because the host machine has no GUI and we won’t be able to view the VM from it.

Now you can boot the VM from phpVirtualBox and install pfSense as you would on a pure hardware installation. Make sure you are aware of which NIC is which when you set the WAN and LAN as this will come into play later on.

Configuring Host Network adapters

Now that we have configured the virtual machine the way we want, we need to set up the network adapters in the host operating system. Open the network config file by using the command,

sudo nano /etc/network/interfaces

Then you can just copy my config file below. I gave the host a static IP address and set the gateway to pfSense’s LAN address. I then gave the address 0.0.0.0 to each interface I configured in pfSense, so that the OS recognizes them but leaves the networking to pfSense and doesn’t interfere with them.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# Host LAN interface
auto eth0:1
iface eth0:1 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 192.168.0.1

# pfSense LAN interface
auto eth0
iface eth0 inet static
    address 0.0.0.0

# pfSense WAN interface
auto eth1
iface eth1 inet static
    address 0.0.0.0
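
Before restarting networking, it is worth confirming that the host holds no address of its own on the NIC bridged to pfSense's WAN, since any host address there would sit in front of the firewall. The script below is an added example, not part of the original tutorial: the function names are hypothetical, the sample files are constructed from the config above, and eth1 is assumed to be the WAN NIC as in this article.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check an ifupdown file so the
# Ubuntu host never takes an address on the NIC bridged to pfSense's WAN.

# Print "iface method address" for every iface stanza in FILE ("-" = no address).
list_host_addresses() {
    awk '
        function emit() { if (name != "") print name, method, (addr == "" ? "-" : addr) }
        $1 == "iface"                 { emit(); name = $2; method = $4; addr = ""; next }
        $1 == "address" && name != "" { addr = $2 }
        END                           { emit() }
    ' "$1"
}

# Succeed only if WAN_IFACE and its aliases (eth1:0, ...) are "manual" or
# "static 0.0.0.0", i.e. brought up for bridging but unaddressed on the host.
wan_is_isolated() {
    list_host_addresses "$1" | awk -v wan="$2" '
        { base = $1; sub(/:.*/, "", base) }
        base == wan && $2 != "manual" && !($2 == "static" && $3 == "0.0.0.0") {
            printf "host would be reachable on %s (%s %s)\n", $1, $2, $3
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample 1: the LAN and WAN stanzas from the tutorial's file.
tutorial_config() {
    cat <<'EOF'
# Host LAN interface
auto eth0:1
iface eth0:1 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
# pfSense LAN interface
auto eth0
iface eth0 inet static
    address 0.0.0.0
# pfSense WAN interface
auto eth1
iface eth1 inet static
    address 0.0.0.0
EOF
}

# Constructed sample 2: a mistake that makes the host request its own WAN lease.
exposed_config() {
    tutorial_config | sed 's/^iface eth1 inet static$/iface eth1 inet dhcp/'
}

dir=$(mktemp -d)
tutorial_config > "$dir/good"
exposed_config  > "$dir/bad"
for f in good bad; do
    if wan_is_isolated "$dir/$f" eth1; then
        echo "$f: WAN NIC is unaddressed on the host"
    fi
done
rm -rf "$dir"
```

On a real host, call wan_is_isolated /etc/network/interfaces eth1 and only restart networking if it succeeds.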

In order to use the new config you have to restart the networking service. This is done by typing,

sudo /etc/init.d/networking restart

Starting pfSense at boot

Since this is a router, I figure it’s safe to assume that you will want to start it up as soon as you boot your server. There is a great script that I found here that will do the trick. I’ve copied the version I modified for my use below.

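#! /bin/sh
# /etc/init.d/pfsense
# Starts the pfSense VM headless at boot and saves its state at shutdown.
#
# Edit these variables!
VMUSER=administrator   # account that owns the VM
VMNAME=pfsense         # VM name as shown in VirtualBox
case "$1" in
  start)
    echo "Starting VirtualBox VM..."
    sudo -H -b -u "$VMUSER" /usr/bin/VBoxVRDP -s "$VMNAME"
    ;;
  stop)
    echo "Saving state of VirtualBox VM..."
    sudo -H -u "$VMUSER" /usr/bin/VBoxManage controlvm "$VMNAME" savestate
    ;;
  *)
    # Quoted so the shell does not treat "|" as a pipe
    echo "Usage: /etc/init.d/pfsense {start|stop}"
    exit 1
    ;;
esac
exit 0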

From here on, configuring pfSense should be just like a regular installation and can be done using the Web UI accessible through the LAN interface. Just make sure your cables are plugged into the correct NICs and then reboot to make sure the script works. If you have any comments, questions or suggestions feel free to leave a comment and I’ll do my best to respond to it.

  • Dustin Rodriguez

    Thanks very much for creating this article. I had been using pfSense for several years, but on a very meager embedded system. Recently I discovered that my current network load was saturating the box, so I had to look for another solution. I decided to go with pfSense in a VirtualBox VM on my server.

    It is NEARLY working. I am using a setup pretty much identical to yours, with 2 bridged adapters on the VM. I copied your interfaces file directly, only swapping eth0 and eth1 to suit my configuration. I am left with a problem, however. When I do an nslookup from the box which hosts the VMs, it does not use the pfSense VM as the nameserver. It appears to be getting the DNS server assigned by my ISP on the WAN interface. Given that I am using the same interfaces file as you, I presume this means that pfSense is providing this. I have the feature that enables that behavior turned off, as I need to use the DNS Forwarder to resolve my local hostnames.

    In addition, pfSense seems to either not be receiving or responding to DHCP requests. The DHCP log shows no requests, and when other machines on the network are configured to use DHCP they do not receive a response. By any chance do you happen to know what I should be looking for? Most of the posts I find online are using pfSense only on VM-internal networks. I am trying to get it so that this VM looks and acts just like the physical box I had previously. Any help would be appreciated!

    • admin

      No problem, I’m glad you found it useful.

      Is the problem only on the machine that is hosting the VM or across your whole network? What happens when you change the name servers in the pfSense settings? You can configure this under System > General Setup.

  • MH

    Great! Thanks Erik. This is just what I need to replace my current home server/gateway. I am using ebox/Zentyal but it is more complicated than I need, and not as simple as I think it should be. I am sure I will be better off virtualizing the two or three functions I want into separate virtual machines, and starting with Ubuntu/box host and pfsense for routing, as I have used pfsense in the past with satisfaction.

    One question: my ISP provides Internet via PPPOE, and my host machine WAN on eth0 is connected to a FTTB modem. If I am to modify slightly your plan here, where do you think should I run the PPPOE client, on the host or on the pfsense machine, and what do you think the changes to etc/network/interfaces might be?

    Thanks for any suggestion.

    • eberkund

      So you are asking if you should do PPPoE on the host and THEN pass the connection to pfSense to handle the routing? I don’t see what advantage there is to doing it this way instead of simply passing the WAN interface to pfSense and letting it do everything. I have used pfSense before with DSL with PPPoE (I’m using cable at the time of this article) and it worked fine with this setup.

      However if you have some crucial reason to do this that you aren’t mentioning perhaps try using Host-Only or NAT instead of Bridged networking mode on your WAN interface. You can read more information about VirtualBox networking modes here: http://www.virtualbox.org/manual/ch06.html#networkingmodes

      • MH

        Well, I suppose what I am asking is whether there is any advantage either way. I have no experience with virtual machines, and although the basics seem straightforward enough, the routing stuff still has me wondering, even after reading through the basics on bridging and so on. I suppose it’ll become clear enough once I jump in and give it a try.

        The whole point of this little project is to use a single piece of hardware, but to compartmentalize functionality on distinct (virtual) machines. Since the PPPOE and a NAT router/firewall are such closely related functions, I must say I like the idea of merely passing the WAN interface to pfSense and having my PPPOE client run there as well. It sounds as though you are suggesting there should be no problem with doing it this way.

        I do see one minor tricky bit, however. I won’t have Internet access until the pfSense machine with the PPPOE is up and running, so I will need to get any module downloading anticipated and done in advance. Of course there would be ways to work around this, such as setting up PPPOE on the host temporarily, but my preference would be that the host install be really clean, strictly limited to only what’s needed to run virtualbox (including phpVirtualBox) and provide the essential hardware interfaces.

        Anyway, I will give this a shot.

  • Justin

    I have my lan IP set.. I can ping it etc.. I can’t access the webgui at all… tcpdump from the VM-pfsense shows it sees the traffic… what am I missing?

    • eberkund

      Ping it from where? The VM host or another computer on your network?

      If you’re trying from another computer on your network did you check to make sure that it is getting an IP from pfSense’s DHCP server? If not, try setting a static IP address (the pfSense IP will be your DNS server and gateway).

  • GeoffatMM

    Hi. Not sure if you are still responding to posts on this topic but hopefully you are. I am trying to set up pfsense on virtual box on Ubuntu BEHIND my ADSL router and not being technical, I am finding all the jargon a bit imposing.

    pfsense is working on the VM fine and I have two NICs installed and recognised as well as a wireless NIC if necessary. What I am having difficulty understanding is how do I make pfsense connect to the ADSL router to redirect traffic it manages to the internet? Eventually I will set this traffic route up as a VPN as the main reason for doing this is to direct my sky box through a VPN service and there is no way to set it on the box directly.

    Every time I try to set interfaces I lose contact with the web configurator of pfsense and have to roll back to a previous version of my settings. I have seen lots of information on setting the WAN to 0.0.0.0 as in your article but I suspect this is for situations where pfsense is managing the routing to the internet not through a separate ADSL router? I have also seen discussion on setting a separate IP address for pfsense which sort of makes sense but I do not fully understand how to achieve it.

    Currently I have my WAN set to DHCP and my LAN on a fixed address of 192.168.1.200. The ADSL router and DNS for my normal network is 192.168.1.1. If I set the pfsense LAN to a new address set of say 192.168.2.200 can I then access pfsense for some machines using the 192.168.2.x system while then at the same time access other machines not via pfsense on the initial 192.168.1.x system?

    If so, how do I set the WAN interface? I assume it must be 192.168.1.x to route pfsense traffic via the ADSL router?

    How do I then set my machine (an Apple Mac) and others to read both networks, 192.168.1.x AND 192.168.2.x as from time to time that would be useful?

    If I can achieve getting my traffic from pfsense to the ADSL router, I think I can then set the VPN up on pfsense to manage all traffic through pfsense over the VPN.

    However, I have also read that pfsense allows me to send some traffic over VPN and the rest over normal connection and again, I am unclear on how to do this.

    Any advice you (or anyone else) can give me will be most welcome.

    Geoff

    • eberkund

      Well the reason you set the WAN interface to 0.0.0.0 is so that Ubuntu does not use that interface at all (just pfSense should use it). The WAN interface should be connected directly to your ADSL router.

      Then the tricky part is that you have the LAN interface which needs to be used both by pfSense to connect to the rest of the network and by Ubuntu so that that machine is connected as well. That’s why I have eth0:1 and eth0, which basically splits the single interface in software amongst the two operating systems using it. eth0 is set to 0.0.0.0 so that it isn’t used by Ubuntu and can be set entirely by pfSense. eth0:1 can be set with a dynamic IP or in my case, the static IP 192.168.0.2. Since the web config is accessed via the LAN, you are probably doing something wrong with this step.

    • GeoffatMM

      OK a couple of issues here. I currently have the WAN set to DHCP (read it somewhere) but when I try to change it to 0.0.0.0 it tells me I cannot have a network address on the interface, so try as I may, I cannot set it to 0.0.0.0 via pfsense.

      Secondly, my pfsense box is remote from the main router so a “direct” connection is not possible and I understood a networked connection would be OK?

      Finally, is eth:1 a virtual LAN connection or is this what I would call eth1 (as opposed to eth0)? I have not yet tried to set up any virtual LANs.

      Geoff

      • eberkund

        What do you mean by networked connection? As for the 0.0.0.0 for the WAN interface, that is only on the Ubuntu side of things. Within pfSense it should be DHCP like you said (and will receive an IP from your router).

        Yeah, that same network interface will have two IPs. One for pfSense, one for the Ubuntu server.

      • GeoffatMM

        As I said in my original request for help, I am trying to set pfsense up behind my ADSL router. The router is in my kitchen and the machine dedicated to pfsense is in an outbuilding as I understood it did not need to be co-located with the router.

        I want to be able to use pfsense to manage normal and VPN connections and to be able to segment which incoming request goes to which outlet, VPN or not.

        Am I right in assuming that I can set my pfsense machine WAN to the same network as my router (192.168.1.x) so that it gets dhcp address from there and can then act as a gateway for the remaining machines in a second network 192.168.2.x say, managed by pfsense acting as a dhcp server for the second network? If so, I think I can just about manage to set that up.

        However, I am still unclear if the above were to work, how I would then segment the various machines to go either over VPN or over the normal internet connection.

        Sorry if this is a bit basic for you but although I sort of understand how to make a home network work, some of the documentation I have been reading is beyond my current comprehension, hence my need for guidance.

        Geoff

      • eberkund

        I suppose that could work, you would have to be careful though if your ADSL router also has a firewall. That might cause some issues if applications are behind two firewalls. Is it not possible to just put the ADSL router/modem into bridge mode and use it as a modem only and then use pfSense to split up which machines you want to use the VPN?

      • GeoffatMM

        OK, I can see how to change the ADSL box to bridge although I am not using the router as a firewall. I am concerned though that if I disable the routing on the ADSL box, there may be other repercussions as for example, there are several UPnP rules set up under the NAT tab and other elements that I am not confident enough to turn off and move to pfsense without a better understanding of them. I am also still unclear on exactly how I separate the traffic between a VPN connection and a standard connection using pfsense. I guess I need to read up more on the pfsense potential but I did choose it as it describes itself as a non-technical solution!

        Thanks for your help thus far. I will try my solution first to see if I can get it going and if so, will then experiment with your suggestion as my knowledge of pfsense increases.

  • John Tyra

    Awesome guide, thank you!! :)
    FYI, the phpVirtualBox project has moved from Google code to SourceForge: http://sourceforge.net/projects/phpvirtualbox/

  • clarence

    I’ve successfully used this guide to get this set up, and network a number of physical machines behind the pfsense firewall. So thanks for writing this up.

    Now I’m trying to put another vm on the same host behind the firewall and connect to the internet.
    I’m having trouble figuring out which interfaces/addresses to use. I originally tried a similar /etc/network/interfaces as for the host (like yours above), giving it a unique IP of course, but that did not work. I used the same ethX interface, and have the network set to Bridged Adaptor in virtualbox.

    On the host machine, virtualbox has created a virbr0 interface, with IP 192.168.122.1. Is that relevant for doing this?

    I appreciate any tips you have.

    • eberkund

      Hey there, I’m glad you found it useful.

      I think what you are trying to do is similar to what I have for my Windows VM. I actually have an extra section in my /etc/network/interfaces file with the following:

      # Winserver LAN interface
      auto eth0:2
      iface eth0:2 inet static
      address 0.0.0.0

      Also when you are configuring it in VirtualBox make sure the network adapter for the VM is in bridged mode. Hope that helps!

  • uberbewb

    So, from what I’m seeing is the traffic still runs through an inferior router then the firewall or am I mistaken? What I’d like is my cable modem connected directly to the interface I use for Pfsense. Isn’t running through the router still kind of defeating the purpose of this firewall for a rather huge part of it? How do I know “all” traffic runs through that firewall first, unless I have to lose the other 3 ports on my router and only connect it into the WAN interface for pfsense.
    Hope this is still being responded to.

    • eberkund

      I’m not sure I follow you. I have a Motorola cable modem which is connected directly to the pfSense WAN interface. I have a couple of wireless routers also but they have DHCP disabled and are connected on the LAN side of pfSense.

      • uberbewb

        I assumed at first this was behind a router entirely. Using DHCP off of it. I scrolled below and you even mentioned using DHCP off your router. Still learning networking and stuff so needed to confirm that I could be connected directly to my modem with my pfsense install.
        Anyways, I did confirm this a while ago actually. Thanks for this!