https://knightoftheinter.net/blog/{20190204,pfsense-vm-host-firewall-pt1}{,.xhtml,.odt}

 

 Networking Windows 7 through pfSense using a VirtualBox VM on the same host;

enabling extremely awesome (powerful and mostly intuitive) router-level firewalling and UI for any user who can run a virtual machine.

 

 A virtual machine, used well, enables me to augment how I use my gaming/workstation. For personal fun and employment, I write a lot of software which I expect to run on virtual machines.

 

 I’ve also found that running certain things such as Firefox inside of a virtual machine can help isolate it; I can save machine state and inspect differences between clients. It also allows me to create more browser-based client sessions as needed, for the most part. It’s handy to be able to boot up multiple different operating systems simultaneously on the same physical host computer.

 

 And I could imagine how it should allow me to dedicate specific hardware resources to certain tasks, and to monitor, at a very fine-grained level, how tasks could and do interact with each other. To connect two points: I can ensure that websites still function, but exclude traffic I don’t wish to permit. It’s not perfect, but it’s a start. And since it can all be forced to go through routing and firewall software, it enables inspection of whatever data is being transmitted to ensure that data sent or received meets what I desire for privacy.

 

 A core piece of this is the ability to run pfSense inside of a VirtualBox virtual machine and route the host’s physical networking through it, both for Windows 7 and Linux. This is facilitating my transfer away from so much Windows and Microsoft; Windows 7 will be the last Windows OS I use. That’s worth another message at another time.

 

It’s important to know what you will need before you get started. You will need:

 

* VirtualBox successfully installed on your host OS and you can launch VMs

* pfSense installation disk image (ISO) and some GBs available for virtual disk

* ability (permission and know-how) to control the networking interfaces on your host machine (administrator or root permissions)

 

After you’ve installed VirtualBox, you’ll need to add or enable a host-only interface. You can create more than one if you wish; you could assign different ones to different VMs and control how they talk to each other.

 

 

Access the Host Network Manager through the main VirtualBox menu. An example of the host network manager is displayed below.

 

You can see that I have several host-only interfaces. I blacked-out my local IP addresses. Call me silly if you want. I have configured certain interfaces for certain applications in different VMs. Note that enabling the DHCP here will enable VirtualBox’s internal DHCP server.

 

 

There do not appear to be very many tunables to VirtualBox’s DHCP server. pfSense’s is way more powerful. So VirtualBox’s DHCP is useful for bootstrapping (such as, a management interface), but not so great if you want to enable TFTP for having VMs boot over networking (one of many ways pfSense shines).

 

While I won’t show how that’s done here, it’s something I can show later: booting a VM from networking is awesome, especially if you can share that across a physical network. I have multiple computers and want to boot them using a network boot.

 

After you have configured your host interface, you should create a VM for pfSense. How you size it is up to you, but I will provide some guidance:

* you probably don’t need a lot of RAM assigned unless you have a lot of stuff; 4096GB should be plenty

 

* I set my virtual disk maximum size to 16GB, fixed size; the format doesn’t matter too terribly so I used VHD. You can probably get away with 2/3 of that.

 

* after you’ve created the VM, go in and:

* two cores should be plenty (maybe four if you have HyperThreading enabled; beware HyperThreading security issues)

 

* enable all four network adapters.

* set adapter 1 to bridged, this will be LAN

 

* set adapter 2 to internal network, name it firewall

* set adapter 3 to host-only adapter

* set adapter 4 to something else; in my screenshots you can see it’s bridged to a 10Gbit NIC

 

You can leave Promiscuous Mode off for now though it can be useful for some setups. Note that pfSense will see and display them named `em0` through `em3`.

 

Moving on to serial ports: pfSense has an option to allow login via serial console in addition to the VGA/keyboard. If you want to play with that, turn that on here. It’s worth noting that VirtualBox 5.x does not allow you to change what the serial port is connected to while the machine is running. Apparently that’s fixed in 6.x but I haven’t yet upgraded.

 

I have the serial port connected to a USB-to-serial-port device on COM19 in the screenshot below. The other end goes to my Linux machine :)

 

The rest is pretty uninteresting. Make sure to assign the pfSense disk image to the emulated DVD-ROM and the VM will boot. So save it all and hit start.

 

It only does this the first time you boot though; if you nope-out of that window and come back later, it will not remind you to attach an image to the DVD-ROM and assume you are, like me, smarter than you claim. And today we’re not going to talk about network booting so let’s not prove it today.
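The VM settings described above (sizing, the fixed 16GB VHD, the four adapters and the install ISO) can also be applied with `VBoxManage` instead of the GUI. This is an added example, not a script from the original post; the VM name, file paths, host interface names and memory value are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: the post's VM settings as VBoxManage calls (dry run by default).
# All names and paths below are assumptions; override them via the environment.
VM=${VM:-pfsense}                     # hypothetical VM name
ISO=${ISO:-pfSense-installer.iso}     # placeholder path to the pfSense ISO
DISK=${DISK:-pfsense.vhd}             # where the virtual disk is created
LAN_IF=${LAN_IF:-eth0}                # host NIC bridged to adapter 1
HOSTONLY_IF=${HOSTONLY_IF:-vboxnet0}  # host-only interface for adapter 3
EXTRA_IF=${EXTRA_IF:-eth1}            # host NIC bridged to adapter 4
MEM_MB=${MEM_MB:-4096}                # --memory is given in megabytes

# Print each command unless APPLY=1, so the plan can be reviewed before it runs.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# If no host-only interface exists yet, create one first:
#   VBoxManage hostonlyif create
build_pfsense_vm() {
    run VBoxManage createvm --name "$VM" --ostype FreeBSD_64 --register
    run VBoxManage modifyvm "$VM" --cpus 2 --memory "$MEM_MB"
    # 16 GB fixed-size VHD
    run VBoxManage createmedium disk --filename "$DISK" --size 16384 --format VHD --variant Fixed
    run VBoxManage storagectl "$VM" --name IDE --add ide
    run VBoxManage storageattach "$VM" --storagectl IDE --port 0 --device 0 --type hdd --medium "$DISK"
    run VBoxManage storageattach "$VM" --storagectl IDE --port 1 --device 0 --type dvddrive --medium "$ISO"
    # Adapter 1: bridged, 2: internal network "firewall", 3: host-only, 4: bridged
    run VBoxManage modifyvm "$VM" --nic1 bridged --bridgeadapter1 "$LAN_IF"
    run VBoxManage modifyvm "$VM" --nic2 intnet --intnet2 firewall
    run VBoxManage modifyvm "$VM" --nic3 hostonly --hostonlyadapter3 "$HOSTONLY_IF"
    run VBoxManage modifyvm "$VM" --nic4 bridged --bridgeadapter4 "$EXTRA_IF"
    # Promiscuous mode stays off on every adapter
    for n in 1 2 3 4; do
        run VBoxManage modifyvm "$VM" --nicpromisc"$n" deny
    done
}

build_pfsense_vm
```

Run it as-is to print the plan, then with `APPLY=1` to execute it. On a Windows host the interface names are the adapter names shown in the Host Network Manager.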

During the installation, I used all of the defaults. It appears the only real core question it asks is about disk partitioning. Like I said, I simply used the default since I don’t need anything complex for this particular VM. You probably don’t either.

 

 

After you’ve passed the installation configuration, it will ask you to reboot.


From there, you have pfSense installed, not configured; your local machine still connects directly to the internet instead of through a VM. But this post is getting long and I spent a while writing this and I want to start fresh. So next up, bro.


Cheers,
inetknght
blogspam@knightoftheinter.net