pfSense is a free, open-source software distribution based on FreeBSD that provides firewall and routing functions for your network. It is known for offering many advanced firewall features often found in commercial solutions. pfSense is well suited to a home network, a small to medium-sized business, and any other IT environment that needs an open-source, customizable, powerful, and flexible firewall solution.

Here are the steps that you’ll use to install, configure and use pfSense in your Proxmox VE environment running on the Hetzner Cloud platform. This article assumes you have the following requirements met:

1. Request an Extra Public IP Address

We need to request an additional public IP address for routing traffic from the private subnet to the outside world. The main public IPv4 address provided by Hetzner does not support routing of traffic to external networks.

This is done from Server > IPs > Order Additional IPs/Nets

Choose “One additional IP” and describe the intended use in the “Purpose of use” box to go with this request.

Once you have the additional IP address, request a MAC address for it. The generated MAC will be used by the pfSense virtual machine when routing traffic to the WAN.

Click the link to request for the MAC address.

2. Configure Proxmox VE Server Networking

Write down the following network information needed for configurations.

  • Primary Public IP address assigned to your server
  • Primary network CIDR block
  • Secondary IP address ordered
  • MAC Address of the secondary IP address you generated
  • Default Gateway
  • Primary Network Netmask

Open your main networking script for editing.

sudo vim /etc/network/interfaces

Here are the network configurations you can modify to suit your environment.

### Hetzner Online GmbH installimage

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback


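# Physical NIC, attached to vmbr0 as its bridge port
iface <interface-name> inet manual

  # Reach other hosts in the primary network through the gateway
  up route add -net <Primary-Network> netmask <Primary-Subnet> gw <Primary-Gateway> dev vmbr0
  # Allow the host to forward IPv4 packets
  up sysctl -w net.ipv4.ip_forward=1
  # Do not send ICMP redirects from this interface
  up sysctl -w net.ipv4.conf.<interface-name>.send_redirects=0
  # Allow the host to forward IPv6 packets
  up sysctl -w net.ipv6.conf.all.forwarding=1
  # Send the private (RFC 1918) ranges to the secondary IP used by the pfSense WAN
  up ip route add 192.168.0.0/16 via <Secondary-IP> dev vmbr0
  up ip route add 172.16.0.0/12 via <Secondary-IP> dev vmbr0
  up ip route add 10.0.0.0/8 via <Secondary-IP> dev vmbr0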

iface <interface-name> inet6 static
	address <IPv6-Address>
	gateway <IPv6-Gateway>


auto vmbr0
iface vmbr0 inet static
        address  <Primary-IP>
        netmask  32
        gateway  <Primary-Gateway>
        bridge-ports <interface-name>
        bridge-stp off
        bridge-fd 0
        pointopoint <Primary-Gateway>

# This serves as a virtual switch for your DMZ
# (VM instances and private DMZ hosts are connected to this network)
auto vmbr1
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0
#LAN0

After making the changes, restart the server's networking service.

/etc/init.d/networking restart 

If it fails, you can reboot the server.
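
Once networking is back up, it is worth confirming that the three private ranges really are routed to the secondary IP over vmbr0, since a missing `up` route leaves that traffic on the default gateway. The following check is an added example, not part of the original article; the function name and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Usage on the Proxmox host:  ip route show | check_private_routes <Secondary-IP>

check_private_routes() {
    # $1 = secondary IP (pfSense WAN); stdin = output of `ip route show`
    secondary_ip=$1
    table=$(cat)
    missing=0
    for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
        # Compare whole fields so that only the exact prefix and gateway match.
        if printf '%s\n' "$table" | awk -v net="$net" -v gw="$secondary_ip" '
            $1 == net && $2 == "via" && $3 == gw {
                for (i = 4; i < NF; i++)
                    if ($i == "dev" && $(i + 1) == "vmbr0") ok = 1
            }
            END { exit ok ? 0 : 1 }'
        then
            echo "OK       $net via $secondary_ip dev vmbr0"
        else
            echo "MISSING  $net via $secondary_ip dev vmbr0"
            missing=$((missing + 1))
        fi
    done
    return "$missing"   # number of routes that are absent or point elsewhere
}

# Constructed sample (documentation addresses): 203.0.113.10 stands in for
# <Secondary-IP>; the 192.168.0.0/16 route wrongly points at the gateway.
SAMPLE_ROUTES='default via 198.51.100.1 dev vmbr0 onlink
10.0.0.0/8 via 203.0.113.10 dev vmbr0
172.16.0.0/12 via 203.0.113.10 dev vmbr0
192.168.0.0/16 via 198.51.100.1 dev vmbr0'

printf '%s\n' "$SAMPLE_ROUTES" | check_private_routes 203.0.113.10 ||
    echo "$? private route(s) need attention"
```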

3. Download and Install pfSense

Download the latest stable ISO image of pfSense.

wget https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.7.2-RELEASE-amd64.iso.gz

Extract downloaded image file.

gunzip pfSense-CE-*-RELEASE-amd64.iso.gz

Move the created ISO file into the /var/lib/vz/template/iso/ directory.

sudo mv pfSense-CE-*-RELEASE-amd64.iso /var/lib/vz/template/iso/

You can confirm from the web console that the image was uploaded.
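
Because this image becomes the firewall for everything behind it, the download, extract and move steps above can be combined with an integrity check. The function below is an added example, not part of the original article; it assumes you have the SHA-256 value the vendor publishes for the compressed .iso.gz file (shown as a placeholder, since the article does not give it), and the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Run as root on the Proxmox host:
#   stage_verified_iso <file>.iso.gz <published-sha256> /var/lib/vz/template/iso
# <published-sha256> is a placeholder for the value the vendor publishes.

stage_verified_iso() {
    # $1 = downloaded .iso.gz, $2 = expected SHA-256 (hex), $3 = ISO directory
    archive=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    iso_dir=$3

    [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 2; }
    [ -d "$iso_dir" ] || { echo "no such directory: $iso_dir" >&2; return 2; }

    # Hash the file exactly as downloaded, before anything unpacks it.
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1        # nothing is unpacked or staged
    fi

    # Unpack under a temporary name so that a partial image never appears
    # in the ISO list, then move it into place.
    name=$(basename "${archive%.gz}")
    part="$iso_dir/.$name.part"
    if gzip -dc "$archive" > "$part"; then
        mv "$part" "$iso_dir/$name"
    else
        rm -f "$part"
        return 3
    fi
    echo "staged $iso_dir/$name (sha256 $actual)"
}
```

A return value of 1 means the file on disk does not match the published checksum and should be downloaded again rather than installed.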

Create the pfSense VM from the uploaded image.

Under Network, set the default bridge to vmbr0. Choose “Intel E1000” for the model and paste the MAC address generated in the Hetzner root server console into the “MAC address” box.

Once the VM is created, add the other bridge, vmbr1, under Hardware > Add > Network Device.

Select bridge vmbr1 and choose “Intel E1000” for the model.

Begin the pfSense installation process after adding the extra network interface.

Reboot when asked to do so after installation is successful.

As seen in the screenshot, the WAN interface will automatically get an IP address assigned.

The default LAN network is 192.168.1.0/24, but this can be changed using option 2. See the example below.

4. Install a VM on the LAN Network

We can now install a virtual machine on the LAN network. Traffic will be routed through the extra public IP address for internet access.

You can confirm that the IP address is assigned by the DHCP server on pfSense.

Conclusion

Deploying pfSense on Proxmox gives you full control of VM networking. You can configure the firewall and install other services on pfSense that let you control what gets into and out of your IT infrastructure.
