How to configure pfSense on a Proxmox server on Hetzner

Introduction

This guide goes through the high-level steps involved in deploying a pfSense firewall on a Hetzner root server and running virtual machines behind the firewall on a private internal network. The guide does not cover how to install pfSense or Proxmox VE; instead, it links to the Hetzner and Netgate documentation.

By the end of this article you will have deployed Proxmox on a cloud provider, installed a virtual firewall appliance and configured firewall rules to allow secured virtual machines to access the Internet.

The following minimum requirements need to be in place to achieve this outcome:

  • A Hetzner root server with adequate resources to run virtual machines.
  • An IPv4 address for the Hetzner node.
  • An additional IPv4 IP and MAC address for the pfSense virtual machine.

The Hetzner node will be deployed in a Bridged network configuration where the Proxmox node is transparent to the routing. The pfSense firewall will be assigned a public IP and will communicate directly with the gateway of the assigned IP.

Installation

The basic steps to deploy a Hetzner server are documented in the Hetzner community guide at https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve#step-1—installation and come down to:

  • Add an APT repo and update package lists.
  • Install Proxmox VE

Proxmox Network Configuration

In our example we will use an assigned subnet of 172.132.20.192/26.

  • The Proxmox node will be assigned the IP address 172.132.20.195
  • An additional IP address of 172.132.20.201 and MAC address 00:50:56:00:CA:14 have been requested from Hetzner Robot for the server.
  • The subnet has a default gateway of 172.132.20.193

By default, a new Proxmox installation creates a bridge named vmbr0 in each node. After the installation of the Proxmox node, edit the network interfaces as follows:

Remove IP addresses from the main NIC.

(Screenshot: remove the IP configuration from the main NIC)

Add the main NIC name to the Bridge ports field in the bridge settings.

(Screenshot: vmbr0 IP configuration)

The MAC address for the bridge needs to be explicitly specified. To obtain the MAC address of vmbr0, log into the Proxmox node command line via SSH and run the following command.

ip link show dev vmbr0

(Screenshot: vmbr0 physical address)

Create a file named vmbr0-extra in the /etc/network/interfaces.d directory and add the line below, where xx:xx:xx:xx:xx:xx is the Ethernet address obtained in the step above:

iface vmbr0 inet static
        hwaddress xx:xx:xx:xx:xx:xx

The network configuration file on the Proxmox node, /etc/network/interfaces, should then look as follows (substitute your own node address and gateway; the sample below was taken from a node with a different public subnet than the example above):

source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback
iface enp35s0 inet manual

#vmbr0 IPv4 configuration
auto vmbr0
iface vmbr0 inet static
        address 142.132.249.202/26
        gateway 142.132.249.193
        bridge-ports enp35s0
        bridge-stp off
        bridge-fd 0

#vmbr0 IPv6 configuration
iface vmbr0 inet6 static
        address xxxx:xxx:xxx:xxxx::x/128
        gateway fe80::1
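The steps above (read the bridge MAC, pin it in vmbr0-extra, write the bridged interfaces file) are easy to get subtly wrong by hand, and a wrong hwaddress on vmbr0 means the node disappears from the network. The script below is an added example, not part of the original guide: it extracts the link-layer address from `ip link show dev vmbr0` output and renders both files from the guide's example values (enp35s0, 172.132.20.195/26, gateway 172.132.20.193). The `ip link` output embedded in it is constructed so the script also runs off the node; it only prints the rendered files, it does not write to /etc.

```shell
#!/bin/sh
# Added example (not from the original guide). Renders the vmbr0-extra and
# /etc/network/interfaces contents the guide describes, deriving the bridge
# MAC from `ip link` output. Nothing is written to /etc; review, then copy.

NIC=${NIC:-enp35s0}                         # guide's physical NIC name
ADDR=${ADDR:-172.132.20.195/26}             # Proxmox node address (guide)
GATEWAY=${GATEWAY:-172.132.20.193}          # subnet default gateway (guide)

# Constructed sample of `ip link show dev vmbr0` output, used when the
# script is not running on the Proxmox node itself.
SAMPLE_IP_LINK='5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether a8:a1:59:12:34:56 brd ff:ff:ff:ff:ff:ff'

# Pull the six-octet Ethernet address out of `ip link` output read on stdin.
extract_mac() {
    awk '$1 == "link/ether" { print $2; exit }'
}

# /etc/network/interfaces.d/vmbr0-extra: pins the bridge MAC so it does not
# change when bridge members come and go (Hetzner filters unknown MACs).
render_vmbr0_extra() {
    printf 'iface vmbr0 inet static\n        hwaddress %s\n' "$1"
}

# /etc/network/interfaces: NIC carries no IP, vmbr0 owns the address and
# bridges the NIC. The IPv6 stanza from the guide is left to the reader.
render_interfaces() {   # args: nic addr/prefix gateway
    cat <<EOF
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback
iface $1 inet manual

#vmbr0 IPv4 configuration
auto vmbr0
iface vmbr0 inet static
        address $2
        gateway $3
        bridge-ports $1
        bridge-stp off
        bridge-fd 0
EOF
}

# Prefer the live bridge; fall back to the constructed sample elsewhere.
if ip link show dev vmbr0 >/dev/null 2>&1; then
    MAC=$(ip link show dev vmbr0 | extract_mac)
else
    MAC=$(printf '%s\n' "$SAMPLE_IP_LINK" | extract_mac)
fi

echo "# --- /etc/network/interfaces.d/vmbr0-extra ---"
render_vmbr0_extra "$MAC"
echo "# --- /etc/network/interfaces ---"
render_interfaces "$NIC" "$ADDR" "$GATEWAY"
```

Run it on the node first to check that the extracted MAC matches what `ip link` shows, then copy the two rendered files into place and apply them with `ifreload -a` (or a reboot) from a console session rather than over SSH, so a mistake does not lock you out.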

Add a secondary Linux Bridge

Navigate to the Proxmox node System > Network section to create a secondary bridge interface. In this example we will create a bridge named vmbr1 and a comment to distinguish it from the primary bridge. The secondary bridge interface will not need an IP address or Bridge Ports.

(Screenshot: bridge interface for the private network)

Virtual machines on the internal network will be attached to this bridge as well as the pfSense internal interface. Since vmbr1 has no physical network interface it cannot direct traffic outside the node itself. Traffic from virtual machines will only flow through the pfSense firewall.

ISO Images

Upload the pfSense ISO image to the local storage under ISO Images. Upload ISO images for all other operating systems that will be deployed as virtual machines on the Proxmox node.

What is pfSense

pfSense is a free and open source firewall and router that is maintained by Netgate. pfSense includes unified threat management, load balancing, multi-WAN, VPN and many other network security features.

pfSense can be deployed as a physical appliance sold by Netgate, as a virtual machine on most of the leading virtualization platforms or cloud environments (AWS and Azure). pfSense is based on FreeBSD so it can also be deployed on consumer/server hardware that is compatible with FreeBSD.

Create a new virtual machine for pfSense firewall

A virtual machine will be deployed on the Proxmox node to run the pfSense firewall. Most settings in the virtual machine creation wizard can be left at default.

The following parameters need to be specified according to user requirements.

  • In the General section, specify a Name for the virtual machine
  • In the OS section, select an ISO image for the pfSense installation.
  • In the System section, you can choose UEFI boot by selecting the following settings on the System page of the wizard.
    • Set Machine to q35
    • Set BIOS to OVMF (UEFI)
    • Add an EFI disk when prompted
    • Pick the storage for the EFI disk.
  • In the Disk section, select a minimum of 8 GB.
  • In the CPU section, select the number of cores to assign to the virtual machine.
    • Heavy VPN use on the pfSense software will increase CPU requirements. Encrypting and decrypting traffic is CPU intensive.
  • In the Memory section, select the memory size.
    • Some packages increase RAM requirements significantly. For guidance on pfSense hardware sizing consult Netgate documentation https://docs.netgate.com/pfsense/en/latest/hardware/size.html
    • Allocate adequate RAM for large environments requiring state tables. A firewall with 1 GB of RAM will default to 100,000 states which when full would use about 100 MB of RAM.
  • In the Network section, select vmbr0 in the Bridge setting. Enter the virtual MAC address that was allocated by Robot for the additional IP address.
  • Confirm all settings and check the box to start the VM after creation.

Once the virtual machine has been created, edit the virtual machine settings to add a new Network Device and attach it to vmbr1. This network interface will be the private network on the firewall.
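The wizard settings above map one-to-one onto Proxmox's `qm create` command, which is worth having in a script so the firewall VM definition is reviewable and can be recreated identically. The block below is an added example, not from the original guide or the pfSense project. It renders that command from the guide's values (q35, OVMF with an EFI disk, 8 GB disk, WAN NIC on vmbr0 with the Robot-issued MAC 00:50:56:00:CA:14, LAN NIC on vmbr1) and checks the MAC before use, because a mistyped Robot MAC is dropped by Hetzner's switch and the WAN simply never sees traffic. The VMID, the storage IDs `local-lvm` and `local`, the core/memory counts and the ISO file name are assumptions to override via environment variables.

```shell
#!/bin/sh
# Added example (not from the original guide). Builds the `qm create` call
# matching the wizard steps; prints it for review, runs it only with --apply.

VMID=${VMID:-100}                                   # assumed free VMID
VM_NAME=${VM_NAME:-pfsense}
CORES=${CORES:-2}                                   # raise for heavy VPN use
MEMORY_MB=${MEMORY_MB:-2048}                        # see Netgate sizing guide
DISK_GB=${DISK_GB:-8}                               # guide's minimum
WAN_MAC=${WAN_MAC:-00:50:56:00:CA:14}               # issued by Hetzner Robot
STORAGE=${STORAGE:-local-lvm}                       # assumed disk storage id
ISO=${ISO:-local:iso/pfSense-PLACEHOLDER.iso}       # placeholder ISO volume

# Accept only a colon-separated unicast MAC (even first octet). Anything else
# would be an additional-IP MAC typo that the upstream switch silently drops.
valid_unicast_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    [ $(( $(printf '%d' "0x${1%%:*}") & 1 )) -eq 0 ]
}

# One argument per line; no value contains whitespace, so the caller may
# word-split the output safely. Secure Boot keys are not pre-enrolled because
# the FreeBSD loader pfSense uses is not signed for them.
qm_create_args() {
    cat <<EOF
create
$VMID
--name
$VM_NAME
--ostype
other
--machine
q35
--bios
ovmf
--efidisk0
$STORAGE:1,efitype=4m,pre-enrolled-keys=0
--scsihw
virtio-scsi-pci
--scsi0
$STORAGE:$DISK_GB
--cores
$CORES
--memory
$MEMORY_MB
--net0
virtio=$WAN_MAC,bridge=vmbr0
--net1
virtio,bridge=vmbr1
--cdrom
$ISO
--onboot
1
EOF
}

# Single-line rendering of the command for a human to review.
qm_create_cmd() {
    printf 'qm'
    qm_create_args | while IFS= read -r arg; do printf ' %s' "$arg"; done
    printf '\n'
}

if ! valid_unicast_mac "$WAN_MAC"; then
    echo "refusing to continue: '$WAN_MAC' is not a unicast MAC address" >&2
    exit 1
fi

if [ "${1:-}" = "--apply" ]; then
    set -- $(qm_create_args)      # safe: no argument contains whitespace
    qm "$@"
else
    qm_create_cmd
fi
```

Without arguments the script only prints the command; compare it against the wizard steps, then rerun with `--apply` on the Proxmox node. The second NIC on vmbr1 is created in the same call, so the separate "add a Network Device" edit described above is already done.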

pfSense installation

Netgate, the owner of the pfSense open-source project, maintains comprehensive documentation on every topic from basic installation to advanced configuration of the pfSense firewall. The following is an in-depth guide on the initial installation of pfSense firewall https://docs.netgate.com/pfsense/en/latest/install/install-walkthrough.html

pfSense Initial Configuration

Start the pfSense virtual machine and connect to the Console to begin initial configuration.

  • Skip VLAN assignment.
  • Assign vtnet0 to WAN interface.
  • Assign vtnet1 to LAN interface.

pfSense IP address assignment

From the pfSense console, select option 2) Set interface(s) IP address.

  • At the prompt, type 1 to configure the WAN interface.
  • At the prompt, type N to use a static IP address.
  • Enter the new IP address, for example: 172.132.20.201
  • Enter the WAN IPv4 subnet bit count: 26
  • Enter the WAN IPv4 upstream gateway address: 172.132.20.193
  • Configure the WAN IPv6 via DHCP or manually, or press Enter for none if IPv6 isn’t being used.
  • The changes will be saved. Press Enter one last time to exit.

At this point the pfSense firewall is connected to the Internet and can reach public resources using the WAN interface.

Disable Hardware Checksums for VirtIO interfaces

The pfSense virtual machine will not pass traffic properly unless hardware checksum offloading is disabled. To disable hardware offload, we need to access the pfSense Web Admin console.

By default, all access from the pfSense WAN interface is disabled. We will use a virtual machine on the internal network behind pfSense to access the pfSense Web Admin console.

Private virtual machine behind pfSense

We will use a virtual machine on the internal network behind pfSense to reach the pfSense LAN address.

  • Deploy a virtual machine running a desktop operating system using the same steps as outlined above and attach it to the vmbr1 bridge.
  • Assign the virtual machine an IP address in the range of the pfSense internal interface, such as 192.168.1.10/24.
  • Open a browser and log in to the pfSense internal IP address, https://192.168.1.1
  • Navigate to System > Advanced, Networking tab, enable Disable hardware checksum offload, save, and reboot the firewall.

By default, on a two-interface LAN and WAN configuration, pfSense software configures a default allow rule on the LAN: everything out to the Internet from the LAN is permitted. At this point, you can change the pfSense internal interface to any RFC 1918 subnet and use that subnet for virtual machines on the internal network. Firewall rules should now be managed according to the following best practices.

  • Use short rulesets and utilize aliases for maintainability.
  • Review firewall & NAT rules on a regular basis.
  • Use rule descriptions and maintain a configuration document.
  • Review firewall logs at Status > System Logs > Firewall and use block rules to reduce log noise.
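Reviewing the firewall log by eye does not scale once the WAN address starts receiving the usual background scanning, and the last bullet only helps if you know which traffic is repetitive enough to deserve its own non-logging block rule. The script below is an added example, not from the original guide or from Netgate: it summarises pfSense filterlog entries by blocked protocol/destination port and by source address. The field layout follows the comma-separated filterlog format as documented by Netgate (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, IPv4 header fields, protocol, length, source, destination, ports); confirm it against your own log before relying on the column numbers. The log lines embedded in it are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original guide). Summarises pfSense filterlog
# lines to show which blocked traffic dominates the log, i.e. candidates for
# a dedicated block rule with logging disabled. Pass a log file as $1, or run
# without arguments to use the constructed sample below.

SAMPLE_LOG='Jun  1 10:00:01 pfSense filterlog[2345]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.23,172.132.20.201,51234,23,0,S,12345,,65535,,mss
Jun  1 10:00:02 pfSense filterlog[2345]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.23,172.132.20.201,51235,23,0,S,12346,,65535,,mss
Jun  1 10:00:03 pfSense filterlog[2345]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.23,172.132.20.201,51236,23,0,S,12347,,65535,,mss
Jun  1 10:00:04 pfSense filterlog[2345]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,128,0,0,none,17,udp,78,203.0.113.9,172.132.20.201,5000,5060,58
Jun  1 10:00:05 pfSense filterlog[2345]: 7,,,1000000201,vtnet1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,1.1.1.1,50001,443,0,S,33333,,65535,,mss'

# Strip the syslog prefix; keep only the CSV payload after "filterlog[pid]: ".
filterlog_csv() {
    sed -n 's/^.*filterlog\[[0-9]*\]: //p'
}

# Field positions (1-based, IPv4 entries): 7 action, 9 IP version,
# 17 protocol name, 19 source, 20 destination, 21 source port, 22 dest port.

# Blocked IPv4 flows per protocol/destination port, most frequent first.
blocked_by_dport() {
    filterlog_csv | awk -F, '$7 == "block" && $9 == 4 { n[$17 "/" $22]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Blocked IPv4 flows per source address, most frequent first.
blocked_by_src() {
    filterlog_csv | awk -F, '$7 == "block" && $9 == 4 { n[$19]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Count of blocked IPv4 entries for one protocol and destination port.
count_blocked() {   # args: proto dport
    filterlog_csv | awk -F, -v p="$1" -v d="$2" \
        '$7 == "block" && $9 == 4 && $17 == p && $22 == d { c++ }
         END { print c + 0 }'
}

if [ -n "${1:-}" ]; then
    LOG=$(cat "$1")
else
    LOG=$SAMPLE_LOG
fi

echo "# blocked flows by protocol/destination port"
printf '%s\n' "$LOG" | blocked_by_dport
echo "# blocked flows by source address"
printf '%s\n' "$LOG" | blocked_by_src
```

On the firewall the raw file is /var/log/filter.log; for a quick look, run the script against a copy of it and check whether the top entries are expected probes (the sample shows tcp/23 dominating from one source). A block rule for that traffic with "Log packets" unchecked, placed above the default log-everything block, keeps the log for the events you actually want to see without changing what is blocked.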

pfSense remote access

The safest method to access the firewall remotely is to use a VPN that will allow access to the firewall and the network it protects. VPN options available include IPsec and OpenVPN.

Once connected through a VPN, the pfSense GUI can be safely accessed using a local address on the firewall, such as the LAN IP address.

You can find out more on how to securely access the GUI from Netgate documentation at https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html

Summary

We have gone through the high-level steps required to deploy a pfSense firewall and private network on a bare-metal server running Proxmox on the Hetzner cloud. We hope this guide has been helpful to anyone looking to deploy any of the components discussed in this article or the complete solution.
