In this manual I will explain some bugs and tricks for installing the pfSense firewall on KVM.
This firewall is based on FreeBSD, so some of the settings can be used for installing FreeBSD hosts as well.
We will start by creating an isolated network; this network will be used for our LAN. This step
is not mandatory, but if you want to isolate your LAN from other networks/bridges it is recommended.
In this manual I will be using the virsh command-line tool because it is faster and easier to understand.
I am running KVM under Ubuntu 11.10 64-bit, but the idea is the same under any host server such as CentOS.
Creating a private network:
Create a template file /root/privlan.xml.
All we need is to tell virsh to use the next available bridge;
no other settings are needed.

  <network>
    <name>privlan</name>
    <bridge name="virbr%d" />
  </network>
Now let's go into virsh and create the network:

  root~# virsh
  Welcome to virsh, the virtualization interactive terminal.

  Type:  'help' for help with commands
         'quit' to quit

  virsh # net-create /root/privlan.xml
  Network privlan created from /root/privlan.xml

  virsh # net-list
  Name                 State      Autostart
  -----------------------------------------
  default              active     yes
  privlan              active     no
Now, due to some bug, virsh doesn't create all the files needed, so net-autostart fails.
To overcome this we are going to edit the network definition using net-edit inside virsh;
the change can be very small, such as a name or MAC change.

  virsh # net-autostart privlan
  error: failed to mark network privlan as autostarted
  error: Requested operation is not valid: cannot set autostart for transient network

  virsh # net-edit privlan
  Network privlan XML configuration edited.

  virsh # net-autostart privlan
  Network privlan marked as autostarted
Now we are ready to fire up the install. Using virt-install we are going to create a domain called pfsense
that has 2 GB of memory, 2 virtual CPUs and 2 network interfaces of model e1000:
one on the network we just created (privlan) and one on the regular default network.
Note that you can change these settings as needed;
for example, some may want to use a bridge interface instead of the default NAT network.
Unlike Linux, FreeBSD cannot work with virtual disk caching and it does not support virtio.
The best performance I tested was with the SCSI bus.

  virt-install --connect qemu:///system -n pfsense -r 2048 --vcpus=2 \
    --disk path=/var/lib/libvirt/images/pfsense.img,size=10,cache=none,bus=scsi \
    -c /root/CD_DVD/pfSense-2.0.1-RELEASE-amd64.iso --vnc --os-variant=freebsd8 \
    --network=network:privlan,model=e1000 --network=network:default,model=e1000
The pfSense install window will come up; you can go on and install, just bear in mind that em0 (the first interface, on privlan) is your LAN.
After install, pfSense allows connections only on the LAN interface, but we created an isolated network,
so the trick here is to allow connections on the WAN interface as well.
When pfSense comes up, go into the shell (option 8), then edit config.xml via "viconfig".
Look for the WAN interface and, if present, remove these two lines:

  <blockpriv>
  <blockbogons>
Then create a new filter rule just after the any/any rule of the LAN:

  <rule>
    <type>pass</type>
    <descr><![CDATA[Default allow WAN to any rule]]></descr>
    <interface>wan</interface>
    <source>
      <any/>
    </source>
    <destination>
      <any/>
    </destination>
  </rule>
Now just reboot pfSense. The new config is applied automatically after saving, but reboot just to be sure.
After it comes up you can connect to the new pfSense with a browser; just make sure to remove the rule
we just added, or change it so that only trusted networks are allowed into pfSense.
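The config.xml edits above (drop blockpriv/blockbogons from WAN, insert a pass rule after the LAN any/any rule) and the final "allow only trusted networks" step can be done on a copy of the file instead of by hand in viconfig. The script below is an added example written for this manual, not pfSense's own tooling: it uses only the Python standard library, works on a constructed sample that mirrors the layout of a fresh config.xml, and by default writes the WAN rule with its source limited to 192.168.122.0/24 (assumed here to be libvirt's default NAT network; substitute the network you actually manage from). Passing source="any" reproduces the wide-open rule shown above, and wan_pass_sources() is the check to run afterwards so no "any" rule is left on WAN.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the layout of a fresh pfSense 2.0 config.xml
# (interfaces block plus the default "allow LAN to any" rule). Not a real file.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em1</if><ipaddr>dhcp</ipaddr><blockpriv/><blockbogons/></wan>
    <lan><if>em0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><any/></source>
      <destination><any/></destination>
      <descr><![CDATA[Default allow LAN to any rule]]></descr>
    </rule>
  </filter>
</pfsense>
"""

# Assumed admin network: libvirt's default NAT network. Change to suit.
TRUSTED_SOURCE = "192.168.122.0/24"


def parse_config(xml_text):
    """Parse a config.xml string into an element tree root."""
    return ET.fromstring(xml_text)


def unblock_wan(root):
    """Remove <blockpriv/> and <blockbogons/> from the WAN interface so traffic
    from RFC1918 space (the libvirt NAT network) reaches the filter rules.
    Returns the number of elements removed."""
    wan = root.find("interfaces/wan")
    if wan is None:
        return 0
    removed = 0
    for tag in ("blockpriv", "blockbogons"):
        for elem in wan.findall(tag):
            wan.remove(elem)
            removed += 1
    return removed


def _is_lan_any_any(rule):
    """True for a pass rule on lan with source any and destination any."""
    return ((rule.findtext("type") or "").strip() == "pass"
            and (rule.findtext("interface") or "").strip() == "lan"
            and rule.find("source/any") is not None
            and rule.find("destination/any") is not None)


def add_wan_pass_rule(root, source=TRUSTED_SOURCE):
    """Insert a WAN pass rule directly after the LAN any/any rule.
    source: a CIDR written into <source><address>, or "any" for the open rule.
    Returns the index of the new rule among <filter>'s children, or -1 if no
    LAN any/any rule was found (nothing is inserted in that case)."""
    filt = root.find("filter")
    if filt is None:
        return -1
    children = list(filt)
    anchor = next((i for i, r in enumerate(children)
                   if r.tag == "rule" and _is_lan_any_any(r)), None)
    if anchor is None:
        return -1
    rule = ET.Element("rule")
    ET.SubElement(rule, "type").text = "pass"
    ET.SubElement(rule, "interface").text = "wan"
    src = ET.SubElement(rule, "source")
    if source == "any":
        ET.SubElement(src, "any")
        descr = "Default allow WAN to any rule"
    else:
        ET.SubElement(src, "address").text = source
        descr = "Allow management from %s" % source
    ET.SubElement(ET.SubElement(rule, "destination"), "any")
    ET.SubElement(rule, "descr").text = descr
    filt.insert(anchor + 1, rule)
    return anchor + 1


def wan_pass_sources(root):
    """Source of every pass rule on wan ('any' or the CIDR). This is the
    post-install check: once the admin network is known, no 'any' should remain."""
    out = []
    for rule in root.iterfind("filter/rule"):
        if ((rule.findtext("interface") or "").strip() != "wan"
                or (rule.findtext("type") or "").strip() != "pass"):
            continue
        if rule.find("source/any") is not None:
            out.append("any")
        else:
            out.append((rule.findtext("source/address") or "").strip())
    return out


def harden_config(xml_text, source=TRUSTED_SOURCE):
    """Apply both edits to a config.xml string and return the new XML text."""
    root = parse_config(xml_text)
    unblock_wan(root)
    add_wan_pass_rule(root, source)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    new_xml = harden_config(SAMPLE_CONFIG)
    print("WAN pass sources:", wan_pass_sources(parse_config(new_xml)))
    # → WAN pass sources: ['192.168.122.0/24']
```

Run it against a copy of /conf/config.xml pulled off the VM (scp or the web GUI backup), inspect the diff, and load the result back with viconfig or the GUI restore; ElementTree drops the CDATA wrapper around descr text, which pfSense reads fine, but it is one more reason to review the output before installing it.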