best approach for pFsense on Windows VM?
-
I'm new to virtualization, usually keeping with the "simpler is better" mantra. And, if I'm truthful, this stuff is complicated and I consider myself fortunate to have worked through some networking issues with the powerful-but-complex pFsense.
So I've got a powerful pFsense PC (Intel D-2123IT Supermicro X11SDV-4C-TP8F) in my equipment closet that only gets taxed by pFsense when I run the VPN at high bandwidth, which is rare. It's sitting there largely unused, its performance only needed occasionally. I have some Windows home automation software (Homeseer), and am adding video surveillance. I have a Windows media server in the same closet currently running the home automation, which adds little load. Video recording from multiple cameras, however, doesn't seem like a good fit for the RAID array in the media server. Also, I would like to keep/move these always-on functions like network routing, home automation and video surveillance onto the low-power pFsense hardware. This also simplifies what must be powered to keep the house functional. Not having the big media server as part of that requirement seems appropriate.
How difficult is it to set up a Windows VM and move a working pFsense installation to the virtual machine? What is the best VM software to use? Is this a project I should even be considering, or is the complexity likely to outstrip my average home networking and operating system skills? Is there any reason to think the other network-heavy applications running in Windows on the pFsense machine, as mentioned, would cause or receive any problems in this proposed virtualized setup?
-
@lifespeed
Sounds like you are looking for a hypervisor. Normal choices I thought were:
- Proxmox
- VMware ESXI
- Windows server
-
@patch yes I realize the hypervisor software is what I need. I'm wondering about the overall difficulty of the task moving from a working bare-metal install to running pFsense under Windows in a VM. Is there a guide, FAQ or how-to for this configuration? Is one of the Hypervisor software preferable to another?
-
You can easily install pfSense on a VirtualBox within Windows.
Download VirtualBox: https://www.virtualbox.org/
Download pfSense iso: https://www.pfsense.org/download/
Extract the iso
Open VirtualBox and Create a new VM
You will need to open the Machine Settings menu and mount the iso
Start the machine and install pfSense
When you reach the Reboot portion of the install, go back to the virtual machine storage menu and unmount the disk. If you don't do this, the iso will run and start the installer again.
Reboot the machine and configure with the web UI using the gateway address shown on the powered up pfSense VM LAN address.
If you want another VM to connect to the pfSense VM select "Internal Network" on the VM network adapter settings.
Create a snapshot after initial configuration and as desired to easily reload the VM to a specified backup.
-
@landr5 thanks for the overview, looking into the various hypervisors now. I'm mostly concerned with making the virtual network connections and having the router function and accessible. Can I then import the pFsense configuration from the bare metal install to the VM instance?
The easiest Hypervisor might be Windows Server, but it is expensive and is limited to two VMs. More reading.
-
If you have pfSense configured already you can make a backup and then import it to your VM.
https://docs.netgate.com/pfsense/en/latest/backup/configuration.html
I'm not sure what the advantage would be using Hyper-V. I have no experience with it. You can run multiple boxes with VirtualBox.
Regarding routing: You can configure pfSense to act as DHCP server and point your other hardware to it as the gateway.
If you are setting up a non-personal use VirtualBox and want an Enterprise license you can find those here: https://shop.oracle.com/apex/f?p=dstore:product:7694279212516::NO:RP,6:P6_LPI,P6_PPI:114347640102492137513432
-
You can't just restore the old config, it will not work because of different NIC-drivers I think. Maybe you can partially restore it.
But better start fresh, how complicated can it be?
I have so many interfaces that pfSense is only showing me a list for the rules.
-
Good points all, I was afraid that a simple restore of the pFsense config wouldn't work.
-
@bob-dig said in best approach for pFsense on Windows VM?:
You can't just restore the old config, it will not work because of different NIC-drivers I think
Worked for me; however, when it boots the first time you have to reassign the network interfaces
- WAN
- LAN
- Opt1
- Opt2
Etc
Note you have to use these original names not what you have renamed them to.
PS
I did not set up VLAN when restoring to a new machine. I did that after by
- Login to a non VLAN interface
- Interfaces -> Assignments -> VLAN
- Select each VLAN in turn -> Edit -> Set correct parent interface
There may be other ways of doing it and you may need to experiment depending on the ordering of physical vs virtual lan interfaces so numbering of Opt1, ... OptN
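
An added example, not part of the post above and not pfSense's own tooling: the NIC-driver mismatch discussed in this thread can also be handled by rewriting the interface names in the backup before restoring it. It assumes the backup keeps assignments under `<interfaces>` and VLAN parents under `<vlans>` as in the constructed sample, and the NIC names (`igb0`/`igb1` on the old hardware, `em0`/`em1` in the VM) are assumptions; only physical NIC and VLAN entries are handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed pfSense config.xml backup (not from the thread).
SAMPLE_BACKUP = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb1.20</if><descr>CAMERAS</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>20</tag><vlanif>igb1.20</vlanif></vlan>
  </vlans>
</pfsense>"""

# Places in the backup that carry a NIC name (assumed layout, see lead-in).
NIC_PATHS = ("interfaces/*/if", "vlans/vlan/if", "vlans/vlan/vlanif")


def remap_nic(name, nic_map):
    """Map 'igb1' or 'igb1.20' to the new parent NIC, keeping the VLAN tag."""
    parent, dot, tag = name.partition(".")
    if parent not in nic_map:
        # Fail loudly: an unmapped NIC would leave that interface unassigned.
        raise KeyError(f"no mapping for NIC {parent!r}")
    return nic_map[parent] + dot + tag


def remap_config(xml_text, nic_map):
    """Return (rewritten XML, {old name: new name}) for a config backup."""
    root = ET.fromstring(xml_text)
    changes = {}
    for path in NIC_PATHS:
        for node in root.findall(path):
            old = node.text.strip()
            node.text = changes[old] = remap_nic(old, nic_map)
    return ET.tostring(root, encoding="unicode"), changes


def assignments(xml_text):
    """List which NIC each logical interface (wan, lan, opt1, ...) uses."""
    root = ET.fromstring(xml_text)
    return {iface.tag: iface.findtext("if") for iface in root.find("interfaces")}


if __name__ == "__main__":
    new_xml, changed = remap_config(SAMPLE_BACKUP, {"igb0": "em0", "igb1": "em1"})
    print(changed)
    print(assignments(new_xml))
```

Review the rewritten file against the VM's actual interface list before restoring it, and keep the untouched backup.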
-
@lifespeed said in best approach for pFsense on Windows VM?:
I'm wondering about the overall difficulty of the task moving from a working bare-metal install to running pFsense under windows in a VM
You need a fallback plan for when your pfsense install is not working. I use an old physical router configured to support core Internet access. The biggest risk is when you update your hypervisor. Updating pfsense is relatively low risk as you can use both restore from a backup configuration and snapshots or clone on your hypervisor.
For a guide start with the Netgate configuration recipes
- Virtualizing with Proxmox VE
- Virtualizing pfSense with Hyper-V
- Virtualizing pfSense with VMware vSphere / ESXi
I'm currently using Proxmox but started bare metal pfsense (baby steps).
-
@patch thanks, yes, a fallback plan to preserve internet for the family is crucial. I don't have any old routers laying around, preconfigured. pFsense is very much the production router, and a good one. Failure would be painful.
I can only imagine trying to access a hyper-V core installation using a networked GUI tool . . . while the network relies on proper function of pFsense installed on a VM. Classic catch 22. Sounds like a potential can of worms, but quite elegant when actually working.
-
@lifespeed said in best approach for pFsense on Windows VM?:
I can only imagine trying to access a hyper-V core installation using a networked GUI tool
Fixing a broken hypervisor update / install is the challenge when
- You don't have Internet access through the pfsense VM
- Your family does not have Internet access.
Which is why I ended up configuring the old physical router I used prior to pfsense. It does not need to be fast, flexible or powerful. Just a limp along option is all that is needed.