Setting up pfSense in a VM with only one physical nic



  • Hi all,

    New here and to pfSense. Wanting to try it out on my fairly simple home network, but the machine I have which already runs 24/7 only has one physical NIC with no easy way to add a second (mini-ITX with no free expansion slot). I had heard it is possible to do this using a VM but not sure how that would work exactly and what the best way to accomplish this is. Basically my network is just WAN (cable) -> LAN (+ external WAP for WiFi). I do push some traffic through an OpenVPN client to get around geo-blocking (mostly Netflix) and also run an OpenVPN server so I can connect to my home LAN when out and about.

    If one physical NIC is an issue, my other option might be to repurpose an older Atom (330) based mini-ITX system in place of the one I plan to use. I could add a second NIC to it I believe, but not sure if it will be powerful enough to do the VPN stuff. My WAN connection is currently 28Mbps down/1 up. I may bump that up to 45Mbps down/3 up, but that would be as high as I would go for the foreseeable future.

    Thanks,

    Kevin



  • I did this just the other day with VMware. It is pretty simple. You just need to create a new "Private/Internal" switch and use that for the LAN virtual adapter. You will then need to allow web access to the web interface over the WAN or set up another VM also on the private switch.

    If you're looking to use PPTP, use the x86 build. You also need to add a custom command to allow OpenVPN clients to access the WAN. It's on here.



  • I'm doing the same thing: I run pfSense in a VM on ESX with one adapter configured in VMware; however, I'm using VLANs in pfSense to route my traffic over my switch.



  • Hi

    Maybe a bit late, but here is my general setup, which may be something in your direction.
    The evil WAN (cable modem) is directly attached to the core switch. The core switch gets all untagged packets and assigns VLAN 666 to them. From this point the evil WAN traffic is limited to this VLAN.
    This is the minimal setup on the WAN side.
    Then, e.g. with an ESXi host on the other side running a pfSense VM appliance, just route the evil 666 WAN tagged to the ESXi vSwitch and to a dedicated WAN portgroup configured for VLAN 666.
    The pfSense VM has two virtual interfaces, one for LAN and one for WAN. The WAN interface is attached to the WAN portgroup and the LAN interface is attached to a LAN portgroup.
    In this case pfSense can act like any physical installation as a router for NATing etc.

    The cool thing is… if you have multiple hosts and are using vSphere, you can move the running pfSense from one host to the other without any interruption of the WAN link to the network :)
    This all with just a single NIC. I use an Intel NUC by the way for running my minimal required VMs like the pfSense. So if I'm on holidays, I just shut down all other hosts, which consume a lot more power, and still can access by VPN and do some stuff.
    This setup is also useful if you have to debug your ISP connection... just attach a VM directly to the WAN... debug... and then just destroy the VM to be sure not to contaminate your LAN.

    Additional note about security:
    My first fear was that on a core switch failure for any reason, with it falling back to its default configuration, I would have the evil WAN in my local network. Depending on how much you trust your switch, you can minimize the chance of this by putting a cheap VLAN-capable switch between your cable modem and your core switch. I did this: just let the cheap VLAN-capable switch tag everything on the "WAN" port with VLAN 666. Then configure the core switch to only allow tagged VLAN 666 on the incoming port.
    With this setup, only the hopefully rare case where both switches reset to the default configuration would be a BIG problem.

    In the case the cheap switch fails and sends unexpected untagged packets, the core switch would drop them on the incoming port.
    In the case the core switch fails and reverts to the default configuration, the incoming port would not allow the incoming tagged packets.
    For me it's worth the few bucks for the additional cheap switch to handle these cases, because even if the switches run fine... the human factor (me in this case) is the biggest threat :)
    I don't have to care if I reset one of the switches to factory default for any reason.

    For sure most would say, don't let the traffic from the internet flow over the core switch, but in my home lab I don't care, as long as you know what you are doing.
    And as always, the human is the biggest risk here.

    Hope this helps someone, or maybe someone can give some feedback about this setup besides it's not best practice :)
    It's running now for about 2 years without any problems.
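The failure-mode argument in the post above (a single switch reset leaks the WAN into the LAN; with the extra tagging switch both must reset at once) can be checked by enumerating the states. This is an added illustrative model, not the poster's configuration or any vendor's switch code; the factory-default behaviour it assumes (all ports untagged in VLAN 1, tagged frames for a VLAN the port is not a member of dropped) is an assumption about typical switches.

```python
from itertools import product

WAN_VLAN = 666   # VLAN the post uses for the untrusted cable-modem side
LAN_VLAN = 1     # assumed factory default: every port untagged in VLAN 1
UNTAGGED = None  # frames from the modem carry no 802.1Q tag


def edge_switch(vlan, configured):
    """Cheap switch between modem and core: configured, it tags everything
    entering the "WAN" port with 666; reset, it forwards frames as received."""
    if configured and vlan is UNTAGGED:
        return WAN_VLAN
    return vlan


def core_switch(vlan, configured, design):
    """Core switch uplink port. Returns the VLAN the frame lands in, or None
    if dropped. design="single": port puts untagged frames into 666.
    design="chained": port accepts only tagged 666. Reset (assumed default):
    untagged frames land in VLAN 1 (the LAN), foreign tagged frames dropped."""
    if configured:
        if design == "single":
            return WAN_VLAN if vlan is UNTAGGED else None
        return WAN_VLAN if vlan == WAN_VLAN else None
    return LAN_VLAN if vlan is UNTAGGED else None


def wan_lands_in_lan(design, edge_configured, core_configured):
    """True if an untagged modem frame ends up in the LAN VLAN."""
    vlan = UNTAGGED
    if design == "chained":            # the edge switch only exists here
        vlan = edge_switch(vlan, edge_configured)
    return core_switch(vlan, core_configured, design) == LAN_VLAN


def leaking_states(design):
    """All (edge_configured, core_configured) states that leak WAN into LAN.
    For the single-switch design the edge state is irrelevant and is reported
    as True."""
    leaks = []
    for edge_ok, core_ok in product((True, False), repeat=2):
        if design == "single" and not edge_ok:
            continue
        if wan_lands_in_lan(design, edge_ok, core_ok):
            leaks.append((edge_ok, core_ok))
    return leaks


if __name__ == "__main__":
    for design in ("single", "chained"):
        print(design, "leaks when (edge, core) configured =", leaking_states(design))
```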