Using pfSense Community Edition as a virtual router for your lab environment

When building lab and proof-of-concept solutions in a virtual environment, it's very useful to also have a virtual router so that multiple networks can connect, and to simulate larger environments. For example, to do lab setups like the one below:

(Lab network diagram) Very shiny Microsoft Paint creation 🙂

Depending on the virtualization platform, you can use built-in network configurations to route and bandwidth-limit network traffic. In this article you learn how to create a virtual router that works with all modern virtualization platforms, using a Unix-based router, pfSense, which is an open source firewall/router software distribution based on FreeBSD. You can download pfSense here: http://www.pfsense.org/download.

The pfSense firewall/router comes with tons of advanced router features; here is a list: http://www.pfsense.org/about-pfsense/features.html

Note #1: For a guide on using a Windows Server 2016 based router instead, check out this post: https://deploymentresearch.com/285/Using-a-virtual-router-for-your-lab-and-test-environment.

Note #2: If you are only interested in providing Internet access for a single network, you can just use the NAT feature in Hyper-V or VMware; there is no need for a virtual router. Ami Casto (@mdtpro) blogged about the Hyper-V NAT feature for Windows 10 and Windows Server 2016 here: https://deploymentresearch.com/558/Setting-Up-New-Networking-Features-in-Server-2016.

Scenario

The step-by-step guides in this article configure a virtual router for part of the fictional ViaMonstra network (two sites). For the full IP plan of the ViaMonstra network, see http://viamonstra.com/?page_id=25.

In this scenario you configure routing between the following local networks, and also provide them with Internet access.

  • New York: 192.168.1.0/24
  • Chicago: 192.168.4.0/24

In addition, ViaMonstra also has Internet access. In a real-world (physical) network you would have many routers, but in a virtual environment where all virtual machines run on the same host you only need one router. This also means that in this guide there are two internal virtual networks (virtual switches in Hyper-V) and one external network.

Creating the virtual networks (virtual switches in Hyper-V)

Using Hyper-V Manager (or PowerShell), create the following virtual switches (if you are new to Hyper-V, check this documentation on how to create virtual networks: http://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/connect-to-network):

  • External network
    • Name: External
    • Connection Type: External network (connected to physical network adapter of your host)
  • New York
    • Name: New York
    • Connection Type: Internal network
  • Chicago
    • Name: Chicago
    • Connection Type: Internal network

The virtual switches configured.

Create the Virtual Router VM in Hyper-V

The next step is to create a virtual machine on which pfSense will be installed later.

1. Create a Generation 1 virtual machine named GW01 with three network adapters (512 MB RAM and 60 GB disk).

2. In the virtual machine settings, connect network adapter #1 to the External virtual network.

3. Connect network adapter #2 to the New York virtual network.

4. Connect network adapter #3 to the Chicago virtual network.

5. Start the GW01 virtual machine once, and then turn it off again. This is so that Hyper-V assigns MAC addresses to the network adapters.

6. In the virtual machine settings, make a note of the MAC address of each network adapter. In my setup I had the following:

  • Adapter #1 (External): 00:15:5D:01:00:D6
  • Adapter #2 (New York): 00:15:5D:01:00:D7
  • Adapter #3 (Chicago): 00:15:5D:01:00:D8

GW01 created with three network adapters.
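The switch and VM creation above, scripted in PowerShell on the Hyper-V host. This is an added example and not part of the original post; the physical adapter name 'Ethernet' and the VHD/ISO paths are assumptions you must adjust.

```powershell
# Added example (not from the original post): builds the three Hyper-V virtual
# switches and the GW01 router VM, then reports the MAC address Hyper-V assigned
# to each adapter after a first power-on (steps 5 and 6 above).
# Run in an elevated PowerShell session on the Hyper-V host.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$hostNic = 'Ethernet'                                   # ASSUMED physical adapter name
$vhdPath = 'C:\Hyper-V\GW01\GW01.vhdx'                  # ASSUMED path
$isoPath = 'C:\ISO\pfSense-CE-2.3.3-RELEASE-amd64.iso'  # ASSUMED path; ISO name from the post

# The External switch is bound to the physical NIC; the two site switches are Internal.
if (-not (Get-VMSwitch -Name 'External' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'External' -NetAdapterName $hostNic -AllowManagementOS $true | Out-Null
}
foreach ($site in 'New York', 'Chicago') {
    if (-not (Get-VMSwitch -Name $site -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $site -SwitchType Internal | Out-Null
    }
}

# Generation 1 VM with 512 MB RAM and a 60 GB disk. New-VM creates adapter #1
# and connects it to the switch given in -SwitchName (External = WAN).
New-VM -Name 'GW01' -Generation 1 -MemoryStartupBytes 512MB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 60GB -SwitchName 'External' | Out-Null
Add-VMNetworkAdapter -VMName 'GW01' -SwitchName 'New York'   # adapter #2 (LAN)
Add-VMNetworkAdapter -VMName 'GW01' -SwitchName 'Chicago'    # adapter #3 (OPT1)
Set-VMDvdDrive -VMName 'GW01' -Path $isoPath                 # install media

# Dynamic MAC addresses stay 00:00:00:00:00:00 until the first power-on,
# hence the start/turn-off cycle from step 5.
Start-VM -Name 'GW01'
Start-Sleep -Seconds 10
Stop-VM -Name 'GW01' -TurnOff -Force

# Step 6: record which MAC belongs to which switch. You need this mapping to tell
# hn0/hn1/hn2 inside pfSense apart (External / New York / Chicago).
Get-VMNetworkAdapter -VMName 'GW01' |
    Select-Object @{ n = 'Adapter'; e = { $_.Name } }, SwitchName, MacAddress |
    Format-Table -AutoSize
```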

Installing pfSense Community Edition, Step-by-step guide

1. Follow the steps in the section Create the Virtual Router VM in Hyper-V to create the GW01 virtual machine.

2. Start the setup of pfSense Community Edition by booting the GW01 virtual machine from the pfSense-CE-2.3.3-RELEASE-amd64.iso file.

Booting the GW01 virtual machine on the pfSense-CE-2.3.3-RELEASE-amd64.iso file.

3. Allow the installer to start automatically (default), or press I if you want to save 8 seconds 🙂

4. On the Configure Console page, select the Accept these Settings option.

5. On the Select Task page, select the Quick/Easy Install option, and then confirm by clicking OK.

6. On the Install Kernel page, select the Standard Kernel option.

7. On the Reboot page, eject the pfSense ISO file, and then press Enter to reboot.

Note: Sometimes pfSense will lock the ISO so you can't eject it while on the Reboot page. If that happens, just eject when the VM reboots.

8. After reboot, on the Should VLANs be set up now option, press n, and then press Enter.

9. On the Enter the WAN interface name or 'a' for auto-detection option, type in hn0, and then press Enter.

10. On the Enter the LAN interface name or 'a' for auto-detection option, type in hn1, and then press Enter.

11. On the Optional 1 interface name or 'a' for auto-detection option, type in hn2, and then press Enter.

12. On the Optional 2 interface name or 'a' for auto-detection option, press Enter to continue.

13. On the Do you want to proceed option, press y, and then press Enter.

14. On the menu page, press 2, and then press Enter.

15. Select the LAN interface by pressing 2, and then press Enter.

16. Set a static IP address (in my example I used 192.168.1.1) and a subnet bit count (mask) of 24 (255.255.255.0).

17. Skip the upstream gateway address option by pressing Enter.

18. Skip setting an IPv6 address by pressing Enter.

19. On the Do you want to enable the DHCP server on LAN option, press n, and then press Enter.

Note: Obviously, if you want a DHCP server you would select y, but in my scenario I already have one in the New York network.

20. On the Do you want to revert to HTTP as the webConfigurator protocol option, press y, and then press Enter.

21. After the changes have been saved and the routing configuration has been reloaded, press Enter to finish the initial setup.

Configure the basic network settings on GW01

For the remaining configuration, you use the pfSense web interface (the webConfigurator feature).

1. Install Windows 10 (or any OS really) on a virtual machine named PC0001, and connect it to the New York virtual switch.

2. On PC0001, configure the following network settings:

  • IP Address: 192.168.1.10
  • Subnet mask: 255.255.255.0
  • Default Gateway: 192.168.1.1
  • DNS: Whatever DNS you are using, but for example 8.8.8.8 (Google DNS) works fine for testing.

3. Open a web browser and navigate to http://192.168.1.1.

Note: If you can't access 192.168.1.1 from PC0001, press 8 on gw01 to get a shell, and run ifconfig to verify that the networks are connected to the correct network adapters.

4. Log in as admin, using the default password of pfsense.

5. On the pfSense Setup page, click Next.

The pfSense Setup wizard.

6. On the Bling your pfSense with pfSense Gold page, click Next.

7. On the General Information page, type in gw01 as your Hostname, accept the other default settings, and click Next.

8. On the Time Server Information page, select your time zone, and click Next.

9. On the Configure WAN Interface page, configure the following:

  • Select the DHCP option (assuming your WAN network assigns one).
  • If your WAN network has an RFC1918 address range (10/8, 172.16/12 or 192.168/16), in the Block RFC1918 area, clear the Block private networks from entering via WAN check box.

Then click Next.

10. On the Configure LAN Interface page, accept the current settings (192.168.1.1/24), and click Next.

11. On the Set Admin WebGUI Password page, type in the password you want to have, twice, and then click Next.

12. On the Reload configuration page, click Reload.

Verify the NAT feature for the New York network

Time to verify that the NAT feature works for the New York network.

1. On PC0001 (the Windows machine you used to configure the gw01 virtual router), verify the following:

  • You can ping 192.168.1.1
  • You can ping 8.8.8.8
  • You can browse the Internet

Configure the Chicago network on GW01

Once the New York network is verified, let's configure the Chicago network (192.168.4.0/24).

1. On PC0001, open a web browser and navigate to 192.168.1.1.

2. Log in as admin, using the password you configured earlier.

3. In the Interfaces menu, select the LAN network, change the description to NewYork (spaces are not saved), click Save, and then click Apply Changes.

4. In the Interfaces menu, select the OPT1 network, and configure the following:

  • Description: Chicago
  • Enable the interface (check box)
  • IPv4 Configuration: Static IPv4
  • IP address: 192.168.4.1/24 (the subnet bits are in a drop down menu to the right)

Click Save, and then click Apply Changes.

Setting the IP address for the Chicago network interface.

5. On the Firewall menu, select Rules. Then on the Firewall / Rules page, select the CHICAGO tab, and add a firewall rule with the following settings:

  • Action: Pass
  • Interface: CHICAGO
  • Address Family: IPv4
  • Protocol: Any
  • Source: CHICAGO net

6. Add another firewall rule with the following settings:

  • Action: Pass
  • Interface: CHICAGO
  • Address Family: IPv6
  • Protocol: Any
  • Source: CHICAGO net

Click Apply Changes.

Adding the firewall rules for the Chicago network.

Verify the Chicago network

Time to verify that the NAT feature works for Chicago, as well as the LAN routing to the New York network. In this scenario I have installed a virtual machine, PC0002, and connected it to the Chicago virtual switch. I also assigned the following IP configuration to it:

  • IP Address: 192.168.4.10
  • Subnet mask: 255.255.255.0
  • Default Gateway: 192.168.4.1
  • DNS: Whatever DNS you are using, but for example 8.8.8.8 (Google DNS) works fine for testing.

On PC0002, verify the following:

  • You can ping 192.168.4.1
  • You can ping 8.8.8.8
  • You can browse the Internet

Testing Routing between the sites:

From a command prompt on PC0001, verify that you can ping PC0002 (192.168.4.10).

Note: If you can't ping PC0002, verify that you don't have a firewall rule on PC0002 that prevents it.
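The client configuration and the verification steps for both sites (New York and Chicago), as an added PowerShell example that is not part of the original post. It assumes the client's network adapter is named 'Ethernet' and uses www.pfsense.org as the target for the browsing check; the Windows Firewall check covers the note above about a rule on PC0002 blocking the cross-site ping.

```powershell
# Added example (not from the original post): sets the static IPv4 configuration
# from the lists above on a lab client, then runs the gateway / Internet / cross-site
# checks and shows the inbound ICMPv4 echo firewall rules that decide whether the
# client answers pings from the other site. Run elevated on PC0001 or PC0002.
$ErrorActionPreference = 'Stop'

function Set-LabClientIP {
    param([string]$Adapter = 'Ethernet',   # ASSUMED adapter name
          [string]$IP, [string]$Gateway, [string]$Dns = '8.8.8.8')
    # Clear any existing IPv4 address and default route so the static settings apply cleanly.
    Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IP -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $Dns
}

function Test-LabConnectivity {
    param([string]$Gateway, [string[]]$RemoteHosts, [string]$WebHost = 'www.pfsense.org')
    $checks = [ordered]@{
        "Gateway $Gateway"           = Test-Connection $Gateway -Count 2 -Quiet
        'Internet ICMP (8.8.8.8)'    = Test-Connection 8.8.8.8 -Count 2 -Quiet
        "Web (TCP 443 to $WebHost)"  = (Test-NetConnection $WebHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    foreach ($h in $RemoteHosts) { $checks["Cross-site ping $h"] = Test-Connection $h -Count 2 -Quiet }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Result = if ($_.Value) { 'OK' } else { 'FAIL' } }
    }
}

# The other site's ping only gets an answer if an inbound ICMPv4 echo rule is enabled
# for the active profile; this lists the rules so a blocking configuration is visible.
function Get-IcmpEchoRuleState {
    Get-NetFirewallRule -Direction Inbound |
        Where-Object { $_.DisplayName -like '*ICMPv4-In*' } |
        Select-Object DisplayName, Enabled, Profile
}

# PC0001 (New York): configure, verify, and ping PC0002 across the router.
Set-LabClientIP -IP 192.168.1.10 -Gateway 192.168.1.1
Test-LabConnectivity -Gateway 192.168.1.1 -RemoteHosts '192.168.4.10' | Format-Table -AutoSize
Get-IcmpEchoRuleState | Format-Table -AutoSize
```

On PC0002 (Chicago), call Set-LabClientIP with -IP 192.168.4.10 -Gateway 192.168.4.1 and Test-LabConnectivity with -Gateway 192.168.4.1 -RemoteHosts '192.168.1.10'.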

Happy Routing / Johan

About the author

Johan Arwidmark

Chris
1 year ago

ok…I've searched and found so many different recommendations…thought I'd go to the authoritative source…I'm trying to enable PXE for my VM environment using your pfSense configurations above…but I cannot figure out the right combinations of settings…some articles say use "X" others say "Y" then another says use "X" then "Y" but they're different…do you have PXE available on your VM test environment and if so, could you amend your article above and let us know what the right settings are for pfSense once you enable your DP for PXE and Multicasting?