Running pfSense on Proxmox VE
Complete guide to running pfSense as a virtual firewall on Proxmox VE, including WAN and LAN interface configuration, VLAN trunking, VirtIO NIC setup, and console-based initial configuration.
Why Virtualize pfSense on Proxmox?
pfSense is one of the most popular open-source firewalls, offering stateful packet filtering, VPN, traffic shaping, and intrusion detection. Running pfSense as a virtual machine on Proxmox VE eliminates the need for dedicated hardware, lets you snapshot your firewall configuration before changes, and integrates your network edge into your existing virtualization infrastructure.
This approach works well for homelabs, small offices, and test environments. For production use, ensure your Proxmox host has multiple physical network interfaces so you can dedicate separate NICs to WAN and LAN traffic.
Network Planning
Before creating the VM, plan your network interfaces. A typical pfSense setup needs at least two network interfaces:
- WAN — Connects to your ISP modem or upstream network. Should be on its own Proxmox bridge tied to a dedicated physical NIC.
- LAN — Connects to your internal network. Uses the main Proxmox bridge that your other VMs and containers are on.
Create a separate bridge for the WAN interface on the Proxmox host. Edit /etc/network/interfaces:
# WAN bridge - connected to the physical NIC facing your ISP
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0

# LAN bridge - your existing internal bridge
auto vmbr0
iface vmbr0 inet static
    address 10.0.0.1/24
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0

# Apply the network configuration
ifreload -a
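The check below is an added example, not part of the original guide. It reads interfaces text and confirms that the WAN bridge is inet manual with no address line, so this file gives the Proxmox host no address on the ISP-facing segment, and that the WAN and LAN bridges share no physical port. The function names bridge_field and audit_wan_bridge are hypothetical; the sample input is the guide's own two stanzas.

```sh
#!/bin/sh
# Added example (hypothetical helpers): check interfaces(5) text so that the
# WAN bridge gets no host address and shares no physical port with the LAN bridge.

# bridge_field TEXT BRIDGE FIELD: print BRIDGE's method, address or ports.
bridge_field() {
    printf '%s\n' "$1" | awk -v br="$2" -v want="$3" '
        $1 == "iface" { cur = $2 }
        cur != br     { next }
        $1 == "iface"        && want == "method"  { print $4 }
        $1 == "address"      && want == "address" { print $2 }
        $1 == "bridge-ports" && want == "ports"   { for (i = 2; i <= NF; i++) print $i }'
}

# audit_wan_bridge TEXT WAN_BRIDGE LAN_BRIDGE: return 0 only if all checks pass.
audit_wan_bridge() {
    cfg=$1 wan=$2 lan=$3 rc=0
    [ "$(bridge_field "$cfg" "$wan" method)" = "manual" ] ||
        { echo "FAIL: $wan is not 'inet manual'"; rc=1; }
    [ -z "$(bridge_field "$cfg" "$wan" address)" ] ||
        { echo "FAIL: $wan gives the host an address on the WAN segment"; rc=1; }
    for p in $(bridge_field "$cfg" "$wan" ports); do
        for q in $(bridge_field "$cfg" "$lan" ports); do
            [ "$p" != "$q" ] || { echo "FAIL: $p is in both bridges"; rc=1; }
        done
    done
    [ "$rc" -eq 0 ] && echo "OK: $wan has no host address and its own port"
    return "$rc"
}

# Sample input: the two bridge stanzas from this guide.
guide_cfg='auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
auto vmbr0
iface vmbr0 inet static
    address 10.0.0.1/24
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0'

audit_wan_bridge "$guide_cfg" vmbr1 vmbr0
# On the Proxmox host:
#   audit_wan_bridge "$(cat /etc/network/interfaces)" vmbr1 vmbr0
```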
Creating the pfSense VM
Download the pfSense CE ISO from the official website and upload it to your Proxmox ISO storage. Then create the VM:
# Create the pfSense VM
qm create 300 --name pfsense \
    --memory 2048 \
    --cores 2 \
    --cpu host \
    --bios ovmf \
    --machine pc-q35-9.0 \
    --efidisk0 local-lvm:1,efitype=4m \
    --scsihw virtio-scsi-pci \
    --scsi0 local-lvm:16 \
    --net0 virtio,bridge=vmbr1 \
    --net1 virtio,bridge=vmbr0 \
    --cdrom local:iso/pfSense-CE-2.7.2-RELEASE-amd64.iso \
    --ostype other \
    --boot order=ide2

# Start the VM
qm start 300
Key configuration notes:
- net0 on vmbr1 — This becomes the WAN interface inside pfSense.
- net1 on vmbr0 — This becomes the LAN interface.
- VirtIO NICs — VirtIO network adapters provide significantly better throughput than emulated Intel E1000 adapters. pfSense includes VirtIO drivers out of the box.
- 2 GB RAM — Sufficient for most setups. Increase to 4 GB if you plan to run Suricata or Snort IDS packages.
Console-Based Initial Setup
Open the VM console in Proxmox and proceed through the pfSense installer. After installation and reboot, pfSense will present its console menu. You need to assign the WAN and LAN interfaces:
## pfSense Console Menu
1) Assign Interfaces
- WAN: vtnet0 (your first VirtIO NIC, connected to vmbr1)
- LAN: vtnet1 (your second VirtIO NIC, connected to vmbr0)
2) Set interface(s) IP address
- WAN: Usually DHCP from your ISP, or set a static IP
- LAN: Set to your desired gateway, e.g., 10.0.0.1/24
- Enable DHCP server on LAN: yes
- DHCP range: 10.0.0.100 to 10.0.0.254
Once the LAN interface has an IP, access the pfSense web GUI from a machine on the LAN network by browsing to https://10.0.0.1. The default credentials are admin / pfsense.
VLAN Trunking
If you use VLANs to segment your network, configure the LAN interface as a VLAN trunk. In Proxmox, remove the VLAN tag from the NIC so all tagged traffic passes through to pfSense:
# Ensure the LAN NIC has no VLAN tag (trunk mode)
qm set 300 --net1 virtio,bridge=vmbr0
Then in the pfSense web GUI, create VLAN interfaces under Interfaces > Assignments > VLANs:
- Parent Interface: vtnet1 (LAN)
- VLAN Tag: e.g., 10 for management, 20 for IoT, 30 for guest
Assign each VLAN as a new interface, give it a static IP and subnet, enable DHCP if needed, and create firewall rules to control inter-VLAN traffic. This gives you full network segmentation managed by your virtual pfSense.
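To confirm the NIC layout from the key configuration notes and the trunk setting above, the following added example (not from the original guide) parses NIC lines in the format printed by qm config and checks that net0 and net1 are VirtIO, sit on the WAN and LAN bridges, and that net1 has no tag. The function names nic_prop and audit_pfsense_nics are hypothetical, and the sample lines with their MAC addresses are constructed.

```sh
#!/bin/sh
# Added example (hypothetical helpers, not part of Proxmox): check NIC lines
# in `qm config` output format against the guide: net0 on the WAN bridge,
# net1 on the LAN bridge, both VirtIO, net1 untagged so it acts as a trunk.

# nic_prop CONFIG NIC KEY: print the NIC model (KEY=model) or the value of KEY.
nic_prop() {
    printf '%s\n' "$1" | awk -v nic="$2:" -v key="$3" '
        $1 == nic {
            n = split($2, kv, ",")
            split(kv[1], m, "=")          # first field is model=MAC
            if (key == "model") print m[1]
            for (i = 2; i <= n; i++) {    # remaining fields are key=value
                split(kv[i], p, "=")
                if (p[1] == key) print p[2]
            }
        }'
}

# audit_pfsense_nics CONFIG WAN_BRIDGE LAN_BRIDGE: return 0 only if all checks pass.
audit_pfsense_nics() {
    cfg=$1 wan_br=$2 lan_br=$3 rc=0
    for nic in net0 net1; do
        [ "$(nic_prop "$cfg" "$nic" model)" = "virtio" ] ||
            { echo "FAIL: $nic is not a VirtIO NIC"; rc=1; }
    done
    [ "$(nic_prop "$cfg" net0 bridge)" = "$wan_br" ] ||
        { echo "FAIL: net0 (WAN) is not on $wan_br"; rc=1; }
    [ "$(nic_prop "$cfg" net1 bridge)" = "$lan_br" ] ||
        { echo "FAIL: net1 (LAN) is not on $lan_br"; rc=1; }
    tag=$(nic_prop "$cfg" net1 tag)
    [ -z "$tag" ] ||
        { echo "FAIL: net1 has tag=$tag, so pfSense sees one VLAN, not a trunk"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: NIC layout matches the guide"
    return "$rc"
}

# Constructed sample of the NIC lines from `qm config 300` (MACs are made up).
sample_cfg='net0: virtio=BC:24:11:00:00:01,bridge=vmbr1
net1: virtio=BC:24:11:00:00:02,bridge=vmbr0'

audit_pfsense_nics "$sample_cfg" vmbr1 vmbr0
# On the Proxmox host:
#   audit_pfsense_nics "$(qm config 300)" vmbr1 vmbr0
```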
Performance Tuning
- Disable hardware checksum offloading — Under System > Advanced > Networking, check "Disable hardware checksum offload." VirtIO NICs can cause issues with checksum offloading in pfSense, leading to corrupted packets.
- Enable AES-NI — If you use VPN, ensure your CPU supports AES-NI and set the CPU type to host in Proxmox. This dramatically improves OpenVPN and IPsec throughput.
- Pin CPU cores — For consistent performance, consider pinning the pfSense VM to dedicated CPU cores so other VMs do not compete for resources.
Backup and Monitoring
Since pfSense runs as a Proxmox VM, you can use Proxmox's built-in backup system to create regular snapshots of the entire firewall. Schedule daily backups through the Proxmox UI under Datacenter > Backup. Before making significant firewall rule changes, take a manual snapshot so you can roll back instantly if something breaks.
For monitoring the pfSense VM's resource usage — especially when you are away from your desk — ProxmoxR provides a quick way to check that your firewall VM is running and healthy from your mobile device. A firewall going down is one of those situations where you want to know immediately, and mobile monitoring helps you catch it fast.
Virtualizing pfSense on Proxmox gives you a flexible, backup-friendly firewall that takes full advantage of your existing hardware. With VirtIO NICs and proper VLAN configuration, you get excellent performance and complete network control.