How To Install PfSense on XCP-NG
Introduction
While we would never suggest installing PfSense as a VM in a production setting, a virtualized PfSense can be a great way to add a firewall to your homelab or even to use as your home firewall.
Prerequisites
This article assumes you already meet the following requirements.
- You have a basic understanding of networking (and PfSense)
- You have already installed and configured XCP-NG 8.2 or newer
- Your XCP-NG server has at least two network cards
  (If you are doing this for a home lab, this can be done with one physical NIC and an internal XCP-NG network)
- You have at least 1GB of RAM and 16GB of disk space available to dedicate to this VM
  (We will be using 8GB of RAM and 64GB of storage)
- You have already configured an ISO Storage Repository
- You can view the official list of requirements of PfSense here
Let's Get Started
First, you will need to download the latest version of PfSense from the official PfSense Website. We will be using version 2.7.2 – AMD64 DVD Image (ISO) Installer.
Download the ISO and either place it on your ISO Storage share or burn it to a CD/DVD.
The next step depends on your goal. If you want to create an isolated network to use as a homelab, you will need to create an internal network through Xen Orchestra. If your goal is to use this as a home firewall, you can skip this step, as you will be using two network cards.
To create a virtual network with XCP-NG, log in to your Xen Orchestra console, hover over New and select Network.
Select a private network and choose the interface you wish to use for network access.
Creating the Virtual Machine
Now we have everything we need to install PfSense on XCP-NG.
In the top right of Xen Orchestra click the New VM button. Select your VM pool and choose Other install media for the template.
Next, give your VM a name and description, set the allocated resources and ISO.
For the network interfaces, you will need to ensure you are adding the correct interfaces (WAN/LAN), otherwise you will run into issues.
I am using 32GB of storage. Unless you are running a lot of packages and saving logs locally, this should be fine.
If you are using this VM for your main firewall, be sure to enable Auto power on so the VM will automatically start when your host boots.
Now navigate to the Console tab and follow the onscreen instructions to install PfSense normally.
- Accept the terms
- Select Install
- Select Auto (ZFS)
- Select Install
- Select Stripe
- Choose your disk
- Verify you are using a blank disk and accept the installation warning
Once the installation is complete, eject the ISO or DVD and reboot the VM. Once the reboot is complete, we will need to set up our interfaces and install XCP-NG Tools.
Note: You may need to type exit to finish the reboot. If you run into any errors here, click the restart button in Xen Orchestra.
Configuring The Interfaces
After the reboot you will be prompted to configure VLANs. For the purpose of this installation, choose no. These can be added later.
Now you will be prompted to configure the WAN address. Note which interface you physically have plugged into your network and use that address.
For the LAN address choose either the virtual network you created or your LAN network depending on your goal.
Select Y and hit Enter; you will be able to set IP addresses later.
Next we will install XCP-NG tools on PfSense.
Installing XCP-NG Tools on PfSense
To ensure optimal performance (including speeds over 100Mbps), you will need to install XCP-NG tools (Management Agent).
To do this from the console select option 8 and enter the following commands:
pkg install xe-guest-utilities
echo 'xenguest_enable="YES"' >> /etc/rc.conf.local
ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh
service xenguest start
Once you have completed the above commands the management agent will be installed.
Disabling TX Checksum Offloading
Next we need to disable TX checksum offloading. More information on this can be found on the XCP-NG Wiki if you are interested in learning more.
To do this you will need the UUID of the network interfaces. You can get these by navigating to the network tab of Xen Orchestra and copying them to your clipboard.
Next you will need to SSH into the host (or any host within the same pool) and run the following commands:
xe vif-param-set uuid=658408bf-b4f2-3f61-dc39-1e5c9f40aa08 other-config:ethtool-tx="off"
xe vif-param-set uuid=9d0c850c-a91f-83ef-8ca4-65c4e375ec14 other-config:ethtool-tx="off"
Next you will need to reboot the VM for these changes to take effect.
Note: This command will need to be run for each virtual NIC you add in the future.
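Because the setting has to be repeated for every virtual NIC, the following added example (not part of the original article) applies it to all VIFs of one VM from the XCP-NG host and skips those already set. The VM name passed as the argument and the function names are assumptions; it looks the UUIDs up with xe vif-list instead of copying them from Xen Orchestra.

```shell
#!/bin/sh
# Added example: disable TX checksum offload on every VIF of one VM.
# Run on the XCP-NG host (dom0). Usage: sh disable-tx.sh "<VM name label>"

# Print the UUIDs of all VIFs attached to the named VM, one per line.
vm_vif_uuids() {
    # --minimal returns the values as one comma-separated line
    xe vif-list vm-name-label="$1" params=uuid --minimal | tr ',' '\n' | sed '/^$/d'
}

# Set other-config:ethtool-tx=off on each VIF that does not have it yet.
# Prints the number of VIFs that were changed.
disable_tx_offload() {
    vm="$1"
    changed=0
    for uuid in $(vm_vif_uuids "$vm"); do
        # vif-param-get fails when the key is absent; treat that as "not set"
        current=$(xe vif-param-get uuid="$uuid" \
            param-name=other-config param-key=ethtool-tx 2>/dev/null || true)
        if [ "$current" = "off" ]; then
            continue
        fi
        xe vif-param-set uuid="$uuid" other-config:ethtool-tx="off"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Only act when a VM name is supplied on the command line.
if [ "$#" -ge 1 ]; then
    n=$(disable_tx_offload "$1")
    echo "Updated $n VIF(s) on '$1'. Reboot the VM for the change to take effect."
fi
```

Re-running it after adding a NIC only touches the new interface.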
Configuring PfSense
Most of the settings you choose next are going to be unique to your situation. In a web browser, navigate to the internal IP of your new PfSense and log in to the web console using the username admin and the password pfsense. Go through the initial setup, which will ask you to input some basic information and set a password. Once this is done, go to System > Advanced > Networking, find the section labeled “Disable hardware checksum offload” and make sure to enable this, or you will run into performance issues.
Installation Complete
Congratulations! You have successfully installed PfSense on XCP-NG either for your home network or your home lab.
You can now configure each interface with the appropriate IP either using the terminal or the GUI.
The default username is admin and the default password is pfsense.
If you have any questions please leave a comment below and I will assist if possible.