*VIDEO GUIDE* A comprehensive guide to pfSense both unRAID VM and physical


SpaceInvaderOne


Can someone help me understand this maybe stupid question: will I be able to test pfSense in my local network without affecting my main network? Like creating a sub-network within my main network and only routing maybe a couple of VMs within that sub-network?

Does this make sense?

I want to play around with this but not sure if I can safely do so.


So setting up pfSense is next on my projects list and I have one quick question I wanted to ask before I get started.

Will I need, or would it be better, to buy a new NIC (likely a 2-port NIC) and get it installed before beginning? My thought is that with my existing MOBO NIC, I can use that as the server LAN port. The new card will have two ports, and one will connect to the WAN and the second will act as the LAN gateway.

I'm sure someone will say that pfSense can create virtual interfaces but I want to set it up for peak performance and I have a 1 Gbps (up and down) internet connection and don't want it to be a bottleneck.

Side note, the NIC on my MOBO is a 2.5 Gbps port.

Let me know your thoughts, advice, guidance and thank you in advance!

On 4/3/2021 at 11:00 AM, Aerodb said:

So setting up pfSense is next on my projects list and I have one quick question I wanted to ask before I get started.

Will I need, or would it be better, to buy a new NIC (likely a 2-port NIC) and get it installed before beginning? My thought is that with my existing MOBO NIC, I can use that as the server LAN port. The new card will have two ports, and one will connect to the WAN and the second will act as the LAN gateway.

I'm sure someone will say that pfSense can create virtual interfaces but I want to set it up for peak performance and I have a 1 Gbps (up and down) internet connection and don't want it to be a bottleneck.

Side note, the NIC on my MOBO is a 2.5 Gbps port.

Let me know your thoughts, advice, guidance and thank you in advance!

I've been playing with pfSense for well over a year now, and in all my research and personal experience so far, I would NEVER NEVER NEVER set up a firewall as a VM (on Unraid) if you rely on that one as your ONLY firewall. The simple reason is that if something happens and you need to take Unraid down, you also lose your network. I've done it, but my VM on Unraid acts as a secondary node that is used if I take down the primary.

IF you think that one day you MIGHT want to play with primary and secondary boxes in a high availability setup, you'll need THREE network ports: one for WAN, one for LAN, one for sync between the two boxes. I'd recommend a 4-port based on the Intel i350. Not that much more expensive, and it gives you lots of flexibility. I found a 2-pack on Amazon so I'm running identical 4-ports in my physical machine and in Unraid. It works so well I'd encourage that for everyone. And if you go with a good quality i350 or equivalent, I'd skip using the on-board RJ45 unless you need it for something else.

Edited by tiwing

I'm confused why a network card is required. Why can't I just use the physical NICs on the motherboard? I have 4 of them. He states you need it to pass through to the firewall. I would have thought that I could restrict Unraid to not being able to use 2 of the NICs and then pass those through to the virtual firewall. Thanks in advance for the help.


I've run into some similar issues, and this goes both for an Nvidia Quadro card and an Intel NIC.

internal error: qemu unexpectedly closed the monitor: 2021-05-20T17:57:42.413287Z qemu-system-x86_64: -device vfio-pci,host=0000:16:00.0,id=hostdev0,bus=pci.1,addr=0x0: vfio 0000:16:00.0: failed to setup container for group 34: Failed to set iommu for container: Operation not permitted

Tried all of the solutions offered in this thread, and even tried the kernel hack from the Nvidia GPU thread. But it won't let me pass those cards through.

Any ideas?


I am new to Unraid here and this question might be dumb, but I am not able to get a solution yet!

My Unraid box is running a pfSense VM with 4-port Intel NIC passthrough. I am able to set up pfSense and log in with the admin user into pfSense, but I cannot access Unraid from pfSense, i.e. users on pfSense's LAN are not able to access my Unraid server but can access the internet/WAN network.

I understand that, being a VM, it has no understanding of Unraid as the host OS. So maybe a virtual network bridge may help me access the Unraid server.

But unfortunately I am not able to do the same.

Thanks in advance!

On 4/5/2021 at 10:33 PM, tiwing said:

I've been playing with pfSense for well over a year now, and in all my research and personal experience so far, I would NEVER NEVER NEVER set up a firewall as a VM (on Unraid) if you rely on that one as your ONLY firewall. The simple reason is that if something happens and you need to take Unraid down, you also lose your network. I've done it, but my VM on Unraid acts as a secondary node that is used if I take down the primary.

IF you think that one day you MIGHT want to play with primary and secondary boxes in a high availability setup, you'll need THREE network ports: one for WAN, one for LAN, one for sync between the two boxes. I'd recommend a 4-port based on the Intel i350. Not that much more expensive, and it gives you lots of flexibility. I found a 2-pack on Amazon so I'm running identical 4-ports in my physical machine and in Unraid. It works so well I'd encourage that for everyone. And if you go with a good quality i350 or equivalent, I'd skip using the on-board RJ45 unless you need it for something else.

Thank you for the advice. I was thinking about running it within a VM on a small Unraid machine that will only run network apps. So I suspect having to reboot it will be very limited.

Also, unfortunately I have already acquired my network card. A two-port with an Intel 82576 chip. BUT I'm wondering if I could use the motherboard NIC as the third sync port should I choose to set up a secondary pfSense VM on my primary multi-use Unraid hardware.

So maybe I could run pfSense on this stand-alone box and fail back to my main machine in the event of an outage or planned maintenance?


I followed this to set up pfSense in a VM today, and it seems good; it saved me using an old computer as a router.

But I'm wondering how I pass the LAN network from this VM back to my Unraid server, because I got a 4-port 10gig interface card to use for this VM, and now I want to get 10gig networking going for my Unraid server and Dockers. Is there an easy way to do that? If not, can I get maybe one of the other interfaces passed back to the Unraid server and configure that? I'm thinking it's not going to be easy to do this.

Edited by Bizquick
simple typo
On 4/24/2018 at 10:12 AM, SpaceInvaderOne said:

Hi @joelones Just set in the BIOS of the pfSense machine to enable wake on LAN. When the machine is off it will still power the LAN port for wake on LAN.

I use @Squid's excellent user script plugin to send a WOL ping using the etherwake command.

This script runs on array stop:

etherwake 00:01:3e:4e:5a:b8

I also use another script for when the array starts.

This uses ssh to log in to the pfSense machine and shut it down; this way only one pfSense is running at a time.

i.e.

ssh [email protected] /etc/rc.halt

You will need to generate some ssh key pairs on unRAID and copy the public key to the admin user in pfSense.

All of this will be covered in my pfSense videos.

@SpaceInvaderOne I didn't see anything from your videos on how to set up the pfsense failover setup you mention in video one. Would you consider making a video to show how to configure it? I would really appreciate it. Thank you for all you do for the UNRAID community.
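The array-stop and array-start hooks quoted above, as an added example rather than SpaceInvaderOne's own user scripts: a Python version that sends the same etherwake frame on array stop and issues the same ssh /etc/rc.halt on array start, but only after the VM firewall answers on its LAN address, so the hook cannot halt the physical box while nothing else is routing. The MAC address comes from the quoted command; the two IP addresses, the ssh options and the port checked (443, the pfSense webConfigurator default) are assumptions and not from the thread.

```python
"""Array-stop / array-start hooks for a two-node pfSense failover.

Added example, not SpaceInvaderOne's own scripts. It mirrors the quoted
procedure: on array stop, send a Wake-on-LAN frame to the physical pfSense box
with etherwake; on array start, ssh into that box and run /etc/rc.halt so only
one pfSense is running at a time. The halt is only issued after the VM answers
on its LAN gateway address, so the hook cannot take both firewalls down.
"""
import socket
import subprocess
import time

PHYSICAL_PFSENSE_MAC = "00:01:3e:4e:5a:b8"   # MAC from the quoted etherwake command
PHYSICAL_PFSENSE_IP = "192.168.0.2"          # placeholder, not from the thread
VM_PFSENSE_IP = "192.168.0.1"                # placeholder, not from the thread
SSH_USER = "admin"                           # pfSense admin user, per the quote
WEBGUI_PORT = 443                            # assumed: pfSense webConfigurator default


def build_wake_command(mac=PHYSICAL_PFSENSE_MAC):
    """Command list for the array-stop hook: etherwake <mac>."""
    return ["etherwake", mac]


def build_halt_command(host=PHYSICAL_PFSENSE_IP, user=SSH_USER):
    """Command list for the array-start hook: non-interactive ssh halt."""
    # BatchMode=yes makes ssh fail instead of prompting for a password when
    # the key pair copied into pfSense is not accepted; ConnectTimeout bounds
    # the wait if the physical box is already off.
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
            "%s@%s" % (user, host), "/etc/rc.halt"]


def tcp_reachable(host, port=WEBGUI_PORT, timeout=2.0, connect=socket.create_connection):
    """True if a TCP connect to host:port succeeds; used to confirm the VM is up.
    `connect` is injectable so the check can be exercised without a network."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def on_array_stop(run=subprocess.run):
    """Wake the physical box so it takes over while Unraid (and the VM) is down."""
    cmd = build_wake_command()
    run(cmd, check=True)
    return cmd


def on_array_start(run=subprocess.run, reachable=tcp_reachable,
                   attempts=12, delay=5.0, sleep=time.sleep):
    """Halt the physical box, but only once the VM firewall answers on its LAN IP.
    Returns the command that was run, or None if the VM never came up (in which
    case the physical box is left running and nothing is halted)."""
    for _ in range(attempts):
        if reachable(VM_PFSENSE_IP):
            cmd = build_halt_command()
            run(cmd, check=True)
            return cmd
        sleep(delay)
    return None


if __name__ == "__main__":
    import sys
    # Usage: python pfsense_failover.py stop|start
    hook = sys.argv[1] if len(sys.argv) > 1 else "stop"
    print(on_array_stop() if hook == "stop" else on_array_start())
```

Install it as two entries in the User Scripts plugin (one on array stop calling the `stop` hook, one on array start calling the `start` hook). The reachability gate is the point of the example: if the VM never comes up, the script returns None and leaves the physical firewall running instead of halting it blindly.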

On 7/31/2022 at 3:07 PM, nettech_gt said:

@SpaceInvaderOne I didn't see anything from your videos on how to set up the pfsense failover setup you mention in video one. Would you consider making a video to show how to configure it? I would really appreciate it. Thank you for all you do for the UNRAID community.

Second this. I'm very interested in this setup as opposed to an HA setup with one WAN IP address.


I was able to install with Auto (ZFS).

Passthrough works great thanks to the amazing tutorial, I am also connected to the internet on WAN.

I configured pfSense on 192.168.1.1 on the Unraid VM, however I can't reach the IP of Unraid 192.168.1.3 or any other IP on my Unraid.

Should I have left the bridge configuration in the configuration without deleting it?

Or do I need to change something in the configuration of Unraid to have it use the pfSense network?

John


 

<?xml version='1.0' encoding='UTF-8'?>
<domain type='kvm'>
  <name>pfSense</name>
  <uuid>XXXXXXXXXX9da</uuid>
  <metadata>
    <vmtemplate xmlns="unraid" name="FreeBSD" icon="freebsd.png" os="freebsd"/>
  </metadata>
  <memory unit='KiB'>3145728</memory>
  <currentMemory unit='KiB'>3145728</currentMemory>
  <memoryBacking>
    <nosharepages/>
  </memoryBacking>
  <vcpu placement='static'>2</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='1'/>
    <vcpupin vcpu='1' cpuset='5'/>
  </cputune>
  <os>
    <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram>/etc/libvirt/qemu/nvram/XXXXXX_VARS-pure-efi.fd</nvram>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='host-passthrough' check='none' migratable='on'>
    <topology sockets='1' dies='1' cores='1' threads='2'/>
    <cache mode='passthrough'/>
    <feature policy='require' name='topoext'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/local/sbin/qemu</emulator>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/user/isos/pfSense-CE-2.6.0-RELEASE-amd64.iso'/>
      <target dev='hda' bus='sata'/>
      <readonly/>
      <boot order='2'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='writeback'/>
      <source file='/mnt/user/domains/pfSense/vdisk1.img'/>
      <target dev='hdc' bus='sata'/>
      <boot order='1'/>
      <address type='drive' controller='0' bus='0' target='0' unit='2'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0x15'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='unix'>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' websocket='-1' listen='0.0.0.0' keymap='en-us'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <audio id='1' type='none'/>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x01' slot='0x00' function='0x1'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x01' slot='0x00' function='0x2'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x01' slot='0x00' function='0x3'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </hostdev>
    <memballoon model='none'/>
  </devices>
</domain>

 

Edited by netfox
added info
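The domain XML above has `<hostdev>` entries for four functions of one PCI device and no `<interface>` element, which is what decides whether a pfSense VM can reach its Unraid host inside the hypervisor at all. The following is an added example, not code from this thread or from Unraid or libvirt: a small Python script that parses a libvirt domain definition (as `virsh dumpxml` prints it) and reports which PCI functions are passed through with vfio and whether the guest has any virtual NIC on a host bridge. The embedded samples are constructed; `br0` and the virtio NIC in the second sample are assumptions. The replies that follow in the thread deliberately avoid such a bridge link for isolation, so the script makes the trade-off visible rather than choosing for you.

```python
"""Inspect a libvirt domain XML for how a pfSense VM reaches the network.

Added example (not code from the thread, Unraid or libvirt). It parses the
domain definition the way `virsh dumpxml` prints it and reports two things a
practitioner checks when a pfSense VM cannot reach the host:

  * which PCI functions are passed through with vfio (<hostdev> elements), and
  * whether the VM has any virtual NIC (<interface>) on a host bridge such as br0.

With no <interface> element, the guest's only links are the passed-through
ports, so host and guest can only meet through a physical switch.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the relevant parts of the XML posted in the thread
# (functions of one PCI device handed to vfio, no <interface> element).
SAMPLE_NO_BRIDGE = """<?xml version='1.0' encoding='UTF-8'?>
<domain type='kvm'>
  <name>pfSense</name>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source><address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/></source>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source><address domain='0x0000' bus='0x01' slot='0x00' function='0x1'/></source>
    </hostdev>
  </devices>
</domain>
"""

# Constructed sample: the same VM with a virtio NIC on an assumed Unraid bridge br0.
SAMPLE_WITH_BRIDGE = SAMPLE_NO_BRIDGE.replace(
    "  </devices>",
    "    <interface type='bridge'>\n"
    "      <mac address='52:54:00:00:00:01'/>\n"
    "      <source bridge='br0'/>\n"
    "      <model type='virtio'/>\n"
    "    </interface>\n"
    "  </devices>",
)


def _pci_address(addr):
    """Render a libvirt <address> element in the dddd:bb:ss.f form lspci uses."""
    vals = [int(addr.get(k, "0"), 16) for k in ("domain", "bus", "slot", "function")]
    return "%04x:%02x:%02x.%x" % tuple(vals)


def passed_through_devices(domain_xml):
    """Return the host PCI addresses handed to the guest via vfio, in XML order."""
    root = ET.fromstring(domain_xml)
    result = []
    for hostdev in root.iterfind("./devices/hostdev[@type='pci']"):
        driver = hostdev.find("driver")
        if driver is None or driver.get("name") != "vfio":
            continue
        addr = hostdev.find("source/address")
        if addr is not None:
            result.append(_pci_address(addr))
    return result


def bridged_interfaces(domain_xml):
    """Return the host bridges (e.g. 'br0') the guest has a virtual NIC on."""
    root = ET.fromstring(domain_xml)
    bridges = []
    for iface in root.iterfind("./devices/interface[@type='bridge']"):
        src = iface.find("source")
        if src is not None and src.get("bridge"):
            bridges.append(src.get("bridge"))
    return bridges


def host_reachability_note(domain_xml):
    """One-line diagnosis: can host and guest share a link inside the hypervisor?"""
    bridges = bridged_interfaces(domain_xml)
    if bridges:
        return "guest has virtual NIC(s) on host bridge(s): " + ", ".join(bridges)
    return ("guest has no virtual NIC: only passed-through ports, so the host is "
            "reachable solely through a physical switch on a passed-through LAN port")


if __name__ == "__main__":
    import sys
    # Usage: python inspect_domain.py /path/to/domain.xml (defaults to the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NO_BRIDGE
    print("vfio devices:", passed_through_devices(xml_text))
    print(host_reachability_note(xml_text))
```

Run it with the path to a dumped domain XML; with no argument it reports on the constructed sample. A firewall VM whose only links are passed-through ports can reach the host only through a switch on a passed-through LAN port, which is the arrangement the next replies describe; adding a bridge NIC instead gives the firewall VM a direct path to the host, which is exactly the coupling those replies chose to avoid.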
13 hours ago, netfox said:

Or do I need to change something in the configuration of Unraid to have it use the pfSense network?

I'm not familiar with using an interface shared with Unraid. I passed through 2 Ethernet ports entirely to the VM; Unraid has no access to those two ports. One is connected to WAN, the other is connected to the same switch as my Unraid Ethernet port.

I wanted as much isolation as possible so a misconfiguration or other issue couldn't accidentally allow my server to be directly connected to the internet. Plus, if the VM is down, it's easy to spin up my hardware pfSense box, and since it uses the same config, there's no change as far as Unraid is concerned; it still gets internet through the switch.


I don't know. I've seen some people attempt it before; they may have been successful. Perhaps searching the forums may produce results, but I'm personally very uncomfortable putting my server at risk of being directly connected to WAN, so I've always kept a physical link.

That's why I asked if you were directly passing multiple Ethernet ports through to the VM. I know for sure that way works, and works well for me with some caveats. It's not officially supported, as Unraid expects to have WAN access during the boot process, so some plugins and services may not work or may need to be tweaked to function.

On 2/24/2023 at 10:23 PM, OthmaUni said:

Hi,

After weeks setting up my home network, I finally finished it and it works properly as I believed. I just want to make sure that I built it right. Can you let me know if my topology seems right please.

I am not that familiar with networking but I tried my best.


Hi, I am new to pfSense and I would like to use a similar setup to yours. However I am struggling to get my unRaid server (running HA and 4 cameras & many IoT devices) to be recognised in the DHCP server. Could you share how you managed to get your unRaid server installed? I get to the point where it only connects the VM for Home Assistant; it does not recognise any other IP address.

Your advice would be appreciated.
