Configuring Virtual Firewall and Routing with OPNsense/pfSense in KVM/Proxmox: Building a Secure Virtual Network System

Virtualization tutorial - IT technology blog

Introduction to the Problem

It’s 2 AM, and my phone screen suddenly lights up with a glaring red alert: “Critical network issue detected on internal services.” I’m sure every IT professional knows that feeling. After a few SSH sessions into the Proxmox nodes, I immediately realized that a dev VM was causing chaos, or worse, that there was a risk of data leakage.

In my homelab, with 12 VMs and containers on Proxmox VE, I treat it as a ‘playground’ to test everything before deploying it to a real environment. However, managing, isolating, and securing network segments here has always been a major challenge. Without a clear system, everything can turn into an inextricable mess.

At such times, I know I need a more serious solution than just relying on the hypervisor’s default firewall. Although Proxmox and KVM have basic networking features, they are not enough for traffic segmentation or deep access control.

It’s also difficult to deploy a VPN gateway as you would with a dedicated firewall/router appliance. Just imagine you have a database server, a web server, and a dev machine – all on a flat network, without clear boundaries. A small configuration error on the dev machine could affect the database, or worse, open the door to uninvited guests.

That’s when I started looking at OPNsense or pfSense – powerful open-source firewall/router solutions that can be turned into a robust virtual firewall right within our virtualization environment. The goal is not just to block external threats. They also help create separate “security zones” within the virtual system.

This ensures that each application, each service, is adequately protected. Most importantly, we can control the flow of data between them. It’s like manually designing and building a multi-layered fortress for my virtual “estate.”

Core Concepts

Before diving into the specific configuration steps, I need to grasp a few fundamental concepts. These are things I struggled to understand when I first started building my own system, and I believe they will help you avoid similar headaches.

What are OPNsense and pfSense?

They are two powerful open-source firewall/router operating systems, built on FreeBSD, that turn virtual machines into professional network appliances. They provide firewall, routing, VPN Gateway, load balancing, IDS/IPS… I use them to manage network traffic between VMs and to the Internet. I prefer OPNsense a bit more due to its modern interface, but pfSense is also very stable.

Why do we need a Virtual Firewall/Router in KVM/Proxmox?

Relying on the hypervisor’s or individual VM’s default firewall is insufficient. A virtual firewall helps with:

  • Network Segmentation: Separating VMs into distinct zones (web, database, dev). The firewall is the only path between zones, so all cross-zone traffic is inspected.
  • Granular Control: Creating specific rules: Web VM can only access DB on port 3306 from a specific IP.
  • Centralized Management: Managing the firewall in a single location instead of on each VM.
  • Advanced Features: VPN, IDS/IPS for comprehensive security.

Virtual Network Components in KVM/Proxmox

For a virtual firewall to work, you need to understand:

  • Linux Bridge (vmbrX on Proxmox, brX/virtual network on KVM): These are “virtual switches” for VMs to connect. We will create multiple bridges to separate WAN and LAN.
  • Virtual Network Interface Card (vNIC): Each VM has a vNIC, plugged into a bridge. The virtual firewall needs at least 2 vNICs: one for WAN, one for LAN.

Clearly understanding these will make the configuration process smoother.

Detailed Implementation

Alright, enough theory. Now it’s time to face reality: How to turn those ideas into a smoothly operating secure virtual network system. Recalling that 2 AM feeling, I need absolute precision here.

1. Prepare the Network Environment on the Hypervisor

I need to create virtual network “ports” on the Proxmox host.

Objective:

  • WAN Network: Connects to the Internet, usually vmbr0 (bridged with the physical network card eno1).
  • LAN Network: Internal network for VMs, vmbr1 (completely virtual, not physically attached).

On Proxmox VE Host (edit /etc/network/interfaces):

# File: /etc/network/interfaces
# ifupdown only honours whole-line comments, so keep comments on their own lines.

# ... (existing configuration for vmbr0 if present) ...

# WAN network: bridged to the physical card (replace 'eno1' with your card)
auto vmbr0
iface vmbr0 inet static
    # Proxmox host IP on the WAN
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

# Virtual LAN network: no physical port, so it exists only inside the host
auto vmbr1
iface vmbr1 inet static
    # Optional IP for the Proxmox host on the LAN. It must not collide with the
    # firewall's LAN address 10.0.0.1; use 'inet manual' and omit it if the host
    # needs no address on the LAN at all.
    address 10.0.0.2/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

Apply: systemctl restart networking

2. Create a Virtual Machine for OPNsense/pfSense

Create a new VM on Proxmox with:

  • OS type: Other (FreeBSD 64-bit)
  • CPU: 1-2 cores, RAM: 1GB-2GB, Disk: 8GB-16GB
  • Network Devices:
    • Net0 (WAN): Bridge vmbr0, Model VirtIO.
    • Net1 (LAN): Bridge vmbr1, Model VirtIO.

Using qm create on Proxmox CLI:

VMID=101                          # Optional ID
ISO_STORAGE=local                 # Storage that holds ISO images (local-lvm cannot)
ISO_FILE=OPNsense-24.1.amd64.iso
STORAGE=local-lvm                 # Disk storage for the VM (LVM-thin: raw volumes only)

qm create $VMID --name opnsense-fw --memory 2048 --cores 2 --ostype other \
    --net0 virtio,bridge=vmbr0 --net1 virtio,bridge=vmbr1
qm set $VMID --scsihw virtio-scsi-pci --scsi0 $STORAGE:8
qm set $VMID --ide2 $ISO_STORAGE:iso/$ISO_FILE,media=cdrom
# Quote the boot order: an unquoted ';' would end the shell command early.
# The serial console is very convenient.
qm set $VMID --boot 'order=ide2;scsi0' --serial0 socket --vga qxl
qm start $VMID
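A sanity check for steps 1 and 2, added here and not part of the original post: it parses an ifupdown-style interfaces file and a `qm config` dump (both constructed samples, including the MAC addresses) and confirms that the LAN bridge has no physical uplink, that the WAN bridge does, and that the firewall VM has one NIC on each bridge. A LAN bridge that quietly picks up a physical port is the easiest way to lose the isolation the whole design depends on.

```python
import re

# Constructed sample of /etc/network/interfaces (same stanzas as step 1)
INTERFACES_SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
    bridge-ports eno1
    bridge-stp off
auto vmbr1
iface vmbr1 inet static
    bridge-ports none
"""
# Constructed sample of `qm config 101` output for the firewall VM
QM_CONFIG_SAMPLE = """\
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0
net1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr1
"""

def parse_interfaces(text):
    """Return {iface: {option: value}} for every 'iface' stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()   # drop comments and blanks
        if not words:
            continue
        if words[0] == "iface":
            current = stanzas.setdefault(words[1], {})
        elif words[0] != "auto" and current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def vm_bridges(qm_text):
    """Map netN -> bridge name from `qm config` output."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^(net\d+):.*?bridge=(\w+)", qm_text, re.M)}

def check_isolation(ifaces, vm_nets, wan="vmbr0", lan="vmbr1"):
    """Return findings; an empty list means the layout matches the tutorial."""
    findings = []
    lan_ports = ifaces.get(lan, {}).get("bridge-ports", "")
    if lan_ports != "none":
        findings.append(f"{lan} has bridge-ports {lan_ports!r}: LAN is not isolated from the physical network")
    if ifaces.get(wan, {}).get("bridge-ports", "none") == "none":
        findings.append(f"{wan} has no physical uplink: the firewall WAN would be dead")
    if set(vm_nets.values()) != {wan, lan}:
        findings.append(f"firewall VM NICs sit on {sorted(vm_nets.values())}, expected one on {wan} and one on {lan}")
    return findings
```

On a real host, feed it the contents of /etc/network/interfaces and the output of `qm config $VMID` instead of the samples.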

3. Install and Basic Configuration of OPNsense/pfSense

Install from ISO as usual. Upon reboot, via console:

  1. Assign Interfaces: Assign vtnet0 to WAN, vtnet1 to LAN.
  2. IP Configuration:
    • WAN: DHCP or Static IP from the external network.
    • LAN: Must set a static IP, e.g., 10.0.0.1/24. This will be the Gateway for client VMs.
  3. Access Web GUI: From a computer, access https://10.0.0.1 and log in (root/password you set).

4. Set up Virtual Routing and Firewall Rules

This is where we define security.

a. Configure DHCP Server for LAN

Go to Services -> DHCPv4 -> [LAN]. Enable DHCP and configure the IP range (e.g., 10.0.0.100-200). DNS can point to 10.0.0.1.

b. Network Segmentation with Advanced Rules (Example: Web and Database)

Suppose Web VM (IP: 10.0.0.10) and DB VM (IP: 10.0.0.20). Requirement: Web accesses DB on port 3306, other VMs cannot.

  1. Create Aliases (Firewall -> Aliases): Web_Server_IP (10.0.0.10), DB_Server_IP (10.0.0.20), MySQL_Port (3306).

  2. Create Firewall Rules on LAN Interface (Firewall -> Rules -> LAN): (Rules are evaluated from top to bottom, and the first matching rule wins)

    • Rule 1: Allow Web to DB
      • Action: Pass, Interface: LAN, Protocol: TCP
      • Source: Web_Server_IP
      • Destination: DB_Server_IP, Destination Port: MySQL_Port
    • Rule 2: Block others to DB MySQL
      • Action: Block, Interface: LAN, Protocol: TCP
      • Source: LAN net (or any)
      • Destination: DB_Server_IP, Destination Port: MySQL_Port
      • Note: Rule 2 must be placed immediately BELOW Rule 1.
    • Rule 3: Default LAN Allow All
      • Action: Pass, Interface: LAN, Protocol: Any
      • Source: LAN net, Destination: Any
      • This rule is placed BELOW all blocking/restriction rules.

    Always click Apply changes after editing.
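To see why the ordering in step 2 matters, here is an added example (not from the original post) that models OPNsense/pfSense's top-down, first-match evaluation over the three LAN rules above. The alias values are the ones defined in step 1; the packet fields are constructed, and 10.0.0.30 is an assumed dev VM on the same LAN.

```python
import ipaddress

# Aliases from step 1 of this section
ALIASES = {
    "Web_Server_IP": "10.0.0.10",
    "DB_Server_IP": "10.0.0.20",
    "LAN net": "10.0.0.0/24",
    "MySQL_Port": 3306,
}

# The three LAN rules in the order the post gives them (first match wins)
LAN_RULES = [
    {"action": "pass",  "proto": "tcp", "src": "Web_Server_IP", "dst": "DB_Server_IP", "dport": "MySQL_Port"},
    {"action": "block", "proto": "tcp", "src": "LAN net",       "dst": "DB_Server_IP", "dport": "MySQL_Port"},
    {"action": "pass",  "proto": "any", "src": "LAN net",       "dst": "any",          "dport": "any"},
]

def _matches(pattern, value, kind):
    """Resolve an alias (or 'any') and test it against one packet field."""
    if pattern == "any":
        return True
    target = ALIASES.get(pattern, pattern)
    if kind == "port":
        return int(target) == value
    return ipaddress.ip_address(value) in ipaddress.ip_network(target, strict=False)

def evaluate(rules, proto, src, dst, dport):
    """Return the action of the first matching rule; OPNsense/pfSense block by default if none match."""
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if (_matches(rule["src"], src, "addr") and _matches(rule["dst"], dst, "addr")
                and _matches(rule["dport"], dport, "port")):
            return rule["action"]
    return "block"

def ruleset_enforces_policy(rules):
    """True iff only the web VM reaches MySQL on the DB VM while other LAN traffic still flows."""
    return (evaluate(rules, "tcp", "10.0.0.10", "10.0.0.20", 3306) == "pass"      # web -> db allowed
            and evaluate(rules, "tcp", "10.0.0.30", "10.0.0.20", 3306) == "block" # dev -> db blocked
            and evaluate(rules, "tcp", "10.0.0.30", "10.0.0.10", 80) == "pass")   # dev -> web allowed
```

Moving the "Default LAN Allow All" rule above the block rule makes `ruleset_enforces_policy` return False, which is exactly the misconfiguration the ordering notes above guard against.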

5. Configure Client Virtual Machines

Other VMs need to be configured to use the virtual firewall as a gateway:

  • Network: Assign their network card to vmbr1 (virtual LAN).
  • Gateway: Set the Gateway to the OPNsense/pfSense LAN IP (10.0.0.1).
  • DNS: Set DNS to 10.0.0.1 or public DNS.

Example on Ubuntu client VM (edit /etc/netplan/*.yaml):

network:
  ethernets:
    eth0:
      dhcp4: no
      addresses: [10.0.0.10/24] # Static IP
      routes:
        - to: default
          via: 10.0.0.1 # OPNsense/pfSense Gateway
      nameservers:
        addresses: [10.0.0.1, 8.8.8.8]
  version: 2

Apply: sudo netplan apply

With this, all client VM traffic will pass through OPNsense/pfSense, and all rules you set will be applied. You have successfully created a powerful and flexible security layer.

Conclusion

So, together we have “solved” the problem of virtual network security, from long nights wrestling with alerts to manually building a robust virtual firewall/router system. Personally, after deploying OPNsense on my Proxmox homelab, I not only sleep better but also feel much more secure when experimenting with new services.

Configuring a virtual firewall and routing with OPNsense/pfSense in a KVM/Proxmox environment is not just about adding another layer of security. It gives you a comprehensive view and deeper control over the data flow within your system. From network segmentation that reduces risk, to setting detailed rules to ensure only valid traffic is allowed – it’s all within your reach.

This is a big step forward. It helps you build a virtual infrastructure that is both powerful and secure, ready for even the “craziest” ideas in your homelab. More importantly, it also protects critical applications in your production environment. Continue exploring other features of OPNsense/pfSense such as VPN, IDS/IPS to optimize your system!
