pfSense on VirtualBox
I’ve been experimenting with pfSense (firewall software you can use for DIY routers). Following this guide by Get Labs Done, I was able to install pfSense in a VirtualBox virtual machine in Windows 10 (with hypervisor disabled). If you do this, keep in mind this should be done purely for development/testing purposes and not used as your network’s gateway.
Setting up Two Networks on VirtualBox
Essentially, you install pfSense as a virtual machine with two network cards, the first being a bridge to your physical network, and the second being internal.
When booted, pfSense will detect both cards. The “WAN” side (the side facing the internet) will be your actual physical network (i.e., behind my home physical router, so something like 192.168.X.X), while the “LAN” side will be a VLAN (in the example 10.1.1.1/24) where you can connect clients. You then install a second virtual machine and set it up with the pfSense virtual router, 10.1.1.1, as its gateway on that network. You run both virtual machines simultaneously, which can be a load on your host PC.
SSH and Browser Access to pfSense From Windows Host
What stumped me was how to SSH into the box from my Windows host machine, or even how to access the pfSense web interface from the host. The Get Labs Done tutorial has you accessing the pfSense VM through the browser on the second VM using the 10.1.1.1 network.
After opening up the SSH port through the command line on the pfSense box using “ufw allow 22”, SSH was still blocked. I then realized pfSense itself must be blocking it.
Disable the pfSense Private Network Block
The secret to enabling SSH from your host to pfSense is to disable pfSense’s blocked private network firewall rule (I’m sure there are security reasons for this rule, but as mentioned above, do this only on a development setup, not if you are actually using the pfSense install as a network gateway):
- After setting up pfSense using this guide, log into pfSense using the browser in the second VM you set up using the guide, which is on the LAN (10.1.1.1) side of the network.
- Select Interfaces->WAN.
- Scroll down to “Reserved Networks” and uncheck “Block Private Networks and Loopback Addresses”. Save.
- That’s it. You should now be able to SSH into the WAN side (i.e., 192.168.X.X) at the IP address shown in the pfSense menu.
- In addition, on your Windows host, you can go to the same address using your browser (https://192.168.0.19 in my case) and log into pfSense.
- After setting this up, I was able to make my first pfSense VM instance headless, and shut down my second VM instance to lighten the load on my PC, while still having full access to pfSense using my browser and SSH.
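To confirm from the Windows host whether SSH and the web interface are reachable on the WAN address, and whether a failure looks like a firewall drop or a service that is not running, here is an added example that is not part of the original post. The host address 192.168.0.50 and the function names are constructed for illustration; 192.168.0.19 is the WAN address mentioned above.

```python
import ipaddress
import socket

# IPv4 source ranges covered by "Block Private Networks and Loopback Addresses"
# (RFC 1918 plus loopback); listed here as an assumption for illustration.
BLOCKED_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def source_is_blocked(src_ip):
    """True if a packet from src_ip would match the reserved-networks block."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in BLOCKED_SOURCES)

def probe(host, port, timeout=5.0):
    """Classify a TCP port as 'open', 'closed' or 'filtered'.

    'closed' means the connection attempt was actively refused;
    'filtered' means no reply at all, which is how a silent firewall drop looks.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)  # generous: Windows retries a refused connect for ~2 s
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and "host unreachable"
        return "filtered"
    finally:
        s.close()

def diagnose(src_ip, wan_ip, ports=(22, 443), timeout=5.0):
    """Probe each port and attach a hint about where to look next."""
    report = {}
    for port in ports:
        state = probe(wan_ip, port, timeout)
        if state == "open":
            hint = "reachable from this host"
        elif state == "closed":
            hint = "connection refused: check that the service is running"
        elif source_is_blocked(src_ip):
            hint = "private source, no reply: check the WAN reserved-networks block and pass rules"
        else:
            hint = "no reply: check WAN pass rules and routing"
        report[port] = (state, hint)
    return report

if __name__ == "__main__":
    # 192.168.0.19 is the WAN address from the post; 192.168.0.50 is a constructed host address.
    for port, (state, hint) in diagnose("192.168.0.50", "192.168.0.19").items():
        print(f"tcp/{port}: {state} ({hint})")
```

Run it once before and once after changing the WAN setting: a port that moves from `filtered` to `open` confirms the firewall was dropping the traffic, while `closed` points at the service rather than the firewall.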