I installed pfSense as a KVM guest using a variety of sources. The basic installation is pretty simple. I used a Crosstalk Solutions video to guide me.
One issue was that permanent IP reservations are implemented differently from typical home routers. Static (permanent) IP addresses can’t be part of the DHCP address pool. Permanent addresses are assigned as static addresses in a different range. However, they will still be handed to the client by DHCP. This made it difficult to keep permanent assignments, so my servers all got new IP addresses. Ugh.
Another issue is how to dedicate two new 1 Gbps NICs to the pfSense machine. I opted to use the passthrough option for them when I created the virtual guest. They both negotiated at 100 Mbps/full duplex. The LAN side should have negotiated at 1 Gbps, which is an open issue.
My Ubuntu/KVM drive is a single 256MB Kingston SSD. Since it’s not mirrored, I need a good backup plan.
Dynamic DNS
Since my home IP address is not static, I need to use Dynamic DNS to update my NameCheap domain (lynnhargrove.com) when my IP address changes. I set up a CNAME record that points host www at lynnhargrove.com and an A record that points host @ at 98.174.184.138. I used a NameCheap forum post to configure NameCheap and pfSense for DDNS; however, I was unable to successfully test the update process.
NAT/Port Forwarding
Port forwarding is under Firewall/NAT in pfSense. When you create a port forward entry, a corresponding firewall rule is written to allow the port through. What was not obvious is that, to reach a forwarded port from inside the LAN using the public address, you must enable NAT reflection for port forwards under System/Advanced/Firewall & NAT/Network Address Translation. Of the two choices, Pure NAT didn’t work, but NAT + proxy did.
Unable to Get IP Address for Host Adapter
There may be a better way to configure networking, but I have a guest VM (pfSense) serving DHCP to the KVM host. Obviously, pfSense is not available when KVM starts, so the KVM host doesn’t get an IP address. It seems to eventually resolve. I configured a static address in /etc/network/interfaces, but that didn’t help. I added this to the root crontab:
sudo crontab -e
# wait five minutes after boot so the pfSense guest is up, then request a lease
@reboot sleep 300 && dhclient
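As an added example (not code from the original post), here is a script that replaces the fixed five-minute sleep with polling for the pfSense guest and only then calls dhclient. It assumes the host's LAN-side interface is br0 and pfSense's LAN address is 192.168.1.1; both are assumptions and can be overridden via IFACE and GATEWAY.

```shell
#!/bin/sh
# Added example (not from the original post): poll for the pfSense guest
# instead of a fixed 'sleep 300', then run dhclient once it answers.
# Assumptions: the host's LAN-side interface is br0 and pfSense's LAN
# address is 192.168.1.1; override with IFACE=... GATEWAY=... if different.
IFACE="${IFACE:-br0}"
GATEWAY="${GATEWAY:-192.168.1.1}"
INTERVAL="${INTERVAL:-1}"   # seconds between retries

# probe_gateway HOST: succeed (exit 0) if a single ping reaches HOST
probe_gateway() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# wait_for TRIES CMD [ARGS...]: run CMD up to TRIES times, INTERVAL seconds
# apart; return 0 as soon as CMD succeeds, 1 if it never does
wait_for() {
    tries="$1"
    shift
    while [ "$tries" -gt 0 ]; do
        if "$@"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep "$INTERVAL"
    done
    return 1
}

# main: wait up to 300 tries (about 5 minutes) for the gateway, then
# request a lease on the LAN-side interface; log and fail if it never appears
main() {
    if wait_for 300 probe_gateway "$GATEWAY"; then
        dhclient "$IFACE"
    else
        logger -t wait-for-pfsense "gateway $GATEWAY unreachable, giving up"
        return 1
    fi
}

# Only act when invoked as: wait-for-pfsense.sh run
# (so the functions can also be sourced without side effects).
case "${1:-}" in
    run) main ;;
esac
```

Install it as root (the path /usr/local/sbin/wait-for-pfsense.sh is an assumption) and replace the crontab line with `@reboot /usr/local/sbin/wait-for-pfsense.sh run`.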