Deploying pfSense in Virtual Environments
Virtualizing pfSense enables infrastructure consolidation, simplified backups, and the ability to run multiple isolated instances on a single physical host. This guide covers all major virtualization platforms with emphasis on network configuration - the critical factor that determines stability and throughput of a virtual router.
Minimum requirements for a pfSense virtual machine: 1 GB RAM (2 GB or more recommended when running Suricata/Snort), 8 GB disk space, and at least two network interfaces (WAN and LAN). For routing at speeds above 1 Gbps, allocate 2 or more vCPUs.
VMware ESXi
Creating the Virtual Machine
When creating a VM in ESXi, set the guest OS type to Other - FreeBSD 14 (64-bit). pfSense is based on FreeBSD, so selecting the correct OS type ensures proper VMware Tools compatibility and optimal default VM settings.
Recommended parameters:
| Parameter | Value |
|---|---|
| vCPU | 2 (minimum 1) |
| RAM | 2048 MB |
| Disk | 16 GB, Thin Provisioning |
| SCSI Controller | LSI Logic SAS or pvscsi |
| Network Adapter | VMXNET3 |
Network Adapters: VMXNET3 vs E1000
VMXNET3 is VMware’s paravirtual network adapter delivering maximum performance. pfSense includes the vmx(4) driver for VMXNET3, which supports hardware checksums, TSO (TCP Segmentation Offload), and RSS (Receive Side Scaling). This is the recommended adapter type for all production deployments.
E1000 emulates an Intel 82545EM adapter. It serves as a fallback option when compatibility issues arise. E1000 performance is substantially lower than VMXNET3 - the difference becomes pronounced at loads exceeding 500 Mbps.
Important: changing the adapter type on an already-configured VM may cause pfSense interfaces to be renamed (for example, em0 becomes vmx0). After changing adapter types, reassign interfaces through the console menu (option 1 - Assign Interfaces).
ESXi Network Configuration
Create separate virtual switches (vSwitch) or port groups for WAN and LAN. Verify the following:
- For the WAN port group, enable Promiscuous Mode: Accept if pfSense needs to see traffic destined to MAC addresses other than its own
- For VLAN trunk port groups, set the VLAN ID to 4095 (All)
- Enable Forged Transmits: Accept on port groups where pfSense performs NAT
ESXi Console Access
Access the pfSense console through vSphere using Web Console (HTML5) or VMRC. If the console does not display the pfSense menu:
- Verify the VM console type is set to VNC or VMRC
- Confirm that the serial port is not enabled if you are using the graphical console
- Press the spacebar during pfSense boot to interrupt autoboot - this helps diagnose bootloader issues
Proxmox VE
Creating the Virtual Machine
In Proxmox VE, create a VM with OS type Other and version Generic. Recommended parameters:
| Parameter | Value |
|---|---|
| CPU | 2 cores, type host |
| RAM | 2048 MB |
| Disk | 16 GB, VirtIO Block (virtio-blk) |
| Network | VirtIO (virtio-net) |
| Display | VirtIO-GPU or Std VGA |
VirtIO and Performance
pfSense supports VirtIO drivers (virtio_net, virtio_blk) since version 2.4. VirtIO provides near-native I/O performance, making it the optimal choice for Proxmox deployments.
If pfSense does not detect the VirtIO disk during installation, temporarily switch the controller to IDE or SATA, complete the installation, then add a VirtIO disk and migrate the installation to it.
QEMU Guest Agent
Install the qemu-guest-agent package through the pfSense package manager for proper Proxmox integration:
- Navigate to System - Package Manager - Available Packages
- Search for and install QEMU Guest Agent
- In the Proxmox VM settings, enable the QEMU Guest Agent option
The Guest Agent enables graceful VM shutdown when stopped from the Proxmox interface, filesystem freeze during snapshots, and IP address reporting to the Proxmox management interface.
PCI Passthrough
For maximum network performance, you can pass a physical network adapter directly to the pfSense VM:
- Enable IOMMU in the server BIOS/UEFI (Intel VT-d or AMD-Vi)
- Add kernel parameters to `/etc/default/grub`:

```
# For Intel
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"
# For AMD
GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on"
```

- Update GRUB and reboot the server
- In the VM settings, add a PCI device via Hardware - Add - PCI Device
- Select the desired network adapter and enable All Functions for multi-port cards
Warning: PCI passthrough binds the VM to a specific physical host, making live migration impossible. Use passthrough only for the WAN interface where performance is critical.
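Before assigning the adapter, it helps to confirm that the IOMMU is actually active and to see which devices share the adapter's IOMMU group, since devices in one group cannot be isolated from each other. The following is an added example, not part of the original guide; the function names and the PCI addresses in the constructed sample tree are assumptions.

```python
import tempfile
from pathlib import Path


def iommu_groups(sysfs="/sys"):
    """Map IOMMU group number -> sorted PCI addresses, read from sysfs."""
    base = Path(sysfs, "kernel/iommu_groups")
    if not base.is_dir():
        return {}
    return {int(g.name): sorted(d.name for d in (g / "devices").iterdir())
            for g in base.iterdir() if g.name.isdigit()}


def group_peers(pci_addr, sysfs="/sys"):
    """Return (group, other devices in that group) for pci_addr.

    Raises RuntimeError when no groups exist (IOMMU disabled in firmware or
    missing from the kernel command line), LookupError for an unknown device.
    """
    groups = iommu_groups(sysfs)
    if not groups:
        raise RuntimeError("no IOMMU groups: check VT-d/AMD-Vi and the GRUB parameters")
    for num, devs in groups.items():
        if pci_addr in devs:
            return num, [d for d in devs if d != pci_addr]
    raise LookupError(f"{pci_addr} is not in any IOMMU group")


def build_sample_sysfs(root):
    """Constructed sample: dual-port NIC in group 14, another device in group 15."""
    layout = {14: ["0000:03:00.0", "0000:03:00.1"], 15: ["0000:04:00.0"]}
    for num, devs in layout.items():
        for dev in devs:
            Path(root, "kernel/iommu_groups", str(num), "devices", dev).mkdir(parents=True)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Port 0 of the sample NIC shares group 14 with port 1.
        print(group_peers("0000:03:00.0", build_sample_sysfs(tmp)))
```

On a real host, call `group_peers()` with the adapter's full PCI address and the default `/sys` root; a non-empty peer list means those devices move to the VM together with the adapter.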
Hyper-V
Creating the Virtual Machine
Hyper-V supports pfSense with certain limitations. Create a Generation 1 VM (Generation 2 is not supported by pfSense due to its UEFI bootloader being incompatible with FreeBSD).
Recommended parameters:
| Parameter | Value |
|---|---|
| Generation | Generation 1 |
| vCPU | 2 |
| RAM | 2048 MB (static memory) |
| Disk | 16 GB, VHDX |
| Network Adapter | Synthetic adapter (default) |
Integration Services
pfSense supports Hyper-V Integration Services (BIS - BSD Integration Services) since FreeBSD 10. For proper operation:
- Ensure Integration Services are enabled in the VM settings
- pfSense automatically loads the hv_vmbus, hv_storvsc, and hv_netvsc modules
- Synthetic network adapters provide acceptable performance under standard workloads
Legacy Adapters
If pfSense does not detect the synthetic adapter during installation, add a Legacy Network Adapter in the VM hardware settings. The Legacy adapter emulates an Intel 21140 (DEC Tulip) and is guaranteed to be supported, but its performance is significantly lower than the synthetic adapter. After completing installation, replace the Legacy adapter with a synthetic one.
Tip: disable Dynamic Memory for pfSense VMs. Dynamic memory allocation can cause service instability, particularly with Suricata and ntopng.
KVM/QEMU
Installation with virt-install
To create a pfSense VM on KVM, use virt-install:
```
virt-install \
  --name pfsense \
  --ram 2048 \
  --vcpus 2 \
  --cpu host \
  --os-variant freebsd14.0 \
  --disk path=/var/lib/libvirt/images/pfsense.qcow2,size=16,bus=virtio \
  --network bridge=br-wan,model=virtio \
  --network bridge=br-lan,model=virtio \
  --graphics vnc,listen=0.0.0.0 \
  --cdrom /path/to/pfSense-CE-2.7.2-RELEASE-amd64.iso \
  --boot cdrom
```

Key parameters:
- `--cpu host` passes the full host CPU instruction set to the VM, including AES-NI
- `--os-variant freebsd14.0` configures optimal VM defaults for FreeBSD
- `model=virtio` for network adapters delivers maximum throughput
- `bus=virtio` for disks enables paravirtual I/O
VirtIO and Optimization
KVM with VirtIO delivers near-bare-metal performance. Additional optimizations:
- Enable vhost-net to offload network processing from QEMU to the host kernel
- Use macvtap instead of a Linux bridge when direct access to the physical interface is needed
- For NUMA servers, pin vCPUs to cores within a single NUMA node using `numactl` or `virsh vcpupin`
VirtualBox
VirtualBox is suitable for lab and testing deployments of pfSense. For production use, ESXi, Proxmox, or KVM are recommended.
Virtual Machine Setup
- Create a VM with type BSD - FreeBSD (64-bit)
- Allocate at least 1024 MB RAM and 8 GB disk space
- Add two network adapters:
- Adapter 1 (WAN): NAT or Bridged mode (for internet access)
- Adapter 2 (LAN): Internal Network or Host-Only mode
- Adapter type: Intel PRO/1000 MT Desktop (82540EM) - supported without additional drivers
- Under System - Acceleration, ensure VT-x/AMD-V and Nested Paging are enabled
Limitation: VirtualBox does not support VirtIO for network adapters in FreeBSD guests. Use emulated Intel E1000 adapters.
Cloud Platforms
AWS
pfSense is available in the AWS Marketplace as an AMI (Netgate pfSense Plus). Deployment considerations:
- Select an instance type with Enhanced Networking (ENA) support - c5.large or larger is recommended
- Create at least two Elastic Network Interfaces (ENI): one for WAN (public subnet), one for LAN (private subnet)
- Security Groups are applied on top of pfSense rules - account for this during troubleshooting
- Disable Source/Dest Check on the ENI for proper routing
Azure
In Azure, pfSense is deployed from the Azure Marketplace (Netgate pfSense Plus):
- Recommended VM size: Standard_D2s_v3 or larger
- Create two network interfaces (NIC) in separate subnets
- Enable IP Forwarding on both NICs
- Network Security Groups (NSG) operate in parallel with pfSense - for easier troubleshooting, create a permissive NSG and manage filtering through pfSense
Common Virtualization Issues
NIC Ordering
When adding or removing virtual network adapters, pfSense interface names and their ordering may change. This can cause WAN and LAN to swap. To resolve:
- Boot into the pfSense console
- Select 1) Assign Interfaces
- Reassign interfaces in the correct order, using MAC addresses as reference
To prevent this issue, record the MAC address of each virtual adapter when creating the VM.
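One way to record the adapters on a KVM host, as an added example that is not part of the original guide: it reads `virsh dumpxml` output, lists each MAC address with its bridge, reports drift against a recorded baseline, and also flags a console bound to a non-loopback address such as the `listen=0.0.0.0` in the virt-install command in the KVM/QEMU section. The function names, MAC addresses and sample XML are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: trimmed `virsh dumpxml pfsense` output for a VM built
# with the virt-install command in the KVM/QEMU section (MACs are made up).
SAMPLE_XML = """<domain type='kvm'><name>pfsense</name><devices>
  <interface type='bridge'><mac address='52:54:00:AA:00:01'/>
    <source bridge='br-wan'/><model type='virtio'/></interface>
  <interface type='bridge'><mac address='52:54:00:aa:00:02'/>
    <source bridge='br-lan'/><model type='virtio'/></interface>
  <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'>
    <listen type='address' address='0.0.0.0'/></graphics>
</devices></domain>"""


def nic_inventory(domain_xml):
    """Return [(mac, bridge, model), ...] in document order."""
    nics = []
    for nic in ET.fromstring(domain_xml).iterfind("./devices/interface"):
        src, model = nic.find("source"), nic.find("model")
        nics.append((nic.find("mac").get("address").lower(),
                     src.get("bridge") if src is not None else None,
                     model.get("type") if model is not None else None))
    return nics


def nic_drift(baseline, current):
    """Describe differences between a recorded inventory and the current one."""
    old = {mac: br for mac, br, _ in baseline}
    new = {mac: br for mac, br, _ in current}
    out = [f"{m}: {old[m]} -> {new[m]}" for m in old if m in new and old[m] != new[m]]
    out += [f"{m}: removed (was on {old[m]})" for m in old if m not in new]
    out += [f"{m}: added on {new[m]}" for m in new if m not in old]
    return out


def exposed_consoles(domain_xml):
    """Return (type, address) for consoles bound to a non-loopback IP literal."""
    found = []
    for gfx in ET.fromstring(domain_xml).iterfind("./devices/graphics"):
        addrs = {gfx.get("listen")} | {el.get("address") for el in gfx.iterfind("listen")}
        for addr in sorted(a for a in addrs if a):
            if not ipaddress.ip_address(addr).is_loopback:
                found.append((gfx.get("type"), addr))
    return found


if __name__ == "__main__":
    print(nic_inventory(SAMPLE_XML))
    print(exposed_consoles(SAMPLE_XML))
```

Store the inventory taken at VM creation and pass it as `baseline` after any hardware change; a bridge that moved between two MAC addresses is the WAN/LAN swap described above.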
Console Type
If the VM console shows a blank screen or rendering artifacts:
- In ESXi, switch the Video Card to SVGA with sufficient video memory
- In Proxmox, use VirtIO-GPU or Default (Std VGA) display type
- In KVM, verify the `--graphics` parameter is set correctly (vnc or spice)
- For headless servers, configure serial console: add `console=comconsole` to `/boot/loader.conf` in the pfSense bootloader
AES-NI Passthrough
AES-NI instructions are required for hardware-accelerated VPN encryption (IPsec, OpenVPN). To pass AES-NI to the virtual machine:
- ESXi: enabled automatically with CPU type host or by explicitly enabling AES-NI in VM settings
- Proxmox/KVM: use CPU type host (`--cpu host` in virt-install or `cpu: host` in VM configuration)
- Hyper-V: AES-NI is transparently proxied to the guest OS
- VirtualBox: supported when VT-x and Nested Paging are enabled
Verify AES-NI availability in pfSense: System - Advanced - Miscellaneous or via console with dmesg | grep -i aes.
Performance Tuning
General recommendations for all hypervisors:
- Disable offloading in pfSense if experiencing performance issues or packet loss: System - Advanced - Networking, uncheck Hardware Checksum Offload, Hardware TCP Segmentation Offload, and Hardware Large Receive Offload
- Allocate fixed RAM instead of dynamic - pfSense is sensitive to changes in available memory
- Use paravirtual adapters (VMXNET3, VirtIO) wherever possible
- Avoid over-provisioning - pfSense runs efficiently with 2 vCPUs and 2 GB RAM for most workloads
For additional network configuration details, see the firewall rules section. For VPN setup on a virtualized pfSense, refer to the VPN section. General installation topics are covered in the pfSense installation guide.