June 5, 2023

Implementing Hyper-V virtual networks routing with Netgate pfSense 2.6.0

By Roger Carvalho

This entry is part [part not set] of 3 in the series Virtual switches and routing in Hyper-V

Virtual switches and routing in Hyper-V (Posts)

Implementing Hyper-V virtual networks routing with Netgate pfSense 2.6.0
Implementing Hyper-V virtual networks routing with MikroTik Cloud Hosted Router (CHR) 7.9.2
Virtual switches and routing in Hyper-V – Overview and Summary

Welcome to the next installment of our series on virtual switches and routing in Hyper-V. In this post, we will explore another powerful routing option: implementing virtual network routing with Netgate pfSense 2.6.0. As part of this series, we aim to provide you with a comprehensive understanding of different routing possibilities in Hyper-V, empowering you to make informed decisions when configuring your virtualized network environments.

Routing is a critical component of virtualized environments, enabling communication between virtual networks and external networks. Netgate pfSense, renowned for its feature-rich capabilities and robust routing functionalities, serves as an excellent choice for virtual network routing in Hyper-V. In this post, we will focus on Netgate pfSense version 2.6.0 as a solution for routing between virtual networks within Hyper-V.

Technology Overview

The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality. pfSense software, with the help of the package system, is able to provide the same functionality or more of common commercial firewalls, without any of the artificial limitations. It has successfully replaced every big name commercial firewall you can imagine in numerous installations around the world, including Check Point, Cisco PIX, Cisco ASA, Juniper, Sonicwall, Netgear, Watchguard, Astaro, and more.

pfSense software includes a web interface for the configuration of all included components. There is no need for any UNIX knowledge, no need to use the command line for anything, and no need to ever manually edit any rule sets. Users familiar with commercial firewalls catch on to the web interface quickly, though there can be a learning curve for users not familiar with commercial-grade firewalls.

Solution Overview

Our Hyper-V has 3 Virtual Switches:

LAB (External): connected to External network (physical NIC/network connection), with access to the Internet, allowing management operating system to share that network adapter. IP configuration is automatically set by DHCP in that physical network.
LAB (Private A): disconnected from any physical network. It will be the virtual switch for network 192.168.1.0/24.
LAB (Private B): disconnected from any physical network. It will be the virtual switch for network 192.168.2.0/24.

Virtual Machines are connected to private networks Private 1 (A) and Private 2 (B).
Network segmentation must be preserved.
Flexible network topology is required, so additional virtual networks can be added later.
Interconnectivity between Private Networks, and with the hypervisor (Hyper-V) host needs to be established.
Virtual Machines connected only to private networks require accessing the Internet to download updates

Solution Blueprint

System Requirements

Hyper-V Host: if you do not have it installed yet, you can find how to do it on Step-By-Step: Turning on Hyper-V on Windows 11
pfSense Community Edition 2.6.0 DVD (ISO) image (download): it supports the x86 64-bit architecture and can be used on most of the popular hypervisors such as VMWare, Hyper-V, VirtualBox, KVM, and others.
7-zip (download): a software that can compress and decompress files in various formats.
Host CPU: 64-bit compatible CPU
RAM: 512MB or more
Disk: 8GB disk space
At least one compatible network interface (1 interface isn’t very practical)

The bare minimum to run pfSense is 512 MB of RAM. The recommended amount is 1 GB of RAM. We wouldn’t recommend running pfSense on 512 MB RAM in any serious project.

Implementation

For this exercise, we created a Hyper-V virtual machine with the following configuration:
Name: RT-PFSENSE260-01
Generation: Generation 2
BIOS: Startup order: Hard Drive, DVD Drive, Network Adapters
Security: Secure Boot DISABLED
Memory: 1024 MB
Processor: Number of virtual processors: 2
SCSI Controller: Hard drive (10GB, Dynamically expanding) / DVD Drive
Network Adapters:
1) Connected to Virtual Switch LAB (External)
2) Connected to Virtual Switch LAB (Private A)
3) Connected to Virtual Switch LAB (Private B)

1. On your lab machine running Hyper-V, access "https://www.pfsense.org/download/" in a browser, select the architecture "AMD64 (64-bit)", installer "DVD Image (ISO) Installer" and mirror closer to your region, and click "Download"
2. Click "Save as" to download the compacted pfSense ISO image
3. Choose a temporary location for saving the compacted pfSense ISO image and click "Save"
4. Open 7-zip, browse to the location where you saved the compacted pfSense ISO image, select it and click "Extract"
5. Choose a path to extract the pfSense ISO image and click "OK"
6. Open the Hyper-V Manager console, select the virtual machine created to be the pfSense router and click "Settings"
7. Click the virtual machine's "DVD Drive", then select "Image file" and click "Browse" to search for the extracted pfSense ISO image
8. Navigate to the location where you extracted the pfSense ISO image, select it and click "Open"
9. Click "OK" to save the modifications to the virtual machine settings
10. With the virtual machine created to be the pfSense router selected, click "Connect..."
11. On virtual machine console, click "Start" to power it on
12. pfSense installation will load automatically
13. After reading the "Copyright and Trademark Notices", accept them by pressing "Enter"
14. Make sure the option "Install" is selected, and press "Enter"
15. Select the proper keyboard map or simply press "Enter" to configure pfSense with the default/stardard "US"
16. With option "Auto (ZFS)" selected, press "Enter" to continue
17. Review the "ZFS Configuration" and press "Enter" to continue
18. As no disk RAID is being configured, select option "stripe" and press "Enter"
19. Press the "space bar" to select your virtual machine's disk and then press "Enter"
20. Confirm the (re)partitioning by selecting "YES" and pressing "Enter"
21. Finally, pfSense installation starts
22. When pfSense installation completes, select "No" and press "Enter"
23. Select "Reboot" and press "Enter" to restart your pfSense router virtual machine. Eject/umount the installation media manually if needed
24. When the virtual machine restarts, configuration wizard is launched. Answer "n" and press "Enter" to skip VLANs set up
25. See the list of identified network interfaces, type the identification for your interface connected to the External Hyper-V virtual switch and press "Enter"
26. Press "Enter" without entering any information for other network interfaces, we will configure them via the Web GUI later
27. Type "y" and press "Enter" to finalize pfSense initial network configuration
28. The pfSense network configuration script will run for a while, please be patient
29. Our network interface connected to our External Hyper-V Virtual Switch gets its network configuration from DHCP server in the physical network where our Hyper-V host is connected. Take note of the automatically assigned IP address
30. Back to the browser of your Hyper-V host, navigate to "https://pfSenseWANIPAddress", where "pfSenseWANIPAddress" is the IP Address that you took note in the previous step. Enter username "admin", password "pfsense" and click "SIGN IN"
31. pfSense GUI loads and informs our user's password should be changed as we are using the default value, click "Change the password in the User Manager"
32. Type a new secure password and its confirmation
33. Scroll down and click "Save" to proceed with the password change
34. Click "Interfaces", and then "Assignments"
35. Select the "Available network port" corresponding to your first internal network interface, connected to Hyper-V virtual switch LAB Private A, and click "+ Add"
36. Click "LAN" to configure the network port that you just added
37. Select "Enable interface", rename your network port to a more meaningful "Description", like PrivateA, select "Static IPv4" in "IPv4 Configuration Type", and finally enter your first internal (LAB Private A) "IPv4 Address" and "CIDR"
38. Scroll down that page and click to "Save" the changes you just performed in the previous step
39. Click "Apply Changes" to reload your pfSense router with new added configuration. When you do this, after a couple of seconds, pfSense will completely disable the access through the WAN/External network interface. That is a best practice to only allow access via internal network interfaces, but in our LAB, as we do not have yet any system with GUI, we want to temporarily keep the access via WAN/External network interface. Let's proceed quickly with next steps before pfSense disconnects us from the configuration GUI
40. Click "Firewall", and "Rules"
41. Click the first "Add" to create a new Firewall Rule for WAN (External)
42. Enter the network IP address (ID) and CIDR of your physical network where your Hyper-V host and External virtual switch are connected and click "Save", that ensures we still can access our pfSense router configuration via that network interface
43. Click "Apply Changes" to reload your pfSense router with new added configuration
44. Click "Interfaces", and then "Assignments" to configure your last network interface connected to the second internal Hyper-V virtual switch "LAB (Private B)"
45. Select that last "Available network port" connected to Hyper-V virtual switch LAB (Private B), and click "+ Add"
46. Click "OPT" to configure the network port that you just added
47. Select "Enable interface", rename your network port to a more meaningful "Description", such as PrivateB, select "Static IPv4" in "IPv4 Configuration Type", and finally enter your second internal (LAB Private B) "IPv4 Address" and "CIDR"
48. Scroll down that page and click to "Save" the changes you just performed in the previous step
49. Click "Apply Changes" to reload your pfSense router with new added configuration
50. Click "Firewall" and then "Rules" once again
51. Click "PRIVATEA" or whatever name that you gave to the first private network connection
52. Note that there are 2 rules that permit network traffic routing for that network, click the "Copy" icon in front of the rule with description "Default allow LAN to any rule"
53. Change "Interface" to be "PRIVATEB" or whatever name that you gave to the second private network connection and "Source" as well to "PRIVATEB net", then click "Save"
54. Click "Apply Changes" to reload your pfSense router with new added configuration
55. Click again "PRIVATEA" or whatever name that you gave to the first private network connection
56. Click the "Copy" icon in front of the rule with description "Default allow LAN IPv6 to any rule"
57. Change "Interface" to be "PRIVATEB" or whatever name that you gave to the second private network connection and "Source" as well to "PRIVATEB net", then click "Save"
58. Click "Apply Changes" to reload your pfSense router with new added configuration
59. Click one more time "PRIVATEA" or whatever name that you gave to the first private network connection
60. Click the "Cogwheel" icon in front of rule with description "Anti-Lockout Rule"
61. As in our lab we have configured a Firewall Rule to allow access to pfSense GUI via WAN (External) network interface, we can "Disable webConfigurator anti-lockout rule"
62. We can also "Password protect the console menu" of our pfSense router virtual machine and click "Save" to apply those changes
63. pfSense confirms the changes were accept and reload automatically the configuration GUI
64. When we check now our pfSense router virtual machine console, we see that authentication is needed to be able to manage it via the console

Testing and Validation

1. Make sure you are on a machine connected only to "Private A" virtual switch by typing the following commands and pressing "Enter" after them: "[Environment]::MachineName" and "Get-NetIPConfiguration", validating your network configuration. Command "Invoke-RestMethod -Uri http://ipconfig.me" should return your external IP address if routing is working properly and machine now has access to the internet.
2. Try pinging the IP addresses of the router's network interface connected to the same virtual switch (Private A) as your first test machine, then try pinging a second test machine connected to the other virtual switch (Private B), finally try pinging external addresses in the internet, such as "8.8.8.8" or "oakit.cloud"
3. Last test could be "Invoke-RestMethod -Uri https://loripsum.net/api" to validate the routing of TCP traffic, as we only validated UDP traffic routing in previous step
4. Now, make sure you are on a machine connected only to "Private B" virtual switch by typing the following commands and pressing "Enter" after them: "[Environment]::MachineName" and "Get-NetIPConfiguration", validating your network configuration. Command "Invoke-RestMethod -Uri http://ipconfig.me" should return your external IP address if routing is working properly and machine now has access to the internet.
5. Try pinging the IP addresses of the router's network interface connected to the same virtual switch (Private B) as your second test machine, then try pinging the first test machine connected to the other virtual switch (Private A), finally try pinging external addresses in the internet, such as "8.8.8.8" or "oakit.cloud"
6. Last test could be "Invoke-RestMethod -Uri https://loripsum.net/api" to validate the routing of TCP traffic, as we only validated UDP traffic routing in previous step

Bottom Line

In this post, we have delved into the implementation of virtual network routing using Netgate pfSense 2.6.0 in Hyper-V. We encourage you to explore and experiment with these concepts in your own virtualized network environments. Your hands-on experience will enhance your understanding of how pfSense can elevate your network routing capabilities.

We greatly appreciate your feedback and value your input. If you have any questions, encounter challenges, or need further clarification, please don’t hesitate to reach out to us. Your feedback not only helps us improve this series but also contributes to the broader knowledge-sharing community.

Stay tuned for the upcoming posts in this series, where we will continue to explore various routing options in Hyper-V. We will provide practical examples and detailed discussions to further expand your knowledge and empower you to optimize your virtual network architecture.

Remember, with virtual switches and routing in Hyper-V, you have the ability to create resilient and efficient network infrastructures. Let’s continue this journey together, learning, implementing, and unlocking the full potential of Hyper-V’s routing capabilities using Netgate pfSense 2.6.0.

Series Navigation

Tagsrouting nat hyper-v tools lab