This article is about building and running a pfSense® virtual machineunder Microsoft Hyper-V. The guide applies to any Hyper-V version,desktop or server (this includes the standalone Hyper-V Server). Theguide explains how to install any major pfSense software version underHyper-V. Article covers the Hyper-V networking setup and pfSense softwarevirtual machine setup process. The guide does not cover how to installHyper-V or Windows Server. A basic, working, pfSense virtual machine willexist by the end of this article.
Note
If pfSense software will be used as a perimeter firewall for anorganization and the “attack surface” should be minimized, many will sayit is preferable to run it non-virtualized on stand-alone hardware. Thatis a decision for the user and/or organization to make, however. Nowback to the topic.
Sophos is a UTM, or a firewall. The other is a software router. One specializes in stopping the bad people from getting onto your network, the other forwards traffic between internetworks. PfSense - An open source firewall/router computer software distribution. Sophos - Human-engineered, AI-powered cybersecurity protection for your business and home.
Both pfsense and astaro are running NAT, but aren't behind NAT. I tried playing with that setting in a few different ways. Anytime I change the VPN ID the tunnel dies until I set the peer address to that same IP on the pfsense side. Fastvue Sophos connect to a pfSense to PFSense via ipsec, network is the ability The sophos is actually One of the critical the pfsense to set from Sophos UTM to the process of investigating trying to configure my - Reddit What Is VPN In 7 Simple Branch Office VPN configuration — Both to configure a VPN UTM need you help pfSense vs Sophos. I used the Sophos UTM9 product for a few years but outgrew the 50 IP address limitation so moved to pfSense. I really liked UTM and was never really happy with pfSense as I always felt UTM had a much better interface and the FW rules were more logically configured.
We’re going to start at the point where we have a Windows Server 2016with the Hyper-V role installed. If other VMs are already running onHyper-V, then it is not likely necessary to follow the networking stepstoo closely. However, we recommend skimming through it to see what issuggested before building the pfSense virtual machine part.
Assumptions¶
Hyper-V host is up and Hyper-V role has been installed.
The reader has an basic understanding of networking and Hyper-Vvirtualization
Basic Hyper-V Networking¶
To virtualize pfSense software, first create two VirtualSwitches via Hyper-V Manager. In the Hyper-V Manager open VirtualSwitch Manager from the Actions menu. Select Internal type ofvirtual switch and click Create Virtual Switch
Sophos Pfsense
Name the newly added switch LAN and select private network. Click apply.
Now create WAN switch the same way as LAN. Make sure Allow managementoperating system to share this network adapter is not selected if the host hasa dedicated NIC for WAN. For the purpose of this guide the management wasallowed, however production use requires a separate NIC for WAN. Click OK.
Creating the virtual machine¶
After creating WAN and LAN switches, we move to virtual machinecreation. Start the new virtual machine wizard add a name.
After clicking next select the appropriate virtual machine Generation:Generation 2.
Sophos Utm Vs Pfsense
On the Assign Memory step add enough of RAM this deployment. This guide uses1GB. 2GB is better if this VM will run multiple packages.
Next step is to Configure Networking, select WAN fromConnection drop-down menu. We will add LAN later.
On the next step select Create a virtual hard disk and assign 10-20GB to thefirewall. Larger disk size is required when running Squid caching.
Select Install an operating system from a bootable CD/DVD-ROM andbrowse to the pfSense installer ISO.
Review the virtual machine information and finish the wizard!
Open Settings of the newly created pfSense virtual machine and addanother network adapter. Select LAN virtual switch for theadapter.
Review the VM settings and make sure to have WAN and LAN switches selected undernetwork adapters
Installing pfSense Software¶
After successfully creating and configuring the pfSense virtual machine,it’s time to start it.
Wait for the virtual machine to boot up and press I to invokeinstaller.
Once installer boots up select the Quick/Easy Install and followthe installer steps.
When prompted, select the standard kernel and continue theinstallation.
After installation is complete, select reboot and eject the ISO.
First boot and interfaces assignment¶
The pfSense virtual machine should boot up quickly and prompt for interfaceassignments. Select N to not set up VLAN’s now.
In the following steps assign WAN and LAN interfaces to the appropriate networkadapters. The MAC address can be verified against the virtual machine settings.
After assigning interfaces, pfSense software will finish the boot-up.Verify both interfaces have the correct IP addresses.
Congratulations! The virtual machine is now running pfSense software onMicrosoft Hyper-V.
Guide under construction, may have minor errors
pfSense Appliance Guidance
The following outlines the best practices for choosing the appliance best suitable for your environment.
Feature Considerations
Pfsense Sophos Xg
Most features do not factor into hardware sizing, although a few will have a significant impact on hardware utilization:
VPN - Heavy use of any of the VPN services included in the pfSense software will increase CPU requirements. Encrypting and decrypting traffic is CPU intensive. The number of connections is much less of a concern than the throughput required. AES-NI acceleration of IPsec significantly reduces CPU requirements on platforms that support it.
Captive Portal - While the primary concern is typically throughput, environments with hundreds of simultaneous captive portal users (of which there are many) will require slightly more CPU power than recommended above.
Pfsense Sophos Sg
Large State Tables - State table entries require about 1 KB of RAM each. The default state table size is calculated based on 10% of the available RAM in the firewall. For example, a firewall with 1 GB of RAM will default to 100,000 states which when full would use about 100 MB of RAM. For large environments requiring state tables with several hundred thousand connections, or millions of connections, ensure adequate RAM is available.
Sophos Utm Pfsense Install
Packages - Some of the packages increase RAM requirements significantly. Snort and ntop are two that should not be installed on a system with less than 1GB RAM.