How to Install and Configure pfSense in VMware Workstation

In this guide, we will walk through the process of installing the pfSense open-source firewall (Community Edition) on a virtual machine using VMware Workstation Pro. We will configure a topology that includes a WAN connection and two separate LAN segments to simulate a realistic network environment.

Step 1: Network Topology and Design

Before installing, it is essential to understand the network layout we are building. The pfSense firewall will act as the central router connecting three networks:

WAN: Connected to the physical network (bridged) to receive internet access from your ISP/Home Router (e.g., 192.168.1.x).
LAN 1: A private network (10.1.1.0/24) hosting a Windows 11 client.
LAN 2: A second private network (10.2.2.0/24) hosting a Linux Mint client.

Step 2: Download and Virtual Machine Creation

1. Download pfSense

Visit pfsense.org and select the download option for the Community Edition (CE) ISO installer. You will need to add the "ISO for virtual machines" to your cart and complete a $0 checkout process to access the download link.

2. Create the Virtual Machine

In VMware Workstation Pro, create a new virtual machine using the downloaded ISO. Configure the hardware with at least:

Disk: 20 GB (Single file recommended).
RAM: 2 GB (1 GB is minimum, but 2 GB is recommended).
Processors: 1 Processor with multiple cores.

3. Configure Network Adapters

This is the most critical step. You need three distinct network adapters to match our topology:

Adapter 1 (WAN): Set to Bridged. This allows the VM to pull a real IP address from your physical network.
Adapter 2 (LAN 1): specific LAN Segment (e.g., "LAN Segment 1").
Adapter 3 (LAN 2): A separate LAN Segment (e.g., "LAN Segment 2").

Note: Ensure your client VMs (Windows 11 and Linux Mint) are assigned to LAN Segment 1 and LAN Segment 2 respectively to ensure they connect to the correct interface on the firewall.

Step 3: Installation via CLI

Power on the VM. Accept the distribution notice and choose "Install pfSense".

1. Interface Assignment

During boot, the installer will detect your interfaces (em0, em1, em2). You will be prompted to assign them:

WAN Interface: Select em0 (the bridged adapter).
LAN Interface: Select em1 (LAN Segment 1).

The installer will ask to configure the VAN/LAN network operation modes. Proceed with the defaults, select "Install CE" (Community Edition), use the "Auto (ZFS)" file system, and confirm the disk format. Once complete, reboot the system.

Step 4: Initial CLI Configuration

After the reboot, you will see the pfSense console menu. Currently, the LAN IP might default to 192.168.1.1, which we want to change.

1. Set LAN IP Address

Select option 2 (Set interface(s) IP address). Select the LAN interface (2) and configure it as follows:

IP Address: 10.1.1.1
Subnet Bit Count: 24
Gateway: Press Enter (None)
IPv6: None
Enable DHCP Server: Y (Yes)
Range: 10.1.1.100 to 10.1.1.199

Finally, select option 3 to reset the admin account password to something secure.

Step 5: Web Configuration Wizard

Switch to your Windows 11 VM (connected to LAN Segment 1). It should automatically receive an IP (e.g., 10.1.1.100) via DHCP.

Open a web browser and navigate to http://10.1.1.1. Log in with admin and your new password.

1. Setup Wizard

Run through the setup wizard:

Set Hostname and Domain.
Configure DNS servers (e.g., Cloudflare or Google).
Set the Timezone.
WAN Interface: Ensure "Block RFC1918 Private Networks" is unchecked since our WAN is actually a private local network.
LAN Interface: Confirm the IP is 10.1.1.1.

Step 6: Configuring the Second LAN Interface

We need to manually enable the third interface for the Linux Mint machine.

1. Assign Interface

Go to Interfaces > Assignments. You should see an available network port (em2). Click Add and then Save.

2. Configure IP and DHCP

Click on the new interface (OPT1), rename it to "LAN 2", and enable it. Set the IPv4 Configuration Type to Static IPv4 and assign the IP 10.2.2.1/24.

Navigate to Services > DHCP Server, select LAN 2, enable the server, and set a range (e.g., 10.2.2.100 to 10.2.2.199).

Step 7: Firewall Rules

By default, new LAN interfaces block all traffic. We need to add rules to allow connectivity.

1. Create Pass Rule

Go to Firewall > Rules and select LAN 2. Click Add.

Action: Pass
Interface: LAN 2
Protocol: Any (to allow web traffic, ping, etc.).
Source: LAN 2 Subnet
Destination: Any

Save and Apply Changes. Your Linux Mint machine on LAN 2 should now be able to ping the Windows machine and access the internet.

← Back to Guides Homepage