Friday, 11 September 2015

Virtualize your router using pfSense and Virtualbox


My Linksys router seems to be going flaky, or at least the WAN port (the end where the internet plugs in) isn't what it used to be. Replacing the unit would set me back a significant amount of cash, which is mainly due to me being snobbishly accustomed to having gigabit speeds on my home network. So instead of paying upward of 160 euros for a new consumer router, I started pondering the alternatives. My ideal set-up would be this baby from Soekris, but I'll reconsider that for home use after I win a lottery.
The second option turned out to be the mediacenter PC which I'm already running 24/7 anyway and which already has one of the two gigabit network ports I need. After ripping out the audio card (which got replaced by a totally awesome Behringer UCA 202), I had the free PCI slot I needed to plug in a second network interface so I could use my mediacenter as a router.
As you may recall, I'm running my mediacenter on Linux. Linux by itself is more than able to function as a home router, but I prefer to keep my base system as clean as possible: it runs the XBMC mediacenter on the 'bare metal' for performance's sake, and I delegate any networking functions to virtual machines. That way my other services stay nicely separated from the base system, for ease of administration as well as security.

A bridge too far?

Virtualizing a router is slightly more involved than a run-of-the-mill server. The virtual network cards need to behave as much like real physical ones as possible, which means juggling at least two ethernet bridges: one for the WAN side and one for the LAN side. This can be done using all manner of freely available virtualization tools, but I chose VirtualBox for the ease with which it can be configured. Initially I tried to use a combination of libvirt and qemu, but sadly pfSense wouldn't boot properly in that environment.
VirtualBox can import Open Virtualization Format appliances (.ova files, the same format VMware uses). These are ready-to-run complete virtual machines which can be installed into VirtualBox with just a few clicks of the mouse. I downloaded and imported the pfSense .ova file, taking care to set both virtual network interfaces to bridged mode, each onto its respective physical counterpart (the WAN one onto the NIC the cable modem plugs into, the LAN one onto the NIC facing the home network).

The tricky bit here is dealing with the MAC address on the virtual network interface on which your WAN link will connect. Many ISPs are extremely finicky about handing you an IP address. I'm on the Dutch Ziggo network myself, which apparently doesn't mind handing out an IP to whatever device you connect, but you will never get more than one address from them.
Although this may seem obvious, it was a bit of a snag for me to get this working properly. Only after I cloned the MAC address from the physical network card into the virtual one would the virtual adapter actually get an address at all. I'm not sure yet if this move is legal from a technical standpoint, as my PC now has two adapters with the same MAC address on the same link, which may or may not throw off the gateway device at Ziggo's end. The host's own IP stack remains attached to that physical interface, so leave it unconfigured on the WAN side (no IP address and no DHCP client of its own) to make sure the only frames carrying that MAC on the cable are the VM's. VirtualBox's ethernet bridging is simple to set up, but I found out it's nearly impossible to look under the hood to see what it's doing, so I guess I'll just wait for Ziggo's angry phone call to see if I'm doing anything wrong.
On the host machine, the MAC address of a network interface can be accessed using the ifconfig or ip addr command, which will result in output similar to this:
enp1s9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 576
        ether 64:70:02:14:3c:60  txqueuelen 1000  (Ethernet)
        RX packets 1525480  bytes 1306067047 (1.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 726486  bytes 97885684 (93.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
This is the output of ifconfig for the physical interface to which I connect my cable modem. The MAC address is on the second line, which starts with 'ether' (in the output of ip addr it is on the line starting with 'link/ether'). Copy that into the MAC address field of the virtual network adapter (VirtualBox's field takes the twelve hex digits without the colons), and your ISP is likely to treat your virtual and physical adapters as one and the same and provide your virtual appliance with an address.
Your particular ISP may be even more picky about MAC addresses, possibly requiring you to fake the address of the device they specifically authorized to connect, like a router of their own. In that case you'll need to set that address, which can often be found on a label stuck to the bottom of your device, on both the physical interface and the virtual one. Cable modems in particular tend to remember the first MAC address they saw on the ethernet side, so power-cycle the modem after changing the address on either interface, or you won't get a lease no matter how correct your configuration is.

Starting pfSense

After setting up your network interfaces, it's time to boot the VM and configure it. pfSense is essentially a custom distribution of FreeBSD, trimmed and tuned to perform as a network gateway device. Configuration is done initially from a text-based wizard on the machine's local console, which assigns the WAN and LAN interfaces and gets you up and running as far as base connectivity is concerned. Just answer the questions the system asks and you'll be good to go. After that, you can continue the configuration from pfSense's friendly web configurator, which is accessible on the LAN IP over https (192.168.1.1 by default). The default login is admin with password pfsense; change that password before you do anything else, since the web configurator controls your entire perimeter.
Once you have everything working properly, you'll most likely want to run your virtual router without being forced to have a window for it open at all times. VirtualBox supports this scenario with its VBoxHeadless command. You can start your pfSense router in the background by issuing the following command on the host machine:
VBoxHeadless -s "pfSense 2.1 i386" &
Be sure to add the ampersand at the end in order to not only start your VM, but also move the process into the background. If you don't, the VM will run but it'll hog your shell window, and you won't be able to close the shell window without stopping your VM at the same time, kind of defeating the purpose. Note that a plain ampersand only backgrounds the process: it is still a child of your shell and may be hung up along with it when you close the terminal, so wrap the command in nohup, run it inside screen or tmux, or start the VM with VBoxManage startvm "pfSense 2.1 i386" --type headless, which hands the VM off to the VirtualBox service and returns immediately. Allow a few minutes for the VM to properly boot, and then connect to the LAN IP address using a web browser to continue the configuration of pfSense itself.
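The whole procedure above (read the WAN NIC's MAC off the host, convert it to the format VBoxManage expects, bridge both virtual NICs onto their physical counterparts, clone the MAC into the VM and start it headless) can be scripted from the host shell instead of clicking through the VirtualBox GUI. The script below is an added example and not part of the original post; the interface names enp1s9 (WAN) and enp2s0 (LAN) and the VM name "pfSense 2.1 i386" are assumptions, so substitute your own. The MAC parsing and validation are kept in small functions that work on captured ifconfig or ip link output, so you can check them without root and without VirtualBox installed.

```shell
#!/bin/sh
# Added example (not from the original post): configure and start a bridged
# pfSense VM with VBoxManage instead of the GUI.
# Assumptions, not taken from the post: WAN NIC enp1s9, LAN NIC enp2s0,
# VM named "pfSense 2.1 i386".

# Pull the MAC out of `ip link show <iface>` or `ifconfig <iface>` output.
# Reads stdin so it can be run on captured output as well as live output.
mac_from_link_output() {
    awk '$1 == "link/ether" || $1 == "ether" { print $2; exit }'
}

# VBoxManage --macaddressN wants 12 hex digits with no separators.
vbox_mac() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Refuse anything that is not 12 hex digits, and refuse multicast addresses
# (least significant bit of the first octet set), which are never valid as a
# NIC's own address.
valid_vbox_mac() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{12}$' || return 1
    first_octet=$(printf '%s' "$1" | cut -c1-2)
    case "$first_octet" in
        ?[13579bdf]) return 1 ;;
    esac
    return 0
}

# Bridge NIC1 onto the WAN interface with the host's WAN MAC cloned into it,
# bridge NIC2 onto the LAN interface, then start the VM headless.
# VBoxManage startvm hands the VM to the VirtualBox service, so the VM is not
# a child of this shell and keeps running after the terminal closes.
configure_and_start() {
    vm=$1
    wan_if=$2
    lan_if=$3
    wan_mac=$(vbox_mac "$(ip link show "$wan_if" | mac_from_link_output)")
    if ! valid_vbox_mac "$wan_mac"; then
        echo "could not read a usable MAC address from $wan_if" >&2
        return 1
    fi
    VBoxManage modifyvm "$vm" \
        --nic1 bridged --bridgeadapter1 "$wan_if" --macaddress1 "$wan_mac" \
        --nic2 bridged --bridgeadapter2 "$lan_if" \
        || return 1
    VBoxManage startvm "$vm" --type headless
}

# For ISPs that only talk to one specific MAC (e.g. the one printed on their
# own router): set that address on the host NIC as well, as the text
# describes. Needs root; power-cycle the cable modem afterwards.
clone_mac_to_host_nic() {
    iface=$1
    mac=$2
    ip link set dev "$iface" down &&
    ip link set dev "$iface" address "$mac" &&
    ip link set dev "$iface" up
}

# Only act when called with the three arguments, so the file can be sourced
# for its functions without side effects.
if [ "$#" -eq 3 ]; then
    configure_and_start "$@"
fi
```

Run it as `sh start-pfsense.sh "pfSense 2.1 i386" enp1s9 enp2s0` (assumed file and interface names). VBoxManage modifyvm only works while the VM is powered off, so stop the VM first if you re-run the script after changing interfaces.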
from http://www.area536.com/projects/virtualize-your-router-using-pfsense-and-virtualbox/