So the guide may not be 100% perfect, but i can get you close enough to setting it up from what i've learned so far. and perhaps others will share what i might have missed while going about doing this guide *cross fingers
notes: It's a bit long and winded, so i apologize for that. this isn't a proper clean step by step guide (although i do try to point out necessary things to do, to get pfsense to work on the qnap). It's closer to a project diary for my own testing for setting up pfsense. so skip ahead to useful sections relevant to what you need to know.. it's mostly about setting up pfsense on qnap nas using VM, but i will also be mentioning other networking setups to go with the pfsense router e.g. my wireless ap
Short version
TLDR: don't install pfsense from virtual station vm market. i couldn't get that to work right. Instead download pfsense from main website, then create a VM using virtual station using that downloaded file.
Setting up virtual switches is VERY VERY important. Refer to the guide for the details for how to set that up.
Once your pfsense vm router is online, just do the initial setup. by default firewall is up and you are protected, but you still need to setup a strong password, do your WAN to setup your broadband connection, and LAN for DHCP server.
I recommend pfblocker dev package :} doesn't use much resource. Suricata however does, so if not enough ram, or if you see cpu load too high, then don't use it.
Credits to the many people i learned from to get this figured out :} of particular note, someone on qnap reddit posted the proper setup for virtual switches in detail.Code: Select all
https://www.reddit.com/r/qnap/comments/a8kq62/qnap_pfsense_vm_with_bridged_wan_interface_as/ecclv89/
*may edit the short version later with easier/clearer step by step instructions when i have time to spare for it. until then, you may refer to these other guides. and if they don't mention details or you aren't sure about their instructions you can come back here and check if those things were mentioned or not
Code: Select all
https://trainingrevolution.wordpress.com/2016/09/05/running-pfsense-on-qnap-ts-251/
Code: Select all
https://www.reddit.com/r/qnap/comments/a8kq62/qnap_pfsense_vm_with_bridged_wan_interface_as/
Code: Select all
https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/
Code: Select all
https://poyu.co.uk/2020/06/12/how-to-setup-pfsense-for-qnap/
Code: Select all
https://nguvu.org/pfsense/pfsense-baseline-setup/
*update
Moogle's short edition guide
step1: install virtual station
step2: download pfsense community edition amd64Code: Select all
https://www.pfsense.org/download/
step3: put that pfsense download onto your qnap. so you can select it later during the install. i put it in a share i use for vm.note: yes qnap has pfsense for quick deploy through vm market. i tried it but it didn't work properly for me
step4: install virtual station from appcenter in qts. Make sure you install it onto a SSD volume. e.g i'm using a TBS-453DX with raid1 2 x 500gb Crucial mx500 M.2 SSDs. SSDs have good r/w, iops, low latency etc. make sure to use SSDs for your VMs.
step5:notes: depending on how you are going to use pfsense, how much internet broadband speed, VPN, suricata, many many packages running; then you may need to have the appropriate cpu, ssd and ram to achieve your set target. use reddit, google to find our what specs you require. An intel celeron low power cpu , 4-8 gb, should be fine for the average home user, and SSD capacity sizes price wise 500gb is pretty affordable these days.
Go to QTS, virtual switches, and setup virtual switches according to rsted's guide (read the info he posted for the specifics for setting up the virtual switches)
Code: Select all
https://www.reddit.com/r/qnap/comments/a8kq62/qnap_pfsense_vm_with_bridged_wan_interface_as/ecclv89/
notes: qnap recommended setting up the virtual switches differently. you decide who is giving the right answer, i honestly don't know. but Rsted's virtual switch config worked for me
step6: go to virtual station, create a VM. OS: freebsd version: latest, allocate ram, hard drive space (make sure hard drive points to your SSD volume for performance reasons ), select the pfsense file you downloaded earlier. Then create the VM.
After creating the VM, check the settings for the VM. First thing you want to check is that you assigned the WAN and LAN ports correctly (make sure they are VIRTIO). Check virtual switches whether the settings are correct (refer to rsted's guide and virtual switch topology).
then check vm hard drive, also virtio. In addition, make sure you set to cache writethrough. This made a performance difference i found when using cache writethrough for hdd.
step7: in virtual station, go to pfsense vm console (click on it and the console will pop out in a new browser tab). You should be able to go through the normal pfsense setup
i used UFS. not sure about the other options
Code: Select all
https://docs.netgate.com/pfsense/en/latest/install/installing-pfsense.html
at some point you will get this screen
type "2" to configure set interface ip address to setup the wan and lan ports
set vtnet0 as your wan. and set vtnet1 as your lan. Remember, when you were setting up in pfsense vm in virtual station settings, make sure vtnet0 and vtnet1 are both pointing to the correct virtual switch in QTS
e.g. ethernet port1 = vtnet0 (this you will use for WAN), and ethernet port2 = vnet1 (LAN)
notes: If the adapters are em0 and em1 instead of vtnet0 and vtnet1 then you forgot to change the Device Model to Virtual Gigabit Ethernet.
for lan ip, "Y" to configure it. you can then put e.g. 192.168.0.1/24 (this is the pfsense gateway. you use this to login to the pfsense admin ui. also your client devices use this same gateway to connect to the pfsense network, so that their internet works).
configure the DHCP server as well (assuming you will use dhcp server?) e.g. 192.168.0.60 - 192.168.0.200note: the 24 just means 255.255.255.0
notes: Probably a good idea to leave gaps at the early and ending parts of the the numbers. notice there is a gap 1-59 and 201-255 that is outside dhcp range? that is intentional. You can use those lan ips outside dhcp range, for your pfsense gateway, and other devices that have lan static ips.
pfsense at some point will be fully setup/running. You will know when it's done, when you see the shell options again.
at this point it means your pfsense router is fully up and working.
step8: login to pfsense admin web ui using the lan gateway you set earlier. it will then run you through the wizard config. change password obviously to something secure.
next you probably want to setup your WAN, so you can connect to your ISP broadband. For special isp requirements like mine, i had to go create PPPOE, then setup a vlan tag for PPPOE. then go interfaces and select that created PPPOE for my wan to connect to the isp correctly. This may not necessarily apply to you. depends on your ISP requirements for how they expect you to setup your WAN settings to connect to them
step9: you are done.
A few more things i'd like to explain that you should know
To update your pfsense, i recommend doing it from shell. i posted a guide for that here (scroll down)to install packages, go pfsense packages.Code: Select all
https://forum.qnap.com/viewtopic.php?f=45&t=155315&start=30#p755400
to backup your pfsense, you can go to pfsense > diagnostic > backup & restore , to generate a config you can backup/restore. But i found that virtual station pfsense vm snapshots is very reliable for restoring your pfsense vm back to an earlier snapshots when your pfsense might have worked correctly. I recommend preserving snapshots. perhaps even schedule snapshots of your pfsense vm. But if you do restore using snapshots, you probably should reboot your pfsense soon after as well.note: Do not update packages before upgrading pfSense! Either remove all packages or do not update packages before running the upgrade.
to reboot pfsense, go to virtual station pfsense shell console, press "5" and select normal reboot.
pfsense default is good, but i would recommend you check out pfBlockerNG-devel, snort, suricata for better security for your pfsense.
refer to the long version for more details on this subject.KOM Mar 27, 2019
They don't do the same job so they're hard to directly compare. pfBlocker is good for geo-blocking and DNS blackholing, among other things. Snort/Suricata are true IDSes that inspect packet contents against a ruleset and then reject further traffic from bad hosts.
is it safe to use pfsense vm on qnap for edge router?
An edge router is a specialized router located at a network boundary that enables an internal network to connect to external networks. They are primarily used at two demarcation points: the wide area network (WAN) and the internet.
you can check elsewhere to find out/ ask someone else about that. i'm not an expert on this subject, so honestly i don't know either. but afaik it seems okay so far for my own usage. but if i get hacked, i will be sure to report hereQNAP reply: The pfSense VM OS should protect your NAS device when your NAS set virtual switch 1 with "do not assign IP address" this option & bundle it with pfSense LAN adapter 1 and NAS LAN adapter 1, but we still suggest you update the NAS latest version of firmware & APPs to protect your NAS device.
long version
In 2020 (a bit earlier than that actually), QNAP made Pfsense a bit easier, by adding it as an install from virtual station VM market. It's still not quite a 1 click install deal ( a lot of other things need to be done by you as well), but a step they helped simplified.
Minimum Hardware Requirements
The minimum hardware requirements for pfSense® 2.4.5-RELEASE are:
CPU 600 MHz or faster
RAM 512 MB or more
4 GB or larger disk drive (SSD, HDD, etc)
One or more compatible network interface cards
Bootable USB drive or CD/DVD-ROM for initial installation
Code: Select all
https://docs.netgate.com/pfsense/en/latest/book/hardware/minimum-hardware-requirements.html
Hardware Sizing Guidance
When sizing hardware for pfSense® software, required throughput and necessary features are the primary factors that govern hardware selection.
Code: Select all
https://docs.netgate.com/pfsense/en/latest/book/hardware/hardware-sizing-guidance.html
these were the guides i was using to try setup pfsense on the qnap
Code: Select all
https://www.youtube.com/watch?v=5mJ0h6pvKKw
Code: Select all
https://www.youtube.com/watch?v=wXMkQQAu5Sg
Code: Select all
https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/
Code: Select all
https://vshungry.com/hub-vs-switch-vs-router/
Code: Select all
https://www.dnsstuff.com/subnet-ip-subnetting-guide
Code: Select all
https://www.youtube.com/watch?v=ozG8BWbYY0M
You don't subnet a network, you subnet a network block. If you want to two devices to connect to each other without a router between them, they should be on the same network.
Code: Select all
https://superuser.com/questions/1350877/how-to-configure-router-and-devices-for-subnetting
various pfsense guides with pics and step by step instructions
Code: Select all
https://techexpert.tips/category/pfsense/
Code: Select all
https://www.youtube.com/watch?v=9kSZ1oM-4ZM
Code: Select all
https://www.youtube.com/watch?v=KRlbkG9Bh6I
Trexx wrote: ↑Fri Aug 31, 2018 11:48 am My guess is that you need more physical NIC ports... basically NIC 1 & 2 are "Used" by PFSense, and you would need a NIC #3 for the "NAS" gateway.
Did you follow the directions from here? https://www.qnap.com/tr-tr/how-to/tutor ... -qnap-nas/yellowapple wrote: ↑Sat Sep 08, 2018 5:15 pm Hello there,
I confirm that this is working with two interfaces but not on a TBS-453a.
The virtual switch doesn't have an IP, this is not manageable and only layer 2. The NAS is reachable on all interfaces (Vswitch) by default at the exception of the external one. (External mode)
Your first interface is the External one. No IP !
The second is the local subnet. The NAS is having IP 192.168.0.5/24 ? The Pfsense connected to the two virtual switches must have an IP on the local subnet, in your case 192.168.0.100. (I recommend 192.168.0.254/24)
Is your NAS DHCP server of the PFsense? What is the DNS server?
If you put system default gateway on the virtual switch 2, you must configure the gateway of the virtual switch 2 (NAS) as 192.168.0.100.
You can make a dump on the internal interface of the PF to check incoming packets. What do you see?
Rgds
Laurent
Code: Select all
https://forum.qnap.com/viewtopic.php?t=143083
pfSense on QNAP virtualization center - QNAP can't use one of it's own virtual IPs as a gateway?
Disclaimer: this is a type-2 hypervisor issue or perhaps QNAP-centric. Cross-posting here as a last-ditch effort in case anyone has any expertise and advise to offer.
Installed in a VM on my QNAP NAS "Virtualization Center" type-2 hypervisor as a proof of concept using the network topology itemized below. Everything seemed fine until I discovered that the QNAP refused to assign its own default gateway to an IP allocated within a virtual switch config assigned to a VM (for the internal LAN interface to pfSense).
pfSense seems to be operating just fine, only problem came on the QNAP side of things where it is refusing to talk to it's gateway IP anymore, and wouldn't let me confirm/update the setting to the 192.168.4.1 IP since it belonged to a virtual device.
Any suggestions on how to maybe get this working without having to move pfSense to a separate HW device?
Physical Topology:
wan: cable modem -> QNAP eth4
lan: switch LAG (ports 21-23) -> QNAP bond0 (eth1+eth2+eth3)
QNAP switch config:
virtual switch 1: qnap bond0, static IP on 192.168.4.0/24, gw: 192.168.4.1
virtual switch 4: qnap eth4, no IP config, no dhcp... (assigned dhcp by modem in pfSense)
VM network config for pfSense:
vmeth0 (virtIO driver) <- QNAP virtual switch 4 (WAN), dhcp via cable-modem
vmeth1 (virtIO driver) <- QNAP virtual switch 1 (LAN), static IP 192.168.4.1
TIA,
-Fabrizio
Code: Select all
https://www.reddit.com/r/PFSENSE/comments/9z5reg/pfsense_on_qnap_virtualization_center_qnap_cant/
rsted-
Short setup instructions cause someone asked. Please note that some networking/pfsene knowledge is required to set this up.
Install pfsense using this guide.
I used the pfsense ovf provided by QNAP. The basic setup in the tutorial should be enough to get you going. (one WAN side NIC - one LAN side NIC)Code: Select all
https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/
Setup your network on the "network and virtual switch" Application on the QNAP according to this picture.
Do not use any NAT or DHCP features from QNAP - all is done by pfsense. When configuring the QNAP vSwitches don't set an IP adress on the pfsense WAN side virtual switch since pfsense WAN NIC will pull an IP from Modem/Gateway DHCP. The pfsense LAN side should be configured as static IP inside the pfsense LAN network range. The QNAP Webinterface should be accessable through this IP.
Connect your PC to the QNAP NIC Port 2 - you should also get an IP address from pfsense DHCP Server.
Set default gateway on QNAP to the Pfsense Internal Network Switch ((see picture).
all done
Additional hints:
* it's tricky to set this up without locking yourself temporarily out. Some networking knowledge is useful if that happens.
* KVM Switches behave a little slower then physical switches. Take your time and hit ipconfig /renew till you get an IP.
* don't forget to set pfsense VM to start when the QNAP starts. otherwise you won't get an IP adress when the QNAP reboots.
Code: Select all
https://www.reddit.com/r/qnap/comments/a8kq62/qnap_pfsense_vm_with_bridged_wan_interface_as/
and if you accidentally misconfigured and got locked out, you need to soft reset
Code: Select all
https://www.qnap.com/en/how-to/knowledge-base/article/the-different-ways-of-resetting-your-nas-explained/
Out of all these guides, rsted's comment from reddit is probably the best and simplified guide for setting up the pfsense on the QNAP. His config can manage to cope using only 2 physical ethernet ports. He even has a piehole in his vm setup, but he sadly did not elaborate on that
notes: The QNAP guide is a bit outdatedThere has been a change in virtual station, with the introduction of vm marketplace. the pfsense from there is a 1 click deployment. You still have to make other setting configurations (setting up virtual switches, configuring pfsense settings), but at least this is 1 less step to do made easier.Code: Select all
https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/
Another thing, they didn't bother to explain the finer points in regards to virtual switch creation for use with pfsense like rsted did.QNAP-
23 May 2019
QNAP released the new VM Marketplace. Located inside the Virtualization Station app, the VM Marketplace allows users to install several prepackaged virtual machine (VM) images for rapid deployment and greater application potential.
My progress so far (setting up pfsense vm on the QNAP), i got the internet to work using vlan tagging (this is a special requirement for my ISP, so may not necessarily apply to you). But i don't think i setup correctly, because i could not access other lan devices on network (probably a subnet misconfiguration on my part). I also may have incorrectly set the virtual switches as well (but using rsted's info, i'll try again)
i did however test grc shields up to check that ports are shielded behind firewall, and it seemingly worked
Code: Select all
https://www.grc.com/
Make sure your firewall is working
BY FRANCIS NAVARRO, KOMANDO.COM
SEPTEMBER 9, 2018
One essential tool that keeps hackers from seeing your computer online is a firewall. Even if they manage to know your computer’s location and IP address, the firewall keeps them from accessing your system and your network.
Not sure if you have a firewall in place? Well, newer Windows and Mac systems all have built-in software firewalls for configuring your outgoing and incoming internet ports. Although useful for certain applications, you have to be careful when tweaking your firewall port settings.
A wrong port setting can leave your computer vulnerable to port scanners, giving hackers an opportunity to slip past.
Also, if your computer has been exposed to a virus, it might have changed your port settings without you knowing.
Code: Select all
https://www.komando.com/tech-tips/test-your-firewall-to-make-sure-its-working/410026/
This is a complete test of your standard service ports 1-1056.
Why these ports? Internet ports are numbered from 1 through 65535, but according to GRC, ports 1 through 1023 are generally reserved as listening ports for services waiting for incoming connections running on the receiving system.
GRC also added an additional 33 ports due to the “insecure behavior of Microsoft’s Windows operating systems,” bringing this number to 1056. Again, unless done for a specific purpose, these ports should always be scanned as “Stealth” or “Closed.”
On a side note, seems you can use pfsense vm with quwan. But there is still no guide yet how to get pfsense vm to setup/work with quwan :/ it's a bit complicated ..... (and from the looks of their example, seems that may require 3 ethernet physical ports, but the device i was testing on was a tbs-453dx which only had 2 ports) . stand alone setups (either quwan or pfsense) might be simpler to setup, but quwan had issues for people with isp special requirements. because without being able to do the pppoe internet login, get stuck and it won't proceed further.
So for now i'm sticking with getting pfsense to work. Maybe once they fix quwan's issue i'm having with it, i can try that out again.
I may have to postpone the pfsense testing, because i'm expecting my new seagate hard drives to arrive today. So i will be busy with that project first
viewtopic.php?t=155142