With each release going forward, we will be providing a VMware appliance in addition to the versions currently provided. This one is being handled a little differently since it is the first; in the future they will just be a part of the normal release announcement.
Many people (including nearly all of our developers) run pfSense in various VMware products covering their entire product line. For years now, the pfSense installer has automatically detected when you are running in VMware and applied OS tweaks specific to optimal performance when running under VMware hypervisors. More recently, Open-VM-Tools, the open source version of VMware Tools, is also available as a pfSense package. If you are one of the many existing users of pfSense in VMware, you should consider installing that package.
Latest download link available here.
There are numerous mission critical pfSense deployments running in ESX, so this is a proven virtual firewall solution. The VMware Appliance is different from a stock pfSense install in three ways:
- Default allow all rule added on WAN – usually your VM firewall’s WAN will be connected to your LAN, so this makes it easier to get in.
- VMware Tools installed
- Hostname set to pfsensevm.local rather than pfsense.local
Works with VMware Server 1.0 and newer, Workstation 6.0 and newer, ESX 3.x, every version of ESXi, and every version of Player.
Is it good to run my production firewall in a VM?
Sometimes yes, sometimes no. A more expansive dialog on this will come.
For hosted products (Server, Workstation, Player, Fusion) – Just extract the zip file, and double click on the FreeBSD.vmx file.
For ESX and ESXi – there are several ways to pull this VM into ESX/ESXi. I personally prefer using the free VMware Converter.
The WAN interface is configured as bridged, and the LAN is on VMnet2. The WAN is configured for DHCP by default, so if the network your VMs are bridged to contains a DHCP server, it will pull a lease. You will see the WAN IP at the console menu. Because the VM Appliance includes an allow all rule on WAN, you can just pull up the shown WAN IP in your web browser to log in. Note this allow all rule is simply for convenience in getting up and running – with this rule in place, you don’t have a firewall, you have a wide open router.
More info on VMware and networking will also come at some point.