
Virtualizing pfSense Firewall on Synology DSM Virtual Machine Manager: 2023-11-09

Artemisfan submitted a new resource:

Virtualizing pfSense Firewall on Synology DSM Virtual Machine Manager: - pfSense install guide for Synology DSM

So, if you are like me and you have applications like Plex or VPN that you need to be able to reach outside of your home you want a powerful firewall to secure your home environment. There are very few solid, secure, and affordable firewalls for home use.

pfSense Community Edition is comparable to enterprise solutions like Palo Alto and best of all, it is free. A paid technical support plan is available if you choose to purchase it, but there are a lot of good support forums out there as well...

 
Thanks, I found this useful for getting started since I've never used Synology's VM manager before.

I have a couple of suggestions to make this even better:

1. Do not select "Other" when creating the VM, choose "Linux" instead. This affects which devices the VMM presents to the VM. Importantly, if you choose "Other" the VM will get a virtualized E1000 network adapter, which is much slower than the VirtIO paravirtualized device you'll get if you select "Linux". FreeBSD supports VirtIO, and since you're running it as your router you'll definitely want the faster network device. If you already created the VM using "Other", you can switch the disk and network devices to VirtIO in the "Edit" menu after powering off the VM.

2. As you said, it's not possible to remove the IPv4 address from a NIC in the Synology GUI, but it is possible to remove it from the terminal. Here's how:

First, set a static IPv4 address on the network adapter (NIC) you're using for WAN in the pfSense / OPNsense VM, using the Synology web GUI. This prevents Synology from trying to grab a new address via DHCP after you've removed it. Then ssh into the NAS and run the command "ifconfig" and look for the device entry with the static IP you set, in this case 192.168.10.6.

Code:
ovs_eth1  Link encap:Ethernet  HWaddr <>
          inet addr:192.168.10.6  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1595968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1104570 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:884704631 (843.7 MiB)  TX bytes:3823643356 (3.5 GiB)

The device name here is "ovs_eth1". Once you've found the device name you can remove the IP address from the NIC by running the command "ip addr flush dev ovs_eth1". Replace "ovs_eth1" with the name of your NIC.

From my experience, if you've set a static IP in the GUI first, Synology won't try to re-assign an IP to the device after you've done this. It does re-assign the static IP after a reboot though, so you'll want to go to the task scheduler and add a cron job that runs this command as root, either shortly after boot ("sleep 1m && ip addr flush dev ovs_eth1") or periodically, say every 5 minutes (running it often doesn't hurt anything).
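
Added example, not part of the post above: one way to write that boot-up task so it re-checks the WAN NIC several times, flushes only when DSM has put an address back, and exits non-zero if the NAS still holds an IPv4 address on it. The script layout, the `--enforce` switch and the `WAN_DEV` variable are assumptions of this example; only the `ip addr flush dev` command and the `ovs_eth1` name come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): boot-up task for DSM Task Scheduler, run as root.
# WAN_DEV defaults to the device name used in the post; replace it with yours.
WAN_DEV="${WAN_DEV:-ovs_eth1}"

# Print the IPv4 addresses found in `ip -o -4 addr show` output read from stdin.
# Each line looks like: "<index>: <dev>    inet <addr>/<prefix> brd ..."
ipv4_addrs() {
    awk '$3 == "inet" { print $4 }'
}

# Succeed only if the given `ip -o -4 addr show` output contains no IPv4 address.
is_clean() {
    [ -z "$(printf '%s\n' "$1" | ipv4_addrs)" ]
}

# Check the NIC `rounds` times, `pause` seconds apart, flushing whenever DSM
# has put an address back. Returns 0 if the NIC ends up without an IPv4 address.
enforce() {
    dev="$1"; rounds="${2:-10}"; pause="${3:-30}"
    i=0
    while [ "$i" -lt "$rounds" ]; do
        cur="$(ip -o -4 addr show dev "$dev" 2>/dev/null)"
        if ! is_clean "$cur"; then
            echo "$dev: flushing $(printf '%s\n' "$cur" | ipv4_addrs | tr '\n' ' ')"
            ip addr flush dev "$dev"
        fi
        i=$((i + 1))
        sleep "$pause"
    done
    # A missing device would look "clean", so confirm it exists before reporting.
    ip link show dev "$dev" >/dev/null 2>&1 || { echo "$dev: no such device" >&2; return 2; }
    cur="$(ip -o -4 addr show dev "$dev")"
    if is_clean "$cur"; then
        echo "$dev: no IPv4 address bound on the NAS side"
    else
        echo "$dev: still has $(printf '%s\n' "$cur" | ipv4_addrs | tr '\n' ' ')" >&2
        return 1
    fi
}

# Act only when called with --enforce, so the functions can be sourced or tested.
if [ "${1:-}" = "--enforce" ]; then
    enforce "$WAN_DEV"
fi
```

The check covers IPv4 only, which is what the post discusses. A non-zero exit status marks a run that left an address on the WAN side.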
 
One other suggestion; after the OPNsense/pfSense VM is running and has an internet connection, consider installing the qemu guest tools with the commands below. This will allow the Synology VM manager to pause the filesystem before taking snapshots and also potentially allow it to send more reliable power off signals to the VM.

Code:
# install guest tools
pkg install qemu-guest-agent


# make it run on boot
sysrc qemu_guest_agent_enable="YES"


# start the guest tools agent now without rebooting
service qemu-guest-agent start
 
Thank you for the great input. I try not to muck around with SSH on the NAS. I mistakenly waited too long to purchase extended support and kinda fear screwing it up. But these suggestions seem like very good ideas and I plan to look further into it. Thanks again,
 
