Raspberry Pi pfSense Using a VM: Complete Guide to Building a Virtual Firewall

Feb 18th, 2025

pfSense is a free, open-source firewall and router software distribution based on FreeBSD. It is designed to provide enterprise-grade network security and routing features, making it a popular choice for home networks, small businesses, and large enterprises.

Key Features
    • Firewall & Router Capabilities – Implements stateful packet inspection (SPI) and NAT.
    • VPN Support: Supports OpenVPN, IPsec, and WireGuard for secure remote access.
    • Traffic Shaping (QoS): Prioritizes bandwidth usage for critical applications.
    • Intrusion Detection & Prevention: Integrates with Snort and Suricata for security monitoring.
    • DNS & DHCP Management: Acts as a DNS resolver and DHCP server.
    • High Availability & Load Balancing: Ensures redundancy and distributes network traffic efficiently.
    • Captive Portal & Authentication: Useful for public networks and guest Wi-Fi management.

IMPORTANT: pfSense is not officially supported on ARM-based architectures, which means you’ll need to rely on virtualization (e.g., QEMU) to get it working

Why use pfSense on a Raspberry Pi?

Customization & Flexibility

✔ The open-source nature of pfSense allows for custom scripts, packages, and integrations.
✔ Raspberry Pi also supports other networking tools like Pi-hole, WireGuard, and OpenVPN alongside pfSense.
✔ Can be configured for IoT security, home network protection, or small office VPNs.

Lightweight Routing & Firewall for Small Networks
✔ Can be used for basic network security, DNS filtering, and traffic shaping.
✔ Works well in low-traffic environments such as home automation and smart home security.
✔ Supports VPN setups to connect remote devices securely.

Backup Firewall & Network Failover
✔ Can act as a secondary or backup firewall in case the primary one fails.
✔ Useful for emergency situations or quick deployment in test networks.
✔ Works well in edge networking scenarios where lightweight solutions are needed.

Limitations to Consider
× Performance Constraints – The Raspberry Pi’s ARM processor and limited RAM may struggle with high-throughput networks.
× Limited Network Ports – A USB-to-Ethernet adapter is required for dual-interface setups.
× Virtualization Overhead – Running pfSense on QEMU or another VM will use additional system resources.
× Not Suitable for Enterprise Use – Best for small-scale applications, not large

Real-world scenarios

Home Network Firewall & Security
You want to secure your home network against cyber threats, manage bandwidth usage, and block unwanted traffic.

Small Business & Remote Office Network
A small office or a remote worker needs a secure and cost-effective firewall to protect sensitive data and allow remote access.

Learning & Cybersecurity Training
Labs A cybersecurity student or IT professional wants a real-world environment to test firewall rules, VPN setups, and network security.

IoT & Smart Home Network
Protection A user has multiple IoT devices (smart locks, cameras, thermostats) and wants to isolate them from their main network for security reasons.

Low-Cost Captive Portal for Guest Wi-Fi
A small business (café, Airbnb, coworking space) wants to provide secure guest Wi-Fi with a login page and bandwidth control.

Edge Networking for Remote Areas
A small office or a community network in a rural area needs basic networking capabilities without access to expensive hardware.

Challenges of running pfSense on Raspberry Pi

Since pfSense cannot run natively, it needs a virtual machine (VM) using QEMU, VirtualBox, or similar tools.

QEMU emulation is resource-intensive, reducing available CPU power for network tasks.

Virtualizing pfSense on top of Raspberry Pi OS introduces additional complexity in setup and maintenance.

Requirements

Hardware:
    • Raspberry Pi 5 (8GB/16GB RAM) (IMPORTANT: better performance).
    • Storage: 16GB/32GB microSD card (Class 10 or better).
    • Network: At least one additional USB-to-Ethernet adapter.
    • Power Supply: Official Raspberry Pi 5V/3A (USB-C) power adapter.

Software:
    • Raspberry Pi OS 64-bit (Debian-based).
    • pfSense ISO Image: Get the latest pfSense Community Edition (CE) ISO from the official website: 🔗 https://www.pfsense.org/download/. Choose the x86_64 architecture (since we are using virtualization).
    • Virtual Machine Manager : QEMU (Lightweight and best for Raspberry Pi OS)

Step-by-Step Guide

1. Prepare the Raspberry Pi: Install and configure Raspberry Pi OS, enable SSH
         • Instsall Raspberry Pi OS : https://www.sunfounder.com/blogs/news/raspberry-pi-operation-system-complete-guide-to-versions-features-and-setup
         • Enable SSH: https://www.sunfounder.com/blogs/news/mastering-remote-control-unlocking-the-power-of-ssh-with-raspberry-pi
2. Set Up the Virtual Machine: Open a terminal and run:
sudo apt update && sudo apt upgrade -y
sudo apt install qemu-system-x86 qemu-utils bridge-utils -y
We need to create a virtual hard drive to install pfSense.
qemu-img create -f qcow2 pfsense.qcow2 8G

3. Start the VM with pfSense ISO
Run the following command to start the pfSense installer in QEMU:
qemu-system-x86_64 \
    -m 2048 \
    -smp 2 \
    -hda pfsense.qcow2 \
    -cdrom pfSense-*.iso \
    -boot d \
    -net nic -net user \
    -net nic,model=virtio -net tap,ifname=tap0,script=no,downscript=no \ -vga std

Explanation of Parameters:
-m 2048 → Allocates 2GB RAM to pfSense (adjust based on available memory).
-smp 2 → Assigns 2 CPU cores for better performance.
-hda pfsense.qcow2 → Uses the 8GB virtual disk created earlier.
-cdrom pfSense-*.iso → Loads the pfSense ISO for installation.
-boot d → Boots from CD-ROM (for installation).
-net nic -net user → Creates a basic virtual network.
-net nic,model=virtio
-net tap,ifname=tap0,script=no,downscript=no → Creates a virtual network bridge.

4. Install pfSense: Step-by-step guide with screenshots

Use the default configuration and select the disk where you install pfSense.

5. Run the VM again in the terminal
qemu-system-x86_64 -m 2048 -smp 2 -hda pfsense.qcow2 -boot d -net nic -net user -net nic,model=virtio -net tap,ifname=tap0,script=no,downscript=no -vga std
6. Once the VM is running:Open a web browser on another device. Enter http://192.168.1.1 (default pfSense LAN IP).
   Log in using:
       1. Username: admin
       2. Password: pfsense

Advanced Configurations

✔ Split Tunneling (Selective Traffic Routing)
Allows only specific traffic to go through the VPN while other traffic uses the normal internet connection. Reduces bandwidth usage and improves speed for non-VPN applications.
✔ Multi-User WireGuard VPN (Multiple Peers)
Allows multiple users (family, team, remote workers) to connect to the VPN at the same time. Ideal for businesses, shared access, or multiple devices.
✔ Dynamic DNS (DDNS) for Changing Public IPs
Allows VPN clients to connect even if your ISP frequently changes your public IP. Essential if you don’t have a static public IP.
✔ Site-to-Site VPN (Connect Two Networks)
Connects two different networks via WireGuard VPN (e.g., home & office). Securely access remote network resources (file shares, printers, servers).
✔ Running Multiple VPNs
 Simultaneously Allows you to connect to multiple VPN providers at the same time (e.g., one for work, one for personal use). Useful for separating traffic between different VPN services.
✔ VLAN Segmentation (Secure VPN from IoT & Guest Networks)
 You may not want VPN users to access all devices on your home network. VLANs allow you to segregate traffic.

VPN Setup (WireGuard)

1. Go to: System > Package Manager > Available Packages.
2. Search for "WireGuard", then click Install.
3. After installation, go to VPN > WireGuard.

2.1 Create a WireGuard Tunnel (VPN Server)
1. Go to: VPN > WireGuard > Tunnels.
2. Click + Add Tunnel.
3. Configure the following settings:
    o Enabled ✅ (Checked)
    o Description: WireGuard VPN Server
    o Listen Port: 51820 (default WireGuard port)
    o Interface Keys: Click Generate (creates a private/public key pair).
    o Tunnel Address: 192.168.1.23/24 (VPN subnet for clients).
4. Save & Apply Changes.

2.2 Assign WireGuard as a Network Interface
    1. Go to Interfaces > Assignments.
    2. Add the new WireGuard interface (wg0).
    3. Rename it as WG_VPN, then Save & Apply Changes.

Configure a VPN Client (Peer)
3.1 Add a Peer (Remote Client)
1. Go to: VPN > WireGuard > Peers.
2. Click + Add Peer.
3. Configure the following settings:    
      o Enabled ✅
      o Description: Client1 (Laptop, Phone, etc.)
      o Public Key: (Leave blank for now, we’ll generate it on the client later)
      o Allowed IPs: 192.168.1.100/32 (Assigns a static IP to this client).
      o Keepalive: 25 (Prevents NAT disconnections).
4. Save & Apply Changes.

IMPORTANT: We need to allow VPN traffic through pfSense’s firewall.

Optimize Performance pfSense on Raspberry Pi

Limit Logging to Reduce SD Card Wear
In pfSense, go to: System > Advanced > Miscellaneous → Enable "RAM Disk for Logs"

Reduce CPU Usage
Modify QEMU command to reduce load: taskset -c 1 qemu-system-x86_64

Potential Limitations
    • Performance bottlenecks
    • Technical expertise requirements
    • Alternatives to consider

Conclusion about Is pfSense on Raspberry Pi Worth It?

✔ Home labs & learning environments.
✔ Basic firewall & VPN setup.
✔ Lightweight router for small networks.
‌x High-speed networks (>500 Mbps) – Raspberry Pi’s virtualized networking limits throughput.
‌x Enterprise use – Limited performance compared to dedicated pfSense hardware.

Also, we recommend you that visit our firewall posts with Raspberry Pi
→  https://www.sunfounder.com/blogs/news/complete-guide-to-setting-up-a-raspberry-pi-as-a-firewall-how-to-configure-ipfire-on-your-lan
→  https://www.sunfounder.com/blogs/news/how-to-configure-the-firewall-in-raspberry-pi

Conclusion

Setting up pfSense on a Raspberry Pi using a virtual machine is a great way to explore advanced network security features on a budget. While it may not deliver the performance of dedicated hardware, it is a viable solution for home labs, small networks, and learning environments. Throughout this guide, we’ve covered the essential steps for installation, performance optimization, and advanced configurations like WireGuard VPN. Although limitations such as virtualization overhead and hardware constraints exist, this setup provides a flexible and affordable entry point into network security. For more demanding environments, considering a dedicated pfSense appliance may be a better option. Regardless, this project is a valuable experience for anyone looking to enhance their networking skills and experiment with cutting-edge open-source solutions.

If you're interested in further expanding your firewall knowledge, check out our other guides on firewall configurations with Raspberry Pi.