Virtualization

• D

  Loving pfSense in my vSphere environment, but...high CPU...
  • david_harrison

  3
  0
  Votes
  3
  Posts
  226
  Views

  A

  Seeing the same thing here 2.4.4.p2. When shipping a lot of traffic seeing high level of interrupts on both vmx interfaces on my pfsense VM. I've got dedicated NIC ports on my Intel 4 port I340 card for WAN and LAN and then separate physical ports for management and one other VM. Definitely don't see this interrupt issue on the non virtualised pfsense running on this hardware. For reference this in running on a HP T620 thin client (with 4 port i340 intel network card) with 16gb of RAM and a 4 CORE AMD GX-420CA CPU and 128 M2 SSD for local storage. Ran pfsense native on here before and it doesn't even break a sweat. Definitely some sort of oddity using the VMX interfaces. thanks Ad.
• T

  Does Enabling Powerd for a pfSense VM do anything?
  • tibere86

  2
  0
  Votes
  2
  Posts
  128
  Views

  P

  @tibere86 Don't think so. In Hyper-V, I get the same response in the shell to "powerd -v" enabled or not. [2.4.4-RELEASE][root@fw.workgroup]/root: powerd -v powerd: no cpufreq(4) support -- aborting: No such file or directory
• 

  pfSense on Server 2016 Hyper-v, what do you use for autostop
  • IsaacFL

  2
  0
  Votes
  2
  Posts
  44
  Views

  P

  @isaacfl Running on 2012R2, I use Shutdown. In the past I had tried Save, but I think I was getting a panic and crash before it saved and the disk would come up dirty. I would need to restore a checkpoint. Shutdown seems to work fine, though when host reboots are required, I do a manual shutdown from the H-V Manager first, and Always Start. On reasonable hardware, there's not too much time required to cold boot. HTH
• H

  Pfsense stopped allowing traffic after a vMotion. It seemed "hung".
  • Hank6

  4
  0
  Votes
  4
  Posts
  69
  Views

  

  Perhaps you might benefit from running two instance in pfSense HA mode, or using VMware HA.
• K

  Install qemu-guest-agent?
  • killmasta93

  4
  0
  Votes
  4
  Posts
  2108
  Views

  X

  Any update?
• 

  (solve)HyperV 2012 vlans support(hn0)
  • periko

  17
  0
  Votes
  17
  Posts
  290
  Views

  M

  @johnpoz So did I but you are missing the point. A config that works for four hours should work for four days too. The issue I have seen is that the Vlan trunk stops working after a few days. Not even arp will see the nic of the VM. The "workaround" I found was to add or remove a nic to the VM (just a non connected nic) and it will work for a couple of days again With 2016 the same config (actually it's the same VM) works if you can read this ;)
• A

  Pfsense kvm guest and host/guest internet connectivity
  • Asgaroth

  6
  0
  Votes
  6
  Posts
  1987
  Views

  S

  Now it's 2019 and this is still a problem :-) I have been struggling with this for a week; I couldn't work out why ICMP from the host and another VM through the pfSense VM would work, but nothing else. I could only SSH into the host if I SSH to the pfSense VM first. In order to have the host be able to connect out I installed Squid and set it up as a transparent proxy, but I shouldn't have had to do this. Researching, I finally found this thread. I'm replying because I just wanted to say that after I enabled "Disable hardware checksum offload" and pressed save, immediately traffic started flowing to/from the host, and the other VM which had basically been unreachable. No reboot or reconfig or anything else was required. I now see it's fairly well documented here.. https://docs.netgate.com/pfsense/en/latest/virtualization/virtio-driver-support.html Perhaps it would be nice if pfSense could automatically disable hardware checksum offload on the virtio driver/NICs :-)
• O

  Unable to install pfSense on ESXi
  • Octopuss

  9
  0
  Votes
  9
  Posts
  125
  Views

  

  @viragomann But that was after letting him select the .gz in the first place. It was smart enough to know it can't connect to a gzip, but not smart enough to filter out all non-ISO files in the image picker dialog? I just tried it myself with ESXi 6.7 and it doesn't show any non-ISO files. I couldn't select one even if I wanted to. Bizarre.
• M

  Watchdog timeout on queue 0
  • megapearl

  9
  0
  Votes
  9
  Posts
  3084
  Views

  R

  @Erutan409 if this happens to me again, I'll change my virtual NICs over to fully-emulated hardware. I hate to have to do that, but I'm glad it seems to be a viable fix!
• S

  Pfsense 2.4 HA on Xenserver 7.2, a good idea?
  • Stanislasss

  5
  0
  Votes
  5
  Posts
  111
  Views

  

  I have switched to Proxmox as well.
• K

  Setting up a home lab- need NAT to have internal virtual switch to go into the internet
  • korr2221

  42
  0
  Votes
  42
  Posts
  304
  Views

  K

  @johnpoz just for learning sake, if this was a cisco router, how would one set the NAT? anyone happen to know the command? is it enable configure terminal ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length } access-list access-list-number permit source [source-wildcard ] ip nat inside source list access-list-number pool name interface type number ip address ip-address mask ip nat inside exit interface type number ip address ip-address mask ip nat outside end
• F

  How to use unraid mount tag in pfsense vm
  • fallingsloth

  2
  0
  Votes
  2
  Posts
  78
  Views

  

  I've never seen such a thing work with pfSense and a VM host. pfSense doesn't include the binaries to mount smb/cifs, I don't think nfs is there either (client or server). Are you trying to copy from the VM host to pfSense, or from pfSense to the VM host? Why not use scp/rsync? The VM host may be able to use ssh as a filesystem, connecting to pfSense. But that wouldn't work the other way.
• T

  Multiqueue Virtio?
  • tibere86

  6
  0
  Votes
  6
  Posts
  206
  Views

  W

  @tibere86 I'm using Open vSwitch (OVS) instead Linux bridge on PVE. Show from your PVE: ip a s ethtool -I <interface-name-from-previous-command> and cat /etc/network/interfaces And why ethX ? Latest PVE using enpX. Or you wrote that just as example? :) Maybe you must also enable multiqueue inside pfsense VM ? https://bsdrp.net/documentation/technical_docs/performance http://docs.openvswitch.org/en/latest/topics/dpdk/vhost-user/ If one wishes to use multiple queues for an interface in the guest, the driver in the guest operating system must be configured to do so https://cloudblog.switch.ch/2016/09/06/tuning-virtualized-network-node-multi-queue-virtio-net/ This should be done during interface initialization, for example in a “pre-up” action in /etc/network/interfaces P.s. Bingo! (Maybe this step not needed ?) Add something like in PVE network config: ... pre-up ethtool -L enpX combined N ... Then reboot PVE host and check is multiqueue enabled: ethtool -I <PVE-interface-name> And then https://forum.proxmox.com/threads/kvm-and-multi-queue-nics.27213/ set on PVE side in VM config file (pfsense VM must be stopped!): ... -netX virtio=XX:XX:XX:XX:XX:XX,bla-bla-bla,queues=N ... Starting pfsense VM and enable multiqueue within https://www.freebsd.org/cgi/man.cgi?query=vtnet reboot VM check is multiqueue worked https://forums.freebsd.org/threads/multiple-network-queues-on-vmx-interface.49080/ P.p.s. https://forum.proxmox.com/threads/virtio-multi-queue-balancing.43744/
• E

  How many bridges needed for pfSense vm?
  • eiger3970

  9
  0
  Votes
  9
  Posts
  191
  Views

  E

  Ok, thank you for the clarification. The setup seems correct then.
• C

  Nic down with vlan wan connection
  • castiel

  2
  0
  Votes
  2
  Posts
  57
  Views

  

  You probably want to put the pfSense on its untagged interface (ao1) and let vmware do the tagging. In order to pass vlan tags to the VM interface I'm pretty sure you have to put VLAN 4095 on it in vmware. Moving to Virtualization.
• V

  Accessing Web GUI from bridged virtual WAN interface
  • vzr

  3
  0
  Votes
  3
  Posts
  79
  Views

  V

  It works, thank You very much!
• N

  configuration master/backup loadblancer and connectivity failure
  • NOC

  1
  0
  Votes
  1
  Posts
  50
  Views

  No one has replied

• 

  (Solve)Hyper V 2012 Pfsense NIC deX efect?
  • periko

  3
  0
  Votes
  3
  Posts
  133
  Views

  

  Hi sorry. Forget this one, I had found the issue I was having, thanks.
• P

  VMware ESXi 6.7 increased latency with NIC Passthrough
  • pfsvrb

  1
  0
  Votes
  1
  Posts
  135
  Views

  No one has replied

• M

  Very slow traffic from other VM's through pfSense on XenServer
  • mortenchristensen

  46
  0
  Votes
  46
  Posts
  44170
  Views

  W

  Hi. Much better https://xcp-ng.org/ + https://xen-orchestra.com/docs/
• W

  Proxmox, Ceph, ZFS, pfsense
  • werter

  1
  0
  Votes
  1
  Posts
  82
  Views

  No one has replied

• F

  Virtualizate an appliance in production
  • franjgl

  3
  0
  Votes
  3
  Posts
  111
  Views

  

  Do a fresh Install in your VM, take a Backup for the appliance in Diagnostics > Backup & Restore and Restore this Backup to your VM. More Information here: https://www.netgate.com/docs/pfsense/backup/configuration-backup-and-restore.html -Rico
• E

  Installing virtual pfsense after update broke router hardware
  • eiger3970

  15
  0
  Votes
  15
  Posts
  463
  Views

  

  The guide is like that because running with only two NICs total is not recommended. It states: Host has at least two network interfaces available for WAN and LAN. If you have used a NIC for the management port then you don't have two available. However it should work with two NICs total and no dedicated management port as you found. Steve
• E

  1 dual port NIC or 2 x NICs for LAN and WAN port?
  • eiger3970

  2
  0
  Votes
  2
  Posts
  144
  Views

  

  @eiger3970 Buy any NIC you want, so long as it's supported by FreeBSD. Stick with Intel if you can. However not sure if pfSense is clever enough to allocate the 2 ports to LAN and WAN? pfSense doesn't allocate anything. You define WAN and LAN yourself during setup by telling pfS which NIC is WAN and which is LAN.
• C

  PfSense on Hyper-V - lower WAN speed
  • codera

  2
  0
  Votes
  2
  Posts
  423
  Views

  W

  refer to this thread https://social.technet.microsoft.com/Forums/exchange/en-US/ca93a8bc-500a-49e3-be6e-bf3407d8d798/hyperv-is-not-configured-to-enable-processor-resource-controls?forum=win10itprovirt i used bcdedit /set hypervisorschedulertype classic to fix the latency, intermittent, and bandwidth issues this is needed on win10 1803 and 1809 also in pfsense under System/Advanced/Networking make sure Disable hardware checksum offload Disable hardware TCP segmentation offload Disable hardware large receive offload are checkmarked with certain networkcards such as realteks
• A

  hyper-v on windows 10 1809
  • Actionhenk

  2
  0
  Votes
  2
  Posts
  491
  Views

  W

  refer to this thread https://social.technet.microsoft.com/Forums/exchange/en-US/ca93a8bc-500a-49e3-be6e-bf3407d8d798/hyperv-is-not-configured-to-enable-processor-resource-controls?forum=win10itprovirt i used bcdedit /set hypervisorschedulertype classic to fix the latency, intermittent, and bandwidth issues this is needed on win10 1803 and 1809
• P

  pfSense on QNAP NAS
  • pmk3

  11
  0
  Votes
  11
  Posts
  1610
  Views

  F

  Ran into an interesting issue with the QNAP's default gateway config after switching my router from an external device to virtualized PFSense on the QNAP. Wondering if anyone else has noticed or run-into this? My TVS-1282T will no longer acknowledge it's default gateway route now that my "router" has an IP address on the QNAP's own Virtual Switch. There seems to be some additional configuration needed or perhaps a bug with the QNAP OS/config utilities in this regard? Installed PFSense in a VM on my QNAP NAS using the network topology itemized below. Everything seemed fine until I discovered that the QNAP refused to assign its own default gateway to an IP allocated within a virtual switch config assigned to a VM (for the internal LAN interface to pfSense). pfSense seems to be operating just fine, everything else on my network can access the configured "default gateway" to the PFSense LAN interface - the only problem came on the QNAP side of things where it is refusing to talk to it's gateway IP anymore, and wouldn't let me confirm/update the setting to the 192.168.4.1 IP since it belonged to a virtual device. The virtual switch Any suggestions on how to maybe get this working without having to move pfSense to a separate HW device? Physical Topology: wan: cable modem -> QNAP eth4 lan: switch LAG (ports 21-23) -> QNAP bond0 (eth1+eth2+eth3) QNAP switch config: virtual switch 1: qnap bond0, static IP on 192.168.4.0/24, gw: 192.168.4.1 virtual switch 4: qnap eth4, no IP config, no dhcp... (assigned dhcp by modem in pfSense) VM network config for pfSense: Adapter 1 - vmeth0 (virtIO driver) <- QNAP virtual switch 4 (WAN), dhcp via cable-modem Adapter 2 - vmeth1 (virtIO driver) <- QNAP virtual switch 1 (LAN), static IP 192.168.4.1 TIA, -Fabrizio
• A

  pfSense on Hyper-V Server 2016: Strange Issues, Need Help!
  • AGnet

  2
  0
  Votes
  2
  Posts
  179
  Views

  B

  Did you get your hyper-v pfsense running? If not, feel free to post again. I have a couple of pfsense instances running on a hyper-v server, so it's definitely possible to get it working properly.
• B

  port mirroring pfsense stream to virtual ids analysis machine
  port mirroring • • BxuEyE4

  2
  0
  Votes
  2
  Posts
  125
  Views

  B

  i found the link below and a few others on the net but this one explains what i'm trying to do, at least from a vm perspective: dailysysadmin.com/KB/Article/965/port-mirroring-cisco-switch-virtual-machine-vmware-esxi-host/ made those configurations & mirrored the pfsense LAN switch port to security onion. checking now if i have the VLAN option correct but for now seeing a lot of traffic on the securityonion " ens192 " interface, the one without an ip that, i think, captures on all interfaces. getting there. i want to get the actual traffic to securityonion for analysis, say versus streaming pfsense syslog to securityonion. so port mirroring the pfsense LAN port is the way to do so, yes?
• J

  PfSense 2.2 not passing traffic, but ping does get through
  • jpsense42

  30
  0
  Votes
  30
  Posts
  20627
  Views

  

  1.6 Gbit/sec between two VMs in each direction. Single-stream TCP. iperf3 hosts are on 1302 and 1201.
• M

  pfsense on kvm -- slow network speed
  • macduke

  2
  0
  Votes
  2
  Posts
  156
  Views

  M

  i installed a freebsd 11.2. and this vm worked as expected. So it doesn't seem to be a basic freebsd problem. Unfortunately my freebsd knowledge are less than basic, so I have no idea at which place I could look. Does anyone here have pfsense running on kvm and no network performance problems?
• G

  PFsense with SR-IOV virtual function NIC
  • gandolf

  4
  0
  Votes
  4
  Posts
  1468
  Views

  R

  Im trying to do the same thing in ESXi 6.7 and pfSense. What did you do?
• E

  IP-Based Failover with AWS Marketplace pfSense App
  • Erez Buchnik

  8
  0
  Votes
  8
  Posts
  277
  Views

  E

  @netblues Hi, following up on this, below is a small and crude (sorry...) script for setting up a basic UDP LB with Nginx on-board pfSense. This script assumes that the directory /root/NGINX exists, and you have your custom nginx.conf file in it. #!/bin/sh if [ -f /usr/local/etc/rc.d/nginx ] then echo "Backup and rename nginx service" cp /usr/local/etc/rc.d/nginx /root/NGINX/nginx-dist mv /usr/local/etc/rc.d/nginx /usr/local/etc/rc.d/nginx.sh cp /usr/local/etc/nginx/nginx.conf-dist /root/NGINX/nginx.conf-dist echo 'nginx_enable="YES"' >> /etc/rc.conf.local fi echo "Update nginx config" cp /root/NGINX/nginx.conf /usr/local/etc/nginx/nginx.conf echo "Restart nginx" service nginx.sh restart ...and this is the diff between the default nginx.conf and my custom one, which balances two AWS instances (addresses intentionally changed): [2.4.4-RELEASE][ec2-user@MY-pfSense.localdomain]/home/ec2-user: diff /usr/local/etc/nginx/nginx.conf-dist /usr/local/etc/nginx/nginx.conf 0a1 > load_module /usr/local/libexec/nginx/ngx_stream_module.so; 15a17 > user root wheel; 122a125,142 > > stream { > > upstream lb_instances { > server 1.1.1.17:1234; > server 1.1.1.147:1234; > server 1.1.1.140:1234; > } > > server { > listen 2.2.2.1:5678 udp; > proxy_pass lb_instances; > proxy_bind $remote_addr:$remote_port transparent; > proxy_responses 0; > } > } > It seems that the failover feature is an Nginx+ feature, which requires a paid subscription. Thanks a lot for your help! Erez
• E

  pfsense virtual machine on esxi not detecting more than NIC
  • elyp

  2
  0
  Votes
  2
  Posts
  128
  Views

  E

  @elyp Got it working. I had to blow away the whole virtual machine, and recreate it in esxi. Even though I had previously tried adding more nics in esxi, and then reinstalling pfsense all over again from scratch, it wasn’t getting more nics. So problem seems like it is on the esxi side with adding more nics to this type of vm after initial vm creation.
• G

  Azure - Marketplace - Virtual Appliance pfSense environment
  • genesis_mp

  7
  0
  Votes
  7
  Posts
  163
  Views

  

  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 -Rico
• U

  pfSence network order and VM ware 15
  • unsunghero

  10
  0
  Votes
  10
  Posts
  275
  Views

  N

  @unsunghero The sort answer is unfortunately, NO. pf is an enterprise grade firewall solution. It is never meant to be a plug and play box. It can do many complicated things, but then its like driving a racing car. You have more things to do apart from the steering wheel and the gas pedal. Here is a great reference for all things pfsense https://www.netgate.com/docs/pfsense/book/ It will answer all your questions, but then you need to invest some time and effort.
• C

  1&1 IONOS Cloud Server - Routing Socket - Network is Unreachable
  • coolesticeking

  8
  0
  Votes
  8
  Posts
  149
  Views

  C

  @rico said in 1&1 IONOS Cloud Server - Routing Socket - Network is Unreachable: Glad you have it working now. I would not open Management Port 80 and 443 to the whole Internet. Maybe you could lock it down to only a few Source IPs in your Firewall Rules. The best Solution is to use some VPN. -Rico Thanks Rico - I have a static IP so locked it down just down just to this one. Thanks again David
• O

  Timing issue with HyperV 2012R2 core
  • OutbackMatt

  4
  0
  Votes
  4
  Posts
  199
  Views

  T

  This isn't directly related to your probably but you probably don't want to use a VM as a time source as the VM and the Hyper-V host tend to fight about the time...possibly the cause of the jumps you mention. https://blogs.msdn.microsoft.com/virtual_pc_guy/2010/11/19/time-synchronization-in-hyper-v/ "...the rate at which the time in a virtual machine drifts is affected by the total system load of the Hyper-V server. More virtual machines doing more stuff means time drifts faster." Aside from that 2.4.4 upgraded FreeBSD so you might look into the NIC settings on the host. I am not really pointing to you anything specific but maybe there were driver changes in FreeBSD related to Hyper-V NICs. Oh, how about this bit in the blog post for 2.4.4-p1? "Fixed issues with Hyper-V hn(4) network interfaces and IPv6 as well as issues with ALTQ."
• C

  Hyperv Pfsense NAT public to lan NOT WORKING
  hyperv pfsense • • chetansonawane

  1
  0
  Votes
  1
  Posts
  97
  Views

  No one has replied

• S

  pfsense vtnet lack of queues
  • sheptard

  8
  0
  Votes
  8
  Posts
  272
  Views

  

  Mystery solved! Thanks @jimp