There’s one every month. Not sure we’ll revisit virtualization this year but the recording of the June 2014 session is available for gold subscribers in the members area.
hello, i had the same issue ,was gonna post a thread regarding this but NV
I’m starting to think that it could be a hardware issue with the nic card. I have this setup in a 1U case (link below). I’m using SuperMicro’s 90 degree PCI piece.
I noticed the case itself was really hot, so I popped the cover off and the card was too hot to touch. The heatsink on the CPU was cool. I’ve been running a room fan into it (uncovered). This seems to lessen the errors, but definitely does not stop it. Is it possible I already burned the card up?
Tonight I’ll put the card in the other machine and see if I still get the timeouts and if its running hot. I will try memtest/SMART/temp tests before switching over as well.
Tutuapp TextNow Photomath
http:// www. supermicro. com/products/chassis/1U/504/SC504-203.cfm
@gjaltemba thx for your response.
I finally solve it, i’m using this script:
#!/bin/bash
Setup network namespace with veth pair, start xterm in it
nsterm ns0 veth0 10.0.0 yellow 24
if [[ $EUID -ne 0 ]]; then
echo “This script must be run as root” 1>&2
exit 1
fi
NS=${1:-ns0}
DEV=${2:-veth0}
DEV_A=${DEV}a
DEV_B=${DEV}b
ADDR=${3-:10.0.0}
ADDR_A=${ADDR}.254
ADDR_B=${ADDR}.1
MASK=${5:-24}
COL=${4:-yellow}
echo ns=$NS dev=$DEV col=$COL mask=$MASK
ip netns add $NS
ip link add $DEV_A type veth peer name $DEV_B netns $NS
ip addr add $ADDR_A/$MASK dev $DEV_A
ip link set ${DEV}a up
ip netns exec $NS ip addr add $ADDR_B/$MASK dev $DEV_B
ip netns exec $NS ip link set ${DEV}b up
ip netns exec $NS ip route add default via $ADDR_A dev $DEV_B
ip netns exec $NS su -c “xterm -bg $COL &” USER
When i do “dhclient veth0a” i receive ip address from pfsense, and i can finally route all traffic throught pfsense
@andrea96 said in Virtual pfsense - vlan Trunking:
I’ve updated my tplink firmwar
I don’t see any pics? And what tplink do you have - their low end switches do not do vlans correctly… Do you have v3 of 105 or 108e? Their low end switches do not allow you to remove vlan 1 from every port. There was a recent firmware update for v3 that suppose to fix that - but maybe it didn’t?
BTW 6.7 is current esxi - why would you not be on that?
I have ran pfsense on esxi for years… Have used both the port group and the 4095 method. 4095 is better method IMHO… unless you break out physical nic to its own vswitch, etc.
Yes. It is still necessary if you want to use the PV NICs.
You can also put this in /boot/loader.conf.local:
hw.xen.disable_pv_nics=1
Your interfaces will now present as reX and you will not have to make those VM checksum changes. But they won’t be paravirtualized.
@stephenw10
yes im really sure about that, i can ping from my windows machine to 192.168.1.1 (lan interface virtual).
I dont configure any routing or port forwards just add a firewall rule to allow all traffic in all interface (wan and lan)
yes Pfsense are respondig. were i can find that state table?
Hi, tnx for your response.
Solved.
My problem was a Realtek NIC bug, disabled all items in windows (system - advanced settings from hardware list) i dont remember english name.
All disabled except Flow Control, now i have same download / upload speeds
@Derelict:
If CARP won’t work neither will VRRP. They use essentially the same network functions, including the same multicast address etc.
Not sure what you are seeing on XenServer 7 but CARP works just fine in XenServer 6.
Hmm… this and other threads https://forum.pfsense.org/index.php?topic=122588.0
Suggest that they function differently. Where as CARP uses a multicast MAC VRRP uses a single virtual unicast MAC?
Either way, I can confirm that the keepalived vrrp implementation works in my environment so I’m hopeful that freevrrp will work as well.
Are/Were you using OVS on XenServer6? The network switch default backend is bridge mode…
@vc6SfV8:
Following back up on this - I successfully installed pfSense today on Linode.
Follow the directions here: https://www.linode.com/docs/tools-reference/custom-kernels-distros/install-freebsd-on-linode
In step 5, replace the curl command with the following:
curl -k https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.3.1-RELEASE-amd64.img.gz | gunzip | dd of=/dev/sda
Everything else works beautifully.
Ryan
Hi, I followed your tips however during during the botting of Installer Profile I am getting this error
"Cannot Direct Disk boot a disk with no MBR: Linode Configuration Profile problems detected. "
Any ideas on how to solve this?
Thank you.
Awesome, great to hear that the pesky vmware tools message is going to disappear. I should be carrying out the upgrade soon after backing up my ESXi host.
It’s quite interesting that Jim uses ESXi… Maybe that’s why it’s been so stable for me ::) ::) ::)
Just adding this in case it helps someone now or later. I have still had problems with dirty disks and unable to mount problems in my 2012R2 VM, even though I had set the VM to shut down when the server is rebooted rather than save. At times it would just choke and leave me at (I think) a db> prompt. I found this info at Altaro.com:
https://www.altaro.com/hyper-v/extending-hyper-vs-guest-grace-period-host-shutdown/
I changed the associated registry entry to 600 and have rebooted several times without issue. It doesn’t really wait 10 minutes to restart, but as soon as it sees all machines are stopped it proceeds with the reboot, rather than just forcing the machines off after the stock timeout of 2 minutes (at least I think that’s what’s happening :P). I also staggered the VM startups to prevent resource contention.
If interested, they also have a backup program for VMs that is free for 2 VMs (no affiliation, just looks pretty good).
https://www.altaro.com/hyper-v-backup/
It depends. If it’s something where performance doesn’t really matter (like my lab) I find it easier to just install, boot to single user, add hw.xen.disable_pv_nics=1 to /boot/loader.conf.local, reboot, and configure the re NICs.
My understanding is that the console is only accessible via your ‘very secure’ vultr username & password?
So while it’s a potential risk, it shouldn’t be a major problem during setup & provisioning.
But definitely appreciate the link for securing this.
Do you have any feedback on pfsense on Vultr, long-term?
I am running symmetric gig and not using pci-pass through with no issues. I am using a 7 year old Xeon thats barely supported by ESXI anymore, and allowed the VM to have 4 vcpu’s. This is probably close to your newer i5. When I am fully saturating the link i get 30-40% useage. Your milage may vary as well depending on what network card your using. I’m using a server grade dual intel NIC that handles just about everything on board.
The only real reason anymore to allow anything to use passthrough is using some storage software. When you virtualize storage devices they like to have full control over the bare metal devices, networking not so much.
@johnpoz:
Yes or you need to use vlan to break them out - you have 3 ports groups on the same vswitch0… Unless you create tags for these port groups or setup them to 4095 and set the tags before the traffic hits the pfsense you have placed all of those networks on the same layer 2.
I have moved away from esxi… Just recently wiped that box… I have hardware pfsense now and just running the few vms I Need on my synology nas.
You can do it with port groups on the same vswitch if you set the tags correctly on your physical network. But its more complex setup.
He is right. Unless you are really good with esxi just make different vswitches.
1. Leave your vmk on vswitch0 (this is for mgmt)
2. Make a new vswitch, call it WAN, assign a NIC to it and make a port group called WAN.
3. Make a new vswitch, call it LAN and assign it a NIC, make new port group called LAN.
4. Plug your modem into the WAN NIC, plug your inside switch or whatever into the LAN NIC, and your good.
I had to restart my modem for the WAN interface to pull a public IP, once it does I’ve never had a problem since (including using ipv6 if your ISP supports this)
The problem we had is probably solved in the 2.4.3 release. We are now running for 22 days without problems. Still have to wait but sofar it looks good.
As for speed, it runs near the LAN speed of 1 Gbs.
In our case problem was clearly visible in the logs.
Lex
Only replying because I had a (possibly) similar problem recently. Maybe it will help a Googler from the future…
I had pfSense 2.4.3 64-bit running in a 2012R2 VM just fine, but then the Meltdown/Spectre exploits were announced, so I reverted to my old 32-bit Via hardware box. I decided to give the VM another shot, but when I booted it up it would occasionally get a WAN IP (but mostly not) but no Internet. After much hair-pulling, including rebuilding and restoring several times, I disconnected the WAN vSwitch and deleted/recreated it. Got a WAN IP, no issue. Then I faced a strange problem that I could not get Internet access from my 2 wireless access points (on the same net as the wired). I was unable to resolve any DNS addresses from devices behind the wireless, even though I could ping through the pfSense (to, say, www.google.com) by IP. Nothing in the Unbound logs (Forwarder did not work either). I could RDP to another wired box across the wireless, and get Internet fine. Ended up disconnecting the LAN vSwitch from all my VMs and deleted/recreated it as well.
All fine now. Bits, gotta love 'em… ::)
Hope this saves someone some grief.
@MrTiberius:
Hey guys,
I am setting up a virtual security lab environment as part of a senior project at my school using a VMware esxi host (mostly managed via vcenter).
Currently, I have three separate networks I am configuring, a LAN network, a DMZ network, and an external network (this one is outside the firewall and internet facing). The idea is to have students on the external network us Kali Linux VMs to attempt to penetrate the two internal networks (DMZ & LAN).
There would be a second group of students on the inside of the network, monitoring traffic on the firewall as wells as hardening and maintaining the internal servers. The internal networks are made up of a mix of windows and Linux servers.
I was wondering what would potentially be the steps to configure the firewall for this type of environment? Also I have limited experience with pfSense and was wondering if this could also function as a router?
I have also attached a diagram of the lab environment.
Ok, some more feedback.
I have been playing with this on my own lab and came to some conclusions. I haven’t tested NAT yet so nothing there yet.
If your networks are composed of just one IP subnet per color then you have a lot less work. The routing will be setup automatically. Automatic outbound NAT rules as well.
The firewall management will be activated on the lan interface so assign interfaces and then only configure the LAN interface’s IP address. This will give you access to the webconfigurator (it will show you the ip you can connect to). It will ask you if you want to convert the protocol to http. Don’t, https is better for security reasons.
Connect on the webconfigurator and go through the wizard. At this point you will probably need to configure the rest of the interfaces ip addresses. If internet access is indeed on the red side, then the next hop on that path should be your default gateway, configured on the WAN interface (red) and on the same ip subnet.
Routing should now work between the different ip segments connected to the firewall interfaces. But to access services you need to configurre firewall rules.
From what I figured through testing you need to configure floating rules. Make things as specific as possible (use the any option as less as possible).
Monitor the firewall logs (provided you checked the logging option in the rules) to see what is passed and what is dropped. The logs are under status->system logs->firewall
In case you need more complex static routing, check what you currently have in Diagnostics->Routes, and then add more if necessary in system->Routing.
If you can configure the firewalls own internet access correctly, you can check for available packages (addons). These include a lot you may find usufull such as snort, ospf routing, ntopng, etc.
Let me know if you need any specific help.
No reason what so ever to use esxi in your case. You will loose a lot of functionality and the only thing you ll get is a built in representation of the virtual networking which you will still have great difficulty in understanding. Unless you are in a corporate environment and need a dedicated machine (let me say that again: dedicated) for your server virtualization, stick to workstation and the virtual network editor.
Your physical pfSense must know that the 172.16.10.x networks are behind 10.0.0.10, otherwise it will direct traffic to these networks to its default gateway.
So you have to add static routes for the 172.16.10.x networks and set 10.0.0.10 as gateway. That can be done in System > Routing.
On the Gateways tab add 10.0.0.10 as gateway on the LAN interface. Then go to the static routes tab and add a route for each of your 172.16.10.x networks and select the gateway you’ve added before. If you don’t have other subnets in that range you may also conflate all subnets in 172.16.0.0/19.
Your not the OP… Are you… Your saying your running the same hardware as him without any issues? I doubt that to be honest since the board he mentions supports at max 64GB of ram… And your stating you have over 100…
It’s quite possible his box just can not push gig while yours can… Ram not really the limiting factor here anyway.
