There's one every month. Not sure we'll revisit virtualization this year but the recording of the June 2014 session is available for gold subscribers in the members area.
It's fairly clear now that the VMware appliance template has been discontinued, but I've still documented the problem at https://redmine.pfsense.org/issues/8787 in case anyone else suddenly runs into this!
When you ping from a static IP are you also seeing packets leave but no replies?
I would definitely try disabling checksum offload. That should work fine with igb but with virtual igb NICs....
That needs to be added to the config usually via the GUI but if you can't access that you can edit the file directly /conf/config.xml.
In the <system> section at the top add:
<disablechecksumoffloading></disablechecksumoffloading>
Reboot to see that change.
Steve
Ok. Thanks for the reply
Does anyone on the virtualization side have any ideas? Ive done pci passthrough via hostdev in libvirt xml and pci stubs in grub. Im under the impression that since the OS has no knowledge of the NIC card then neithier does libvirt since its a user space app. As i posted ealier freebesd sees the actual intel chipset instead of the standard e1000 emulated chip that QEMU provides to the guest. Also the mac addresses that pfsense sees on the NICs are those that are hardcoded on the hardware Additionally, the xml config has no entry for these nics and the centos cant even bring them up via ifup as the driver has never bound itself to the card.
Maybe im missing something on the hypervisor side here but im under the impression that atandard anti spoofing mac address feature shouldnt apply here since libvirt is unaware of the existence or the card. Or is it?
Thsnks
Alright, I figured out the issue. I was too stupid to notice but the issue was that my lovely host hypervisor routing table did not know what interface to use to connect to 172.16.2.0/24 subnet. So my solution was:
ip route add 172.16.2.0/24 via 172.16.1.1
and it worked. SSH, ICMP everything. My host hypervisor (172.16.1.2) was able to connect to the ArchLinux server running in a vm internal network (172.16.2.2).
Thanks @johnpoz for replying. This was pretty educational actually :)
One solution to keep NICs to a minimum is to use VLANs instead.
IE: set your VMNIC on vlan 4095 (all vlans) and then pop them off as needed inside pfSense.
No help, just confirmation that this occurs to more people.
I am running pfSense in a virtual environment. When it works, it works. But randomly pfSense will block any incoming/outgoing traffic without clear warning. A reboot is the quickest method to resolve it.
logs:
Apparent moment of the latest stop:
Jul 19 06:00:00 [] /usr/sbin/cron[15210]: (root) CMD (/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1)
Jul 19 06:00:00 [] /usr/sbin/cron[15542]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
Jul 19 06:00:00 [] /usr/sbin/cron[15454]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot)
Jul 19 06:00:00 [] /usr/sbin/cron[15701]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout)
Jul 19 06:00:00 [] /usr/sbin/cron[15889]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout)
Jul 19 06:00:00 [] php: [pfBlockerNG] Starting cron process.
Jul 19 06:00:00 [] php: [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
[IPs sensored.]
Network traffic after this moment seems blocked, strangely logs are still going after this moment. Also web interface is reachable, host machine is fine.
Anyone some clues how to get more things logged?
@brother_scud said in pfSense on QNAP NAS:
@pmk3
Hey there,
Update: I was able to get the full speeds up perfectly with QNAP's pre-image and the NAS did not struggled at all. Very happy with the performance. Which program do you recommend me first to try? Or the most CPU intensive..
In Nerd mode: The issue was one of the 4 adapters were strangely acting up.
So far really happy with the equipment.
cheers
Thanks for the update! Happy to hear you got it working.
In terms of packages, I've read that Snort (intrusion detection and prevention system) can be quite cpu intensive. Other packages that interest me are pfBlockNG (for blocking incoming and outgoing traffic based on IP address or domain name), and SquidGuard (URL filter and redirector). I don't know if there are packages for spam or virus filtering, but those would be worth checking out as well. I know the throughput can drop dramatically (up to 10x) when you start running other services, so I'll be interested in hearing how it does.
Thanks for checking it out!
@blackpaw29
The Proxmox machine is a server. It's never a good idea to have a dynamic IP on a server, of course.
The Proxmox host machine should have a static IP in the LAN where also your management PC has an IP. So there's no need to have the virtualized firewall up and working to get access to the host machine.
hello, i had the same issue ,was gonna post a thread regarding this but NV
I'm starting to think that it could be a hardware issue with the nic card. I have this setup in a 1U case (link below). I'm using SuperMicro's 90 degree PCI piece.
I noticed the case itself was really hot, so I popped the cover off and the card was too hot to touch. The heatsink on the CPU was cool. I've been running a room fan into it (uncovered). This seems to lessen the errors, but definitely does not stop it. Is it possible I already burned the card up?
Tonight I'll put the card in the other machine and see if I still get the timeouts and if its running hot. I will try memtest/SMART/temp tests before switching over as well.
Tutuapp TextNow Photomath
http:// www. supermicro. com/products/chassis/1U/504/SC504-203.cfm
@gjaltemba thx for your response.
I finally solve it, i'm using this script:
#!/bin/bash
Setup network namespace with veth pair, start xterm in it
nsterm ns0 veth0 10.0.0 yellow 24
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
NS=${1:-ns0}
DEV=${2:-veth0}
DEV_A=${DEV}a
DEV_B=${DEV}b
ADDR=${3-:10.0.0}
ADDR_A=${ADDR}.254
ADDR_B=${ADDR}.1
MASK=${5:-24}
COL=${4:-yellow}
echo ns=$NS dev=$DEV col=$COL mask=$MASK
ip netns add $NS
ip link add $DEV_A type veth peer name $DEV_B netns $NS
ip addr add $ADDR_A/$MASK dev $DEV_A
ip link set ${DEV}a up
ip netns exec $NS ip addr add $ADDR_B/$MASK dev $DEV_B
ip netns exec $NS ip link set ${DEV}b up
ip netns exec $NS ip route add default via $ADDR_A dev $DEV_B
ip netns exec $NS su -c "xterm -bg $COL &" USER
When i do "dhclient veth0a" i receive ip address from pfsense, and i can finally route all traffic throught pfsense
@andrea96 said in Virtual pfsense - vlan Trunking:
I’ve updated my tplink firmwar
I don't see any pics? And what tplink do you have - their low end switches do not do vlans correctly.. Do you have v3 of 105 or 108e? Their low end switches do not allow you to remove vlan 1 from every port. There was a recent firmware update for v3 that suppose to fix that - but maybe it didn't?
BTW 6.7 is current esxi - why would you not be on that?
I have ran pfsense on esxi for years.. Have used both the port group and the 4095 method. 4095 is better method IMHO.. unless you break out physical nic to its own vswitch, etc.
Yes. It is still necessary if you want to use the PV NICs.
You can also put this in /boot/loader.conf.local:
hw.xen.disable_pv_nics=1
Your interfaces will now present as reX and you will not have to make those VM checksum changes. But they won't be paravirtualized.
@stephenw10
yes im really sure about that, i can ping from my windows machine to 192.168.1.1 (lan interface virtual).
I dont configure any routing or port forwards just add a firewall rule to allow all traffic in all interface (wan and lan)
yes Pfsense are respondig. were i can find that state table?
Hi, tnx for your response.
Solved.
My problem was a Realtek NIC bug, disabled all items in windows (system - advanced settings from hardware list) i dont remember english name.
All disabled except Flow Control, now i have same download / upload speeds :-)
@Derelict:
If CARP won't work neither will VRRP. They use essentially the same network functions, including the same multicast address etc.
Not sure what you are seeing on XenServer 7 but CARP works just fine in XenServer 6.
Hmm… this and other threads https://forum.pfsense.org/index.php?topic=122588.0
Suggest that they function differently. Where as CARP uses a multicast MAC VRRP uses a single virtual unicast MAC?
Either way, I can confirm that the keepalived vrrp implementation works in my environment so I'm hopeful that freevrrp will work as well.
Are/Were you using OVS on XenServer6? The network switch default backend is bridge mode..
@vc6SfV8:
Following back up on this - I successfully installed pfSense today on Linode.
Follow the directions here: https://www.linode.com/docs/tools-reference/custom-kernels-distros/install-freebsd-on-linode
In step 5, replace the curl command with the following:
curl -k https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.3.1-RELEASE-amd64.img.gz | gunzip | dd of=/dev/sda
Everything else works beautifully. :)
Ryan
Hi, I followed your tips however during during the botting of Installer Profile I am getting this error
"Cannot Direct Disk boot a disk with no MBR: Linode Configuration Profile problems detected. "
Any ideas on how to solve this?
Thank you.
Awesome, great to hear that the pesky vmware tools message is going to disappear. I should be carrying out the upgrade soon after backing up my ESXi host.
It's quite interesting that Jim uses ESXi… Maybe that's why it's been so stable for me ::) ::) ::)
Just adding this in case it helps someone now or later. I have still had problems with dirty disks and unable to mount problems in my 2012R2 VM, even though I had set the VM to shut down when the server is rebooted rather than save. At times it would just choke and leave me at (I think) a db> prompt. I found this info at Altaro.com:
https://www.altaro.com/hyper-v/extending-hyper-vs-guest-grace-period-host-shutdown/
I changed the associated registry entry to 600 and have rebooted several times without issue. It doesn't really wait 10 minutes to restart, but as soon as it sees all machines are stopped it proceeds with the reboot, rather than just forcing the machines off after the stock timeout of 2 minutes (at least I think that's what's happening :P). I also staggered the VM startups to prevent resource contention.
If interested, they also have a backup program for VMs that is free for 2 VMs (no affiliation, just looks pretty good).
https://www.altaro.com/hyper-v-backup/
It depends. If it's something where performance doesn't really matter (like my lab) I find it easier to just install, boot to single user, add hw.xen.disable_pv_nics=1 to /boot/loader.conf.local, reboot, and configure the re NICs.
My understanding is that the console is only accessible via your 'very secure' vultr username & password?
So while it's a potential risk, it shouldn't be a major problem during setup & provisioning.
But definitely appreciate the link for securing this.
Do you have any feedback on pfsense on Vultr, long-term?
I am running symmetric gig and not using pci-pass through with no issues. I am using a 7 year old Xeon thats barely supported by ESXI anymore, and allowed the VM to have 4 vcpu's. This is probably close to your newer i5. When I am fully saturating the link i get 30-40% useage. Your milage may vary as well depending on what network card your using. I'm using a server grade dual intel NIC that handles just about everything on board.
The only real reason anymore to allow anything to use passthrough is using some storage software. When you virtualize storage devices they like to have full control over the bare metal devices, networking not so much.
@johnpoz:
Yes or you need to use vlan to break them out - you have 3 ports groups on the same vswitch0.. Unless you create tags for these port groups or setup them to 4095 and set the tags before the traffic hits the pfsense you have placed all of those networks on the same layer 2.
I have moved away from esxi.. Just recently wiped that box.. I have hardware pfsense now and just running the few vms I Need on my synology nas.
You can do it with port groups on the same vswitch if you set the tags correctly on your physical network. But its more complex setup.
He is right. Unless you are really good with esxi just make different vswitches.
1. Leave your vmk on vswitch0 (this is for mgmt)
2. Make a new vswitch, call it WAN, assign a NIC to it and make a port group called WAN.
3. Make a new vswitch, call it LAN and assign it a NIC, make new port group called LAN.
4. Plug your modem into the WAN NIC, plug your inside switch or whatever into the LAN NIC, and your good.
I had to restart my modem for the WAN interface to pull a public IP, once it does I've never had a problem since (including using ipv6 if your ISP supports this)
