Also, ESXi 6.0.0 Update 1a came out just a few days ago.

AWebster: thanks for your reply.. the reason wan is currently on em3 is because this hardware and platform will be moved to a data centre at some point soon, and em0 will be WAN… im just waiting for the IP details from our network provider until everything is confirmed.

I configured the nic's in pfsense as per cmd line which was in the screen shot i attached to my original post.

regarding vlans, my proxMox presents the tagged vlan ports straight into the kvm guest which pfsense is running on by way of each of the nics, em0-3. I didn't see any reason to bring the vlan's straight into pfsense.

Doktornotor : This 'PEBAK' you speak of - is possible because the 'physical switch' we're actually using to plug the two physical hypervisor servers (proxmox) only turned up this morning and I was trying to do as much 'config' on what I currently had available...

thanks tho.. will update asap

Thanks for the reply johnpoz. Yes, I well agree with you about splitting up traffic; managmenet vmnic0, iSCSI traffic vmnic1, etc.. and this now makes sense. In a worst case scenario, one could literately could jack into the esxi server through the dedicated nic. I am thinking in my configuration where pfsense actually brings up the entire network. I am an idiot, 2 labs servers setup this exact way but I could not see the trees through the forest.  The rest is just virtual switch's to port the lan of pfsense into security onion and then out to the actual lan nic. I am just wondering if 802.1q is going to be lost going through security onion. Well, in any case thanks for all the help, a new project is on the horizon.

Hi there gents,

I'm experiencing the same issue here, after I'm adding a new "physical" (from pfSense's point of view) interface things go kaboom!

I've been thinking about using VLAN's as well, but my only question is: will it work on multiple hosts?

I have a pretty straight setup with two hosts, connected via switches. Of course, for inter-host communication I'm mapping the virtual networks to VLANS.

Is there a possibility to add "virtual dot1q tags" inside the actual virtual networks?

Thanks,
Sebastian

Anybody have any pointers or tips? Seems like an impasse at this point…

Thanks, that was the issue :)

I mean the WAN firewall rules for iperf to allow a remote PC to talk to the test server behind the LAN are at the top of the list.

Just to clarify, the test points I used indicate that testing from an internet host to the WAN IP, there's no issue
Testing from the pfsense LAN IP, to the test server, there are no issues

The connections that the issue occurs is when an internet host connects across the pfsense router. Since you've confirmed there aren't any inherint issues with vmxnet3, I guess my new question would be some recommendations on how to probe for a cause since this is new territory for me.

I'm factory resetting the pfsense install to defaults and will be trying from a bare minimum setup as a starting point like you suggested you were working with.

BIS is built-in. Works out of the box.

so your esxi 6u1 which is build 3029758 then.. And all is smooth, great to hear!

So it seems cmb that doesn't actually play all that nice with older versions of esxi that do not officially support freebsd 10.1 ;)

You got xbox to show open nat, you might want to share that in the gaming section..  That sure comes up quite a bit, and there is some really bad advice in there floating around about setting all port 1-65k to strict nat..  Which is just nonsense..

Where there you go you have 18,446,744,073,709,551,616 ipv6 addresses to work with, which is a LOT different than 1 ;)

if using same in a windows 10 hyper v, are there any limitations on using pfsense as a dhcp given the concurrent connection limitations of windows 10 (non-server)?

Just wanted to say thanks for this post as this helped me get past this connectivity issue with PfSense 2.2.3 + vSphere 6.0. I created the following RC script (not pretty but it gets the job done) based on the example provided which seems to do the trick:

#!/bin/sh for vnic in $(/sbin/ifconfig | grep "vmx3f[0-9]:" | awk -F ':' '{ print $1 }'); do /usr/bin/logger -t vmxnetfix.sh "Disabling checksumming on $vnic" /sbin/ifconfig $vnic -rxcsum -txcsum -tso4 /sbin/ifconfig $vnic down /sbin/ifconfig $vnic up /usr/bin/logger -t vmxnetfix.sh "Checksumming has been properly disabled on $vnic" done

Cheers,

Dan

You want to download VMware ESXi 6.0 U1 ISO Image and VMware vSphere Client.

Not a dumb idea. Actually a pretty basic one to protect your host behind pfSense.

As Mats has explained, when you setup your vSwitch in Hyper-V Manager, there is an option to "Allow management operating system to share this network adapter”. By checking that box a new virtual NIC will appear in your host's network config. Configure that virtual NIC as if it was a physical NIC connected to that vSwitch. DO NOT change the configuration of the physical NIC in the Host's network config, that will break the vSwitch config. Basically you're using Hyper-V to virtualize your host network configuration the same way it's done for the VMs.

Ideally, to accomplish what you're looking for, the NIC that connects to your modem would be attached to a vSwitch where “Allow management operating system to share this network adapter” is NOT checked so your host OS doesn't have access to it. Then you share your LAN vSwitch and configure your host to use that.

Found out what was happening.

My motherboard is a Supermicro MBD-X9SCM-F-O with dual ethernet ports: 1x Intel 82574L and 1x Intel 82579LM.
I was trying to passthrough the intel 82579LM, and couldn't make to survive a guest reboot. I switched to the other port, passing though the intel 82574L and it works a as charm.
So it wasn't a configuration/KVM issue but rather a NIC drivers one.

Good info @johnpoz, I would say before adding the vmkern to the LAN side maybe setup a VPN with OpenVPN in PfSense ? This way you can just VPN into the LAN side network to manage the server && just lock down the vmkern on the WAN side in tell needed…

;) Oh and I found this when googling it may help a bit as reference material even tho they are using two NIC's in this HOWTO
https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

with pfsesne 2.2 32/64 bit  and xs 6.5 :

there is not parent nic in the vlan define window on pfsense , and the speed of nic 100 or 1000 not shown
i am sure the xs 6.5 does not detect pfsense NIC driver

i have tested PF ver 2.1.5 64/32 bit , everything works good

any help or experience with Pfsense 2.2 on xs 6.5 about this issue ???

there you go so now you have a different wan IP.. but yes that makes sense.. Not what you were seeing before where you seeing on the wan 10.x as source address.