@Supermule:

Maybe because you had both WAN and LAN in the same physical network on the switch??

yup, with heavy network traffic, it would took few hours to freeze the pfsense box.

@quetzalcoatl:

Thanks matguy.

But when you said "pfSense won't really use much more than 2" did you mean 2 cores or 2 gigs of ram.
Since you then talk about ESX it sounds that you are talking about cores.

Besides all the PFSense stuff going on here i have a question for you.

If you meant cores that means that if i have a 6 core CPU and 2 VMs and i assign 6 cores to each one of them, those VMs will actually end up being slower than giving them only 3 cores each?

Because if one of the VMs is idle, the other one should be able to take advantage of all 6 cores, unless the idle VM is actually slowing down all 6 cores even if it's idle. Maybe it depends also on the OS you have inside the VMs.

TIA!

Yes, I was talking about cores.  Having multiple VMs with a couple vCPUs (assuming your VM host has, say, 4 or more cores) is fine as ESX(i) can schedule them easily.  When a single VM has as many (or close to) vCPus as cores in your host it can become difficult to schedule a busy VM as it may have to wait for enough cores to become available all at once.

Generally ESX(i) has to schedule all the cores of a multi-vCPU VM to run at the same time (I think the physical CPU may do some command re-shuffling, but as far as ESX(i) is concerned, they need to be fed to the CPUs at the same time.)  It needs to do that whether or not anything is actually happening on those vCPUs, so even an idle vCPU needs to be scheduled as though it was a busy one.

That causes 2 problems:  1, scheduling these large groups of vCPUs in an otherwise busy host, where that group of 6 vCPUs may have to wait a few, or many CPU cycles for enough cores to become free (think of it like a large family that all wants to ride the roller coaster together, they may have to wait for the next train or 2 to get enough open seats.)  2, filling an otherwise busy physical CPU with cycles that are forced idle by idle vCPUs that have to be scheduled when there may be only 1 or 2 that are actually processing anything.

Like I was saying, this may not be an issue for you if you have very few VMs running on that host, especially if the others are single vCPU VMs, or even 2 vCPU.  I share this more for others that may read this; it's probably not doing you any harm as long as you're not seeing contention or other instability.

I come from more dense environments, where a single host is probably hosting 10 to 30 VMs.  Even on hosts with 12 to 16 physical cores we generally put a limit on VMs to 4 vCPUs, and even then we generally require real justification for going over 2.

@trunix:

I've got the Open-VM-Tools-8.8.1 package installed on the pfSense vm I'm running under ESXi 5.1 (installed via the System menu in the pfSense webGUI > Packages).  From what I remember, the regular Open-VM-Tools package gave me some errors, but the 8.8.1 version seems to be fine.  I'm running the i386 2.0.1-Release.  My vSphere client reports the tools as installed and 3rd party/Independent.  You may consider upgrading to 5.1, as it fixes a problem where the pfSense vm (or any other vm for that matter) wouldn't auto-start after the ESXi host was booted.  Not sure if auto-start is important to you or not.

There's another release something like 5.0.1 update 1b that also fixes it. Off the top of my head build number is 8xxxxx

dhatz.

I tested pfsense in virtualbox for over an year and i got always the sam kind of crashes.
Since the main reason i use pfsense is for squid, i always used squid and i believed those crashes every couple of hours were happening because of squid.
Then i installed pfsense without the squid package and pfsense was not crashing any more…...until it crashed but 2 days later.
For a couple of days i believed that squid was the reason but i was wrong.

Having squid installed just makes more frequent reads and writes than not having squid at all.

Since i believed also that it was virtualbox, i tested pfsense with vmware but the very same crashes happened every couple of hours forcing me to reset the VM

So to fix this:
Open your VM VirtualBox Manager
Click on your pfSense VM
Click on settings
Click on Storage
Click on your IDE or SATA controller
Uncheck the Use host I/O cache

Also I don't thing there is any difference between IDE or SATA controller.

I noticed that some snapshots didn't work with SATA controllers but now they do.

But as long as you have that host I/O cache in your virtual storage controller, pfsense works just fine.

There is a little overhead an waste because of virtualization so if you virtualize, make sure you get a powerful computer.

Anyways the more power the better it is with or without virtualization.

Hi miodzicho!
I'm not sure, but see if this post gives you some hints to solve your issues…
Cheers!

Im with matguy on this – VMKernel on public IP?  As stated not a great idea.

So is this as assumed a hosted box?  Do you have physical access, is it say a locker or room/suite at a colo?

That being said the esxi does have built in firewall that you could use to lock down the access to the VMK, do you have console outofband access to the box if needed?

which vSwitch?

VM network (default) or the newly created for the 2nd interface?

Of course all NICs are connected. How would I see the NICs during boot if they weren't connected.

Just to close off on this, I have rebuilt the 32-bit PFSense in a 32-bit VM container, and it's been stable for a week now.  I think that must have been the issue.  Glad to have spotted that or it would have driven me round the bend!

ESX is the host? I'd try configuring the VLAN networking on the ESX side, this way pfSense handles traffic and ESX tags the VLAN.

@jimp:

Just a note, 2.0.1 is based on FreeBSD 8.1 and so is 2.0.2, after that is 2.1 which will be based on FreeBSD 8.3, so if they did get things working on 8.2 and 8.3, it would require at least pfSense 2.1 to function.

Exactly jimp.

Anyway particularly interesting to think MS support to FreeBSD on your Hyper-V. In a way, means that they admit the relevance of the platform in the enterprise!

i guess it depends if you want to use the vmxnet drivers or not.
if you only want to be able to have your guest shutdown nicely by *tools then the open-vm-tools work fine

I never noticed the clock stopping, buit it was probably just cause I wasn't observant enough.

I wonder if this was related at all to my puzzling pfSense stability problems under ESXi 5.0.0 where the DHCP function would just stop working at random intervals.  Clients already assigned IP's would continue to work just fine nd data would be routed to them,  but new clients would not get IP's and not function at all.

It was a puzzling issue I never quite figured out.  In the process of reinstalling with 5.1 now, time will tell if the issue disappears.

Personally I don't want to risk any slowdowns to my router from the vSwitches and virtual adapters, so I forward my dual port Ethernet NIC (Intel EXPI9402PT) directly to my guest using DirectPath I/O.

@cmb:

I've seen about everything there is to see with this kind of stuff countless times, people would be a lot better off if they just believed me. ;D At least you fessed up to it, thanks for the follow up.

Glad you found and fixed it. And that I was right. ;)

No need to rub it in though.. ;)

Microsoft is interested in as wide of OS support as possible in Hyper-V, proven by the FreeBSD support code they put out very recently. We'll be integrating that post-2.1. In the mean time, I know of some minimal usage installs running on Hyper-V, but I'd strictly recommend serious production installs on hypervisors that have had FreeBSD support for ages (VMware is best, but others work great too).

They are server grade Intel nics, MT series I believe. Do I need to configure the nics in a certain way?

@iFloris:

Recently I ran across a similar problem.
The latest update to 5.01 (not the Pro version) fixed it for me.
Have you tried 5.01 yet?

I am not sure if Fusion 5.0.1 solved it or not.

I have moved my PFsense FW VM to a different Mac.  The original phsyical host had only a single ethernet, and an Airport card.  The PfSense interfaces were:

em0 = WAN = Mac Ethernet
em1 = LAN = Mac airport card

I have moved the VM to a new Mac, a Mac Pro tower which has two physical ethernet ports.

Also… I rebuilt the VM for pfSense and this time I chose not to upgrade the VM hardware.  I stuck with the older version of Fusion 4.0 rather than update the HW to Fusion 5.0 (Even though the VM is running under Fusion 5.0.1)

I have it working.  But... at some point I will move the VM for pfSense back to my Macbook Pro and test it again with a single ethernet and an airport.

Unfortunately too many things changed within my environment for me to determine what the fix was.

you can do it with an L2 managed switch. my setup has:

on the switch:
port 23 = tagged vlan100 with vdsl modem connected
port 24 = tagged vlan100, vlan201, vlan202, vlan 203 which is connected to intel nic on esxi5 host
other ports on switch tagged as required

on esxi host:
virtual switch is set to allow all vlans (vlans are not set here)

on pfsense vm:
interfaces are set as vlan - vlan100 = wan, vlan201 = lan1, vlan202 = lan2, vlan203 = lan3
wan interface is pppoe

although i haven't tried it, i would imagine if i wanted a multiwan, it would be as simple as adding another vlan eg vlan101 to port 22 & 24 of the switch and to pfsense and then set the desired routing.