@blcktape That was already in place. This issues was different than the 100% slow down all the time those settings fix.

@viragomann

https://www.youtube.com/watch?v=hdoBQNI_Ab8

this video did not elaborate this issue after the installation of pfsense

Capture.PNG

See the comment by one of the viewers as well, we might have similar question

Are you able to install anything else as a VM in VBox?

I've seen no issues installing pfSense in VBox but I've never tried it under Windows 11. That error looks like it something related to accessing the storage so you might try a different controller type.

I would disable the virtual audio hardware for the VM. No point having that for pfSense.

Does that happen when booting the CD installer or at first boot after install?

Steve

@laszlo said in Proxmox, pfsense, bridge:

I'm bridged the second 2 interface. VLAN untagged management network the bridge, and the tagged VLANs on the interfaces. (100, 102 the first, 101 the second)

Uhm...
In pf you should have 1 physical interface with your 3 VLANs tagged, making 3 interfaces in pfSense.

Then your ProxMox should have 1 connection to a switch, which has all three VLANs tagged on that port.

Bridges in FreeBSD should be avoided.

@brianmcg
Hi Everyone,
I've fixed it myself. :-) I had to turn OFF "Enable Secure Boot" in VM's Security Settings. pfsense is now running.

@inmarket I’m running windows server 2022.
The problem is there and tried all the recommended “solutions”.
Only downgrading to 2.5 or upgrading to 2.7 fixed the performance issue.

@thimplicity OK, I got impatient with all the reboots and started the journey yesterday. I created a new VM according to the official pfSense instructions and set it up as q35 with UEFI. I decided against just rolling back the config and will configure the stuff from scratch. So far the basics that I have configured work without a hitch, but it has only been 10h.

Thanks for the input!

@fahadshery
In my opinion you are compromising your system by using ISP router as a router & using it's wifi.

A better solution is:

just use pfsense as your router. Your wifi access point belongs on the lan side of pfsense firewall router. A combined product can be used for this but only in bridge mode or better still use a product designed to be an access point. On the WAN side of pfsense you want only a modem (eg a combined product in bridge mode & wifi disabled) Proxmox console has a LAN address

PS
Save a copy of your ISP router's configuration prior to putting it in bridge mode. That way if a Proxmox update fails you can restore the ISP routers configuration and use that to restore a broken Proxmox installation.

Sure, I'll answer questions as time allows.

I agree with what @Patch said previously though. You need to discover how to do a lot of this for yourself in order to learn from it.

Steve

@srytryagn
Running pfSense virtualized on top of another system naturally adds an additional layer to the whole system, which may offer additional vulnerabilities and possibilities for attacks. These grow up with the number of services you're running on the host.
Hence I'd not recommend to run a production pfSense on a PC which you use for working, playing or any other purposes.

However, if you virtualize pfSense together with other machines on a dedicated hypervisor system I'd not much concerns due to security.
But Windows + Virtualbox is not really well eligible for these purposes in my opinion.

For instance, my home pfSense runs virtualized on top of Linux with KVM aside from a web server to achieve better utilization of my hardware and safe cables, energy and hardware costs.
The host itself is only connected to the LAN side of pfSense, so the firewall secures my whole system. The pfSense WAN is connected to the ISP modem and establishes the internet connection via PPPoE.

Natting the traffic on the ISP router is basically not a security issue as long as the router works reliably.

If pfSense can increase security for the VMs depends on your network design. pfSense, whether bare metal or virtualized, can segregate your (virtualized) network, you can drive this up to connect each VM to a separate network interface if you want, so that no VM can access anything without passing the firewall.

Here is the ARP table of the pfSense.Screen Shot 2022-07-07 at 9.35.06 PM.png

I can't really comment in detail here. I don't use ESXi myself.

Do you still have access to the pfSense WAN after making that change?
What connections are you actually losing?

Obviously access to the management would then be via port forwards or VPN etc so connections there would have to be remade if that was not already in place.

Steve

@deanfourie said in pfSense on HyperV = Massive problems:

Lets take for example my WAN interface. I have the ability to DISABLE IPv4 on this interface.

No, you wouldn't share this with the host to begin with so no need to disable anything.

It will look like this on the host, don't mess with it.

Capture.PNG

@brucie
All software has bugs and security vulnerabilities.
With pfSense running on bare metal the possible locations for bugs are:

Hardware pfsense (FreeBSD retained code, Netgate code) pfsense user customisation / added packages

Note Netgate removes none essential components from FreeBSD to reduce vulnerabilities / minimise the attack surface.

With vitalisation you add

Proxmox ( Debian 11.3 retained code, QEMU 6.2, Proxmox code)

The most exposed of which to external attack is probably the WAN port which is why some pass through at least the WAN NIC.

@ironmonkey If the Redmine catalog indicates something is included in 22.05 then it would be in the next release.

Wait..what? Doesn't the ONT untag it?

I have a similar setup, PPPoE servers are in the VLAN891 or something like that in the ISP's network all the way to the ONT.

I route mode, it works with it directly, J/K these devices suck in route mode but they do handle the VLAN directly, for what it's worth. In bridge mode it untags the VLAN and the ports all are access ports basically on the native VLAN (untagged 1 or 0); pfSense and other firewalls are virtualized, and since my ISP allows several connections, the ONT connects to an access port on a switch where PPPoE traffic is available to any PPPoE-cabable device with access to that VLAN.

The ONTs' and modems' bridge mode is exactly the same thing as if you'd bridge interfaces in pfSense, it bridges the VLAN ISP-side to the native one so the device that dials up the connection doesn't need to also be VLAN-aware, most client devices aren't supposed to be. I don't think the problem is on pfSense but rather in Hyper-V. If you didn't use System Center VMM to set it up, tagged VLANs in Hyper-V are only doable via PowerShell. So, when you set up pfSense to expect a tagged VLAN I think it might be expecting something like a Q-in-Q at that point. I'll assume that by Mikrotik, you meant CHR which treats these things very differently in addition of PPPoE is kind of their thing. I'm familiar with CHR and I know it's easy to get a misconfigured working router by accident — I'm not saying you did, I just mean that it's very forgiving in regards to this specific setup — if your ONT is in bridge mode, double check its settings. Mine, Huawei-branded, can even bridge the ISP-side PPPoE VLAN to specific ports on it which other modems can piggyback to access the ISP (they're handed out like hotcakes bc they double as VoIP terminals).

Just in case you didn't know, when you add enable Hyper-V, Windows is turned into a VM, so is its own networking; when you add a external switch on Hyper-V, you take away a NIC from Windows, create this virtual raw thing where all VLANs exist. Allow management operative system to share this network adapter is kind of misleading bc the switch comes first, checking that option what actually does is to create a virtual NIC for the VM Windows has become. It's the virtual switch that shares the network with Windows, not the other way around. The VLAN ID boxes are also confusing because they suggest the traffic is tagged to the guest OS to untag it on its own—not the case. I don't know how to invert Microsoft's words to explain the reasoning behind such a horribly mislabeled UI.

I think that if you select your NIC without isolating the VLAN first, it should work.

Check out how one of my boxes is set, hopefully it helps your figure things out.
hyper-vtrunkpppoe.png

If you want to set a trunk port to your VM you'll need to do it in PowerShell, remote in Enter-PSSession {machineName} from another newer Windows machine if you can so you get color syntax, it wasn't available on Windows Server 2012 R2.

Get the vNICs of your VM and convert one or more to trunk ports so you do all in pfSense and don't need to reconfigure Windows each time. Remember every Microsoft product has a tendency of failing for no reason.

hyper-v-vlan-config.png

If your VM only has one NIC, you can pipe the commands, e.g; Get-VMNetworkAdapter -VMName IdentiCA | Set-VMNetworkAdapterVlan -VMName IdentiCA -VMNetworkAdapterName "Network Adapter" -Trunk -AllowedVlanIdList 1-4094 -NativeVlanId 1. :)

You may already know there's an issue with Windows since WS2012R2 to present WS2022 that even when you configure a network adapter correctly it's saved without a gateway, thus locking you out unless you have console access or are in the same L2 to fix it — don't forget about it.

If that doesn't fix your issue, there's one other thing… Some time back I becamed obsessed with telecom tech and found out that PPPoE, which is somewhere between layers 2 and 3, cannot just be put reliably into VLANs, I can vouch for that myself; back when had 4 PPPoE ADSL2+/VDSL2 lines I had to maintain them separated because 1. being all mine, credentials would be accepted anywhere, but being 2. DSL they all had different physical max speeds, which the username logically limited further, so I tried a million times to send them over VLANs but only 3 would connect. I learned that there's a special kind of switch that's compatible with this thing now called PPPoEoE — not kidding — it appears only to be made by Cisco, so you might be in luck, I even posted it here somewhere, in the end it was too little information though so never was able to make it work without discrete NICs.

Good luck with your setup!

I'm still having this same issue, we're unable to boot 2.6 installer and even boot a pre-installed 2.6 from a VHDX that we've used Windows11 to install and copy across.

Just checking in to see if anyone else has had this issue with Hyper-V 2016 and the new ZFS based versions of pfSense?

Are you still seeing those warnings on the console? Or in the system logs?

It sounds like they might be an unexpected connection to the LAN. Like somehow it's linked to WAN maybe. If we can see what the actual warning was we might know more.

Steve

@nicesub said in Upgrade to 2.6 slashes throughput:

@bmeeks said in Upgrade to 2.6 slashes throughput:

Most likely you are being impacted by a known bug in FreeBSD 12.3 with Hyper-V. You will need to disable RSC (Receive Side Coalescing). Check the Virtualization sub-forum here on the Netgate forums. There is a huge thread about this and how to fix it on most installs.

Edit: here is a link to that thread: https://forum.netgate.com/topic/169884/after-upgrade-inter-v-lan-communication-is-very-slow-on-hyper-v.

Thank you fort that, I upgraded a copy of pfSense to 2.7 DEV and no issues were observed and I did not need to make any tweaks to Hyper-V. It appears that 2.6 has some issues with Hyper-V so I think that I will just skip it and stay with 2.5.2 until 2.7 is official.

Yep, 2.7 DEV fixed the problem in the FreeBSD virtual NIC driver for Hyper-V. The problem came in with FreeBSD used in pfSense 2.6.

For me this issue was caused by thin provisioning on the virtual hard drive. I followed VMware's instructions to "inflate" the disk to thick provisioning and I stopped getting these errors.

@viragomann ohh good, im so stupid!

check >> service qemu-guest-agent status
qemu_guest_agent is running as pid 517.

thats was the solution now runs qemu guest agent finaly, thx for help :*

cYa BUSTER

@planetinse
Is it a thin provision virtual disk? As far as I know, FreeBSD doesn't like this.

@wolfram There is a problem with Hyper-V, see here. It will be fixed in the next release.

I figured out how to connect my computer to the pfsense vm. On windows server 2016 i went to network connections where i can see all my ethernet adapters. Then i selected in my case ethernet 3 where my computer is connected and the internal lan adapted and bridged the two adapters. In the bridged adapter i changed the ipv4 adress and i was connected to the router.

However now i am connected but still dont have internet and i am able to ping 8.8.8.8 but not google.com i get the error dns could not be resolved when trying to access internet in chrome.

@stevenderycke244 That is correct. Powering it off is one of the steps we listed. There are a few things in Proxmox which require the VM to be powered off to apply a change.

I have added a note to the instructions in the repo to hopefully be clearer.

@darcey Thank you for that info, I may look into proxmox and try it out, need to expand my toolbox a bit.

@basense
Can you check out if it's an DNS issue? Try to ping a public IP, e.g. 8.8.8.8.

If that fails as well, is pfSense able to access the internet?
If not, it might rather be an issue or wrong settings in VirtualBox.

@topogigio
I have no idea about the hw upgrade or VMware.

But always backup the config file to a secure place ...
Then it's easy to reinstall pfSense , to the current state - If s... hits the fan.

/Bingo

Strange. I cannot imagine that only two people have this issue.

@robh-0 I've only skimmed this thread while trying to solve my own obscure problems (tl;dr), but when I ran pfSense under ESXi, I passed all VLANs through from the physical world to the pfSense VM so that from pfSense's point of view I just had one network interface and then defined whatever VLANs I needed within pfSense. It met my needs; you may be trying to do something similar.

The port(s) on the physical switch: I had 6-8 different VLANS defined and in use for different purposes. All of the defined VLANs were tagged on the port(s) connected to the ESXi server.

ESXi:
Virtual Switch/port groups:
If I had a (non-pfSense) virtual machine that needed access to any given LAN, I had a port group defined for that particular VLAN (1-4094).
For a pfSense virtual machine, I had a port group defined for VLAN 4095 so that all VLANs would be passed through to pfSense in the VM. I also needed to enable Promiscuous Mode for ONLY this VLAN 4095 port group.

pfSense virtual machine:
I configured the pfSense virtual machine to only have one virtual NIC, which was mapped to the VLAN4095 port group. Within pfSense, I then had only one network interface, but I was able to add/remove VLANs as needed to match the physical network's VLAN config.

Promiscuous Mode on your VLAN4095 port group may be what you're missing. It seems I needed to enable that, as I recall. HTH.

@rmh-0
Thanks so much for posting this!
I can confirm that this fix worked for us as well!

Well, since the test is with the host, and pfsense is not involved, why it is a pfsense issue.

The host connects to the internet through the pfSense VM.