@patch https://www.youtube.com/watch?v=3l0AySgYlkg&t=380s

@michelvdriel

https://www.youtube.com/watch?v=3l0AySgYlkg&t=380s

What is 192.168.100.7?

What IP are you pinging from?

Which adapter is that subnet on?

I recommend not using Net networks in VBox unless you have no choice, it makes everything much more complex.

Steve

Yeah, this issue is the same. I was trying in my OpenStack Queen and Train, but still like pfSense having a bottleneck in hypervisor KVM. I don't know why.

Someone say 'https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059#c24'

Maybe you can try from this ref https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059

@viragomann

For now, I will leave it at 2GB. I have a new SFF box coming which has 32GB of RAM. Plans are to move all of this over there, and put a few more VMs on it. The box that I am currently using has 16GB RAM and 2 VMs (this one now at 2GB and the other at 8GB).

I may need to increase the RAM as I install packages and re-setup CloudFlare DDNS on here.

I appreciate your and @Patch input.

@epimpin

that would be awesome.
as per my knowledge, it is possible to adjust the firmware of the connectx-2 cards to enable SR-IOV but this was never intended by mellanox.

so I did that and switched on sr-iov in esxi but a message to reboot appeared, so i rebooted the server and after reboot, i had the exact same msg there.

in case you figure out a way to enable it, it might be the solution to 10gbit

HW conf mellanox connectx-2 MNPH-29D-XTR, FW: 2.9.1200
.ini file

;; Generated automatically by iniprep tool on Mon May 07 15:39:40 IDT 2012 from ./b0_hawk_gen2_464.prs ;; PRS FILE FOR Hawk ;; $Id: b0_hawk_gen2_464.prs,v 1.7.2.3 2012-04-24 12:43:10 ofirm Exp $ [PS_INFO] Name = 81Y9992 Description = Mellanox ConnectX-2 EN Dual-port 10GbE PCI-E 2.0 Adapter [ADAPTER] PSID = IBM0FC0000010 pcie_gen2_speed_supported = true silicon_rev=0xb0 adapter_dev_id = 0x6750 ;;;;; {gpio_mode1, gpio_mode0} {DataOut=0, DataOut=1} ;;;;; 0 = Input PAD ;;;;; 1 = {0,1} Normal Output PAD ;;;;; 2 = {0,Z} 0-pull down the PAD, 1-float ;;;;; 3 = {Z,1} 0-float, 1-pull up the pad ;;;;; Under [ADAPTER] section ;;;;; Integer parameter. Values range : 0x0 - 0xffffffff. gpio_mode1 = 0x80010 gpio_mode0 = 0x0b160bef gpio_default_val = 0x000e031f receiver_detect_time = 0x1e [HCA] hca_header_device_id = 0x6750 hca_header_subsystem_id = 0x0019 eth_xfi_en = true mdio_en_port1 = 0 num_pfs = 1 total_vfs = 64 sriov_en = true [IB] gen_guids_from_mac = true port1_802_3ap_kx4_ability = false port2_802_3ap_kx4_ability = false phy_type_port1 = XFI phy_type_port2 = XFI new_gpio_scheme_en = true read_cable_params_port1_en = true read_cable_params_port2_en = true eth_tx_lane_polarity_port1 = 0x0 eth_rx_lane_polarity_port1 = 0x0 eth_tx_lane_polarity_port2 = 0x0 eth_rx_lane_polarity_port2 = 0x0 eth_tx_lane_reversal_port1 = off eth_tx_lane_reversal_port2 = off eth_rx_lane_reversal_port1 = off eth_rx_lane_reversal_port2 = off ;;;;; SerDes static parameters for FixedLinkSpeed ;;;;; Under [IB] section port1_sd0_muxmain_qdr = 0x1f port2_sd0_muxmain_qdr = 0x1f port1_sd1_muxmain_qdr = 0x1f port2_sd1_muxmain_qdr = 0x1f port1_sd2_muxmain_qdr = 0x1f port2_sd2_muxmain_qdr = 0x1f port1_sd3_muxmain_qdr = 0x1f port2_sd3_muxmain_qdr = 0x1f port1_sd0_ob_preemp_pre_qdr = 0x0 port2_sd0_ob_preemp_pre_qdr = 0x0 port1_sd1_ob_preemp_pre_qdr = 0x0 port2_sd1_ob_preemp_pre_qdr = 0x0 port1_sd2_ob_preemp_pre_qdr = 0x0 port2_sd2_ob_preemp_pre_qdr = 0x0 port1_sd3_ob_preemp_pre_qdr = 0x0 port2_sd3_ob_preemp_pre_qdr = 0x0 port1_sd0_ob_preemp_post_qdr = 0x2 port2_sd0_ob_preemp_post_qdr = 0x2 port1_sd1_ob_preemp_post_qdr = 0x2 port2_sd1_ob_preemp_post_qdr = 0x2 port1_sd2_ob_preemp_post_qdr = 0x2 port2_sd2_ob_preemp_post_qdr = 0x2 port1_sd3_ob_preemp_post_qdr = 0x2 port2_sd3_ob_preemp_post_qdr = 0x2 port1_sd0_ob_preemp_main_qdr = 0x10 port2_sd0_ob_preemp_main_qdr = 0x10 port1_sd1_ob_preemp_main_qdr = 0x10 port2_sd1_ob_preemp_main_qdr = 0x10 port1_sd2_ob_preemp_main_qdr = 0x10 port2_sd2_ob_preemp_main_qdr = 0x10 port1_sd3_ob_preemp_main_qdr = 0x10 port2_sd3_ob_preemp_main_qdr = 0x10 port1_sd0_ob_preemp_msb_qdr = 0x0 port2_sd0_ob_preemp_msb_qdr = 0x0 port1_sd1_ob_preemp_msb_qdr = 0x0 port2_sd1_ob_preemp_msb_qdr = 0x0 port1_sd2_ob_preemp_msb_qdr = 0x0 port2_sd2_ob_preemp_msb_qdr = 0x0 port1_sd3_ob_preemp_msb_qdr = 0x0 port2_sd3_ob_preemp_msb_qdr = 0x0 center_mix90phase = true ext_phy_board_port1 = HAWK3 ext_phy_board_port2 = HAWK3 ;;;;; External Phy: ignore mellanox OUI checking. ;;;;; Under [IB] section ;;;;; Integer parameter. Values range : 0x0 - 0x1. ignore_mellanox_oui = 0x1 ;;;;; External Phy check GPIOs values for the 4 configurable GPIOs per port. ;;;;; every GPIO has 2 bits that can get the values "00", "01", "11" - dont check. ;;;;; Under [IB] section ;;;;; Integer parameter. Values range : 0x0 - 0xff. ext_phy_check_value_port1 = 0xff ext_phy_check_value_port2 = 0xff [PLL] lbist_en = 0 lbist_shift_freq = 3 pll_stabilize = 0x13 flash_div = 0x3 lbist_array_bypass = 1 lbist_pat_cnt_lsb = 0x2 core_f = 44 core_r = 27 ddr_6_db_preemp_pre = 0x4 ddr_6_db_preemp_main = 0x7 ddr_6_db_preemp_post = 0x0 ddr_3_dot_5_db_preemp_pre = 0x2 ddr_3_dot_5_db_preemp_main = 0x7 ddr_3_dot_5_db_preemp_post = 0x0 [FW]

server spec:
Xeon E5-1620v4 3,5GHz 2011-3
Supermicro X10SRA-F
4x 16GB Samsung DDR4-2133 reg. ECC Ram

ESXi:
6.7.0 Update 3 (Build 19997733)
I flashed ESXi from pre U1 up to latest patch after enabled SR-IOV (but not working) to see if something has changed. Nothing changed, from pre U1 to post U3 SR-IOV seems not supported, as described above.

3ef4594c-f8c6-4c21-957c-617ebf239f78-grafik.png

cannot select the mellanox card
91cd4b53-2cdf-47cc-b12f-1b5b49990cfe-grafik.png

Are you passing the Broadcom NICs through to pfSense? It looks like you're probably not but if you are there was an issue we've seen with that driver that required the NIC to be in promiscuous mode. That may be getting reset when pfSense is rebooted.

Steve

@loser8491 Okay so there are some virtualization caveats on windows 11. Virtualization on Intel cpu's older than 6th gen will be disabled out of the box due to security concerns with previous generations. There is a workaround but requires some hackery. Check Microsoft forums on the issue. Furthermore, if you have a 6th gen Intel or later or a xen architecture amd cpu or later, check the bios settings. You have to enable virtualization in bios and also directed io if possible. (VT-x and VT-d) respectively. Then reinstall virtual box. If you have an older cpu you need to first verify it is capable of virtualization.

Windows Hyper-V 2019
Windows 10 VM behind PFsense 2.6.0

fceba6ae-4fa1-4eec-a79d-7b848bf7f260-image.png

https://www.doitfixit.com/blog/2020/01/15/slow-network-speed-with-hyper-v-virtual-machines-on-windows-server-server-2019/

No restart required

@patch said in pfsense on Proxmox - Help with config:

@natharas
An over view of your network architecture would help

Is the Asus DSL-AC68U configured as a modem only (bridge mode) or a router Why is the Asus DSL-AC68U connected to the TP-Link SG2210P rather than directly to the WAN NIC on your Dell PowerEdge T420. Your Proxmox should be managed via your LAN not WAN port as should pfsense

Alternatively your could configure both DELL nic in LAG and use VLANs on your L@ managed switch to separate WAN and LAN but I would not recommend starting with that

Thanks for the reply

It is currently configured as modem only, I do believe it can be bridged though. I've attempted connecting to the WAN NIC on the Poweredge T420 but had no luck getting a WAN IP via DHCP.

@keyser So I just setup a VM running pfSense on my Synology NAS along side my UniFi network.

I'm really glad I spun up an isolated VM this way (with one of my extra public IPs) without having to eff with my production network. I just configured a VLAN-only network on my UDM and assigned it to some switch ports to test with.

Man, I am absolutely loving pfSense so far! What a great product. I might end up having to buy a 6100 after all. Everything just works on the first try (DDNS, PIA, pfBlockerNG, Suricata, and ntopng).

Thanks again for sharing your experiences and opinions.

@sabrielandoj
If you ping from the pfSense GUI using the Ping tool with the default source (WAN IP) all devices on the 192.168.7.x network should response.
If they don't, but do if you ping from other machines in this network, there must be something wrong in the network settings on one involved device.

If you change the source to LAN it's expected that pings won't work, as long as the devices have no route for 192.168.6.124/25 pointing to pfSense. Responses will be sent to the default gateway.

OK, the solution was to install in a local Virtualbox on my computer with a similarly sized HDD. I then shut down the Virtualbox VM before it rebooted into pfSense after install and cloned the disk to the OVH VPS. Works like a charm! Also much faster.

@blcktape That was already in place. This issues was different than the 100% slow down all the time those settings fix.

@viragomann

https://www.youtube.com/watch?v=hdoBQNI_Ab8

this video did not elaborate this issue after the installation of pfsense

Capture.PNG

See the comment by one of the viewers as well, we might have similar question

@laszlo said in Proxmox, pfsense, bridge:

I'm bridged the second 2 interface. VLAN untagged management network the bridge, and the tagged VLANs on the interfaces. (100, 102 the first, 101 the second)

Uhm...
In pf you should have 1 physical interface with your 3 VLANs tagged, making 3 interfaces in pfSense.

Then your ProxMox should have 1 connection to a switch, which has all three VLANs tagged on that port.

Bridges in FreeBSD should be avoided.

@brianmcg
Hi Everyone,
I've fixed it myself. :-) I had to turn OFF "Enable Secure Boot" in VM's Security Settings. pfsense is now running.

@inmarket I’m running windows server 2022.
The problem is there and tried all the recommended “solutions”.
Only downgrading to 2.5 or upgrading to 2.7 fixed the performance issue.

@thimplicity OK, I got impatient with all the reboots and started the journey yesterday. I created a new VM according to the official pfSense instructions and set it up as q35 with UEFI. I decided against just rolling back the config and will configure the stuff from scratch. So far the basics that I have configured work without a hitch, but it has only been 10h.

Thanks for the input!

Sure, I'll answer questions as time allows.

I agree with what @Patch said previously though. You need to discover how to do a lot of this for yourself in order to learn from it.

Steve

@srytryagn
Running pfSense virtualized on top of another system naturally adds an additional layer to the whole system, which may offer additional vulnerabilities and possibilities for attacks. These grow up with the number of services you're running on the host.
Hence I'd not recommend to run a production pfSense on a PC which you use for working, playing or any other purposes.

However, if you virtualize pfSense together with other machines on a dedicated hypervisor system I'd not much concerns due to security.
But Windows + Virtualbox is not really well eligible for these purposes in my opinion.

For instance, my home pfSense runs virtualized on top of Linux with KVM aside from a web server to achieve better utilization of my hardware and safe cables, energy and hardware costs.
The host itself is only connected to the LAN side of pfSense, so the firewall secures my whole system. The pfSense WAN is connected to the ISP modem and establishes the internet connection via PPPoE.

Natting the traffic on the ISP router is basically not a security issue as long as the router works reliably.

If pfSense can increase security for the VMs depends on your network design. pfSense, whether bare metal or virtualized, can segregate your (virtualized) network, you can drive this up to connect each VM to a separate network interface if you want, so that no VM can access anything without passing the firewall.

Here is the ARP table of the pfSense.Screen Shot 2022-07-07 at 9.35.06 PM.png

I can't really comment in detail here. I don't use ESXi myself.

Do you still have access to the pfSense WAN after making that change?
What connections are you actually losing?

Obviously access to the management would then be via port forwards or VPN etc so connections there would have to be remade if that was not already in place.

Steve

@deanfourie said in pfSense on HyperV = Massive problems:

Lets take for example my WAN interface. I have the ability to DISABLE IPv4 on this interface.

No, you wouldn't share this with the host to begin with so no need to disable anything.

It will look like this on the host, don't mess with it.

Capture.PNG

@brucie
All software has bugs and security vulnerabilities.
With pfSense running on bare metal the possible locations for bugs are:

Hardware pfsense (FreeBSD retained code, Netgate code) pfsense user customisation / added packages

Note Netgate removes none essential components from FreeBSD to reduce vulnerabilities / minimise the attack surface.

With vitalisation you add

Proxmox ( Debian 11.3 retained code, QEMU 6.2, Proxmox code)

The most exposed of which to external attack is probably the WAN port which is why some pass through at least the WAN NIC.

@ironmonkey If the Redmine catalog indicates something is included in 22.05 then it would be in the next release.

Wait..what? Doesn't the ONT untag it?

I have a similar setup, PPPoE servers are in the VLAN891 or something like that in the ISP's network all the way to the ONT.

I route mode, it works with it directly, J/K these devices suck in route mode but they do handle the VLAN directly, for what it's worth. In bridge mode it untags the VLAN and the ports all are access ports basically on the native VLAN (untagged 1 or 0); pfSense and other firewalls are virtualized, and since my ISP allows several connections, the ONT connects to an access port on a switch where PPPoE traffic is available to any PPPoE-cabable device with access to that VLAN.

The ONTs' and modems' bridge mode is exactly the same thing as if you'd bridge interfaces in pfSense, it bridges the VLAN ISP-side to the native one so the device that dials up the connection doesn't need to also be VLAN-aware, most client devices aren't supposed to be. I don't think the problem is on pfSense but rather in Hyper-V. If you didn't use System Center VMM to set it up, tagged VLANs in Hyper-V are only doable via PowerShell. So, when you set up pfSense to expect a tagged VLAN I think it might be expecting something like a Q-in-Q at that point. I'll assume that by Mikrotik, you meant CHR which treats these things very differently in addition of PPPoE is kind of their thing. I'm familiar with CHR and I know it's easy to get a misconfigured working router by accident — I'm not saying you did, I just mean that it's very forgiving in regards to this specific setup — if your ONT is in bridge mode, double check its settings. Mine, Huawei-branded, can even bridge the ISP-side PPPoE VLAN to specific ports on it which other modems can piggyback to access the ISP (they're handed out like hotcakes bc they double as VoIP terminals).

Just in case you didn't know, when you add enable Hyper-V, Windows is turned into a VM, so is its own networking; when you add a external switch on Hyper-V, you take away a NIC from Windows, create this virtual raw thing where all VLANs exist. Allow management operative system to share this network adapter is kind of misleading bc the switch comes first, checking that option what actually does is to create a virtual NIC for the VM Windows has become. It's the virtual switch that shares the network with Windows, not the other way around. The VLAN ID boxes are also confusing because they suggest the traffic is tagged to the guest OS to untag it on its own—not the case. I don't know how to invert Microsoft's words to explain the reasoning behind such a horribly mislabeled UI.

I think that if you select your NIC without isolating the VLAN first, it should work.

Check out how one of my boxes is set, hopefully it helps your figure things out.
hyper-vtrunkpppoe.png

If you want to set a trunk port to your VM you'll need to do it in PowerShell, remote in Enter-PSSession {machineName} from another newer Windows machine if you can so you get color syntax, it wasn't available on Windows Server 2012 R2.

Get the vNICs of your VM and convert one or more to trunk ports so you do all in pfSense and don't need to reconfigure Windows each time. Remember every Microsoft product has a tendency of failing for no reason.

hyper-v-vlan-config.png

If your VM only has one NIC, you can pipe the commands, e.g; Get-VMNetworkAdapter -VMName IdentiCA | Set-VMNetworkAdapterVlan -VMName IdentiCA -VMNetworkAdapterName "Network Adapter" -Trunk -AllowedVlanIdList 1-4094 -NativeVlanId 1. :)

You may already know there's an issue with Windows since WS2012R2 to present WS2022 that even when you configure a network adapter correctly it's saved without a gateway, thus locking you out unless you have console access or are in the same L2 to fix it — don't forget about it.

If that doesn't fix your issue, there's one other thing… Some time back I becamed obsessed with telecom tech and found out that PPPoE, which is somewhere between layers 2 and 3, cannot just be put reliably into VLANs, I can vouch for that myself; back when had 4 PPPoE ADSL2+/VDSL2 lines I had to maintain them separated because 1. being all mine, credentials would be accepted anywhere, but being 2. DSL they all had different physical max speeds, which the username logically limited further, so I tried a million times to send them over VLANs but only 3 would connect. I learned that there's a special kind of switch that's compatible with this thing now called PPPoEoE — not kidding — it appears only to be made by Cisco, so you might be in luck, I even posted it here somewhere, in the end it was too little information though so never was able to make it work without discrete NICs.

Good luck with your setup!

I'm still having this same issue, we're unable to boot 2.6 installer and even boot a pre-installed 2.6 from a VHDX that we've used Windows11 to install and copy across.

Just checking in to see if anyone else has had this issue with Hyper-V 2016 and the new ZFS based versions of pfSense?

Are you still seeing those warnings on the console? Or in the system logs?

It sounds like they might be an unexpected connection to the LAN. Like somehow it's linked to WAN maybe. If we can see what the actual warning was we might know more.

Steve

@nicesub said in Upgrade to 2.6 slashes throughput:

@bmeeks said in Upgrade to 2.6 slashes throughput:

Most likely you are being impacted by a known bug in FreeBSD 12.3 with Hyper-V. You will need to disable RSC (Receive Side Coalescing). Check the Virtualization sub-forum here on the Netgate forums. There is a huge thread about this and how to fix it on most installs.

Edit: here is a link to that thread: https://forum.netgate.com/topic/169884/after-upgrade-inter-v-lan-communication-is-very-slow-on-hyper-v.

Thank you fort that, I upgraded a copy of pfSense to 2.7 DEV and no issues were observed and I did not need to make any tweaks to Hyper-V. It appears that 2.6 has some issues with Hyper-V so I think that I will just skip it and stay with 2.5.2 until 2.7 is official.

Yep, 2.7 DEV fixed the problem in the FreeBSD virtual NIC driver for Hyper-V. The problem came in with FreeBSD used in pfSense 2.6.