• Traffic shaping wizard broken with VMXNET3?

    Locked
    0 Votes
    3 Posts
    2k Views

    OK. Thanks for the update. I'll do some groping around on that topic.

    Is there a handy command to dump interface features/modes in FreeBSD? Maybe the output of that could be helpful on what PF is seeing.

    Thanks!

  • Dont get vmware tools running on vsphere 5.1

    Locked
    0 Votes
    2 Posts
    4k Views

    I found the answer to this problem here:

    http://pastebin.com/kQMiqwF3

    The thing that I changed (not sure if it makes a difference) is to use "packages-8.3-release" since pfSense 2.1 is based on FreeBSD 8.3.

    Oh yeah, that also says ftp-archive, don't put the -archive in the name.

  • Help: setting up hyper-v, with 3 physical NIC ports

    Locked
    0 Votes
    2 Posts
    4k Views

    Over a month and no answer?
    Unacceptable as Seven of Nine would have put it :)

    The trick is to see the virtual switches as physical ones and treat them the same way.
    If we would build this in a server rack with physical stuff we would need
    1. one wan switch
    2. One incoming wan connection
    3. One internal switch
    4. One outgoing connection to the internal network
    5. One server
    6. One firewall

    Let's do the same thing in the virtual world…

    The first thing to do is to create the WAN switch (nr 1 above). Do that by going into Virtual Network Manager in the Hyper-V console.
    Create a new External network and call it Wan.
    It now should be connected to the WAN connection (nr 2 above). Do this by selecting the right Intel adapter in the drop-down list (I guess you get two there).

    Make sure that allow management operating system …. is NOT selected. You don't plug a cable from the WAN switch into an internal server in the physical world and neither should we do it in the virtual world.

    Now we have a WAN switch and we have a connection from it to the WAN.

    The next step is to create the internal switch (nr 3 above).
    Create a new External network (yes, it should be external, since external in Hyper-V means allowed to use physical NICs).
    I call mine internal network.
    It should now be connected to the outgoing connection (4). This is done by selecting the Realtek card.
    Now make sure that allow management operating system …. is selected. This equals putting a cable between the internal switch (3) and the server (5).

    The last thing is to install and connect the firewall box.
    Create a virtual machine with two legacy network adapters.
    Connect them to wan and internal (just like we would plug in two cables on a physical switch).
    Install pfSense on it.

    Done!

  • 0 Votes
    7 Posts
    8k Views

    Hi,

    Looks like I'm on a roll! I changed the DNS Server IP to 10.0.0.254 and I can now get on the internet from my Win Server machine!

    Thanks.
    Camilla.

  • Pfsense - ESXi - DMZ - LAMP

    Locked
    0 Votes
    7 Posts
    6k Views

    @johnpoz:

    "If I use configuration 1 the security of the VM is defined only by the client firewall settings inside the VM"

    Says who??  You're still behind pfsense, only the ports you allow would be sent to the VM.  You're not doing a 1:1 nat are you with any any rules?

    Yes, by pfsense I can control traffic from WAN and LAN to the VM inside the DMZ. But to make the client side more secure, inside the VM I carefully have to take care to define what port is from outside and what port is from inside. Having two networks inside the VM would help a lot to separate inside the VM.

    @johnpoz:

    You're calling it DMZ - it's just another network segment connected to your firewall - you have full control of what ports are allowed through the firewall to IPs on the DMZ.  You have full control of which ports are allowed from the lan to the dmz, or from the dmz to the lan, etc. etc.

    This is why for security reasons you often can find separate management networks. The separation is not done by port control but by having separate NICs with separate networks. In the same way I want to separate services inside the VM: some to get access to from LAN only and some to get access from WAN. The question from my side is how to connect these two networks to the pfsense system.

    But after using my brains a little bit again there is no reason not to use option 2 with one DMZ. Two NIC with two IP I can connect. This will allow me to separate both networks inside the client VM.

    Many thanks for your help and being patient.

  • Very slow web gui/non responsive using VMware 9

    Locked
    0 Votes
    7 Posts
    4k Views

    Thanks for the quick response.

    I solved my issue: I was giving em1 an IP that was already being used. I thought I had to set it the same as the VMnet 1 IP but that was wrong.

    So now I can play with the menus and start forming a plan for my network.

    Thanks again.

  • Kernel: pid 10164 (snort), uid 0, was killed: out of swap space

    Locked
    0 Votes
    2 Posts
    4k Views
    jimp

    How much RAM in the VM? That indicates that it consumed all your RAM and swap space (if you had any swap space at all)

  • Proxmox through pfsense

    Locked
    0 Votes
    2 Posts
    8k Views

    Hello ibanez89

    I have a virtual environment with Proxmox (KVM based) and pfsense. I have a network with 7 virtual LANs and 2 (virtual) WANs. It works fine without any problem and I can access Proxmox from any VLAN (if the firewall rules let it pass).

    Your configuration is completely wrong. You never can have a vmbr1 based on iface vmbr1. You need to define in "interfaces" one vmbr0 based on eth0 and provide a static IP address for vmbr0. This is the LAN and address for the Proxmox server. Whenever your client is in this network segment (my technical network is 192.168.70.0/23) Proxmox is reachable.

    Further, I have generated for each other network, including WAN, a virtual LAN (vlan) with the entry eth0.xx in the vmbrxx definition (vmbr40 iface eth0.40). I used bond0 instead of eth0. A bond is a link aggregation. I aggregate eth0 and eth1 to bond0. This aggregation is linked to my switches, which let all vlans pass to the server. Don't provide IP addresses in other networks. This is done by the pfsense DHCP server or statically in pfsense.

    Within pfsense I have assigned each vlan as a "normal" NIC adapter. Each interface must have an IP address, which is the gateway between networks. The default gateway is the router for WAN (in your case 10.0.0.1).

    It's very important that your switch ports are managed and configured carefully. For example, the port with the WAN connection must let pass the WAN vlan only (untagged). Ports with clients in vlan2 (in your case 10.0.1.1) are allowed vlan2 only (tagged or untagged). The Proxmox server connection is the only port which has all vlans open (technical LAN untagged, all others tagged).

    Attached you can find my interface definition on proxmox server and pfsense if assignments.

    ![pfsense assign if.JPG](/public/imported_attachments/1/pfsense assign if.JPG)
    interfaces.txt

  • Pfsense 2.0.2 kernel crash almost every day

    Locked
    0 Votes
    4 Posts
    2k Views

    10 days ago I built a new VM and installed the i386 version of 2.1 beta and I am having no more issues. The 2.1 beta has not crashed since the install.
    I suspect improved em(4) drivers in the newer release of FreeBSD.
    Thanks

  • PfSense and KVM

    Locked
    0 Votes
    7 Posts
    6k Views
    maxxer

    thanks for your feedback.

  • 0 Votes
    2 Posts
    3k Views
    jimp

    pfSense is optimized to act as a firewall, not an endpoint. Try the test with:

    Debian --- pfSense --- Debian

    Running iperf only on the Debian hosts.

  • ESXi 5.0.1 looking for wireless NIC

    Locked
    0 Votes
    2 Posts
    6k Views

    You have a couple of options but on the whole, what you want will not "officially" work as ESXi does not support ANY wireless nic. Official VMware HCL for reference: http://www.vmware.com/resources/compatibility/search.php?deviceCategory=io

    Option 1: Possibly use a 3rd party driver to compile your own support. This tends to be hit or miss, there were a lot of community compiled drivers for 4.0/4.1 but I did not see any wireless nics in the whitebox HCL list and I do not know of a good list for 5.0/5.1 other than searching here: http://www.vm-help.com/forum/viewforum.php?f=23

    Option 2a: If your setup supports IOMMU/AMD-Vi for PCI device pass-through, you could (in theory) use any wireless NIC you like as long as it is supported on pfsense (I don't know what specific cards those are so I'll let others chime in with those suggestions).

    Option 2b: If you don't have IOMMU/AMD-Vi support, you could try USB pass-through. This may be more trouble than it's worth as I had a hell of a time just getting a printer to stay connected to the guest. Probably also need the Official VM Tools installed, not the OpenVM Tools - it's doable but not as easy as the built-in package installation. Same goes for others chiming in on supported USB nic options here.

    Personally, I don't like any of the available options but it is what it is. If anyone else has other ideas I'd be happy to hear them.

  • VirtualBox Please Help me With your Suggestions

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Vmware vmxnet3 nic vs. e1000 vs. hardware-install - throughput performance

    Locked
    0 Votes
    60 Posts
    60k Views

    I'm afraid I wasn't looking. If I have to run these tests again I'll make a point of measuring.

  • Newbie with Questions on Setup…

    Locked
    0 Votes
    2 Posts
    2k Views

    This should be no problem.
    Your T310 is going to have plenty of headroom for running pfsense, even with those windows servers and LAMP.
    Just follow biggsy's tutorial here: http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

  • PfSense - ESXi - vSwitch - VLAN - Cisco

    Locked
    0 Votes
    3 Posts
    3k Views

    If you have no bandwidth problems, then you might leave vlan pruning off, or set it to none.

  • ESXi, pfsense & vlan-ning

    Locked
    0 Votes
    2 Posts
    5k Views

    The way I normally do this is to set up VLAN networks in ESX and then create a NIC for pfsense in that new vswitch. This keeps pfsense from having to do any VLAN work on top of what ESX is doing.

  • Pfsense 2.1-BETA0 running in PV mode on xen 4.1 randomly reboots

    Locked
    0 Votes
    3 Posts
    3k Views

    Hi,

    Is it possible you could provide a guide for building the PV aware kernel? This was something I was very interested in a year ago, but didn't have the time and couldn't find any guides.

    Looking forward to your response.

  • VM Tools Problems

    Locked
    0 Votes
    4 Posts
    3k Views

    See my post here: http://forum.pfsense.org/index.php/topic,57851.0.html

    The "HgfsDebugPrintVattr undefined" error doesn't appear to cause any problems but seems to have been fixed in later versions of OpenVMTools.

  • PfSense VM in Windows 7…security issues?

    Locked
    0 Votes
    6 Posts
    5k Views

    I have a similar setup for one of my boxes and here is my 0.02:
    1. You will need more RAM if you plan to use SNORT, squid … etc. I have an oddball 5G system and memory usage is constantly at 95%+. Pfsense is in a 3G VM; together with the win7 host they use more than 4G. With SNORT fully loaded, pfsense memory load (within the VM) can peak at 80% - SNORT is the memory hog, so if you do not plan to use it you will need more host memory.
    2. Get a 3rd network card as a management interface to the box. If you are concerned, you can assign the 2 NICs to some funky IP address and have a firewall rule to block them off completely.
    3. I was never able to get VLAN to work in this setup; somehow the 11q tag was lost. Maybe because at the time I was running an older version of Workstation or because I had not installed vmware tools. VLAN is not important to me in this setup so I never went back to look into it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.