Come to think of it, I don't really know what would be considered best practice for deploying pfSense on a Type 2 virtualizer as a primary firewall.

I'm going to start another thread asking just that.

http://forum.pfsense.org/index.php/topic,53469.0.html

I assume that you say.
I was trying to use vlan in pfsense but not okay cox there are one broadcast domain in physical network.
So, the only way to solve this problem is to create broadcast domain separately by using vlan in physical network that you said.
Thank a lot for your help.

Any default gateway set on the VMs?
By default there is a deny rule on all new interfaces, start with adding allow all to all rules on all VLANs

Bridged??  Yeah I run pfsense on my esxi and it is my connection to the internet..  AYou don't nat/bridge in an esxi setup.  Your nic would be tied to a vswitch.  Devices connected to that vswitch would have access to that physical network.

So one nic connected to your modem is on 1 vswitch - this is your WAN for pfsense.  Another nic is connected to your lan, and this you put the lan interface of pfsense on that vswitch.  Vms you want connected to lan you connect to your lan vswitch, that physical nic connects to switch of your actual lan and there you go everyone happy and connected.  Pfsense is now your edge router/firewall.

Thanks for the reply and link!

I've solved 1) and 2) by using the setup wizard and adjusting IP's - somehow settings stuck that didn't when I entered them bypassing the wizard.

I have the adapters right now for WAN and LAN, and after getting NAT working, will read that link thoroughly and look at making the firewall transparent by bridging WAN and LAN.

But for now I've decided NATing/port-forwarding will be more flexible in the short-term eg should I want pfsense to handle redundancy/load-balancing.

And it means I won't have to mess about with virtualbox adapters again for a little while! ;)

The problem I currently have appears to be concerned with nat-reflection…

As I wrote earlier, I can access the public IP from the mac host (and externally) without pfsense integrated.

This includes both the webserver over port 80 and my squirrelmail on email server over 443.

But with pfsense being port 80 forwarded to by the modem, I keep getting redirected to my modems web admin page over https (whereas normal access to it is over http).

The public ip isn't resolving externally, at least from my testing via a proxy, so I'm really confused/frustrated…bleh.

I've set up NAT and port-forwarding rules, tried the auto-generated ones from setting up NAT rules and auto-generated Easy Rules added from the firewall logs, as well as my own tweaks to each.

Before I used pfsense, I fixed the same issue with my modem to allow locally resolving the public IP, by telneting to the modem, enabling nat loopback and trying to delete the relevant wan http/https admin rule.

(For some reason I can't delete the https rule even as admin user as it does'nt recognise the wan group in the rule - though 'wan' is one of the actual group options for their ifdelete command! #)

None of the pfsense rules I've setup or are auto-generated redirect from http to https, and none of my reverse proxy rules could cause this redirection.

So… is the problem how nat-reflection is setup somewhere in pfsense?

I've tried 2 ways to fix this:

i) enabled Nat Reflection settings in my NAT rules (and tried disabling/system default)
ii) using split-dns by enabling dns-forwarding and adding host and domain entries for servers the reverse proxy listens for.

Perhaps I'm doing each wrong??

Once I have this solved, I should have pfsense doing everything needed including dns.

I hope someone has encountered this problem and has advice to fix it.

Thanks

I managed to get it working by using the setup wizard and not bypassing it by clicking the logo above it.
From a comparison, I entered the same information manually as I did in the wizard, so I'm not sure why it now works.
But it does.

Thanks for your reply.

Use the pci passthrough feature. It will come at a cost (upped power consumption, because freeBSD NIC drivers appear to do that compared with linux). I am running xen with a pfSense VM, and I found that the CPU time went up when moving traffic that went through my LAN interface (which was the shared interface, the WAN interface already had a passthrough NIC). Because all traffic that came in to the LAN interface was inevitably destined for the WAN, I didn't hit a transfer limit cap, but I estimate I would have been capped at somewhere between 50 and 100MB/s. No good. So I installed a third NIC and also passed that through as the LAN interface, Power consumption went up by 2W, but the CPU never goes up for network transfers now.

The reason is that  (in linux+xen anyway), when running a purely HVM virtual machine (required, since BSD + paravirtual drivers don't really work yet), qemu-dm is used to emulate the device. This process uses a lot of CPU-time (read: it's crap) and is a major cap for network and disk I/O. Disk I/O will still suffer the same limitations, but one doesn't expect too much disk I/O for this to be a serious concern, unless you have lots of logging (then use a remote log server I guess?). A linux virtual machine doesn't have this limitation, because paravirtual drivers do work, and this allows a HVM guest to control the I/O device directly (indirectly) through some PCI front and and back end drivers in the guest and host that doesn't rely on device emulation, like qemu-dm.

So basically, if you want a high throughput firewall system, its absolutely possible. You'll probably need a remote logserver, your hardware must support VT-d (or AMD equivalent which provides IOMMU, don't know its commercial name, and its essential bother motherboard and CPU support this properly), and your hypervisor should support using IOMMU (I imagine all paid hypervisors do by now, xen and by extension citrix xenserver, most certainly do).

I'm surprised it only happens every minute.  This is DHCP traffic, as heper has said.  It's cable modems obtaining or renewing leases.

If I leave on the Log packets blocked by the default rule I see the DHCP requests and replies for every cable modem on the same segment of cable.

Might be related to this:

http://forum.pfsense.org/index.php/topic,50863.msg271703.html#msg271703

yeah you can do vlan's for your wan's either on esxi or pfsense. I've done both.

I found something that shows some promise for getting this out of the box

http://wiki.freebsd.org/FreeBSD10

But that probably wouldn't materialise and trickle into pfSense 'til 2013, maybe 2014 ..

"172.6.0.1"

You mean 172.16 ? 172.6 is not a valid private IP range.

So you say your vmware intefaces 1 is bridged, 2 is Custom: Specific virtual network: VMnet2

That doesn't really tell me much about interface 2, and what is connected to what?  your wan of pfsense is connect to vmware 1 and is bridged to your physical interface, and what network is that on?  You can not assign your pfsense a IP of 192.168.2.19 and expect it to work if its bridged to a physical network of 192.168.1.0 etc..

Again - are you running workstation, server, esxi ?  How are you vmware interfaces connect to your physical network?  What physical ip ranges are you using.  Can not help you if we do not understand how your trying to set this up.

Are you wanting to use this pfsense install as the actual router for your physical network?  Are you want to just play with it?  What networks do you want to route/firewall between?  2 virtual networks, which one do you want connect to your physical network - if any?

Your in the visualization section, so I assume your asking how to visualize your router (pfsense) and have another VM that runs xmbc.  Sure that would not be an issue at all.

I currently run my pfsense on a N40L box as VM, and have multiple other VMS running on that same hardware N40L - I installed the free ESXI 5 from vmware on the n40l.  Then created whatever vms I need, one is router - then others for my NAS, my test workstations, couple linux distros, couple bsds, test 2k8r2 server for active directory testing, etc.  There should be no issues running a xmbc vm.  I currently stream all my moves from my NAS vm.

So what hardware do you have to work with?  And what virtual software are you most familiar with?

After a power cut,

uptime 14 days, 15:29

which I think it means that this is a fix/workaround. before it would fail within a week and need to be restarted.

Check out the other thread on this - I have uploaded a modified dhclient that has ttl set for 128 vs 16.  Still not understanding why it would be set so low?  Why not just use the OS default setting for ttl.  For freebsd that would be 64.

http://forum.pfsense.org/index.php/topic,51803.0.html

Cool! Did you have to install pfsense youself or did the product come with? I'm most concerned about installing the drivers for it to work in KVM.