OK, the solution was to install in a local Virtualbox on my computer with a similarly sized HDD. I then shut down the Virtualbox VM before it rebooted into pfSense after install and cloned the disk to the OVH VPS. Works like a charm! Also much faster.

@blcktape That was already in place. This issues was different than the 100% slow down all the time those settings fix.

@viragomann

https://www.youtube.com/watch?v=hdoBQNI_Ab8

this video did not elaborate this issue after the installation of pfsense

Capture.PNG

See the comment by one of the viewers as well, we might have similar question

@laszlo said in Proxmox, pfsense, bridge:

I'm bridged the second 2 interface. VLAN untagged management network the bridge, and the tagged VLANs on the interfaces. (100, 102 the first, 101 the second)

Uhm...
In pf you should have 1 physical interface with your 3 VLANs tagged, making 3 interfaces in pfSense.

Then your ProxMox should have 1 connection to a switch, which has all three VLANs tagged on that port.

Bridges in FreeBSD should be avoided.

@brianmcg
Hi Everyone,
I've fixed it myself. :-) I had to turn OFF "Enable Secure Boot" in VM's Security Settings. pfsense is now running.

@thimplicity OK, I got impatient with all the reboots and started the journey yesterday. I created a new VM according to the official pfSense instructions and set it up as q35 with UEFI. I decided against just rolling back the config and will configure the stuff from scratch. So far the basics that I have configured work without a hitch, but it has only been 10h.

Thanks for the input!

Sure, I'll answer questions as time allows.

I agree with what @Patch said previously though. You need to discover how to do a lot of this for yourself in order to learn from it.

Steve

@srytryagn
Running pfSense virtualized on top of another system naturally adds an additional layer to the whole system, which may offer additional vulnerabilities and possibilities for attacks. These grow up with the number of services you're running on the host.
Hence I'd not recommend to run a production pfSense on a PC which you use for working, playing or any other purposes.

However, if you virtualize pfSense together with other machines on a dedicated hypervisor system I'd not much concerns due to security.
But Windows + Virtualbox is not really well eligible for these purposes in my opinion.

For instance, my home pfSense runs virtualized on top of Linux with KVM aside from a web server to achieve better utilization of my hardware and safe cables, energy and hardware costs.
The host itself is only connected to the LAN side of pfSense, so the firewall secures my whole system. The pfSense WAN is connected to the ISP modem and establishes the internet connection via PPPoE.

Natting the traffic on the ISP router is basically not a security issue as long as the router works reliably.

If pfSense can increase security for the VMs depends on your network design. pfSense, whether bare metal or virtualized, can segregate your (virtualized) network, you can drive this up to connect each VM to a separate network interface if you want, so that no VM can access anything without passing the firewall.

Here is the ARP table of the pfSense.Screen Shot 2022-07-07 at 9.35.06 PM.png

I can't really comment in detail here. I don't use ESXi myself.

Do you still have access to the pfSense WAN after making that change?
What connections are you actually losing?

Obviously access to the management would then be via port forwards or VPN etc so connections there would have to be remade if that was not already in place.

Steve

@deanfourie said in pfSense on HyperV = Massive problems:

Lets take for example my WAN interface. I have the ability to DISABLE IPv4 on this interface.

No, you wouldn't share this with the host to begin with so no need to disable anything.

It will look like this on the host, don't mess with it.

Capture.PNG

@brucie
All software has bugs and security vulnerabilities.
With pfSense running on bare metal the possible locations for bugs are:

Hardware pfsense (FreeBSD retained code, Netgate code) pfsense user customisation / added packages

Note Netgate removes none essential components from FreeBSD to reduce vulnerabilities / minimise the attack surface.

With vitalisation you add

Proxmox ( Debian 11.3 retained code, QEMU 6.2, Proxmox code)

The most exposed of which to external attack is probably the WAN port which is why some pass through at least the WAN NIC.

@ironmonkey If the Redmine catalog indicates something is included in 22.05 then it would be in the next release.

Wait..what? Doesn't the ONT untag it?

I have a similar setup, PPPoE servers are in the VLAN891 or something like that in the ISP's network all the way to the ONT.

I route mode, it works with it directly, J/K these devices suck in route mode but they do handle the VLAN directly, for what it's worth. In bridge mode it untags the VLAN and the ports all are access ports basically on the native VLAN (untagged 1 or 0); pfSense and other firewalls are virtualized, and since my ISP allows several connections, the ONT connects to an access port on a switch where PPPoE traffic is available to any PPPoE-cabable device with access to that VLAN.

The ONTs' and modems' bridge mode is exactly the same thing as if you'd bridge interfaces in pfSense, it bridges the VLAN ISP-side to the native one so the device that dials up the connection doesn't need to also be VLAN-aware, most client devices aren't supposed to be. I don't think the problem is on pfSense but rather in Hyper-V. If you didn't use System Center VMM to set it up, tagged VLANs in Hyper-V are only doable via PowerShell. So, when you set up pfSense to expect a tagged VLAN I think it might be expecting something like a Q-in-Q at that point. I'll assume that by Mikrotik, you meant CHR which treats these things very differently in addition of PPPoE is kind of their thing. I'm familiar with CHR and I know it's easy to get a misconfigured working router by accident — I'm not saying you did, I just mean that it's very forgiving in regards to this specific setup — if your ONT is in bridge mode, double check its settings. Mine, Huawei-branded, can even bridge the ISP-side PPPoE VLAN to specific ports on it which other modems can piggyback to access the ISP (they're handed out like hotcakes bc they double as VoIP terminals).

Just in case you didn't know, when you add enable Hyper-V, Windows is turned into a VM, so is its own networking; when you add a external switch on Hyper-V, you take away a NIC from Windows, create this virtual raw thing where all VLANs exist. Allow management operative system to share this network adapter is kind of misleading bc the switch comes first, checking that option what actually does is to create a virtual NIC for the VM Windows has become. It's the virtual switch that shares the network with Windows, not the other way around. The VLAN ID boxes are also confusing because they suggest the traffic is tagged to the guest OS to untag it on its own—not the case. I don't know how to invert Microsoft's words to explain the reasoning behind such a horribly mislabeled UI.

I think that if you select your NIC without isolating the VLAN first, it should work.

Check out how one of my boxes is set, hopefully it helps your figure things out.
hyper-vtrunkpppoe.png

If you want to set a trunk port to your VM you'll need to do it in PowerShell, remote in Enter-PSSession {machineName} from another newer Windows machine if you can so you get color syntax, it wasn't available on Windows Server 2012 R2.

Get the vNICs of your VM and convert one or more to trunk ports so you do all in pfSense and don't need to reconfigure Windows each time. Remember every Microsoft product has a tendency of failing for no reason.

hyper-v-vlan-config.png

If your VM only has one NIC, you can pipe the commands, e.g; Get-VMNetworkAdapter -VMName IdentiCA | Set-VMNetworkAdapterVlan -VMName IdentiCA -VMNetworkAdapterName "Network Adapter" -Trunk -AllowedVlanIdList 1-4094 -NativeVlanId 1. :)

You may already know there's an issue with Windows since WS2012R2 to present WS2022 that even when you configure a network adapter correctly it's saved without a gateway, thus locking you out unless you have console access or are in the same L2 to fix it — don't forget about it.

If that doesn't fix your issue, there's one other thing… Some time back I becamed obsessed with telecom tech and found out that PPPoE, which is somewhere between layers 2 and 3, cannot just be put reliably into VLANs, I can vouch for that myself; back when had 4 PPPoE ADSL2+/VDSL2 lines I had to maintain them separated because 1. being all mine, credentials would be accepted anywhere, but being 2. DSL they all had different physical max speeds, which the username logically limited further, so I tried a million times to send them over VLANs but only 3 would connect. I learned that there's a special kind of switch that's compatible with this thing now called PPPoEoE — not kidding — it appears only to be made by Cisco, so you might be in luck, I even posted it here somewhere, in the end it was too little information though so never was able to make it work without discrete NICs.

Good luck with your setup!

I'm still having this same issue, we're unable to boot 2.6 installer and even boot a pre-installed 2.6 from a VHDX that we've used Windows11 to install and copy across.

Just checking in to see if anyone else has had this issue with Hyper-V 2016 and the new ZFS based versions of pfSense?