@andmattia Does your processor include AES-NI and is it enabled in BIOS?

It's highly unlikely to be related. There is nothing that gets triggered by pressing 8. Maybe your system connecting to the firewall via SSH on its own might have nudged your client system's IP stack in some way (e.g. a new ARP request), but it's unlikely to be a firewall problem.

@Gertjan Ok i will try that way.

@securityconcerned said in Need help in taking pfSense for test drive in VirtualBox:

my computer is infected with viruses, and these perpetrators also seem to be on my network at various times. So I was thinking of putting a pfSense firewall on my network.

Look outside. We are in the year 2020.
Most, if not all processes communicate with each other using something like TLS.
This is even more valid if these processes have sensible information to hide, like, for example, viruses.
So, never ever pfSense can find out what is coming in and out of your network **.

There is only one way out. Stop downloading any executables, probably even pay-ware, free ware for sure.
Remember : if there is no price (no $) then the product is YOU.
There are two major solutions for this. Stop clicking. And your done. This will even save your mouse buttons.
Far less better, but it might work : check out all the videos from, for example, https://www.youtube.com/user/ThePCSecurity - you'll see an relatively up to date tests among 'the best' which you will re qualify as the "most commercial known". And again, if you pay nothing, you will have the quality worth you paid for. Knowing that 0 / "something" is .... known as zero.

It's not very hard to learn where to look for when it comes to viruses and family. And when done, no more need to use anti-virus scanners and stuff like that (I'm using none).

Don't get me wrong, but I concerned about your concept of security ;)

** actually, I should say : pfSense could do some inspection work for you. The real issue is : a huge knowledge about SSL/TLS, certificates, proxies will be needed. People that can pull this one of .... never do so because they do not have the need for it : these guys saw a virus somewhere in the last decade, the day they were learning.
An exception to the rule might be an email server, something like postfix, which doesn't belong at all on a device that is a firewall router like pfSense. This kind of server unpacks your mail, and stores them in clear text, which makes scanning possible before the user can see and/or download it into the mail client.
There is no such solution as "install XYZ ito pfSense, set this and ckick there" and all my traffic is scanned, and blocked if needed.

If I recall I used e1000 vs vmx and no problem

You should inquire via e-mail to sales@netgate.com

Thanks for your suggestions, have some fries 🍟

Okay ☺ , so tried the MikroTik LTE modem, but too expensive and I will use an old iPhone hotspot via USB. I use an iPhone hotspot via USB for my computer browsing and it is fast enough for streaming.

The pfSense VM router will route no streaming, only Home Assistant traffic, which I estimate to be minimal.
If I grow, I'll move back to an LTE dedicated modem.

So, the question remains:
USB setup on the Hypervisor Proxmox server to connect to the VM pfSense router?

Hypervisor has:
WAN Eth0 Ethernet port.
LAN Eth1 Ethernet port.
VM pfSense router has:
Net0=vmbr0 connected to Eth0.
Net1=vmbr1 connected to Eth1.

So, add a USB port connection somehow in Proxmox or configure something in pfSense?🌏

Here's my current network topology:
current network topology

Here's my planned topology:
planned network topology

@djair thanks for the reply 😊 I decided that for the work i need to do, I need a more friendly hypervisor. So I used VMware Workstation 15.5 and did the same job in half the time 😊

Its a ESXI host, do you not have access to the vmkern.. throw up some VM on the lan side network... Console that VM.. Or sure console to pfsense and disable the firewall..

@provels

I think that the setting to have the Time Synchronization enabled in Integration Services fixes this.

Since I enabled this setting, I have only seen the clock unsynchronized error at reboot.

@johnpoz

I answered 'no' to that on my previous comment in the first line.

I don't have too much idea about networking, sorry. I am just giving you as much information as I can.

hi Ingenium, I know it might be a bit late for an answer, but I think one solution for your VLAN on VF problem might be to bind a VLAN on a VF on the host.

You can use "ip link set PF vf X vlan Y" on the host to bind a VLAN on the VF. Replace PF with your PF-interface name, X is the VF interface and Y is the VLAN. You would end up in having a VF for each additional VLAN.

The VLAN header is stripped/inserted by the VF and the interface can be used just like a standard interface in pfSense. No need to configure VLAN in pfSense.
check out https://doc.dpdk.org/dts/test_plans/vf_vlan_test_plan.html for reference.

@ldiciolla as xcp-ng version 7.x you must add 4 extra in the mtu 1500 cause the nic in xen has no 802.1q vlan driver due that the max vlan 4094 is done like
1024 2048 4096 4096 is how memory is allocated but the mtu 1500 is the tcp mac window max trans (m)utex just add 4 in the mtu and there the vlan number will be stored (in v8)this is covered , pfsense runs in a vm so don't allocate vlan(s in vlan(s on the gen1 hypervisor , buy a switch vlan802.1q built there your nic vlan in and deliver pfsense simple lan interfaces reason is the nic must also be vlan capavle, by using a switch this is covered and on one realtek i ran wan lan1,2,3,4,5,6
always tag the port the 802.1q has nothing to do with the ARP MAC thats in 802.1ad
vlan 4096 tag means all vlans and start by id 4 due 1-3 is are used for LAG not like LACP or LACP.802.a3d ,

It seems I might have made a mistake in my virtual network configuration. I tried ssh'ing to the gateway 10.0.0.1, and lo and behold, an ssh server running. Turns out it was my virtualization host listening on that address. A reboot of the router must have made it also on that address (is that possible?) temporarily.

> virsh net-dumpxml lan_priv <network connections='2'> <name>lan_priv</name> <uuid>567ca017-512e-4211-87c7-ae0193806d20</uuid> <bridge name='virbr1' stp='on' delay='0'/> <mac address='52:54:00:2e:3d:0f'/> **<ip address='10.0.0.1' netmask='255.255.240.0'>** ^^^^^ (oops) </ip> </network> I believe it should be **"10.0.0.0"** for the network ip address. I'll clean everything up and report the results.

Here are the iperf3 tests results:
Test#1
ubuntu:~$ iperf3 -4 -c bouygues.iperf.fr
Connecting to host bouygues.iperf.fr, port 5201
[ 4] local 192.168.5.102 port 45186 connected to 89.84.1.222 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 3.33 MBytes 27.9 Mbits/sec 55 260 KBytes
[ 4] 1.00-2.00 sec 2.72 MBytes 22.8 Mbits/sec 0 305 KBytes
[ 4] 2.00-3.00 sec 3.09 MBytes 25.9 Mbits/sec 0 335 KBytes
[ 4] 3.00-4.00 sec 3.65 MBytes 30.6 Mbits/sec 0 352 KBytes
[ 4] 4.00-5.00 sec 3.52 MBytes 29.5 Mbits/sec 0 360 KBytes
[ 4] 5.00-6.00 sec 3.52 MBytes 29.5 Mbits/sec 0 361 KBytes
[ 4] 6.00-7.00 sec 3.65 MBytes 30.6 Mbits/sec 0 361 KBytes
[ 4] 7.00-8.00 sec 3.71 MBytes 31.1 Mbits/sec 0 363 KBytes
[ 4] 8.00-9.00 sec 3.58 MBytes 30.1 Mbits/sec 0 368 KBytes
[ 4] 9.00-10.00 sec 3.83 MBytes 32.2 Mbits/sec 0 381 KBytes

[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 34.6 MBytes 29.0 Mbits/sec 55 sender
[ 4] 0.00-10.00 sec 32.9 MBytes 27.6 Mbits/sec receiver

iperf Done.

Test#2
ubuntu:~$ iperf3 -4 -c bouygues.iperf.fr
Connecting to host bouygues.iperf.fr, port 5201
[ 4] local 192.168.5.102 port 45206 connected to 89.84.1.222 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.00 sec 4.95 MBytes 41.5 Mbits/sec 154 415 KBytes
[ 4] 1.00-2.00 sec 4.45 MBytes 37.3 Mbits/sec 0 481 KBytes
[ 4] 2.00-3.00 sec 4.88 MBytes 41.0 Mbits/sec 0 526 KBytes
[ 4] 3.00-4.00 sec 5.25 MBytes 44.1 Mbits/sec 0 557 KBytes
[ 4] 4.00-5.00 sec 5.50 MBytes 46.1 Mbits/sec 0 574 KBytes
[ 4] 5.00-6.00 sec 5.62 MBytes 47.2 Mbits/sec 0 584 KBytes
[ 4] 6.00-7.00 sec 5.87 MBytes 49.3 Mbits/sec 0 585 KBytes
[ 4] 7.00-8.00 sec 5.69 MBytes 47.7 Mbits/sec 0 585 KBytes
[ 4] 8.00-9.00 sec 5.81 MBytes 48.7 Mbits/sec 0 585 KBytes
[ 4] 9.00-10.00 sec 5.99 MBytes 50.3 Mbits/sec 0 592 KBytes

[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 54.0 MBytes 45.3 Mbits/sec 154 sender
[ 4] 0.00-10.00 sec 51.2 MBytes 42.9 Mbits/sec receiver

iperf Done.

Thanks
N

@heper Thank you. My home network is pretty small and my use cases generally don't put much of a load on anything. Also, I only have a 200 Mbs WAN connection so guessing that pfSense performance on the hardware I have ordered won't be an issue.

That said, it's good to know that some folks may consider EXSi to offer better performance than Proxmox and I will do some research in this area too. Thank you again.

Sounds like you should probably move to a proxmox forum.

I see no problem here.
One nic connected to a v switch of type external (for example called INET). Connect the wan if of the pfsense vm to that. Make sure the host os cannot us it.

create a new v switch of type external (called Internal) and connect one physical nic to it.

last, connect the host os, lan nic of pfsense and any other internal vm to that v switch