@mrbankheadgmail-com

I know this topic is quite old, but I'm experiencing the same thing on multiple proxmox hosts and pfSense. Did you ever find a solution?

@kiokoman Thanks! It's solved!!

Hello epasinetti,

Try to do an outbound NAT rule in Pfsense. It seems azure will not like if the source IP is not the WAN IP. When a packet goes out public (in Azure VM) it wants the source IP to be same as the interface IP.

So in your example, if your pfsense WAN interface IP (in azure) is 10.0.1.4 and if your VM (the one you want to be behind pfsense) LAN IP is 10.0.2.100 You need to setup a NAT rule in pfsnese where:

Interface:WAN
Source:10.0.2.100/32
Port: up to you, you can do wildcard if you like
NAT Address: 10.0.1.4

So what this rule does is everything comes from the VM 10.0.2.100 that tries to go out on the WAN port (internet access) it will turn the source header IP (in the data packet) to 10.0.1.4 (which at that point, Azure would think that the packet is coming from the wan INTERFACE. Which then would allow it to go out.

I am no Azure expert, maybe someone has a better solution, but this is what I am using now.

But FYI, in the end, I am no longer using pfsense as the fireall. I am currently using Azure's firewall. I am simply using pfsense so that in can connect IPSEC with other company as Azure's own Virtual gateway is limited in IPSEC capability.

Lazy me would just throw another whole 512MB RAM (or even 256) at the Hyper-V install and chalk it up to differences in the emulation/implementation of the V-nics. Or just go back to VMWare.

I create a new VM with 1024 MB and now i have zero problem.

Thanks for your help :)

instructions
https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-vmware-vsphere-esxi.html

LAN usually has a Default Allow All rule, so LAN clients should be able to get anywhere. Provide screenshots of your LAN & DMZ network details as well as your LAN firewall rules.

So your saying pfsense without any dns is reaching out to a specific IP? So the IP must be hard coded into pfsense to check for X?

I don't think so to be honest, hard coding IPs is horrible coding!

Lets see these logs, or the IP that its reaching out to.. And we can prob figure out what is going on.. But I would be very surprised if the pfsense dev's hardcoded an IP into anything they are running. Best would also be these sniffs you took.

You have no packages installed?

You sure its just not the ping to the gateway of pfsense wan? That would be reaching out to an IP without dns to resolve it.. You do know that pfsense even if you turn off unbound, will try and grab dns from dhcp on its wan. And then would attempt to use that for dns..

Also how are you sure its not something on the lan side trying to get to X?

What about NTP? If pfsense at any time had dns, it would of resolved some IPs in the ntp.pool and be trying to set time with those, etc.

TL;DR going to need way more info to try and help you figure out what your seeing.

Also, I have a few pfsense vms I could fire up and try and duplicate what your doing/seeing..

i am also having issue with carp running kvm/qemu with libvirt.
the devices see each other and choose master and slave respectively but if i turn one off the clients cannot access the virtual ip anymore.
is this fix applicable in my case and if so how do i do it?