Just plug something else in bypass the vm router to your modem and see what speed you get..

Easy enough to do a speed test with your VM... Put something on wan and something on lan and run say iperf server on wan side, and then run a test from lan side.. This will tell the max your VM can handle for throughput.. Mine when not firewall/nat could do like 200ish on that old N40L..

Vs building a new esxi host, I just went hardware and got a sg4860.. Was cheaper then the esxi host I wanted to build ;) hehehe... I then just got a synology nas, and run a few vms on there that I like to play with. If I add the prices of sg4860 and my Nas and the new sg300-28 switch I got as well it still less then the host I "wanted" to build for esxi... And I use way less power now as well... But I do miss the ease of playing with dev versions of pfsense when it was VM.. But now when I have to reboot my nas for something I still have internet - which is way better then when reboot esxi host the whole network was down, even local routing between vlans, etc.

Hi io,

Hope you can reach me even that this post its quite old. I ran on the same “adventures” as you did. Even that I got the ha configuration on both firewalls I have not been able to show them as a cluster where they share a unique public ip. I have tried to set up an azure load balancer to do so and al the traffic is managed by one of the nodes but when I turn that node off, the ipsec set ups that I have to onpremise are not working. Have you tried to do this set up as well?

It's fairly clear now that the VMware appliance template has been discontinued, but I've still documented the problem at https://redmine.pfsense.org/issues/8787 in case anyone else suddenly runs into this!

When you ping from a static IP are you also seeing packets leave but no replies?

I would definitely try disabling checksum offload. That should work fine with igb but with virtual igb NICs....

That needs to be added to the config usually via the GUI but if you can't access that you can edit the file directly /conf/config.xml.

In the <system> section at the top add:
<disablechecksumoffloading></disablechecksumoffloading>

Reboot to see that change.

Steve

My mistake, thank you for all.

Ok. Thanks for the reply

Does anyone on the virtualization side have any ideas? Ive done pci passthrough via hostdev in libvirt xml and pci stubs in grub. Im under the impression that since the OS has no knowledge of the NIC card then neithier does libvirt since its a user space app. As i posted ealier freebesd sees the actual intel chipset instead of the standard e1000 emulated chip that QEMU provides to the guest. Also the mac addresses that pfsense sees on the NICs are those that are hardcoded on the hardware Additionally, the xml config has no entry for these nics and the centos cant even bring them up via ifup as the driver has never bound itself to the card.

Maybe im missing something on the hypervisor side here but im under the impression that atandard anti spoofing mac address feature shouldnt apply here since libvirt is unaware of the existence or the card. Or is it?

Thsnks

Alright, I figured out the issue. I was too stupid to notice but the issue was that my lovely host hypervisor routing table did not know what interface to use to connect to 172.16.2.0/24 subnet. So my solution was:

ip route add 172.16.2.0/24 via 172.16.1.1

and it worked. SSH, ICMP everything. My host hypervisor (172.16.1.2) was able to connect to the ArchLinux server running in a vm internal network (172.16.2.2).

Thanks @johnpoz for replying. This was pretty educational actually :)

No help, just confirmation that this occurs to more people.

I am running pfSense in a virtual environment. When it works, it works. But randomly pfSense will block any incoming/outgoing traffic without clear warning. A reboot is the quickest method to resolve it.

logs:
Apparent moment of the latest stop:
Jul 19 06:00:00 [] /usr/sbin/cron[15210]: (root) CMD (/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1)
Jul 19 06:00:00 [] /usr/sbin/cron[15542]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
Jul 19 06:00:00 [] /usr/sbin/cron[15454]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot)
Jul 19 06:00:00 [] /usr/sbin/cron[15701]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout)
Jul 19 06:00:00 [] /usr/sbin/cron[15889]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout)
Jul 19 06:00:00 [] php: [pfBlockerNG] Starting cron process.
Jul 19 06:00:00 [] php: [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload

[IPs sensored.]

Network traffic after this moment seems blocked, strangely logs are still going after this moment. Also web interface is reachable, host machine is fine.

Anyone some clues how to get more things logged?

@blackpaw29
The Proxmox machine is a server. It's never a good idea to have a dynamic IP on a server, of course.

The Proxmox host machine should have a static IP in the LAN where also your management PC has an IP. So there's no need to have the virtualized firewall up and working to get access to the host machine.