Hi, tnx for your response. Solved. My problem was a Realtek NIC bug, disabled all items in windows (system - advanced settings from hardware list) i dont remember english name. All disabled except Flow Control, now i have same download / upload speeds :-)

@Derelict: If CARP won't work neither will VRRP. They use essentially the same network functions, including the same multicast address etc. Not sure what you are seeing on XenServer 7 but CARP works just fine in XenServer 6. Hmm… this and other threads https://forum.pfsense.org/index.php?topic=122588.0 Suggest that they function differently. Where as CARP uses a multicast MAC VRRP uses a single virtual unicast MAC? Either way, I can confirm that the keepalived vrrp implementation works in my environment so I'm hopeful that freevrrp will work as well. Are/Were you using OVS on XenServer6? The  network switch default backend is bridge mode..

@vc6SfV8: Following back up on this - I successfully installed pfSense today on Linode. Follow the directions here: https://www.linode.com/docs/tools-reference/custom-kernels-distros/install-freebsd-on-linode In step 5, replace the curl command with the following: curl -k https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.3.1-RELEASE-amd64.img.gz | gunzip | dd of=/dev/sda Everything else works beautifully. :) Ryan Hi, I followed your tips however during during the botting of Installer Profile I am getting this error "Cannot Direct Disk boot a disk with no MBR: Linode Configuration Profile problems detected. " Any ideas on how to solve this? Thank you.

Awesome, great to hear that the pesky vmware tools message is going to disappear. I should be carrying out the upgrade soon after backing up my ESXi host. It's quite interesting that Jim uses ESXi… Maybe that's why it's been so stable for me  ::) ::) ::)

Is there any suggestion for this?

It depends. If it's something where performance doesn't really matter (like my lab) I find it easier to just install, boot to single user, add hw.xen.disable_pv_nics=1 to /boot/loader.conf.local, reboot, and configure the re NICs.

My understanding is that the console is only accessible via your 'very secure' vultr username & password? So while it's a potential risk, it shouldn't be a major problem during setup & provisioning. But definitely appreciate the link for securing this. Do you have any feedback on pfsense on Vultr, long-term?

I am running symmetric gig and not using pci-pass through with no issues. I am using a 7 year old Xeon thats barely supported by ESXI anymore, and allowed the VM to have 4 vcpu's. This is probably close to your newer i5. When I am fully saturating the link i get 30-40% useage. Your milage may vary as well depending on what network card your using. I'm using a server grade dual intel NIC that handles just about everything on board. The only real reason anymore to allow anything to use passthrough is using some storage software. When you virtualize storage devices they like to have full control over the bare metal devices, networking not so much.

@johnpoz: Yes or you need to use vlan to break them out - you have 3 ports groups on the same vswitch0.. Unless you create tags for these port groups or setup them to 4095 and set the tags before the traffic hits the pfsense you have placed all of those networks on the same layer 2. I have moved away from esxi.. Just recently wiped that box.. I have hardware pfsense now and just running the few vms I Need on my synology nas. You can do it with port groups on the same vswitch if you set the tags correctly on your physical network.  But its more complex setup. He is right. Unless you are really good with esxi just make different vswitches. 1. Leave your vmk on vswitch0 (this is for mgmt) 2. Make a new vswitch, call it WAN, assign a NIC to it and make a port group called WAN. 3. Make a new vswitch, call it LAN and assign it a NIC, make new port group called LAN. 4. Plug your modem into the WAN NIC, plug your inside switch or whatever into the LAN NIC, and your good. I had to restart my modem for the WAN interface to pull a public IP, once it does I've never had a problem since (including using ipv6 if your ISP supports this)

Only replying because I had a (possibly) similar problem recently.  Maybe it will help a Googler from the future… I had pfSense 2.4.3 64-bit running in a 2012R2 VM just fine, but then the Meltdown/Spectre exploits were announced, so I reverted to my old 32-bit Via hardware box.  I decided to give the VM another shot, but when I booted it up it would occasionally get a WAN IP (but mostly not) but no Internet.  After much hair-pulling, including rebuilding and restoring several times, I disconnected the WAN vSwitch and deleted/recreated it.  Got a WAN IP, no issue.  Then I faced a strange problem that I could not get Internet access from my 2 wireless access points (on the same net as the wired).  I was unable to resolve any DNS addresses from devices behind the wireless, even though I could ping through the pfSense (to, say, www.google.com) by IP.  Nothing in the Unbound logs (Forwarder did not work either).  I could RDP to another wired box across the wireless, and get Internet fine.  Ended up disconnecting the LAN vSwitch from all my VMs and deleted/recreated it as well. All fine now.  Bits, gotta love 'em...  ::) Hope this saves someone some grief.

By default, you can only access WebGUI from LAN. https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN

@MrTiberius: Hey guys, I am setting up a virtual security lab environment as part of a senior project at my school using  a VMware esxi host (mostly managed via vcenter). Currently, I have three separate networks I am configuring, a LAN network, a DMZ network, and an external network (this one is outside the firewall and internet facing). The idea is to have students on the external network us Kali Linux VMs to attempt to penetrate the two internal networks (DMZ & LAN). There would be a second group of students on the inside of the network, monitoring traffic on the firewall as wells as hardening and maintaining the internal servers. The internal networks are made up of a mix of windows and Linux servers. I was wondering what would potentially be the steps to configure the firewall for this type of environment? Also I have limited experience with pfSense and was wondering if this could also function as a router? I have also attached a diagram of the lab environment. Ok, some more feedback. I have been playing with this on my own lab and came to some conclusions. I haven't tested NAT yet so nothing there yet. If your networks are composed of just one IP subnet per color then you have a lot less work. The routing will be setup automatically.  Automatic outbound NAT rules as well. The firewall management will be activated on the lan interface so assign interfaces and then only configure the LAN interface's IP address. This will give you access to the webconfigurator (it will show you the ip you can connect to). It will ask you if you want to convert the protocol to http. Don't, https is better for security reasons. Connect on the webconfigurator and go through the wizard. At this point you will probably need to configure the rest of the interfaces ip addresses. If internet access is indeed on the red side, then the next hop on that path should be your default gateway, configured on the WAN interface (red) and on the same ip subnet. Routing should now work between the different ip segments connected to the firewall interfaces. But to access services you need to configurre firewall rules. From what I figured through testing you need to configure floating rules. Make things as specific as possible (use the any option as less as possible). Monitor the firewall logs (provided you checked the logging option in the rules) to see what is passed and what is dropped. The logs are under status->system logs->firewall In case you need more complex static routing, check what you currently have in Diagnostics->Routes, and then add more if necessary in system->Routing. If you can configure the firewalls own internet access correctly, you can check for available packages (addons). These include a lot you may find usufull such as snort, ospf routing, ntopng, etc. Let me know if you need any specific help.

We run multiple sites using pfSense clusters all done in ESXi. Works great.

No reason what so ever to use esxi in your case. You will loose a lot of functionality and the only thing you ll get is a built in representation of the virtual networking which you will still have great difficulty in understanding. Unless you are in a corporate environment and need a dedicated machine (let me say that again: dedicated) for your server virtualization, stick to workstation and the virtual network editor.

FYI- The errors go away with ESX 6.7 and VM version 14 set for "FreeBSD 11 (64-bit)". So maybe the tools got a little bit ahead of themselves.

Your physical pfSense must know that the 172.16.10.x networks are behind 10.0.0.10, otherwise it will direct traffic to these networks to its default gateway. So you have to add static routes for the 172.16.10.x networks and set 10.0.0.10 as gateway. That can be done in System > Routing. On the Gateways tab add 10.0.0.10 as gateway on the LAN interface. Then go to the static routes tab and add a route for each of your 172.16.10.x networks and select the gateway you've added before. If you don't have other subnets in that range you may also conflate all subnets in 172.16.0.0/19.

the OVA appliance comes already with open-vm-tools installed, but no joy. I can't get VMXNET3 to show under interfaces