Been running pfsense on esxi for years.. Hundreds if not 1000 is not 10's of thousands of people run routers/firewalls on VM.. Yes it a standard practice..

Care to document a screen shot of your Virtual Network Editor?

I do this with 2 bridged adapters. One for WAN (VMnet0) and one for LAN (VMnet2).

I changed the vm settings and it seems to be all good now.  :)
After reading the hardware requirements https://www.pfsense.org/hardware/:

501+ Mbps -> Multiple cores at > 2.0GHz are required. Server class hardware with PCI-e network adapters.

I ended up with more cores…

@johnpoz:

What are you hiding here, is that your pfsense setup?  Why would its lan/wan be the same vswitch?

Well, yes… I am hiding the public dns/ip.
Arguably lan/wan on one vswitch doesn't make much sense and I will change that....

What are those other networks on each vswitch.  I don't see more than 1 vm on those switches - so only pfsense?

So what is your Iperf THRU pfsense.. ie that is routing/firewalling..  Testing to pfsense IP is not a valid test of the performance of pfsense as a router/firewall its a test of how fast you could move a file to pfsense directly, etc.

I did a lot of file transfers and watched the traffic graph max out around 950 or something… I will do iperf through the pfsense as you recommend and report back tomorrow.

However I can mark the thread [SOLVED].

Thanks

Use fixed size virtual disk, not dynamic.

offloading IN the virtual machine (esp. RX/TXSUM), you probably should have it disabled all offloading ON the host - sometimes you need to disable it too (but check VM first)

Its work fine

PFsense can access the internet , but loses the connection after 10-20 sec and its not coming back :-(

And i can´t ping my server from my home pc

A quick followup on this issue:

This issue is not related to the virtualisation, it is related to negative drift coefficients. My hardware requires a drift coefficient of approx -15.

The drift file /var/db/ntp.drift is either being removed (due to a negative coefficient?) or is not saved across a system restart. I am not sure which is the case. At this stage I have not had the time to investigate. All I know is that when I log in after a pfsense restart there is no ntp.drift file.

In this situation NTP starts for some reason with +500 as the drift. Given that the hardware requires -15 it takes a very long time for the NTP daemon to sort things out. In my case I can fix the problem instantly by:

1. Stop the NTP service from the pfsense web admin.
2. Create the /var/db/ntp.drift file and put in -15.000 as the value
3. restart NTP from the web admin

If I do this the entire NTP system stabilises in no time (5 minutes) and everything is OK from then on.

Tim

It does help to reboot once the new tools are there indeed :p Then VMW and BSD both know about their capabilities and it actually works ;-)

@lipesmile:

In this case I have two internet network I need 2 one for each, but I need a another card for LAN network ?

If you LAN network needs its own port, then yes. If not, then no.

Well, then let me put it in simpler terms: pfSense doesn't 'read' it's IP anywhere else, other can the config file, or DHCP. Data is never flowing the other way around.

Since you seem to want to preconfigure pfSense boxes, it would probably be better to simply provision the config file instead of trying to use the Hyper-V network interface's uncommon facility to push IP addresses onto machines. I guess they made that for Windows, because on every other OS, it's not supposed to work that way.

You can probably script the following:

MAC adresses for any of the interfaces you want to configure IP addresses for any of the interfaces (identified by their MAC) you want to configure Put them into a proper pfSense configuration XML Put that XML inside a pfSense image Boot the image

What you really shouldn't do:

Hack a script together that reads the IP from the interface and then puts it into the config file

this is because it completely contradicts the pfSense architecture, not a single component will work well, and all of it will work against you. This is because pfSense as a network system is designed to be the authority on what IP goes where. As soon as you try to invert that, you're going to run into problems.

pfSense does have a read-config-on-boot option, it has had such functionality for a long time. All you would need to do is script the XML modification and inserting the file into the VM.

Does any other protocol work? Like SSH and FTP. If not, you probably have a sum offload issue, this is described in the post at the top of the page.

The LAN has em1 but no address (this is fine because I don't have the other end of the ethernet connected to anything yet like a psychical switch yet…

You connect to WebGUI via LAN, and your LAN NIC doesn't have an IP address so you'll never get there.

Give the LAN NIC a static IP address on a different network than the WAN (perhaps 192.168.2.1/24 or 10.0.0.1/24) and then use that LAN IP as the gateway for your LAN clients.  Your LAN clients will also have to be on the same network to use pfSense LAN as their gateway, so if your NIC is going to be at 10.0.0.1 (for example) then your LAN clients will also have to have an IP address in the 10.0.0.0 network as well.

So again how many network devices - 500 kids doesn't tell us much..

So 17 AP, I assume those are rb951-2n devices so 2012 time frame.. They are only 2.4ghz N devices..  They are very cheap even when they came out.. You rented them for how long?  And they are just 1 large layer 2 all as AP on the same network?  With possible client count of 500?

As to proxy you can still filter on url with proxy without having to mitm the ssl traffic..

So are you going to deploy new wifi or use those old 2.4ghz N 1x1 - max wifi bandwdith is 72 PHY.. That is shared with all the clients on the AP… who that must freaking scream performance with all the broadcast traffic going on as well if 500 nodes are all on at the same time on the same layer 2..

What is the internet speed?

I find it highly unlikely that some isp gateway has a /16 mask.. Default networks on all of those devices are almost always 192.168.0/24 or 192.16.1/24 –- always /24

If you want to use it as a switch/AP sure go ahead but your setup is still makes no sense.  Your going to have to port forward if you want anything outside your esxi host to talk to any vms behind pfsense.  Why would you not just leverage pfsense vm as your router/firewall for your whole network?

@CSylvain:

After several tests, it is the Kernel problematic, replacing the /boot/kernel by FreeBSD 10.3, it works !
The question is who is involved ?

Because the Kernel from pfSense includes mostly the modules, which is not the case of FreeBSD which is compiled individually and place in /boot/kernel.
I looked if modules were missing, and everything is present :

............................................. 2    3 0xffffffff819bd000 6d370    vboxdrv.ko (/boot/modules/vboxdrv.ko) Contains modules: Id Name 1 vboxdrv 3    1 0xffffffff81c11000 3831    ng_socket.ko (/boot/kernel/ng_socket.ko) Contains modules: Id Name 484 ng_socket 4    3 0xffffffff81c15000 ba02    netgraph.ko (/boot/kernel/netgraph.ko) Contains modules: Id Name 483 netgraph 5    2 0xffffffff81c21000 29b2    vboxnetflt.ko (/boot/modules/vboxnetflt.ko) Contains modules: Id Name 485 ng_vboxnetflt 6    1 0xffffffff81c24000 4123    ng_ether.ko (/boot/kernel/ng_ether.ko) Contains modules: Id Name 486 ng_ether 7    1 0xffffffff81c29000 3f64    vboxnetadp.ko (/boot/modules/vboxnetadp.ko) Contains modules: Id Name 487 vboxnetadp

Is it because everything is integrated, for this to be a problem ?

I discover every day FreeBSD I'll see if I can make for a pfSense Kernel with non-integrated modules.

Dear CSylvain,

Unfortunately it is very hard to access forums from my country India, as pfsense forums are blocked, i don't know why, but you are bang on, i was following the forum before your first comment very aggressively but once the forum didn't respond well, there was no choice to dig in deep myself, a lot of research led me to kldstat and yes since everything is integrated into kernel itself, i started playing with kernel options, and stripped all the kernel options to find out that it was working then, then i used Binary search algorithm to find out the culprit and it worked and removing NETGRAPH_SOCKET made things working from the kernel configuration, and building the ISO worked.

But still lot lot lot of thanks, for taking the pain for working this out, also i never knew that just re-building the kernel can make things work out, loads loads and loads of thanks mate, for doing so much for me, i know somebody hardly would do so much without any incentive, i just cant thank you much for this.

Thanks,
Anand

@LEXmono:

So after talking to my VPS provider more found out its not a second NIC I need to configure, but an IP Alias. Did it inside the pfSense GUI and all is working.

Glad to hear that you solved your problem

I tried this again and for the life of me, I can't convince hyper-v to dismount the CD with the vm running. The "none" setting can be changed, but as soon as it's applied, there is an error. I tried to dismount the CD during the shutdown phase of the reboot. Any later and it's already booting again from the CD.

FWIW, windows 10 handles this in a very elegant way. Even if the VM is set to boot from the CD, immediately when it boots, there is a message, "press any key to boot from the CD". Otherwise, it boots from the IDE.

UPDATE: I tried again. This time, I applied the "none" setting after the reboot started, during the short interval when the screen is completely black. It worked.

CD.PNG_thumb
CD.PNG

Hi.

Try using the virtio driver, this will help a lot.

On your proxmox use the virtio driver.

net0: virtio=xx:xx:xx:xx:xx:xx,bridge=vmbr0
net1: virtio=xx:xx:xx:xx:xx:xx,bridge=vmbr1

PS! It's still a lot more CPU consuming , compared to running linux under kvm.