Yes, any gateway latency reporting issues that still exist in latest versions (and most in older versions) with Hyper-V are because you have both NTP enabled inside the VM, and Hyper-V's time sync enabled. That does bad things to the system clock, which makes gateway monitoring inaccurate. Disable NTP or Hyper-V's time sync.

@johnpoz:

what setup below?

Meant here, sorry: https://forum.pfsense.org/index.php?topic=110768.msg617019#msg617019

INTERNET -> Firewall (DMZ public IP to 192.168.168.5) -> VMWare ESXi -> pfsense

pfsense WAN: 192.168.168.5
pfsense LAN: 10.0.10.X (DHCP is enabled for the other VMs)

Basically, the 192.168.168.5 address is what the other firewall has setup for DMZ with a public IP. How can I configure pfsense to work with the public IP, do I need to do anything specific? How should any firewall rules be setup for OpenVPN to work with this setup? Any traffic coming into my public IP is being routed to 192.168.168.5 which (I thought) pfsense was setup to receive traffic from. For whatever reason, nothing can connect. I know it works because if I setup another machine and configure the IP to be 192.168.168.5, and it works fine.

However, pfsense does have an internet connection, it can connect out.

There are several threads around for Hyper-V on 2.3 and disk issues – search and you'll find them. IIRC some people have changed the disk controller type in Hyper-V to get it working, others had to set a specific sysctl on the firewall.

Here are some Xen HVM results:

iperf client sends traffic server disgards

iperf test one:
iperf -c 10.100.10.245
iperf -s -i 1

router to client (i3 laptop):
[  4]  0.0-10.0 sec  317 MBytes  266 Mbits/sec

iperf test two:
iperf -c 10.100.10.1
iperf -s -i 1

client to router (i3 laptop):
[  4]  0.0-10.0 sec  182 MBytes  152 Mbits/sec

Who cares what that guy says.  I would set that stuff manually.

I just installed Proxmox, set 4 queues to the VM network interface.

I then put 1 cpu and 4 cores to it.

client to freebsd 10.3
[  3]  0.0-10.0 sec  943 MBytes  791 Mbits/sec

freebsd 10.3 to client
[  3]  0.0-10.0 sec  769 MBytes  644 Mbits/sec

This is on an i3 laptop with 4gb memory.  Also who knows how good the network equipment is between here and there.

I do not know much about proxmox at this point but the only way I could get to to boot virtio with 4 queues was to put 4 cores into the VM itself.

randyrulz it really seems like you should be able to make it run faster.

I am about to install pfsense next.  This was just a freebsd 10.3 test which pfsense 2.3 runs on at this point.

To clarify, based of a question of one of the posters here, I am guessing you want one connected virtual trunk (or LAN/untagged, VLAN99/tagged, VLAN10/tagged) to your pfSense VM so all traffic in an out are expected to be tagged/untagged as normal with no adjustments by VMware, is this correct?  Typically to do all VLANs and pass tagging to the VM, you would use VLAN 4095 on the host level, I have never tested using the VLAN trucking selection option in the dvSwitch setting.  I have done this once a long time ago and had no issues (but tested with just all tagging with Avaya and Cisco gear).  However, research shows that you would be better off letting VMware Host accept the tag and process it for you, sending the VM the untagged packet.  Is this just an exercise?

I believe by default Cisco sends VLAN 1 as untagged (native) when you create a trunk, so specifying is redundant, otherwise if it was a different value, the show config would have noted the different setting.  But these are my recollections if it's IOS.

When you have this setup up on the trunk port, do any of the VLANs ping at all?  I guess I am asking for connectivity status for each VLAN from the pfSense perspective.  Do you have CDP enabled and confirmed the port/switch connectivity?  I know dumb question, but have to get the simple ones out of the way first.

I ask all this, because I found this note:

"Caution: Native VLAN ID on ESXi/ESX VST Mode is not supported. Do not assign a VLAN to a port group that is same as the native VLAN ID of the physical switch. Native VLAN packets are not tagged with the VLAN ID on the outgoing traffic toward the ESXi/ESX host. Therefore, if the ESXi/ESX host is set to VST mode, it drops the packets that are lacking a VLAN tag."

Trying not using the Native VLAN on the Cisco, try create VLAN 2 on the switch (if it doesn't exist) and then set the native VLAN to 2 instead of the default of 1.

I had a problem with Proxmox and pfSense. Network speeds were slow and the only way to fix it was to install ethtool, change to Virtio NICs and by adding two lines on the Proxmox host /etc/network/interfaces file.

pre-up /sbin/ethtool -s eth1 speed 1000 duplex full autoneg off pre-up /sbin/ethtool -K eth1 tx off

After host reboot the speeds were back to several hundred Mbs.

Sam

you would have to verify that on the switch.. I have not used HP in many many years..  But assume there is a way to see which path in a lagg/etherchannel a specific connection is using.  something along the lines of

test etherchannel load-balance interface port-channel 1 ip 10.10.10.2 10.10.10.1

That explain a lot of things !

I've check the bug report and it does not seem to catch the attention or get any priority at the time of writing.

Is there any way to put pressure or ask for a possible ETA for this bug ?

I think that if many people "push" the bug report, we could get a resolution soon.

The ruleset is generated from config.xml, where the rules are strictly associated with wan/lan/opt. The back end writes out the ruleset automatically replacing wan/lan with hn0/hn1/etc. based on what your assignment is. Other than WAN -> hn0, LAN->hn1, etc. there is no mention of hnX in the config.

If you want to use more of your NICs, I would set up a portchannel between ESXi and your Cisco switch. (This is what I've done with my own ESXi host.) You could either trunk all the VLANs over this portchannel to let pfSense do the routing (and record logs, and apply firewall rules, etc) or you could let your intra-VLAN routing be handled by your Cisco, as you suggest… or a combination of these. If a combination, make sure that the Cisco has no IP in the VLANs that should be handled by pfSense, or a host in that VLAN could set the Cisco as its gateway to get around whatever firewall restrictions you put in place (unless of course you want this capability!)

If you want the Cisco to handle the routing, just set up pfSense so that it has a static route to 10.0.0.0/8 pointing to the Cisco. (You don't want this traffic going out anyway, so no harm in making this overly broad.)
If you want pfSense to handle the routing, only give the Cisco a management IP, and turn off routing. (no ip route) then it will act as a layer 2 switch.

Hello everybody,

I fix it as shown in this article: https://forum.pfsense.org/index.php?topic=85797.0

The download speed from the pfsense console doesn't rise, but the virtual machine placed behind it can now download at full speed.
So do not trust the speed shown by the fetch command :-)

Have a nice day,
Ivo

Are you the OP??  Who are you thanking??

It doesn't exist by default, create it. Probably unnecessary for VM.

Packet capture traffic from the host that's having issues while you're seeing an issue. What's it look like? DNS queries getting answered fine? HTTP/HTTPS connections establishing and failing some point later, or sending SYNs repeatedly with no reply, or?

The default rules on WAN do not allow ICMP packets so you can't ping WAN unless you add a rule.

@Boredom:

pfsense is only concerned with the NICs you present to it in VMWare.

Under Virtual Machine settings I get this:
network adapter  Host only
Network  adapter 2  Nat
Network  adapter 3  Bridged (automatic)

I have found that the order / number they are present is not always the order they will appear in pfsense:
It looks like, for you, the bridged NIC is WAN interface in pfsense, and possibly the host only is LAN.  If you are just testing install of packages, they likely will work for you, but if you want to put traffic through this VM, that may be tough with only one NIC.

Thank you Boredom for your help. As soon as I have a chance I will give your suggestion a try and post back. Yes , all I want to do is test different packages before I install on my pfSense router/ firewall.

is this the type of network interface you intended to assign?

http://www.virtualbox.org/manual/ch06.html#network_hostonly

"….and the virtual machines cannot talk to the world outside the host since they are not connected to a physical networking interface."

Your setup is radically different than but I also have a pfsense VM on a Hyper V server and have no issues running openVPN on it. I use the virtual hyper-V adapters, etc.
The issue is not on the Hyper-V or pfsense.

As other have suggested it could be a NAT issue