Chris/anyone,

Is there any feedback at all on how the discussion with Microsoft went on this issue?

@cmb:

That's just how the hn network driver (written by Microsoft) functions, though it's a bit unusual in that regard. It could pose issues for traffic shaping. We'll be talking to Microsoft next week actually, I'll make a note to bring that up then.

If not, what hypervisor has the best support for pfSense (and is reasonably easy to get up to speed on)?

We have been using Hyper-V on the rest of our customer servers for five years, so we were comfortable with it and did not want to move. Don't want to get into any religious wars on what is the best hypervisor - we knew Hyper-V and it worked for us. But giving up traffic shaping is probably too high a price to pay.

Our customers are all in the "under 20 user" category. We've been trying to standardize on a 1U box running a hypervisor that handles pfSense, their FreePBX phone system and an outgoing CentOS mail server. We actually run a second mirror and let Hyper-V's replication provide us with a (non-immediate) failover. It's worked well except for the traffic shaping part.

Any input at all is appreciated.

Thank you - Richard

I might as well just run it as a standalone on the hardware.

Well sure, if you want to forego all of the amazing benefits of virtualizing the server.  That's the whole point of virtualizing.  Backups & snapshots have saved my ass so many times.  Being able to move the VM while live from one box to another.  Cloning the VM so that I could play in a sandbox without affecting the network.  No more hardware worries, and if the ESXi host dies, I can spin pfSense back up on another host in a minute or two.

You need to check the Connect at power on box.

If you run it in a VM, then settle your management network on a seperate physical NIC.

And dont run the latest and greatest. Wait for updates and error reports.

Logs and some details..  So using vmware what, player, workstation, esxi (version) what?

So do you have these dmz and lan and wan in different vswitches?  What nic are you using for pfsense e1000, vmx3 ?  Are you using native or tools driver?

So your saying everything works fine and then you can only ping pfsense interface in lan from a box in lan?  Are these other VMs are physical boxes?  Sounds to me from ping being the only thing that works like your using tools driver for vmx3net interfaces..

What flavor of pfsense are you using 2.2.2? 64 or 32? etc..

thankx for the solution it worked.

Intel gigabit cards probably your best bet. Easy to find, inexpensive (especially if you want to go the ebay route for used), and reliable.

We sell two different options that'll work great with Windows too.
https://store.pfsense.org/accessories/

Well, ESXI isn't the only thing in the world. There is Xen, and KVM, which both work perfectly fine. XenServer is free nowdays, and KVM is easy with Proxmox, which also happens to be free.

What CPU are you using specifically? I have no such problem on Xeon v3's. (yes, the v3 version of the E3's and E5's).

It doesn't bring optimisations, it brings 'support'. The problem wasn't performance, it was that VirtIO wasn't supported at all.

@stephenw10:

Great, thanks for the feedback.  :)

That error is probably expected (though I haven't reviewed the code changes there). In general syncing between different versions of pfSense is not supported, the format may have changed slightly. It's better to disable syncing when upgrading a CARP pair to avoid that.

Steve

Hi, Stephen,

I did upgrade both nodes to the 2.2.3 development snapshot, but the sync error still appears after each reboot. I haven't actually tested to see if it impacts anything, but it does show up once after each restart.

I'm not too worried about it, since it's just a proof-of-concept at this point. I'll wait for the full 2.2.3 to deploy in production. Hopefully 2.2.3 stable isn't too far away.  :)

I have switched back to e1000 from vmx3 - even though freebsd has native support now.  I don't like that it only shows autoselect for speed and was giving errors with cdp reporting half duplex..  While e1000 works fine and don't have these issues.

I use the ladvd package to have pfsense report via cdp and lldp, etc..

While there is most like a bit of performance benefit with using vmx3 over the e1000, not an issue for me since only routing traffic for home network with a 50/10 internet connection.  While I wish it could have more bandwidth between segments.  The testing I did between vmx3 and e1000 was so small better to get my cdp and lldp info

So clearly if you have 1 IP and expected both pfsense and esxi vmkern to share that you were doing something wrong ;)

Your vmkern is going to have to be behind pfsense, so as I showed in my drawing it has a rfc1918 address BEHIND pfsense.  You then setup pfsense to forward to your vmkern IP when you hit port X on pfsense wan IP.

Yeah but at first after i changed both NICs to bridge win2k8 still could not get IP from pfsense till i did the above reconfiguring

@kapara:

Just out of curiosity and why would you want to set up CARP in hyper-v sense both virtual machines are on the same physical hardware?  Unless you are setting up two separate hyper -v hosts and putting a PF sense on each.

Correct.
It is two separate hosts, with their own network cabling.
Sorry if that was not clear in the original post. (updated)

Yak.

I can push 1000Mbit.