I don't use HAProxy, I couldn't really say how that might affect it. But anythijng that applied to I would expect to equally affect traffic from external IPs and it is not. The only significant difference there is the source IP used which I guess some of those might see. But I wouldn't expect a delay, it would just reject it instantly.
Just how 'slow' is it from internal clients?

@SteveITS cheers :-) muchly appreciated

That leaves me with the other option of me at some point configuring the OPT1 and OPT2 rules, in a way which I wouldnt normally configure them, then forgetting about it. Trip to the docs on the cards......

Labbing multiple scenarios and builds can mess with your head - at least I have an answer now!

@john24634
So you might want to be able to communicate with the outside world without limits.

So you should create a bridge in Debian first and then connect the VM to the bridge.

NAT means that the VM is on another subnet and the host nats the traffic.
Isolated means that the subnet cannot talk to the outside world, but only to other VMs, which are connected to the same virtual network.

Consider that you can add multiple virtual interface to the VM even if you have only a single physical NIC. For instance an isolated network to communicate with other VMs.

@DEHAAS I had a similar problem with a windows vm in proxmox. So I guess this is not specific to the VM OS, just Proxmox.

@eiger3970-0 I have never used OpenVPN because I don't allow any access to my internal network from the Internet, I just know that such access is best achieved through a VPN. I can't help you with OpenVPN config.

Regarding passing through the NIC, this is straightforward and explained here. After IOMMU setup, simply add a new PCI Device to your pfSense VM and pick your NIC [port] from the list. After rebooting pfSense, re-run the network configurator and choose the passed-through device as your WAN interface. Note: this directly connects the NIC (port) device to your pfSense VM, it will no longer be available to any other VM - this is usually preferable because everything on the local network should be behind the firewall.

The best way to intuitively understand VPNs is by imagining that the Internet doesn't exist and you have a really long Ethernet cable connecting the external device directly to the internal network i.e. it should pick up an internal IP address from your LAN's DHCP server.

Another point about OpenVPN in particular is that it supports 'split-tunnelling', which means that you can choose which traffic on your external device is routed through the VPN. All traffic is the default option but remember that this will increase latency and use up more of your home network Internet bandwidth. Maybe you only want Remote Desktop type software to route through, or SSH apps?

@jmaffie said in Slow bridge on proxmox:

I get a slow speed ~4GB/sec.

Only 4GB/sec... Don't run a firewall-appliance I guess.

@Patch Thanks, this is working now, just need to sort out some port forwards.

Hello @MikeFromOz,

Indeed, I went to Orange with the Max 2 Gbps/800 Mbps offer, which is extremely stable, in my area anyway.

I use the 2.5 Gbps port of the Livebox 6 with pfSense to benefit from the 2 Gbps, even if I have a ready installation with an ONU SFP GPON 2.5 Gbps module because I sometimes had problems with the link re-establishing during a physical disconnection test. I totally agree that Free's hardware is very good and much more "flexible".

@Khoomn Proxomx management port needs to be connected to your lan.

If you are using pass through for the pfsense NIC that will need to be done by connecting a third NIC on your Proxmox box to your physical network switch.

If you are connecting the pfsense VM to virtual NICs then you will be connecting each virtual NIC to a bridge (software switch) in Proxmox. You can then connect your Proxmox management interface to the LAN virtual switch (define an IP address for it in the Proxmox network tab)

@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:

Actually, no.

pfSense was running on an external Vault. When I migrated it to Proxmox, I put it on vmbr1. I haven't found a way to renumber the bridges so that it "looks" right and now I kinda like it.

Well, if it works for you, hooray...I just shared what the pfSense document says...like I installed using UEFI for pfSense on Proxmox, as well as, install Proxmox on ZFS.

I waited for 2.7.0 but the issue remains there. That's very, very bad. Seems to be an issue with underlying FreeBSD as this is recognized there too, also in OPNSense. Irritating is for me the fact that there are different amounts of LAN interfaces causing this issue. Clean booting a newer pfSense image hits the same issue...

@NollipfSense Thanks for the reply. Ifconfig doesn't have a setting for FEC, but fortunately I found the solution by using the intel driver specifically for the E823-L which offers a wide range of tunable parameters.

Unfortunately that driver doesn't compile correctly using the the latest FreeBSD 14.0 CURRENT release and the RELEASE version has been delayed. So it looks like I'm stuck on pfSense 2.6 until I can compile a driver for the latest update.

@Patch said in Some packages fail to start after issuing "reboot VM" command on Proxmox:

Try it.
When watching the process on the Proxmox console for pfsense it proceeds cleanly.

I actually did, a boot up though using Proxmox...just can't see myself doing a shutdown.

@viragomann

I didnt change anything, its set to VMX3, not e1000