• Hyper-V high CPU

    3
    0 Votes
    3 Posts
    1k Views

    Even idle with no one home, no devices on and very little traffic, less than 1 mb, shows 10% cpu on a single core.

  • Failure to connect to the internet from the DMZ

    42
    0 Votes
    42 Posts
    10k Views

    Hello,
    I would like to modify my architecture because the database firewall GreenSQL is not free now :(
    So in the dmzgreensql I will change it to dmzFW. In fact I will have in my architecture 2 different firewalls (a security issue, so there must be two different firewalls in series), and this second firewall has 2 interfaces (interface WAN, which is connected to dmzFW, and interface LAN for the dmz bd).
    The second firewall is EndianFirewall.
    Now I can't log on to the net with the LAN interface of the second firewall. I think that maybe it is a configuration error of the dmzFW interface, but I made a rule any -> any!!
    Thanks for answering me again.

  • Proxmox 3.1 (KVM) + pfsense 2.1 -> no boot, no VirtIO NIC possible

    7
    0 Votes
    7 Posts
    7k Views

    Okay, some details about my config:

    System: Fujitsu Primergy TX140S1p
    OS: CentOS 6.5 x64
    CPU: Intel XEON E3-1230 v2 (Sandy Bridge)

    I tried to set up a 64 bit pfSense the same way, but when I chose qemu64 I got an error about my CPU not supporting 'svm' which is a virtualization feature of AMD cpus.
    The equivalent feature for Intel is VT-x.
    To my surprise vmx was not in the listed features in /proc/cpuinfo (CPU support is given). I checked in the BIOS and also saw it supported there, but I missed the configuration dialog to enable/disable it. Some investigation later I flashed back my BIOS version and now have VTX in the /proc/cpuinfo again. I'll have to check if this bug really came in with the last BIOS or something else was amiss. For now I'm running the older BIOS version.

    Even after this, however, I could not start with qemu64 bit CPU because of the same error. This seems to be a http://www.redhat.com/archives/libvir-list/2010-January/msg00053.html

    I decided to do a pfSense 32bit installation from scratch (without virtio, had some problems with DNS packages when using virtio on the NICs), but I still have the high load issue.

    Here's my VM configuration:

    <domain type='kvm'>
      <name>pfSense</name>
      <uuid>a3106783-4d62-2344-ec01-011922e4339b</uuid>
      <memory unit='KiB'>1048576</memory>
      <currentMemory unit='KiB'>1048576</currentMemory>
      <vcpu placement='static'>2</vcpu>
      <os>
        <type arch='i686' machine='rhel6.5.0'>hvm</type>
      </os>
      <features>
        <acpi/>
        <apic/>
        <pae/>
      </features>
      <cpu mode='custom' match='exact'>
        <model fallback='allow'>qemu32</model>
      </cpu>
      <clock offset='utc'/>
      <on_poweroff>destroy</on_poweroff>
      <on_reboot>restart</on_reboot>
      <on_crash>restart</on_crash>
      <devices>
        <emulator>/usr/libexec/qemu-kvm</emulator>
        <disk type='file' device='disk'>
          <driver name='qemu' type='raw' cache='none'/>
          <source file='/srv/virtualization/pfSense.img'/>
          <target dev='hda' bus='ide'/>
          <address type='drive' controller='0' bus='0' target='0' unit='0'/>
        </disk>
        <disk type='block' device='cdrom'>
          <driver name='qemu' type='raw'/>
          <target dev='hdc' bus='ide'/>
          <readonly/>
          <address type='drive' controller='0' bus='1' target='0' unit='0'/>
        </disk>
        <controller type='usb' index='0'>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
        </controller>
        <controller type='ide' index='0'>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
        </controller>
        <interface type='bridge'>
          <mac address='52:54:00:f6:d7:01'/>
          <source bridge='br1'/>
          <model type='e1000'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
        </interface>
        <interface type='bridge'>
          <mac address='52:54:00:00:32:99'/>
          <source bridge='br99'/>
          <model type='e1000'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
        </interface>
        <serial type='pty'>
          <target port='0'/>
        </serial>
        <console type='pty'>
          <target type='serial' port='0'/>
        </console>
        <graphics type='vnc' port='-1' autoport='yes'/>
        <video>
          <model type='cirrus' vram='9216' heads='1'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
        </video>
        <memballoon model='virtio'>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
        </memballoon>
      </devices>
    </domain>

    I guess the versions from Proxmox and CentOS are not quite the same. The CentOS ones might be outdated. I think I'll have another try with either CentOS 7 or switch to Proxmox. Just need to get some hardware for the change … :)

  • Proxmox 3.2 and pfsense 2.1.1

    6
    0 Votes
    6 Posts
    3k Views

    What CPU type are you using for your VM's config under proxmox?

    You should maybe use Qemu64.  At first I was using kvm64, then tried various flavors of CPU drivers, then somebody on Proxmox's forums recommended using Qemu64 for 64bit FreeBSD based machines…

    Not sure though why, but on my server my pfSense VM uses at MOST 30% of its single core at 3.1GHz with Gigabit traffic and all kinds of apps running (snort, HAVP, Squid, etc)..

  • KVM virtio problem

    4
    0 Votes
    4 Posts
    2k Views

    Even if this is kind of old. I experienced the same problem with pfSense 2.1.3 x86 which runs as KVM VM on CentOS 6.5 x64. When using the virtio NICs I can't access the internet from my KVM host system - at least not fully.

    Pinging from the host system to the internet is working, however no kind of other access (yum update, http, https, dns…). This really drove me nuts until I realized that everything works fine with e1000 emulation.

  • Blocking LAN to WAN necessary?

    1
    0 Votes
    1 Posts
    999 Views
    No one has replied
  • MOVED: PfSense 2.2 Hyper-V Performance tuning

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Where can I communicate a bug?

    5
    0 Votes
    5 Posts
    884 Views

    tnx so much podilarius ;)

  • Setting up pfSense in a VM with only one physical nic

    4
    0 Votes
    4 Posts
    14k Views

    Hi

    Maybe a bit late, but here is my general setup, which may be something in your direction.
    The evil WAN (cable modem) is directly attached to the core switch. The core switch gets all untagged packets and assigns VLAN 666 to them. From this point the evil WAN traffic is limited to this VLAN.
    This is the minimal setup on the WAN side.
    Then, i.e. with an ESXi host on the other side running a pfSense VM appliance, just route the evil 666 WAN tagged to the ESXi vSwitch and to a dedicated WAN portgroup configured to VLAN 666.
    The pfSense VM has two virtual interfaces, one LAN and one for WAN. The WAN interface is attached to the WAN portgroup and the LAN interface is attached to a LAN portgroup.
    In this case pfSense can act like any physical installation as a router for NATing etc.

    The cool thing is… if you have multiple hosts and are using vSphere, you can move the running pfSense from one host to the other without any interruption of the WAN link to the network :)
    This all with just a single NIC. I use an Intel NUC by the way for running my minimal required VMs like the pfSense.  So if I'm on holidays, I just shut down all other hosts, which consume a lot more power, and can still access by VPN and do some stuff.
    This setup is also useful if you have to debug your ISP connection... just attach a VM directly to the WAN... debug.. and then just destroy the VM to be sure not to contaminate your LAN.

    Additional note about security:
    My first fear was that on a core switch failure for any reason, with it falling back to its default configuration, I would have the evil WAN in my local network. Depending on how much you trust your switch, you can minimize the chance of this by putting a cheap VLAN-capable switch between your cable modem and your core switch. I did this; just let the cheap VLAN-capable switch tag everything on the "WAN" port to VLAN 666. Then configure the core switch to only allow tagged VLAN 666 on the incoming port.
    With this setup, only the hopefully rare case where both switches reset to the default configuration would be a BIG problem.

    In the case that the cheap switch fails and sends unexpected untagged packets, the core switch would drop them on the incoming port.
    In the case that the core switch fails and reverts to the default configuration, the incoming port would not allow the incoming tagged packets.
    For me it's worth the few bucks for the additional cheap switch to handle these cases, because even if the switches run fine... the human factor (me in this case) is the biggest threat :)
    I don't have to care if I reset one of the switches to factory default for any reason.

    For sure most would say, don't let the traffic from the internet flow over the core switch, but in my home lab I don't care, as long as you know what you are doing.
    And as always, the human is the biggest risk here.

    Hope this helps someone, or maybe someone can give some feedback about this setup besides it's not best practice :)
    It's been running now for about 2 years without any problems.

  • MOVED: pfSense 2.2 and xen paravirtualized drivers?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • [HowTo] Install pfSense 2.1 RC0 amd64 on Xen 4.3 as PV HVM

    19
    0 Votes
    19 Posts
    17k Views

    Would you mind posting the contents of your pfsense.cfg file?

  • Where is the OVA…?

    14
    0 Votes
    14 Posts
    29k Views

    @rpitchford:

    Every forum has them…

    Another possibility:
    If you search for pfSense on the Virtual Marketplace, it comes back to Netgate, who is selling the virtual template for $900. Maybe the freebie version was cutting into their sales...

    It's supported, too.

  • PfSense and ESXi security

    3
    0 Votes
    3 Posts
    2k Views
    KOM

    I run pfSense under ESXi 5.5 without any problems.  However, if security is your top priority then I would avoid virtualizing it and instead buy an ALIX board or pfSense-ready router hardware between your ESXi boxes and your ISP's router.

  • Firewall high availability virtualization or carp?

    7
    0 Votes
    7 Posts
    5k Views

    @deagle:

    Another downside to VMware FT is you can only use one vCPU. Also keep in mind FT is not application aware and can't failover if something goes wrong inside the guest OS.

    That's another good point. Our HA will handle that, as well as other potential problems that FT may or may not detect. Like if there is a network connectivity issue on a single NIC or VLAN of the primary VM firewall, the secondary will take over. FT, and any other similar hypervisor-level HA, may have no means of detecting such issues.

  • Help on Installing Lusca cache on virtual box not working

    Locked
    2
    0 Votes
    2 Posts
    3k Views

    For the sake of anyone who finds this via the archives - Don't use that Lusca package.
    https://forum.pfsense.org/index.php?topic=69295.msg405783#msg405783

  • OVH Proxmox and pfSense, VM can't reach WAN interface from dummy LAN

    2
    0 Votes
    2 Posts
    2k Views

    Just solved it.

    Problem was a wrong Gateway. :-)

  • Which hypervisor for pfSense? ESXi, XenServer or VirtualBox

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177

    I don't virtualize pfSense, but there seems to be more support for ESXi. I think there is also a VMware appliance prebuilt available. Check out the Download section.

  • Struggling with pfSense configuration ESXi

    13
    0 Votes
    13 Posts
    3k Views
    johnpoz

    Sure your box has not been compromised and infected with some sort of redirect for searches and traffic?

    Why would you have changed over to manual NAT?  There is rarely a need to do this, and it is not suggested unless you fully understand what you're doing ;)

    If your install is pretty much default it should just work.  What I would suggest is to do a sniff (packet capture) on pfSense - say the WAN and LAN at the same time via tcpdump, watching the traffic.  Do you see your DNS queries and answers for sites that are not working?  Do you see the traffic come back after you do your HTTP GET to the site?

    Could you have some issue with using IPv6 vs IPv4?  Are you using IPv6?

  • What is the better virtualization hypervisor to virtualize pfSense?

    6
    0 Votes
    6 Posts
    4k Views

    viragomann,

    Indeed, it depends on what you're comfortable using and your environment. It is the old question of dedicated HW vs virtualizing, just applied to the firewall.

    While it is nice to have dedicated routers, it can get expensive to deploy server class HW for them. While using CARP might forgo needing to implement some redundant HW (maybe no HW RAID, no teams), setup and ongoing maintenance might be simpler when virtualizing them.

    If you have HA requirements for your other VMs (ie, you likely implement a cluster with a SAN), moving the firewall into the cluster is a way to better allocate your resources. Instead of having to purchase separate and dedicated HW for the firewall that might be underutilized (or become obsolete over time while the rest of your network is being upgraded), you can just virtualize it and use the same HA infrastructure you are using for the rest of your network (with the same procedures for monitoring and maintenance, rather than an exception that might break or require tweaks when there are HW changes).

    If using a cluster (especially with a HW SAN), IMO a hypervisor solution is far simpler and as powerful as CARP. For planned failovers, live migration solutions don't miss a beat (CARP might), and in the case of an unexpected failover, the underlying OS logic should be sufficient - and while it might take longer to spin up the replacement VM, it also has to start your other VMs (ie, the cost of a nearly instant firewall failover might be too high considering the rest of the environment is down anyway).

  • pfSense - KVM

    4
    0 Votes
    4 Posts
    2k Views

    Well, at least this is something, now I have an idea about why all this is happening.

    Thanks for clarifying tester :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.