Thanks for the reply and link!

I've solved 1) and 2) by using the setup wizard and adjusting IP's - somehow settings stuck that didn't when I entered them bypassing the wizard.

I have the adapters right now for WAN and LAN, and after getting NAT working, will read that link thoroughly and look at making the firewall transparent by bridging WAN and LAN.

But for now I've decided NATing/port-forwarding will be more flexible in the short-term eg should I want pfsense to handle redundancy/load-balancing.

And it means I won't have to mess about with virtualbox adapters again for a little while! ;)

The problem I currently have appears to be concerned with nat-reflection…

As I wrote earlier, I can access the public IP from the mac host (and externally) without pfsense integrated.

This includes both the webserver over port 80 and my squirrelmail on email server over 443.

But with pfsense being port 80 forwarded to by the modem, I keep getting redirected to my modems web admin page over https (whereas normal access to it is over http).

The public ip isn't resolving externally, at least from my testing via a proxy, so I'm really confused/frustrated…bleh.

I've set up NAT and port-forwarding rules, tried the auto-generated ones from setting up NAT rules and auto-generated Easy Rules added from the firewall logs, as well as my own tweaks to each.

Before I used pfsense, I fixed the same issue with my modem to allow locally resolving the public IP, by telneting to the modem, enabling nat loopback and trying to delete the relevant wan http/https admin rule.

(For some reason I can't delete the https rule even as admin user as it does'nt recognise the wan group in the rule - though 'wan' is one of the actual group options for their ifdelete command! #)

None of the pfsense rules I've setup or are auto-generated redirect from http to https, and none of my reverse proxy rules could cause this redirection.

So… is the problem how nat-reflection is setup somewhere in pfsense?

I've tried 2 ways to fix this:

i) enabled Nat Reflection settings in my NAT rules (and tried disabling/system default)
ii) using split-dns by enabling dns-forwarding and adding host and domain entries for servers the reverse proxy listens for.

Perhaps I'm doing each wrong??

Once I have this solved, I should have pfsense doing everything needed including dns.

I hope someone has encountered this problem and has advice to fix it.

Thanks

I managed to get it working by using the setup wizard and not bypassing it by clicking the logo above it.
From a comparison, I entered the same information manually as I did in the wizard, so I'm not sure why it now works.
But it does.

Thanks for your reply.

Use the pci passthrough feature. It will come at a cost (upped power consumption, because freeBSD NIC drivers appear to do that compared with linux). I am running xen with a pfSense VM, and I found that the CPU time went up when moving traffic that went through my LAN interface (which was the shared interface, the WAN interface already had a passthrough NIC). Because all traffic that came in to the LAN interface was inevitably destined for the WAN, I didn't hit a transfer limit cap, but I estimate I would have been capped at somewhere between 50 and 100MB/s. No good. So I installed a third NIC and also passed that through as the LAN interface, Power consumption went up by 2W, but the CPU never goes up for network transfers now.

The reason is that  (in linux+xen anyway), when running a purely HVM virtual machine (required, since BSD + paravirtual drivers don't really work yet), qemu-dm is used to emulate the device. This process uses a lot of CPU-time (read: it's crap) and is a major cap for network and disk I/O. Disk I/O will still suffer the same limitations, but one doesn't expect too much disk I/O for this to be a serious concern, unless you have lots of logging (then use a remote log server I guess?). A linux virtual machine doesn't have this limitation, because paravirtual drivers do work, and this allows a HVM guest to control the I/O device directly (indirectly) through some PCI front and and back end drivers in the guest and host that doesn't rely on device emulation, like qemu-dm.

So basically, if you want a high throughput firewall system, its absolutely possible. You'll probably need a remote logserver, your hardware must support VT-d (or AMD equivalent which provides IOMMU, don't know its commercial name, and its essential bother motherboard and CPU support this properly), and your hypervisor should support using IOMMU (I imagine all paid hypervisors do by now, xen and by extension citrix xenserver, most certainly do).

I'm surprised it only happens every minute.  This is DHCP traffic, as heper has said.  It's cable modems obtaining or renewing leases.

If I leave on the Log packets blocked by the default rule I see the DHCP requests and replies for every cable modem on the same segment of cable.

Might be related to this:

http://forum.pfsense.org/index.php/topic,50863.msg271703.html#msg271703

yeah you can do vlan's for your wan's either on esxi or pfsense. I've done both.

I found something that shows some promise for getting this out of the box

http://wiki.freebsd.org/FreeBSD10

But that probably wouldn't materialise and trickle into pfSense 'til 2013, maybe 2014 ..

"172.6.0.1"

You mean 172.16 ? 172.6 is not a valid private IP range.

So you say your vmware intefaces 1 is bridged, 2 is Custom: Specific virtual network: VMnet2

That doesn't really tell me much about interface 2, and what is connected to what?  your wan of pfsense is connect to vmware 1 and is bridged to your physical interface, and what network is that on?  You can not assign your pfsense a IP of 192.168.2.19 and expect it to work if its bridged to a physical network of 192.168.1.0 etc..

Again - are you running workstation, server, esxi ?  How are you vmware interfaces connect to your physical network?  What physical ip ranges are you using.  Can not help you if we do not understand how your trying to set this up.

Are you wanting to use this pfsense install as the actual router for your physical network?  Are you want to just play with it?  What networks do you want to route/firewall between?  2 virtual networks, which one do you want connect to your physical network - if any?

Your in the visualization section, so I assume your asking how to visualize your router (pfsense) and have another VM that runs xmbc.  Sure that would not be an issue at all.

I currently run my pfsense on a N40L box as VM, and have multiple other VMS running on that same hardware N40L - I installed the free ESXI 5 from vmware on the n40l.  Then created whatever vms I need, one is router - then others for my NAS, my test workstations, couple linux distros, couple bsds, test 2k8r2 server for active directory testing, etc.  There should be no issues running a xmbc vm.  I currently stream all my moves from my NAS vm.

So what hardware do you have to work with?  And what virtual software are you most familiar with?

After a power cut,

uptime 14 days, 15:29

which I think it means that this is a fix/workaround. before it would fail within a week and need to be restarted.

Check out the other thread on this - I have uploaded a modified dhclient that has ttl set for 128 vs 16.  Still not understanding why it would be set so low?  Why not just use the OS default setting for ttl.  For freebsd that would be 64.

http://forum.pfsense.org/index.php/topic,51803.0.html

Cool! Did you have to install pfsense youself or did the product come with? I'm most concerned about installing the drivers for it to work in KVM.

Realtek and anything is a nightmare.

Open Solaris also has issues, I had to swap it with an Intel PRO 1000 CT to fix my fileserver access issues.

"I basically have to assign the second nic with a public IP."

Your kidding right??  And there is no firewall between this second nic and the internet other than some host firewall your running on each machine?

Why would you not just route internet access from your vlans.  Do you put these public IPs on the devices because they need INBOUND traffic from the internet, or to access the internet.  Are these servers your running providing services to the public net?

What do you have currently connected for internet? How many public IPs do you own?  How is the internet connected into your network - you just have some router that connects your public ip netblock?

A simple diagram showing your current setup of these test machines and how they interconnect and then what gets you to the internet.  And we can design a better setup.

And sure pfsense running on a vm would more than likely work just fine.  But a current layout of your network and devices that connect them and the internet would be helpful.  What router do you have that connects you do the internet?  I am amazed there is no firewall between your devices and the public net??

@Supermule:

You can do that in 4.1 as well :)

The only problem is that if you run HA/DRS then the USB doesnt follow the VM. So if it moves of the server, then the USB is lost….

I dont know if they fixed that issue in V.5

First, HA and DRS are -very- different, not sure they should be lumped together like this.

As far as HA goes, I don't think you -should- expect any software to carry a hardware connection to a device through a hardware failure like that.  In an HA event the Host itself died (or rebooted) so the hardware host to your USB device is no longer functioning.

In 4.1 USB connectivity can be retained through a vMotion as long as the original host maintains connectivity and power and the VM Guests themselves remain powered on and not suspended.

A DRS event shouldn't break the connection, similar to a vMotion.  I have not directly tested this, if you're seeing otherwise, that may be a good reason to call VMWare support to possibly troubleshoot something that could be a bigger problem.  Otherwise, your DRS events should be triggered by performance issues, which I would presume other VMs should/would be moved first.  If you have a bunch of USB connected VMs on one host that seem to be heavy, manually vMotion them to balance the load, if needed.

Unless you're using Distributed Power Management and it shuts off a host that your USB devices are connected to, then obviously, that'll break it.

Basically, I don't think the loss of USB connection through an HA event complaint is all that valid.  You should not be -depending- on a directly attached USB device like that.  HA is all about recovering from hardware failures, and if you're depending on certain hardware, you're breaking that hardware ambiguity.  I know there's certain software that can require a USB "dongle" or key, but there are other USB over IP solutions that might work better in that situation.  (For the most part, that's pretty much what ESXi is emulating, anyway.)

Nevermind, I figured it out.

This is what I did:
1. login into the firewall webgui
2. go to Firewall -> Virtual IP
3. Update virtual IPs
Type: Proxy ARP
Interface: WAN
IP addresses: single IP
Address: 22.22.22.10

Edit your virtual IPs with the new IPs provided
4. go to Firewall -> NAT
5. Select the Port Forward tab
6.  Create new rule:
Interface: WAN
Protocol: TCP
Source: NA
Destination: Type: (select your previously created VIP)
Destination port range: from: MSRDP to: MSRDP
Redirect target IP: 192.168.1.166
Redirect target port: MSRDP
NAT Reflection: Use system default
Filter rule association: Rule NAT

Hope this helps someone!

Cheers!

I have a very similar setup (pfsense under VBox on a Ubuntu 11.04 host) and have noticed the very same behavior.

Apparently we'd have to wait for pfsense to move to FreeBSD 9.0 which has decent virtio net driver support.