Wow, that's weird. Well, thanks for posting your results and I'm glad you were able to (eventually) resolve it all.  :-)

I'd like to echo what Cry Havok said.  Running virtually means that your threat threshold increases to encompass not only your virtual machine's potential vulnerabilities but the vulnerabilities of the underlying Hypervisor (and its associated utilities).  The rule I try to adhere to is not to run machines requiring different security postures on the same VM.  This is the same policy I try to use when running VLANS on a switch.  For this reason I don't run firewalls virtually, and certainly not on the same host machine as I would run the machines the firewall is meant to protect.  If you assume the worst case scenario in an attack (ie: if the virtual host is compromised then the underlying host machine is also compromised) and structure your network accordingly, the threat of a compromise beyond a certain acceptable threshold (ie. the entire DMZ is owned) is mitigated.

"On 2008 you need to enable routing and remote acces as a service to forward the traffic from the physical nic to the VM" How is that since 2k8 is not doing any routing nor would I want it too.  Its currently working for traffic going OUTBOUND from all the vms to the internet, and the host to the internet without it. Same goes for changing the subnets.. of the nics..  If I did that – then something would have to route!! I appreciate the attempted help - but unless your specifically running vmware server on a windows host, with pfsense as a VM, and your forwarding to other VMs on the same host as pfsense is running you might as well just not respond.. Or have run this setup in the past? It has to be something with the vmware bridging into the physical nic. Before I moved back to virtual -- I did this test. So on the host running windump I watched for traffic to ubuntu on port 22 on the motherboard nic that is bridged to vmnet0. At the same time Im watching for traffic on the vms nic inside ubuntu with tcpdump - tied to same physical nic through vmnet0 So I generate a ssh connection from the outside (my webhost shell account) to my public IP.. The packet travels through pfsense - can see on the firewall log that it passed the traffic.. And changed to go to 192.168.1.6 Now watching windump which is listening on the vmnet0 nic -- the HOST sees the packet.  But tcpdump running inside ubuntu does NOT. So something in the bridge protocol is not passing that packet to ubuntu. Now I can hook it back up virtual pretty quickly -- but until someone has some actual advice that makes any sense at all.. It pointless for me to do so. As to 2k8 routing -- What should it route??  Why should I have to put another router behind pfsense to route traffic to another subnet for?  Like I said port forwarding is working through the VM pfsense - as long as it to a differnet physical box.. Not the HOST or guests. To be honest I find it unlikely it has anything to do with pfsense - cuz I can see that it sent the traffic through.. It seems to be a issue with the vmware server bridging protocol.  Now I have the same question with same details on the vmware boards -- and have not heard squat from that post either. Is no one running vmware server with pfsense as virtual on it per the tutorial of how to run pfsense virutual on the pfsense site??

Also, doesn't the appliance use the Open Source version of the VMWare tools, not the VMWare released ones. If so, and memory serves me correct, they always show as "out of date". Cheers.

I had the same issue.  Only solution I found was to use a smaller virtual disk (I think 10 GB worked for me).

Now I feel really dumb.  I just installed Linux and got that right.  That was the problem.  Some times the answer is staring you square in the face and you don't see it. Thanks for the help, you rock! -V

I use voip in VmWare…..no issues at all. If you have issues, you have set it up the wrong way.

@Pootle: I have installed 1.2 under KVM on Ubuntu and am still running it quite happily.  Are your virtual NICs hooked up to bridges on the linux host OK? Yes, I have a standard shell script to invoke the VMs.  Here is the script for my pfsense VM. #!/bin/bash export KVM_DIR=$HOME/KVM generate an unique MAC address for each NIC nic0=00:07:43:2c:b8:01 nic1=00:07:43:0d:c5:04 qemu-kvm -vga cirrus -m 512 -drive file=${KVM_DIR}/vdisks/pfsense.vdd,index=0,boot=on -net nic,model=rtl8139,macaddr=${nic0} -net tap,ifname=tap2,script=no,downscript=no -net nic,model=e1000,macaddr=${nic1} -net tap,ifname=tap5,script=no,downscript=no -daemonize \ devices "tap2" and "tap5" are bound to bridges "br0" and "br1" respectively in the host OS (openSUSE 11.2).  I am using the above strategy to evaluate ClearOS, ebox, Untangle etc.  and they boot up fine with the 2 NICs.  Needless to say, I boot the VMs only one at any given time and not all at the same time. Please see attached screenshot where the LAN/WAN configuration go into never land. [image: pfsense_screenshot0.png] [image: pfsense_screenshot0.png_thumb]

@scoop: I have no experience with KVM whatsoever but AFAIK the virtio drivers haven't been ported to FreeBSD. I figure your only option is to run pfSense with full virtualization. I am trying to do the same with rtl8139 and e1000 NICs - no issues with the Installer.  I am experiencing other problem which I plan to post separately.

Does it log the startup somewhere, the error code scrolls very quickly out of the screen?

Thank you that did the trick! Wow 2.0 is pretty!

I never had any issues, I have 3 MB / 512 KB and got max throught put without any issues. RC

I have not seen a kernal for it yest.  I have seen a Citrix with a pvm kernal but nothing yet for the public. RC

Hi jonnytabpni ,     Another thing you could try is to run this following command on Dom0 :- ethtool -K eth0 tx off Test this if it shows any sign of improvement. If it does then add it to your network scripts e.g. :- Debian or Ubuntu /etc/network/interfaces :- iface eth0 inet static               address 206.124.146.177               netmask 255.255.255.0               post-up ethtool -K eth0 tx off

Hi black0ut,     You can assign other names to the bridge under debian. What is the config file in you made for the network-bridge? My example is like this but for xen 3.3.2 :- #!/bin/sh dir=$(dirname "$0") "$dir/network-bridge" "$@" netdev=eth0 "$dir/network-bridge" "$@" netdev=eth1 "$dir/network-bridge" "$@" netdev=dummy0 hope this helps Eric

I've done it before by connecting my DSL modem directly to my switch, so the router can communicate over the internet connection and the local network through the same physical connection (with two virtual interfaces on the virtual router).  If your internet connection is configured by DHCP, you may need to disable the DHCP server on LAN and manually configure the systems on the network (including the host, if you want internet access on it) to use addresses on the LAN subnet, use the router's LAN IP as the default gateway, and as the DNS server. If your connection does not support configuring by DHCP (if it is PPPoE, PPTP, or requires manual configuration to even work), you might be able to configure the local network with DHCP.

@athompso: Looks like EddieA is collecting some real data, here: http://forum.pfsense.org/index.php/topic,21510.0.html. I gave up on that shortly after I posted, because I moved my pfSense off the ESXi box onto it's own, dedicated, thin client. Cheers.