@viragomann the 1st post with the /etc/network/interfaces file is no longer used, as the VMM's GUI setup the bridges nicely.
Here are the current /etc/network/interfaces files I have tried to ping 192.168.1.1 on the VM router from 192.168.1.120 on the VMM host machine are:

# interfaces(5) file used by ifup(8) and ifdown(8) # Include files from /etc/network/interfaces.d: auto lo iface lo inet loopback auto enp3s0 iface enp3s0 inet static address 192.168.1.120/24 gateway 192.168.1.1 # interfaces(5) file used by ifup(8) and ifdown(8) # Include files from /etc/network/interfaces.d: auto lo iface lo inet loopback auto enp2s0 iface enp2s0 inet static address 192.168.1.120/24 gateway 192.168.1.1 # interfaces(5) file used by ifup(8) and ifdown(8) # Include files from /etc/network/interfaces.d: auto lo iface lo inet loopback auto macvtap1@enp2s0 iface macvtap1@enp2s0 inet static address 192.168.1.120/24 gateway 192.168.1.1 # interfaces(5) file used by ifup(8) and ifdown(8) # Include files from /etc/network/interfaces.d: auto lo iface lo inet loopback auto macvtap1 iface macvtap1 inet static address 192.168.1.120/24 gateway 192.168.1.1 # interfaces(5) file used by ifup(8) and ifdown(8) # Include files from /etc/network/interfaces.d: auto lo iface lo inet loopback auto vtnet1 iface vtnet1 inet static address 192.168.1.120/24 gateway 192.168.1.1

I updated the network topology a little to make it clearer?
alt text

@jonko Not enough info presented so others can help. How about providing a network diagram and explanation of what you want to achieve...

@cneep said in I can't get VLANs to work / No DHCP:

Virtual Switch/port groups:
If I had a (non-pfSense) virtual machine that needed access to any given LAN, I had a port group defined for that particular VLAN (1-4094).
For a pfSense virtual machine, I had a port group defined for VLAN 4095 so that all VLANs would be passed through to pfSense in the VM. I also needed to enable Promiscuous Mode for ONLY this VLAN 4095 port group.

Thanks. Been trying to get this to work for past 2 days, and finally started looking here and found this!

@f4-0 I'm not hosting a dhcpd guest with libvirt so can't comment on that issue, but I tried various bridging techniques including libvirt's virtual networks and openvswitch. All worked. But in the end I found the simplest (for me to implement and understand) was to bring up the bridges on the host using Ubuntu's netplan and networkd. I only have one NIC on this machine (desktop) and it receives tagged and untagged traffic.

#/etc/netplan/01.vmbr.yaml network: version: 2 renderer: networkd ethernets: enp0s31f6: {} vlans: vlan100: accept-ra: no id: 100 link: enp0s31f6 vlan200: accept-ra: no id: 200 link: enp0s31f6 bridges: br0: interfaces: [enp0s31f6] macaddress: 00:01:02:03:04:05 addresses: [192.168.30.11/24] routes: - to: default via: 192.168.30.1 nameservers: search: [local.lan] addresses: [192.168.30.10] br100: interfaces: [vlan100] link-local: [] br200: interfaces: [vlan200] link-local: [] $ networkctl list IDX LINK TYPE OPERATIONAL SETUP 1 lo loopback carrier unmanaged 2 enp0s31f6 ether enslaved configured 3 br0 bridge routable configured 4 br100 bridge carrier configured 5 br200 bridge carrier configured 6 vlan200 vlan enslaved configured 7 vlan100 vlan enslaved configured

Then with libvirt, dispense with virtual network definitions and assign guest interfaces to the bridges:

<interface type='bridge'> <mac address='00:00:00:00:00:00'/> <source bridge='br200'/> <model type='virtio'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface>

Also, check iptables configuration.

@anita-0 by default pfSense LAN has rules to allow all IPv4 and 6 traffic.

How/from where are you connecting to the web GUI?

Can pfSense ping out from its Diagnostic menu?

There are providers in the web which allow the usage of virtualized NICs. In this case, it is easy because you can clearly assign one NIC as WAN interface to your VM and one NIC as LAN interface to your VM.
This means everything is very similar to a setup which you would do when doing it at a machine locally.

The only task for you is to find a provider which allows the usage of virtualized NICs. But there are many of them in the web!

@viragomann so I used route -n and it was indeed missing a gateway. I updated the VMs interface and added pfsense as the gateway. Now when I ping the gateway (10.10.1.1) I'm getting From 10.10.2.2 icmp_seq=1 Destination Host Unreachable whereas before it just said Network Failure

Edit: nvm I got it.

I gave the VM's network interface a static IP with /etc/network/interfaces and had to set its gateway as the IP of the linux bridge on the VE.

Do you know what they changed? It would be nice to know in case someone else hits this.

@heper OK. I realized my ISP also has iperf3 server listening so I tried that instead of speedtest. I attached a virtio vtnet interface to pfsense and made a better comparison with single vs. parallel flows, IPv4 vs. IPv6, and coming from physical port (ix) vs. virtio (vtnet). WAN is always physical port.

You had right, I think it is related to tx/rx queue issue you also linked above.

My test results show a single flow (ix or vtnet) can support around 5Gb/s on my system (packet filtering enabled). If I enable parallel, ix reaches to 9Gb/s, it does not matter IPv4 (NAT) or v6 (no NAT), and it consumes around 70% CPU (4 cores). However, when using vtnet with parallel flow, neither throughput nor CPU use changes and it is still around 5-6Gb/s (similar to single flow). It is actually very good for a single flow (as good as physical) and CPU consumption is not different (only a few percents higher maybe).

@viragomann I can confirm your diagnosys, removing the "10" IP, now the sessions from external "10" to "100" work and are stable.

Thank you very much again.

Hi,

I have pfSense 22.05 virtualized in proxmox 7.3: I had strange network performance issue with it and also with a plain debian install.

Turned out issue was NIC used (intel 210) belonged to a PCIE card, while in proxmox grub I had pcie passthrough option active: once removed all back to normal.
Not sure if that could be related though

@ar-ptg-co I would suspect that it doesn't come with support other than here at the forum since it's a Microsoft product...anymore and you should expect to pay; let hope that support staff verify.

@gulzoa712 You need to provide a diagram of your network.
Why are you using two routers on the same segment?
Separate the pfsense network from your other segment.