I've localized the problem, it is in OpenVPN over PPTP. I created new  thread in OpenVPN forum
http://forum.pfsense.org/index.php/topic,9168.0.html (hope it allowed by forum rules :) )

Everything seems to be working just great over here!

I have now the 3 internet connections working of a single pfSense router on a VM, and all with only one physical NIC on the computer. I have one connection for WOW, Warcraft3, Quake3, UT, Guild Wars, Warsow, and some more, another connection for BF2, Steam games, CS, TF2, and a third one with more bandwidth but worse latency for web, IM, and any kind of unknown traffic. I love it! :D

When I have the time I will take a look if it is possible for me to implement failover, so if one connection is offline traffic can be redirected automatically to another one, and I would also like to try to use pfSense on a physical computer, to see if there are good improvements vs running it on VM.

Many thanks!
Aitor

Ah ha! You are right. That is the piece that I was missing. Cool. Thanks for your help.

Whitney

Hi,

I'm not sure if you have this resolved or not, but if not I have one piece of advice. I noticed that you have your two pfSense networks configured on the same network segment (182.168.1.0/24). Since pfSense acts as a router, this will not work. You need to have two different network segments. It looks like 192.168.1.0/24 is the network you are getting from your (other) router. So this can be your WAN network. For your LAN network you could set up a host only network. That is what I did. You will need to configure vmware to use host only networking. It will give you another (virtual) network that you can use. Then you will be able to put vms that you want behind pfSense on that network. This works for me.

Let me know if you need more information about this.

Whitney

i want to set up the radius server using the pfsense in vmware. but i don know how to configure the network interface for vmware and window xp. can some1 show me the guide/tutorial how to setup radius server?

Yes, if it does not exist and you want e1000 or vmxnet you should add it manually.

No, that's the point.  All you have to do is break the security of the virtualisation layer, which may be easier with local/interactive access to the pfSense host, but it won't be required.

For instance, take a look at the vulnerability found in the MacOS wireless layer (last year ISTR).  That kind of approach would allow somebody to target a (theoretical) vulnerability in the VMWare networking layer, completely bypassing the pfSense (or other OS) install to gain access to the underlying host.

This has been discussed in depth on various forums and mailing lists - if you're really interested go look at the paper written by Theo (as mentioned by submicron).

I think i solved the problem now.

The vmNet2 adapter was supposed to get an IP from pfSense´s DHCP server but it didnt obtain any. The solution was to go into the "Propterties" of vmNet2 network connection i windows and select "TCP/IP" Properties and under "Advanced". Here I added a gateway, the IP number of pfSense´s DHCP server. Then Windows was able to accuire an IP adress.

Both the physical network cards are bridged directly to a virtual adapter. The only options checked under windows properties is "vmWare Bridge". This to isolate the host from the world and forcing all communications to go through the firewall.

Thans for trying to help me out!
/zonar

PS
Its proberbly a good thing to set up the host with a static IP. This since it cant obtain a IP at startup since the firewall must be started first…

I had to bridge the created vmnet 2 to one of my physical network adapters and put it on the same ip range :/

and the default u/p is admin/pfsense :/

pfSense is not disk I/O intensive, so making a dedicated partition will not improve anything.

Throughput is your problem, and the vmxnet driver provides the fastest throughputs in Vmware.
All the information on how to get vmxnet working is provides in this thread, and is 2 minutes work, so good luck ;)

Look at this thread: http://forum.pfsense.org/index.php/topic,7424.0.html
Network speed problems are common in Vmware when you don't use the right virtual network device(and driver) for your OS.

le0 as driver means AMD vlance driver, and this is not good for performance.
See this guide how to install faster drivers: http://forum.pfsense.org/index.php/topic,7271.0.html
This installs the Vmware native vmxnet driver.

As an alternative, you could edit your VM's .vmx file, and change the ethernet driver to e1000, for example:

ethernet0.virtualDev = "e1000"

This works with pfSense out of the box, and is much faster.

The speed of NIC's in Vmware is always virtual. Vlance is 10Mbit, but can actually go much faster(limited by CPU).

See http://forum.pfsense.org/index.php/topic,7271.0.html

Although the above solution did provide the ablity to show the NICs as VLAN capable in pfSense, it still presented an issue with the number of VLANs that I could configure.  In order to send multiple VLANs to the ESX vSwitch I would have to create a port group for each VLAN and add these to the pfSense VM.  ESX does not allow more than 5 PCI devices to be mapped to a VM so I could not assign more than 3 VLANs to any one VM. (the SCSI controller, 1 WAN, then 3 VLANs for the VMs)

ESX2 offered a solution involving editing some files manually to allow the passing of VLAN tags to the gueast called VGT mode.  In ESX3 they made this much easier by simply specifying the VLAN tag as 4095.

On the ESX side…
  - Using the VI Client, select the server and go to Configuration --> Networking
  - Click Add Networking to create a switch mapped to the NIC you are going to use as the LAN NIC for pfSense (In my case I used one of the Intel NICs)
  - Go to the properties of the vSwitch and set the VLAN tag for the port group to 4095.  You will notice that the VLAN ID will say "All" when you apply the change.
  - Make sure the this port group is assigned to the pfSense VM and edit the VMX file to use the e1000 device (see above postings)

From here you should be all set to add all of the VLANs you need from the pfSense interface.  You will, of course, need to configure the port you are using on your physical switch that goes to the pfSense LAN NIC (Dell 5012 in my case) as a tagged port.

Two excellent ESX3 VLAN'ing documents...
  - http://www.vmware.com/pdf/esx3_vlan_wp.pdf
  - http://download3.vmware.com/vmworld/2006/tac9689-b.pdf

Hope all of this helps someone else...

Rick

You will have to simulate a nic up and down event by right clicking on the nic in the vmware console and turn it off and back on.  Otherwise you'll need to type in the interface names and not do the auto assign feature.

Why do you have your VM win2k box on the WAN side.  The WAN side should only be dedicated to your cable modem or adls modem.  All other systems should be on the LAN side.

Details

pfsense VM picks up appropriate information on WAN via DHCP, and webgui interface status window shows that it is getting a proper IP, within the right subnet, and the right gateway / dns IPs

The above sounds good.  My pfsense does this as well.

another VM, running Windows 2000, is set to the same Default Bridged config as the pfsense WAN interface, and picks up the correct info across the board as well; further, it can browse the web just fine

Why do you have this on the WAN, the only thing on the WAN side should be pfsense especially if you're connecting a cable modem or dsl modem.  Are you setting up some sort of DMZ area?  Do you have another router infront of pfsense?

only difference in IP configuration between Win2K VM and pfsense VM is a different host IP from DHCP… they are getting all other settings from DHCP and they are identical on both (gw, dhcp, dns, etc) setting pfsense's WAN interface to static IP in the appropriate range instead of DHCP, and manually entering appropriate IP info for gw and dns, does not resolve the issue Win2K VM can ping the DHCP provider, and can ping the physical host box as well; as mentioned, it can browse the web fine cannot ping the pfsense WAN IP from any machine on the subnet pfsense cannot ping any other machine on the WAN's subnet whether by IP or by DNS name, nor can it ping the IP from which it says it is receiving its DHCP info(?!?) issue does not lie with host machine IP stack or network config, and disabling all but for VMware Bridging protocol on the host machine's adapter does not resolve the issue Host machine is Win XP Pro SP2, with all patches installed, and firewall has been enabled/disabled without changing anything whatsoever.

Here is my setup, kind of like yours but I don't use Win2k VM..

I have a Host Machine 2 NIC's
1 WAN ---> Cable Modem only
1 LAN ----> GigE Switch ----> Internal Network Client Machines

I have 2 VM's
1 VM pfsense, configured with 2 Virtual NIC's, that Map to Physical WAN, and Physical LAN.
1 VM Debian configured with 1 Virtual NIC Mapped to Physical LAN

I never use host-only or NAT (Ok I use NAT if im going to patch a new build.)

LAN is like vmnet2 which I point to my Physical Broadcomm GigE Nic in windows
WAN is bridged vmnet0 which points to my Physical Broadcomm Ethernet Nic in windows.

LAN 192.168.1.x
WAN is received from cable modem.

Now on my Windows HOST system, I statically IP my Ethernet NIC to 1.1.1.1 so it doesn't DHCP to the cable modem.
I IPed on my HOST on the GigE interface 192.168.1.10, and from there I can ping 192.168.1.1 my pfsense VM.  Sweet.
My Debian box is mapped to the LAN interface which is the GigE NIC on the host system.  I can ping 192.168.1.255 -b and I see everything, or nmap -n -T5 -sP 192.168.1.0/24.

I'm not sure if this helps but I hate seeing a message out there with no response, especially when I'm kind of doing the same thing I guess.

You have 2 NICs in the server, correct? The pfSense virtual machine needs to have 2 network adapters. One bridged to the NIC connected to the ISP and the other bridged to the NIC going to your LAN.

It works this way correctly!
Tnx! :)

@no1youknowz:

Has more support than VMWare Server 1.3!

Maybe but pfSense and other BSD platforms run on VMware correctly.  ;) Never heard of VirtualBox though and will have to give it a look at.