    Pfsense with XEN

      tec

      Install:
      Created a Xen HVM domain. The important thing here is that you first create two network bridges. These bridges are then passed to the HVM domain.
      Then install the HVM domain from a downloaded ISO file.
      Right now it is not possible to pass the NICs directly to an HVM domain; it works only with PVM if the kernel in the PVM domain supports the PCI-Backhide function. But what you can do is assign the appropriate NICs in your Dom-0 exclusively to the bridges. Oh, before I forget: right now there is a limitation of 3 virtual interfaces per DomU.
      Hope this Helps
      Regards Marco

        outsidre

        That's what I was thinking… Just wanted to ask to make sure I was on the right path.
        I am getting a quad nic card in the next few days, and will be trying this out. I'm running xen 3.1, so should have no problem with 4 network interfaces.

        As for the limitation of 3 virtual network interfaces, you should upgrade to XEN 3.1. The limit has been increased to 8 network interfaces.
        http://wiki.xensource.com/xenwiki/XenFaq#head-9896478cf65a16f43ab4fb066f74c0e0d67a16ac

          Joris

          I was also very interested in this setup (pfSense is just great!), unfortunately I do get the BTX error that psymon already mentioned. Since I did read someone never finished vmxassist on the Intel, my question is what hardware platform are you running (AMD I guess?) a HVM FreeBSD?

          • Joris
            sullrich

            Try checking "Use grub" on the installer bootblocks screen during installation.

              Joris

              I don't get the option to do anything. I cannot seem to get the ISO file started.
              Can anyone help me on a disk image that uses the grub bootloader? Is vmware the way to go and transfer the disk image?
              Already many thanks in advance…

                outsidre

                I don't know about the other guys, but my server is an Athlon64 X2 4000+ with 3 gigs ram running a SuSE10.3 Dom0, with Xen 3.1.0_15042
                I chose "Other" as my environment in the setup wizard ('virt-manager'), and was able to install pfSense as a HVM (full virtualization) without a problem. No error messages came up, and the ISO booted and installed on the virtual HD just fine. I created 2 virtual network cards (both of which were bridged to the single real NIC) and assigned them as WAN and LAN without problems.
                I now have pfSense running and am able to play with it.

                What version of XEN are you running? What dom0 OS? What architecture (Intel I presume?)

                @Joris:

                I was also very interested in this setup (pfSense is just great!), unfortunately I do get the BTX error that psymon already mentioned. Since I did read someone never finished vmxassist on the Intel, my question is what hardware platform are you running (AMD I guess?) a HVM FreeBSD?

                • Joris
                  heiko

                  BTW…

                  Intel and AMD don't have the same architecture....

                  Intel designed VT in a strange way, such that only protected mode instructions are allowed to be virtualized.
                  Anything done in real mode must be emulated...every instruction. The Xen and KVM folks have emulated enough to get things working, but have not handled every instruction, including apparently some of the fancy (VBE?) graphics isolinux (Ubuntu CDs for example), and in my tests FreeBSD's btx loader also has problems with Intel VT.

                  For reference, AMD's SVM analogue does, in fact, virtualize real mode instructions on the processor, and I'm able to boot all install CDs just fine on an AMD machine. Maybe this is an Intel VT problem.....

                    Joris

                    My system is an Intel Core 2 Duo E6750 with 8 GB, with Gentoo 2007.0 running Xen 3.1.2, all AMD64 software.
                    Indeed, I think the differences between AMD SVM and Intel VT-x are the main problem in my case. Unfortunately most of the world has problems with FreeBSD on Xen (on Intels I believe). It seems that the emulation is called vmxassist (or vmx_assist) and was broken at some point, but the author is not really interested in fixing that any more (probably has other priorities).

                    Hence I like to give Grub a try, but unfortunately the ISO files use the BTX loader and I cannot get them running. I'll try to get it installed on vmware with grub and hope to get it working. If I have some success, I will let you know…

                      jhavers

                      Hi all,

                      After a long search for Linux compatible hardware I ordered a new system for my new CentOS / XEN server. It is Intel based (P35 chipset with ICH9R and Core 2 Duo E6750 processor). I chose this because I needed good support for my SATA drives (fast access for Mail & File server in guest domains). In another guest domain pfsense was planned.

                      From this thread I gather that Intel is not the right hardware for a XEN server. I still have a chance to cancel or change my order. Can anyone who got pfsense running in a guest domain tell me their hardware configuration? The components I am interested in are mainly the motherboard and CPU. Moreover I like to know if the onboard SATA controller, graphics card and NIC were recognized by Linux.

                      Hope to hear from you, I like to have a good XEN server with a cool firewall for the coming 3 years.
                      Joost.

                        Joris

                        I have the same processor and it seems Intels have broken support for some HVM emulation. Windows runs fine, nevertheless. I use Linux with paravirtualization only.
                        I bought a system with a G33 (onboard video) and ICH-9R. I use Linux RAID instead of Intel's, but I put the controller in AHCI mode. This allows hotplugging of disks. My board (Gigabyte) has 8 SATA ports. I did need a recent Linux version, like 2.6.20, to get my hard disks recognized (hence Gentoo). I believe Debian Etch has a recent version in backports but did not try. Don't know about RHEL/CentOS or SUSE.
                        I never got FreeBSD to run on the box, unfortunately. VMware on Xen is also out of the question. Didn't get qemu to compile either. Trying to get FreeBSD running with Grub at this point…

                          outsidre

                          Since I've had no problems with Xen yet, I can tell you my exact configuration:
                          Mobo: Asus M2N-E
                          CPU: Athlon64 X2 4000+

                          The on-board NIC, sound card, USB, and SATA controller were detected by SuSE10.3 with no issues (SuSE 10.1 and 10.2 also detected everything with no problems)
                          There were no issues with detecting ANY of the hardware in dom0 setup.
                          The Mobo is using the nForce chipset, which is well supported in Linux, which I presume is why everything worked out of the box.

                          hope that helps.

                          @jhavers:

                          Hi all,
                          …
                          From this thread I gather that Intel is not the right hardware for a XEN server. I still have a chance to cancel or change my order. Can anyone who got pfsense running in a guest domain tell me their hardware configuration? The components I am interested in are mainly the motherboard and CPU. Moreover I like to know if the onboard SATA controller, graphics card and NIC were recognized by Linux.

                          Hope to hear from you, I like to have a good XEN server with a cool firewall for the coming 3 years.
                          Joost.

                            tec

                            Hi, I am running Xen 3.1 on Debian Etch.
                            3GB RAM, AMD Athlon64 X2 BE-2350 EE; MSI K9AG Neo2-Digital RS690G
                            The reason why I am running only 3GB of RAM is because there are some problems with the 690 chipset and 64-bit addressing. Therefore I have chosen the safe path.
                            I could install pfSense in HVM without any problems.

                            Regarding the 3 network interfaces, it seems that I had some old info.
                            Thanks for the updated Information!

                              jhavers

                              Hi, thanks for the reactions.

                              I just removed the Intel hardware from my order and replaced it by the following AMD hardware:
                              Asus Motherboard M2N-SLI Deluxe
                              AMD Athlon 64 X2 5200+ 65 Watt
                              Asus VGA GeForce EN7200GS/HTD 128 MB

                              It's a slower configuration (with less headroom to expand) than the Intel hardware, but since virtualisation has to work with Linux, FreeBSD and Windows guests I see no other way. I will report back on my findings when I get everything…

                              Regards, Joost.

                                Joris

                                One short comment on your hardware: If you are going for a pure server, remove the video card and take on-board. It doesn't give any performance hit and saves money on purchase and on your power bill (around 20+ Watts for those cards).
                                It's the reason I selected a G33 chipset, but I'm a little disappointed with getting FreeBSD on Xen running.

                                  jhavers

                                  Joris, thanks for your comment.

                                  I really would like to have onboard video, because I don't care for fancy graphics. But the problem is that the Nvidia nforce 570 SLI MCP chipset works well with AMD and Linux, but doesn't have onboard video. If you have another suggestion for an AMD and Linux compatible chipset, I really like to know. I didn't know a simple videocard like that consumes 20W.

                                  Regards, Joost.

                                    Joris

                                    It seems grub only allows chainloading the FreeBSD, so it seems BTX is the only way to go. So choose AMD if you desire to run FreeBSD on top of Xen.

                                    @Joost: If you're from Holland (name suggests that), look at www.alternate.nl. Their site is very good and makes it quite easy to find a board that suits your needs. But maybe you don't get the peripherals & chipset you desire as a nice single package. If you look for power consumption, Tom's Hardware includes this in their benchmarks.

                                      outsidre

                                      I think most if not all nforce chipsets work well with linux, since nvidia is quite supportive of the linux movement, and they even provide their own nforce driver.
                                      Anyway, as for a 20W video card, why don't you look at getting an old PCI video card? Some 2D card like a Matrox Millennium or something like that… Those things couldn't have sucked up very much power.
                                      Just a thought.

                                      @jhavers:

                                      Joris, thanks for your comment.

                                      I really would like to have onboard video, because I don't care for fancy graphics. But the problem is that the Nvidia nforce 570 SLI MCP chipset works well with AMD and Linux, but doesn't have onboard video. If you have another suggestion for an AMD and Linux compatible chipset, I really like to know. I didn't know a simple videocard like that consumes 20W.

                                      Regards, Joost.

                                        jhavers

                                        Hi all,

                                        Last week I got the hardware for my new server:
                                        Asus Motherboard M2N-SLI Deluxe
                                        AMD Athlon 64 X2 5200+ 65 Watt
                                        Asus VGA GeForce EN7200GS/HTD 128 MB
                                        Samsung Spinpoint F1 750 GB (RAID 1)

                                        CentOS 5 installed without problems and everything was detected. The write performance on the motherboard/drives is good also (85 MB/s average during mirror rebuild). The only thing is that the power consumption during installation was a nice 80W, but after reboot it constantly stays on 110W. I think it is the XEN kernel that does not allow for frequency scaling. And about the video card's power consumption, that isn't too bad either, less than 9W.

                                        But what is really important to this thread: pfsense works on this configuration as an HVM guest!!!

                                        I just asked the core team to add a howto about Xen and pfsense to their site. When that is possible I will write down the steps to make pfsense working on your (RHEL/CentOS) machine.

                                        In the mean time I will play around with the guest and try to get it configured properly. Another thing I have to look after is the stability of the pfsense guest. I already ran into an unresponsive pfsense guest twice. But this is not reproducible, and the last 2 days there were no problems. If anybody else has experience with pfsense & XEN stability I really like to know.

                                        I will report back when the howto is ready or when I find out more about the stability (the latter takes a while :)).

                                        Regards,
                                        Joost.

                                          outsidre

                                          As of this past weekend, I am now using pfSense as my main router running in a HVM machine.
                                          I bought a 4 port NIC, and after a bit of setup (to get the hardware nics assigned as virtual nics for all VM machines to see) all is running smoothly.
                                          I just have to learn how to use pfSense now.

                                          I was debating about how I should set the LAN side of things. My two options are:

                                          • Use the internal bridged interface (which connects all the VM's together) as the LAN port
                                          • Use one of the ports on the 4nic card as a LAN, and connect that to my switch, to which the server (and all the VMs) are hooked up to through.

                                          I decided to use the spare nic port as the LAN, since I had the option.
                                          I don't know if this was the best choice.

                                          Any thoughts?

                                            jhavers

                                            Hi all,

                                            After a lot of stability problems, I finally got it right by creating a completely new XEN configuration file. The only thing that the pfsense HVM guest can't handle is when I start copying large (>2GB) files on the host system. Then the guest crashes and I have to destroy it before I can start it again. The weird thing is that my Windows XP HVM guest can handle this and is always stable just like the para-virtualized guests.

                                            Outsidre, the best option is to delegate the WAN interface to the pfsense guest alone. This way the WAN interface only connects pfsense to the WAN. HOWEVER, right now this can only be done for para-virtualized guests (so we have to wait for HVM support and use a bridge for now).
                                            For your LAN interface you can use a bridge. This way you can also connect the other guests on the pfsense host to the LAN. In addition you can (physically) attach a switch and other computers.
                                            I also have a few questions for you. Which OS is installed on your XEN host? Do you also have problems copying large files?

                                            Regards,
                                            Joost.
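
The bridge layout discussed in this thread (each physical NIC assigned exclusively to one dom0 bridge, with the WAN bridge reaching only the pfSense guest) can be checked from dom0 by reading bridge membership out of sysfs. This is an added example, not code from any poster; the bridge and NIC names, and the assumption that guest backends are named vif*/tap*, are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread: audit the ports of a dom0 bridge.
# Bridge/NIC names used with it (xenbr-wan, eth1, ...) are placeholders.
# SYSFS_NET may be pointed at a constructed tree for a dry run.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the ports enslaved to bridge $1, one per line.
bridge_ports() {
    [ -d "$SYSFS_NET/$1/brif" ] || return 1
    ls "$SYSFS_NET/$1/brif"
}

# Assumed naming: guest backends appear in dom0 as vifDOMID.DEVID or tapN;
# every other port on the bridge is treated as a host NIC.
is_guest_port() {
    case "$1" in
        vif*|tap*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_bridge BRIDGE EXPECTED_NIC MAX_GUEST_PORTS
# Returns 0 when the bridge holds exactly EXPECTED_NIC as its only host NIC
# and at most MAX_GUEST_PORTS guest ports; 1 on a finding; 2 if not a bridge.
audit_bridge() {
    br="$1"; nic="$2"; max="$3"
    ports=$(bridge_ports "$br") || { echo "FAIL: $br is not a bridge"; return 2; }
    nics=""; guests=0; rc=0
    for p in $ports; do
        if is_guest_port "$p"; then
            guests=$((guests + 1))
        else
            nics="$nics $p"
        fi
    done
    nics=${nics# }
    if [ "$nics" != "$nic" ]; then
        echo "FAIL: $br host NICs are '$nics', expected only '$nic'"
        rc=1
    fi
    if [ "$guests" -gt "$max" ]; then
        echo "FAIL: $br has $guests guest ports, expected at most $max"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $br = $nic + $guests guest port(s)"
    fi
    return "$rc"
}

# Usage on a real dom0 (names are placeholders):
#   audit_bridge xenbr-wan eth1 1   # WAN: one NIC, only the firewall guest
#   audit_bridge xenbr-lan eth2 8   # LAN: one NIC, several guests
```

A WAN bridge that reports more guest ports than expected, or a second host NIC, means something other than the firewall guest can see unfiltered WAN traffic.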
