Netgate Discussion Forum

    Pfsense HVM domU: bridging help

      black0ut

      I've got pfsense2.0 running as an HVM domU with Debian as the dom0 on Xen4.0.  My hardware doesn't support PCI-passthrough, so I'm trying to make do with just bridging.  I have 4 physical NICs named wan, safe, unsafe, and wifi.

      I have a few problems with networking:

      1. I would like to dedicate wan to the pfsense domU.  It has to obviously pass through the dom0, but I read that since it is simply bridged, there is no security threat (?).  What I've done is create the bridge pfsense-wan from wan, which I then add to the xen cfg of the pfsense domU.  The problem is that pfsense is unable to receive a dhcp lease on the wan NIC.

      2. I would like the safe NIC to also be passed to the pfsense domU.  I've created a xen-safe bridge from safe, and passed that to the xen cfg.  I would also like the dom0 to be a DHCP client of the pfsense domU.  I found that the tapX.1 interface that xen creates when the domU is created can receive a DHCP lease, but I couldn't ping it from the gateway.

      Here is my /etc/network/interfaces on the dom0:

      # This file describes the network interfaces available on your system
      # and how to activate them. For more information, see interfaces(5).
      
      # The loopback network interface
      auto lo
      iface lo inet loopback
      
      # 3Com 100Mbit PCI NIC (wan)
      auto wan
      iface wan inet manual
      
      # Onboard Realtek Gigabit (safe)
      auto safe
      iface safe inet static
      address 192.164.4.1 #this is the LAN ip in pfsense (and safe is the LAN NIC)
      netmask 255.255.0.0
      
      # DGE-530T Gigabit PCI NIC (unsafe)
      auto unsafe
      iface unsafe inet manual
      
      # Atheros Wireless-G PCI NIC (wifi)
      auto wifi
      iface wifi inet manual
      
      # Bridging for Xen
      
      # bridging wan to pfsense domU
      # no other interface has access to this bridge
      auto pfsense-wan
      iface pfsense-wan inet manual
              bridge_ports wan
              post-up /sbin/iptables -A INPUT -i wan -j DROP
              post-up /sbin/iptables -A INPUT -i pfsense-wan -j DROP
      
      # bridging safe for use by xen
      # more than one domU will be connected to this internal bridge
      auto xen-safe
      iface xen-safe inet manual
              bridge_ports safe
      
      

      and the relevant part of the xen cfg for the pfsense domU:

      
      vif = [ 'bridge=pfsense-wan', 'bridge=xen-safe' ]
      
      

      If I can figure out these 2 NICs, I can figure out the other 2 on my own (I hope!)

        cougarmaster

        Hi black0ut,
            You can assign other names to the bridge under Debian. What is the config file you made for the network-bridge? My example is like this, but for Xen 3.3.2:

        #!/bin/sh
        dir=$(dirname "$0")
        "$dir/network-bridge" "$@" netdev=eth0
        "$dir/network-bridge" "$@" netdev=eth1
        "$dir/network-bridge" "$@" netdev=dummy0

        hope this helps
        Eric
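
An added example, not part of either post and not Xen or pfSense project code: a small Python check for a dom0 /etc/network/interfaces file that flags end-of-line comments (interfaces(5) only accepts comments on a line of their own) and any bridge or bridge port on which the dom0 itself is addressed. The sample input is constructed, modelled on the layout in the first post, and the function names `parse` and `audit` are hypothetical.

```python
# SAMPLE is constructed, modelled on the dom0 layout in the first post (trimmed).
SAMPLE = """\
auto wan
iface wan inet manual

auto safe
iface safe inet static
address 192.164.4.1 #this is the LAN ip in pfsense
netmask 255.255.0.0

auto pfsense-wan
iface pfsense-wan inet manual
        bridge_ports wan

auto xen-safe
iface xen-safe inet manual
        bridge_ports safe
"""

def parse(text):
    """Return ({iface: {"method", "ports"}}, [line numbers with trailing '#'])."""
    stanzas, trailing, current = {}, [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or whole-line comment
        if "#" in line:
            trailing.append(number)       # interfaces(5): no end-of-line comments
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas[words[1]] = {"method": words[3], "ports": []}
        elif words[0] in ("auto", "mapping", "source") or words[0].startswith("allow-"):
            current = None                # a new stanza closes the iface block
        elif words[0] == "bridge_ports" and current is not None:
            current["ports"] += words[1:]
    return stanzas, trailing

def audit(text):
    """List findings: unsupported comments and dom0 addresses on bridged NICs."""
    stanzas, trailing = parse(text)
    out = [f"line {n}: end-of-line comment, not supported by interfaces(5)" for n in trailing]
    for name, st in stanzas.items():
        if st["ports"] and st["method"] != "manual":
            out.append(f"{name}: dom0 is addressed on this bridge ({st['method']})")
        for port in st["ports"]:
            method = stanzas.get(port, {}).get("method", "manual")
            if method != "manual":
                out.append(f"{port}: port of {name} but configured '{method}' in dom0")
    return out
```

On the sample, the WAN side passes because neither `wan` nor `pfsense-wan` is addressed in the dom0, while `safe` is reported because it is both a port of `xen-safe` and configured `static`.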

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.