Configuring VMWare Workstation 8 for PFSense Installation
-
Adrian, I had also considered ESX for full hardware control, because if I could get it working I could distribute and control the wireless from PFSense as a VM. However, that hinges on "if I could get it working", and all I have heard are horror stories due to the HCL really being for businesses and not consumers. I am a consumer, I don't own "server" products, so for me it was just an easier choice to go with VMware Workstation.
I can say that the Internet speeds are great, but I haven't tested for intranet speed bottlenecks as I don't know exactly how to go about doing that. I do have CAT6 cabling so if you have any good suggestions I would love to test them, same goes for any knowledge of ESX support for consumer model products.
Well…
The way I look at it, some retired server hardware still has enough muscle for the home user if "ported" properly!
Downfall is that most people are green eared hippies and they want performance out of tiny plastic boxes, which isn't gonna happen easily.
My DL360 is a G4 and has 2x 3.8GHz Xeons and 8Gb of RAM.
I'm going to use the embedded NICs for uplink to the modem and the other port for management.
Also I tossed in a Mellanox 10G card that gives me 2x 10GBe CX4 ports and I might add another for redundancy.
So far, all my backbone devices have 4x 10GBe Ports, and the backbone will be a mix of LACP and SPT protocols.
-
I am a self confessed green eared hippie - yes I was around in the sixties …
I have several Dell server boxes I could use but I don't for three reasons - they are large, they are NOISY!! and they use way too much juice, efficient they ain't, the PSUs burn 200 Watts even when the server is shut down if you leave power on them.
So like the OP I run my pFSense in a VM (workstation not ESX) on a watercooled e6600 CPU based box alongside the website VM and mailserver VM all sitting under Windows 7 Enterprise. A major league advantage of this is that I keep copies of all the VMs, anything gets messed up I simply copy the image back and I'm good to go (a lesson I took from Acronis True Image).
I also didn't use ESX because frankly it is even fussier than Windows servers used to be - don't have time for that crap either so I'm with the OP here.
For what it is worth I run three NICs in the box that I run VMWare on, two have everything unticked except the VMWare bridge protocol - and I do mean everything unticked IPV4, IPV6 etc etc.
These I use and set VMWare networking to bridge them on VMNet0, VMNet1 respectively, one is for the PPPoE, one is the host/gateway connection and are allocated specifically to the pFSense VM and nothing else. The third NIC I set to VMNet2, also bridged but in Windows NIC settings everything is ticked, this third NIC means that the server looks like another box on the network (Windows can't use or allocate IPs etc to NICs 1 & 2). I will be putting in a 4th NIC to serve the Web and EMail servers.
If you are going to use pFSense in a VM then the host machine needs at least 3 NICs (in my opinion anyhow).
Performance is every bit as good as it was on dedicated hardware, if anything I'd say it was slightly better (was on a miniATX motherboard with an e5700 cpu and 2Gb ram). I retired the PC hardware and went VM because I am a self confessed green eared hippie, whilst I don't care about the size of the hardware I do care about the size of my energy spend.
-
Hi,
Great guide~
This is really similar to what I did at home. I am running an ITX D525 with 4GB memory and it works great.
I have just one question: your host PC has two interfaces and you assigned them to PF as WAN and LAN. So you can't access the host remotely, am I right? Like this:
Interface 1 --> WAN
Interface 2 --> LAN --> Switch
Actually I have a third interface card, and I was trying to use it to access the host with Windows Remote Desktop. Like this:
Interface 2 --> Switch --> Interface 3
The problem here is that when I use RDP in the LAN, it is fine.
When I access the host PC from the WAN, the network goes down. Then when I disconnect the RDP, everything is fine again.
I tried a lot but there is no information about this issue.
Now I am using VNC, it seems to be OK, but it seems to be slow…
I would appreciate it if you have any experience with a similar issue.
Thanks.
-
You will need to use the third NIC and use NAT / Port forwarding into the host IP, I do this regularly and use WinVNC to do so. If you allow Windows to do anything to the first two NICs things get really messed up based on my experience. No Windows client, file sharing, IPV4, IPV6, QOS - nothing, only the VMWare bridge on the first two NICs, everything on the third - this will be used to access your host (at least it is in my config).
You need to edit the VMWare network too and set bridging to each available NIC, you must then set the appropriate VMNet to use manually in ALL virtual machines or VMWare will select the first in the list.
Part of your network loss though could be caused by how RDP works. RDP never provides access to console session 0 regardless of what anyone tells you it simply doesn't and no /admin or any other switch will bypass this. This means that any autostart apps you have will start up for each and every terminal services session you open - damned ugly and causes mayhem (plus I have some applications whose notices cannot be viewed in terminal services session they always display on console 0). Your alternative of course is to have a different username for 'external' access.
If you must use RDP from outside use a non-standard port, I regularly see external sources trying to RDP onto my boxes. Personally I'd stick to VNC but again don't use the default ports.
Thinking about it, without port forwarding you shouldn't be able to RDP from the WAN; pFSense should block you.
-
You will need to use the third NIC and use NAT / Port forwarding into the host IP, I do this regularly and use WinVNC to do so. If you allow Windows to do anything to the first two NICs things get really messed up based on my experience. No Windows client, file sharing, IPV4, IPV6, QOS - nothing, only the VMWare bridge on the first two NICs, everything on the third - this will be used to access your host (at least it is in my config).
You need to edit the VMWare network too and set bridging to each available NIC, you must then set the appropriate VMNet to use manually in ALL virtual machines or VMWare will select the first in the list.
Thanks for your explanation, I can totally understand your configuration because I did almost the same.
Part of your network loss though could be caused by how RDP works. RDP never provides access to console session 0 regardless of what anyone tells you it simply doesn't and no /admin or any other switch will bypass this. This means that any autostart apps you have will start up for each and every terminal services session you open - damned ugly and causes mayhem (plus I have some applications whose notices cannot be viewed in terminal services session they always display on console 0). Your alternative of course is to have a different username for 'external' access.
I was always suspecting it's a problem with RDP but I couldn't find any reference. It does make sense with your explanation. I will continue to use VNC instead of RDP.
If you must use RDP from outside use a non-standard port, I regularly see external sources trying to RDP onto my boxes. Personally I'd stick to VNC but again don't use the default ports.
Thinking about it, without port forwarding you shouldn't be able to RDP from the WAN; pFSense should block you.
Thanks again for your hints. :)
-
Once again I am confused about my network, especially when PF is running under VM Workstation: the host PC has very poor performance if I connect from the WAN.
I am trying to set up an FTP server on the host PC (Windows 2003).
When I connect to the FTP server within the LAN, there is no problem at all.
The speed is extremely fast (around 1000M/s).
When I connect to the FTP server from the WAN, it is very slow (3xxbit/s).
I have a fast Internet connection from my host to the Internet (up to 20M/s), so it should not perform like this.
-
Sorry, I haven't been to the forums in a bit so this reply may be a bit late.
Local access will always be substantially faster. Most ISPs provide two speed ratings, one for download and one for upload. Consumer speed ratings tend to be purely focused on download speeds. For example, at $80 a month I can get a consumer plan with 30Mbps download speed, but only 5Mbps upload speed. Also, notice the lowercase b, which means Megabits not Megabytes. 8 bits to a byte, which means 5Mbps is 0.625MBps.
Without even taking performance into consideration, I have yet to find a simple, secure, multi-platform file sharing service that works natively on common platforms over WAN.
Ben is correct about the NAT port forward needed for WAN access via RDP. However, with Windows 7 you do not need a 3rd NIC.
On the first NIC you disable all the services, this is your WAN NIC. This is primarily so that Windows does not steal the single gateway IP.
The second interface you leave alone. Provided it has a cable plugged into it, the port will be active, and will be treated as a virtual bridge before heading to your switch. Windows will receive its LAN IP from there, and in my case I have a second Linux Web Server VM that also receives a LAN IP via my 2nd NIC.
Problems only occur if you unplug the NIC, because Windows turns the device off, which kills the connection.
If you are worried about security, you can create a separate LAN in PFSense, but in my case I use it for file sharing so I wanted my Intranet to be able to access my host.
What you are doing with the 3rd adapter currently is a manual loop back. However, Windows lets you add a virtual loop back adapter, which solves the security concerns and unplugged port problem. For security, you can bridge a new PFSense LAN to the new virtual device. For potential cable problems, you can bridge it to your 2nd NIC instead.
This configuration worked for me for over 6 months without a single problem. However, I decided to try looking at more advanced virtualization solutions this week, including ESXi and Xen, so I just recently unplugged my Windows server.
-
Once again I am confused about my network, especially when PF is running under VM Workstation: the host PC has very poor performance if I connect from the WAN.
I am trying to set up an FTP server on the host PC (Windows 2003).
When I connect to the FTP server within the LAN, there is no problem at all.
The speed is extremely fast (around 1000M/s).
When I connect to the FTP server from the WAN, it is very slow (3xxbit/s).
I have a fast Internet connection from my host to the Internet (up to 20M/s), so it should not perform like this.
I have solved this problem by coincidence. I recently switched the NIC's ports, I mean I deleted all the bridge settings in VM Network Editor, and then added them again. Then I found the problem gone.
Anyway, for me it's now totally no problem. Thanks for your hints.
-
Good Morning (I'm in Italy) :) to all….
I've built an entire virtual infrastructure for testing the VMware View service over a satellite internet connection.
I have a physical machine which runs CentOS 6.2 and has two network adapters (eth0 is on the home LAN, and eth1 has a public IP address), on which I have installed VMware Workstation 8; on the Workstation there is an ESXi host.
On the ESXi host there are a lot of VMs that I needed for the VMware View infrastructure.
Every one of these VMs has an IP like 192.168.x.x, and to complete this home LAN infrastructure, I would like to create a firewall and a router (pfsense) so I can access this infrastructure from the Web, using the last public IP address I have.
I hope I've explained the infrastructure well, but now I come to the question...
How do I set up the NICs for the pfSense? How many virtual NICs do I have to give to its VM? Which one do I have to NAT and which one do I have to bridge, and on which connection or network?
I was forgetting....the networking of the Workstation is obviously bridged over eth0 (over the home LAN)....
Thanks to everyone who will answer me...
-
Next we want to adjust your network adapter settings. Since we are taking the assigned WAN adapter and giving VMWare full control over it, if you skip this step it will not work right because Windows will attempt to use this connection, and if you have only one IP it will fail (It may function, although queerly, if you are connected from a DHCP Router and not directly to a Modem).
So go to Control Panel > Network & Sharing Center > Change Adapter Settings, and change the properties of the port you are using as your WAN:
Does that make all traffic from/to the WAN-interface go straight to the virtual machine and it will not leave the host directly exposed to the world wide web?
Other Thoughts:
I would love it if Wireless NICs could be shared to guest machines, then I could ditch my airport. Not sure if this will ever happen.
That would be great if that would ever be possible. I'm curious what would be the best way now to set up a WAP with a mPCIe card in combination with pfSense in VMWare on a XP host. My guess is, let pfSense handle DHCP and the traffic, but use http://www.virtual-ap.com/ to set up the actual access point. Not sure if it will work this way though.
Ps. All the pictures in your howto seem to be down ???
edit: Would it be a problem if the CPU of the system in question does not support any hardware virtualization? From what I managed to find, that shouldn't be a problem with 32bit guest OSes….
-
Hey, thanks for the message.
You are correct, by turning off all Windows controls you are telling Windows to ignore the device and all traffic on it. I'm sure there are steps you could take to secure it further, but I had no trouble using it like that for about a year.
I was able to create a third bridge to a wireless card, but I had to use a third party tool to act as a second DHCP server, in the end I chose not to as it separated components on my network (not to mention Double NAT).
Even now (6~ months past my original post) there are no Wireless N drivers so even if you could give it direct access you would run Wireless G speeds at best.
For now if you are setting up a WAP you would want to use a router in bridged mode. Virtual-ap would work but then PFSense isn't acting as the DHCP server, and you have little control over traffic on the Wireless NIC before it gets to PFSense.
I apologize for the loss of photos, I made the mistake of not setting up an account with IMGUR and took my server down for retinkering about a month and a half ago.
You can run virtual machines without VT-x but performance may be sluggish since you are emulating hardware commands.
I only expected my server to be down for a week, and was going to setup Xen. What a mistake that was, took me from early March until just now and I finally have a Xen version of the same configuration. Just finished all the tweaks an hour ago.
With Xen, a hypervisor, I can pass hardware to a virtual machine, which would allow me to provide Wireless G from the machine directly. It was NOT easy to setup and I don't recommend it if you value your sanity, but I will be posting a short tutorial on PFSense with Xen in the future, as well as some benchmarks.
I can't seem to modify the original post, so I will place the imgur album here in case I have to take my server down again:
http://imgur.com/a/zxJBZ
-
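The binding setup discussed in this thread (everything unticked on the WAN NIC except the VMware Bridge Protocol) can be checked from the host. The script below is an added example, not part of any post in the thread; it assumes Windows 8 / Server 2012 or later, where the NetAdapter cmdlets exist (they are not available on the Windows 7 hosts used in the thread), and the adapter name `WAN` is a placeholder.

```powershell
# Added example: audit which components are bound to the WAN-facing NIC.
# Assumption: Windows 8 / Server 2012 or later (NetAdapter and NetTCPIP modules).
# 'WAN' is a placeholder adapter name; pass your own with -WanNic.
param(
    [string]$WanNic = 'WAN'
)

# The only component that should stay bound is the VMware bridge driver.
$Allowed = @('vmware_bridge')

$bindings = Get-NetAdapterBinding -Name $WanNic -ErrorAction Stop

# The pfSense VM needs the bridge; warn if it is missing or disabled.
$bridge = $bindings | Where-Object { $_.ComponentID -eq 'vmware_bridge' }
if (-not $bridge -or -not $bridge.Enabled) {
    Write-Warning "VMware Bridge Protocol is not enabled on '$WanNic'."
}

# Anything else still enabled (ms_tcpip, ms_tcpip6, ms_server, ms_msclient,
# ms_pacer, ...) means the Windows host itself is reachable on this NIC.
$unexpected = $bindings |
    Where-Object { $_.Enabled -and ($Allowed -notcontains $_.ComponentID) }

if ($unexpected) {
    Write-Warning "Host components still bound to '$WanNic':"
    $unexpected | Format-Table DisplayName, ComponentID -AutoSize
    # To unbind one: Disable-NetAdapterBinding -Name $WanNic -ComponentID <id>
} else {
    Write-Output "OK: only the VMware bridge is bound to '$WanNic'."
}

# With TCP/IP unbound the host should hold no address on this NIC;
# any row printed here means Windows is still participating on the WAN side.
Get-NetIPAddress -InterfaceAlias $WanNic -ErrorAction SilentlyContinue |
    Select-Object IPAddress, AddressFamily
```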
While I was waiting for a response I've been doing some more research and emailing with the manufacturer of the wifi-card I got. I can forget setting up a WAP with Windows as OS with that card, there's no support whatsoever for that in the Windows drivers, Virtual AP wouldn't work because of that (so I've been told) plus there's a serious lack of settings in that program. Installed it on my laptop, you can barely change/set anything and there's no support for multiple wifi-cards as far as I can see. That's a problem since I want one setup as a 2.4GHz WAP and a 2nd one as a 5GHz WAP (can't do both with one card unfortunately). The 5GHz is a bit difficult though, regulatory domain issue, the whole 5GHz band is being blocked by some region/country code programmed into the wifi-card even though some 5GHz channels are free and legal to use here. Still looking into that.
Anyway, right now I'm considering Linux Mint LXDE as router OS, using Firestarter to get the right settings for the firewall. With hostapd there shouldn't be any problems setting up a WAP, got hostapd working without problems with IPFire (not counting the regulatory domain issue I mentioned). Only thing still on my mind is that I use 2 programs that are made for Windows, not Linux. Hope Wine would work for those, Davis Weatherlink and an eMule mod if you're curious. If everything works out, I won't be needing a virtual machine after all.
ps. The pics are working now :) , but http://cdelorme.com/images/journal/WorkstationHomeTab.png and http://cdelorme.com/images/journal/WANConfig.png are way too wide for the forum, those two are being cut off on the edge of the forum…
-
I expected the forum to automatically limit image sizes to the width of the post columns, but I guess my faith in software was misplaced.
I wanted them large so they would remain readable, but the post is too old so I can't edit it now even if I wanted to shrink them.
Did you find a package that can create Wireless N WAPs? If so please do share, everything I have read for most router packages says they only have Wireless G WAP support still.
-
Ah okay.
Well, if you want to set up a N WAP, then you need a Linux based OS (IPFire for example, running that right now) and hostapd (there's a hostapd addon for IPFire), that's it. And of course drivers that support it, but that would be stating the obvious I guess, the ath9k driver has support for that, don't know about others.
Oh, if you are gonna use IPFire, please don't be surprised if you don't get the WAP working after reading/following the hostapd-addon/wifi wiki page, there's a lack of certain essential info there to get things going… Already mentioned that on the IPFire forum in a topic I created.
-
I've had some stability issues since updating to 2.0.1 on AMD architecture. Prior to this my VMware+pfSense setup worked flawlessly.
Since the update after a couple of days of uptime it starts acting up (can't access various pages of the webgui, ssh goes down, WAN goes down but WAN2 stays up, all sorts of odd behaviour). After a reboot things clear up for a few days then rinse and repeat.
I found another PFsense thread by someone with a similar problem: http://forum.pfsense.org/index.php?action=printpage;topic=47354.0
I tried the fix located here: http://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards - but whoever wrote the fix in the wiki was mistaken, you cannot do as he suggests and set "hw.em.num_queues=1"
Any ideas? Should I just go back to 2.0 or should I perhaps try one of the new experimental builds? The funny thing is that I can generally fix the problem even when I'm not home by remoting into the Windows 7 Machine through WAN2 and rebooting the VM. However, I would much rather just see it work all the time.