    VMWare Pentest lab: Extremely high CPU on host

Category: Virtualization
85 Posts, 29 Posters, 71.5k Views
cmb:

There are XSS and CSRF vulnerabilities in 1.x's web interface. Though if you follow general best practices for managing any web-administered device (use a different browser than you ever use for the Internet), that's a non-issue. Every web-managed device has had some XSS and CSRF issues, and many commercial security-related products have a number of known unpatched XSS and CSRF. Some have released updates fixing them. There isn't anything imminently exploitable in any pfSense version, but I wouldn't recommend running anything prior to the latest stable release.

We and many, many others run most or all our production firewalls on ESX. This very site runs behind firewalls in ESX, and can route gigabit wire speed between internal VLANs, without any excessive CPU usage on the host. All of our production colos run their firewalls in ESX without any issues at all, and they're pushing significant loads. Why a minority of people see this, I don't know, but it's something we plan to investigate post-2.1 when time permits. It may be something that just goes away when we get to a newer FreeBSD base.

Note you do need to make sure you're on the latest ESX (5.0U1 or 5.1 should be fine). While I'm not aware of any ESX issues exactly along these lines, they have patched several bugs related to FreeBSD guests over the years, and there is at least one ugly one in 5.0 pre-update 1.
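As an added example (not part of the thread, and not Netgate's or VMware's code): a small POSIX shell check that applies the "latest ESX, 5.0U1 or 5.1" recommendation above to the output of `esxcli system version get`, so a host that is still on 5.0 pre-Update 1 (or on 4.1) gets flagged before anyone starts tuning the guest. It assumes that command prints `Version:` and `Update:` lines in the format shown; the four sample outputs are constructed, not captured from any host.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether an ESXi host meets the
# "5.0 Update 1 or newer" recommendation by parsing `esxcli system version get`.
# Assumption: that command prints "Version: X.Y.Z" and "Update: N" lines.
# On a real host you would run:  esxi_meets_minimum "$(esxcli system version get)"

# Constructed sample outputs (not captured from real hosts; builds are dummies).
ESXI_50='   Product: VMware ESXi
   Version: 5.0.0
   Build: Releasebuild-000000
   Update: 0'

ESXI_50U1='   Product: VMware ESXi
   Version: 5.0.0
   Build: Releasebuild-000000
   Update: 1'

ESXI_51='   Product: VMware ESXi
   Version: 5.1.0
   Build: Releasebuild-000000
   Update: 0'

ESXI_41U3='   Product: VMware ESXi
   Version: 4.1.0
   Build: Releasebuild-000000
   Update: 3'

# esxi_field TEXT NAME: print the value of the "NAME:" line from esxcli output.
esxi_field() {
    printf '%s\n' "$1" | awk -F': *' -v name="$2" '$1 ~ "^ *"name"$" { print $2; exit }'
}

# esxi_meets_minimum TEXT: return 0 if the host is ESXi 5.0 U1 or newer,
# 1 if it is older, 2 if no Version line was found.
esxi_meets_minimum() {
    ver=$(esxi_field "$1" Version)
    upd=$(esxi_field "$1" Update)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}          # "5.0.0" -> 5
    rest=${ver#*.}            # "5.0.0" -> "0.0"
    minor=${rest%%.*}         # "0.0"   -> 0
    upd=${upd:-0}             # missing Update line counts as Update 0
    [ "$major" -gt 5 ] && return 0
    if [ "$major" -eq 5 ]; then
        [ "$minor" -ge 1 ] && return 0   # 5.1 and later
        [ "$upd" -ge 1 ] && return 0     # 5.0 U1 and later
    fi
    return 1
}

# esxi_report LABEL TEXT: print a one-line verdict for one host.
esxi_report() {
    v=$(esxi_field "$2" Version)
    u=$(esxi_field "$2" Update)
    if esxi_meets_minimum "$2"; then
        printf '%s: ESXi %s U%s - OK\n' "$1" "$v" "${u:-0}"
    else
        printf '%s: ESXi %s U%s - older than 5.0 U1, patch the host before tuning the guest\n' "$1" "$v" "${u:-0}"
    fi
}

esxi_report host-a "$ESXI_50"
esxi_report host-b "$ESXI_50U1"
esxi_report host-c "$ESXI_51"
esxi_report host-d "$ESXI_41U3"
```

The check is deliberately conservative: a host with no `Update:` line is treated as Update 0, so a bare 5.0.0 is reported as needing patching rather than silently passing.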

Veni:

@Veni:

[…]I'm about to revert from 2.0.1 to 1.2.3 this month due to high CPU usage on 2.0.x. I will be canceling the 3G backup route so 1.2.3 will be more than enough.

Reverted last month. Runs perfectly smooth. Right now 42 Mbps makes the guest drive up the clock to 506 MHz (out of 2.66 GHz) on the host. Perfect!

You guys that run your large setups on ESXi without any CPU utilization issues, what type of motherboard, pCPU and pNIC are you using?

Supermule:

Use IBM X3550M4 with Intel 10GbE cards X520-T2.

Veni:

@Supermule:

Use IBM X3550M4 with Intel 10GbE cards X520-T2.

If you are running at 10 Gbit/s uplink, do you use DirectPath I/O with the pNICs to pfSense or do you virtualize them to pfSense?
Otherwise the platform is a more current generation than mine.

Supermule:

I don't see any issues at all related to high CPU on the 2.0.2 release.

Running 3 separate FWs on 4.1 U3.

Packages:

File Manager
Open VM-Tools 8.8.1
PFBlocker
Snort

[Attachment: pfsenseCPU.jpg]

Supermule:

@Veni:

@Supermule:

Use IBM X3550M4 with Intel 10GbE cards X520-T2.

If you are running at 10 Gbit/s uplink, do you use DirectPath I/O with the pNICs to pfSense or do you virtualize them to pfSense?
Otherwise the platform is a more current generation than mine.

I am not. I only use 10Gbit internally and use the built-in 1Gbit for PF WAN.

No DirectPath, but virtualized through VMware.

:)

I am running the 32-bit version of pfSense and VM version 7.

2 vCPU and 1GB of memory. 11% memory used at the moment and 37% disk.

jp141:

Are people still having this issue with the latest ESXi 5.1?

I am running 4.1 at the moment and basically any sort of large download kills access to every VM running on the host until it is complete! :(

I have tried everything I can think of and that is listed on here; I am getting it on all versions of pfSense from 1.2.3 up to the latest.

It has got to the point now where I am either going to have to set up pfSense on some dedicated hardware or switch to m0n0wall, but I really need OpenVPN :(

So is upgrading to ESXi 5.1 a fix for this?

Supermule:

Try to limit the download bandwidth. ;)

Currently seeing ~2% CPU on the ESXi host on 2.0.3 REL.

jp141:

I have tried that, even if I limit to 20 meg it still plays havoc :(

What version of ESX are you on?

Supermule:

4.1 U3.

Don't want to upgrade to 5.x since I don't need the new features in 5.x.

jp141:

Looks like my only option is to move to hardware in that case :(

Supermule:

When you're used to running VMs, hardware is a pain in the ass... :(

jp141:

I know there are going to be VLANs everywhere, but what else can I do? I can't get any version of pfSense to play nice.

Supermule:

Have you tried 1.2.3?? Just for testing?

jp141:

Yes, I got exactly the same. The problem is that, as everyone is accessing the environment via IPsec tunnels or the SSL VPN, all it takes is for one user to do a download and everyone's sessions jump about or die totally :(

Supermule:

Have you read this?

http://doc.pfsense.org/index.php/VPN_Capability_IPsec

No overlapping networks...

jp141:

Yeah, deffo no overlapping networks

Supermule:

All right :) Do you have a 4.x VMware test platform??

jp141:

Yeah

Supermule:

Can you test there to see if it's a 5.x issue then?

Rather keep it in a VM than on physical hardware for the flexibility :)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.