PfSense VM doesn't know that a NIC is down



  • Hello,
    My setup: pfSense virtualized on ESXi 6 and connected to physical NICs through a virtual switch. If you pull a cable on a NIC, pfSense doesn't know it because the connection to the virtual switch is still up. Is there a solution other than passing the NICs directly to the VM?


  • LAYER 8 Global Moderator

    I am not aware of an easy way to do something like this.  Your problem is the vswitch is not down, so the vnic connection from pfSense should still show a link.  When the physical adapter is unplugged from the network only the uplink of the switch is down.

    On a physical switch you would run into the same problem, just pulling the uplink on a switch does not disable all the switch ports.

    What you could do is run a script that disables the pfSense vnic when you detect loss of network connectivity.  Assume you're doing something with CARP, which is why you need something like this?

    What switches are you using? Something like this might be possible with the fancier distributed switches.  I know you can shut down the vmnic via esxcli but not sure if you can just down the individual vnic of a VM?

    You could set up a monitor in pfSense to ping something through that network so pfSense would know the link is down even though the vnic is up, like the WAN monitor.



  • For the exact same reasons pfSense implements gateway monitoring by pinging the gateway address (configurable in case needed) and does not use the interface status. Imagine if you have a switch on the WAN side between pfSense and the device that brings the internet to you (modem, ISP router etc). Pull the cable from this device and pfSense wouldn't know what happened if it looked only at the interface status because pulling that cable would still keep the WAN interface up because it still has a link with the switch.
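The two suggestions above (a script that downs the vnic on loss of connectivity, and a ping monitor instead of relying on interface status) can be combined into one small watchdog. The script below is an added example written for this thread, not code posted by anyone in it or shipped with pfSense. It assumes it runs on pfSense (FreeBSD `ping` syntax), that `vmx1` is the vNIC behind the physical NIC that might lose its cable, that `192.0.2.1` is a placeholder for a host reachable only through that NIC (the physical next hop is the natural choice), and that administratively downing the interface with `ifconfig` is enough to stop CARP advertisements so the backup takes over. It defaults to dry-run mode, so it only logs until `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the thread): link-loss watchdog for a pfSense vNIC.
# Pings MONITOR_IP through IFACE; after FAIL_THRESHOLD consecutive failed
# probes the interface is marked down (CARP peers stop hearing advertisements
# and fail over), and it is brought back up once probes succeed again.

IFACE="${IFACE:-vmx1}"                  # assumed interface name
MONITOR_IP="${MONITOR_IP:-192.0.2.1}"   # placeholder (RFC 5737 documentation address)
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"   # consecutive failures before acting
INTERVAL="${INTERVAL:-5}"               # seconds between probes
DRY_RUN="${DRY_RUN:-1}"                 # 1 = log only, 0 = actually run ifconfig

# probe: one ICMP echo with a 2 s deadline (FreeBSD ping: -t is the deadline;
# on Linux ping use -w instead). Returns 0 on reply, non-zero otherwise.
probe() {
    ping -c 1 -t 2 "$MONITOR_IP" >/dev/null 2>&1
}

# update_state STATE FAILS RESULT -> prints "NEWSTATE NEWFAILS ACTION"
# STATE is "up" or "down" (what the interface was last set to), FAILS the
# count of consecutive failed probes so far, RESULT 0 for a successful probe.
# ACTION is one of "disable", "restore" or "none".
update_state() {
    state="$1"; fails="$2"; result="$3"
    if [ "$result" -eq 0 ]; then
        if [ "$state" = "down" ]; then
            echo "up 0 restore"
        else
            echo "up 0 none"
        fi
    else
        fails=$((fails + 1))
        if [ "$state" = "up" ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
            echo "down $fails disable"
        else
            echo "$state $fails none"
        fi
    fi
}

# apply_action ACTION: carries out the decision, honouring DRY_RUN.
apply_action() {
    case "$1" in
        disable)
            logger -t linkwatch "$MONITOR_IP unreachable via $IFACE, marking interface down"
            if [ "$DRY_RUN" = "0" ]; then ifconfig "$IFACE" down; fi
            ;;
        restore)
            logger -t linkwatch "$MONITOR_IP reachable again, bringing $IFACE up"
            if [ "$DRY_RUN" = "0" ]; then ifconfig "$IFACE" up; fi
            ;;
        *) ;;
    esac
}

# Main loop; only started when RUN_LOOP=1 so the functions can be sourced.
if [ "${RUN_LOOP:-0}" = "1" ]; then
    cur_state="up"; cur_fails=0
    while :; do
        if probe; then result=0; else result=1; fi
        set -- $(update_state "$cur_state" "$cur_fails" "$result")
        cur_state="$1"; cur_fails="$2"
        apply_action "$3"
        sleep "$INTERVAL"
    done
fi
```

Run it as `RUN_LOOP=1 DRY_RUN=0 IFACE=vmx1 MONITOR_IP=<next hop> sh linkwatch.sh` from a shell service or at boot once the dry-run log lines look right. The hysteresis (three failed probes before acting, a single success to restore) is there so a single dropped ping does not flap the CARP master; tune `FAIL_THRESHOLD` and `INTERVAL` to be slower than the gateway monitor's own thresholds so the two mechanisms do not fight.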



  • Thank you for the replies.
    Yes, running CARP. Not sure how other people report this as working. Yes, if you shut down one VM the other takes over. But, if an interface goes out, the backup never fully takes over, leaving a non-functioning Internet.
    Yes, thought about scripting but not sure how to do it. And wouldn't want to bring down the whole vswitch.
    I looked at the Gateway settings and monitoring is on.
    Anyway, the easy solution is to pass through the NICs, which is what I've done. Works perfectly this way.
    Thought maybe I was overlooking something.

