pfSense on Linode (KVM) - create sub interface and restart network services



  • Linode does not officially provide support for any OS other than Linux. Some guides for installation of FreeBSD do exist and the install does work.

    I'm installing pfSense v2.3.2 on Linode (KVM) VM in paravirtualized mode (have also tried full virtualized). The installation completes.

    Linode VMs are provided a public IP (WAN) and an optional private IP. The problem is that a single network interface is used (single MAC). On Linux the public and private IPs are configured as "eth0" network interface and "eth0:1" sub interface.

    When pfSense boots on Linode VM only a single network interface is configured "vtnet0". I can then manually create the sub-interface as follows:

    "ifconfig vtnet0.1 create"

    I then configure the private IP address as follows:

    "ifconfig vtnet0.1 inet 192.168.180.200/17"

    If I launch the Webconfigurator, I can see both network interfaces, so I know I'm going in the right direction. My questions are:

    1. In pfSense, how do I manually restart the network and routing services following the creation of the sub-interface and private IP assignment?

    2. How do I save the above sub-interface configuration and private IP assignment so that they persist following a reboot?

    3. In Webconfigurator, I can assign the sub-interface "vtnet0.1" as LAN. I disable IPv6 and assign an IP. When I try to ENABLE the sub interface an error comes up: the DHCPv6 Service is running. I attempt to disable IPv6 from the WAN interface and the Webconfigurator appears to hang and lose the configuration entirely.

    4. Lastly, is use of pfSense with two interfaces where one is actually a sub-interface a security concern (essentially a FW on a stick) - it is not intended for any production use.

    Any guidance/suggestions appreciated.



  • @firefly:

    1. Lastly, is use of pfSense with two interfaces where one is actually a sub-interface a security concern (essentially a FW on a stick) - it is not intended for any production use.

    The main problem is the single MAC address.  In effect you have two interfaces plugged into the same collision domain at layer 2.  This means that both interfaces will see all frames which will give ARP a headache for starters!  There is a checkbox in system -> advanced -> networking to turn off ARP messages which will paper over the cracks a bit.  Many other bits will not work but the firewall (layer 3) should work OK.

    As to the rest of your questions, pfSense doesn't work like that.  It needs two "real" interfaces of some sort.  You could create a tagged VLAN interface on your one interface and use that for LAN.  Any other VMs that you want to route through your pfSense would need to also tag on their LAN.  You might get away with the tagged interface on WAN and hope that traffic ends up on the default VLAN anyway.

    So when you get to assign interfaces after initial install answer Y to setup VLANs and add one say tag 2 or 10 or whatever.  Then put vtnet0 on WAN and vtnet0_vlan2 on LAN.  Assign IP addresses and off you go.  You probably don't need the eth0:1 interface on the VM at all.
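
To illustrate the tagging described in the reply above, here is an added example (not part of the original thread and not pfSense code): a simplified Python model of how untagged and 802.1Q-tagged frames arriving on the single NIC are sorted between `vtnet0` and `vtnet0_vlan2`. The MAC addresses, payload and helper names are constructed for illustration, and dropping frames with an unconfigured tag is an assumption of the model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame
ETH_ARP = 0x0806

def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build a raw Ethernet II frame, optionally carrying an 802.1Q tag."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        # TCI = 3-bit priority (0) | 1-bit DEI (0) | 12-bit VLAN ID
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload

def classify(frame, parent="vtnet0", configured_vlans=(2,)):
    """Return the logical interface that receives the frame, or None if dropped."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return parent  # untagged traffic lands on the parent (WAN in the reply)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    vlan_id = tci & 0x0FFF
    if vlan_id in configured_vlans:
        return f"{parent}_vlan{vlan_id}"  # tagged traffic reaches the LAN side
    return None  # assumption: no VLAN interface for this tag, so not delivered

def demo():
    """Classify three constructed ARP frames: untagged, tag 2, tag 10."""
    broadcast = b"\xff" * 6
    src = bytes.fromhex("020000000001")  # constructed locally administered MAC
    payload = b"\x00" * 28               # placeholder ARP body (constructed)
    results = {}
    for label, vid in (("untagged", None), ("tag 2", 2), ("tag 10", 10)):
        frame = build_frame(broadcast, src, ETH_ARP, payload, vlan_id=vid)
        results[label] = classify(frame)
    return results

if __name__ == "__main__":
    for label, iface in demo().items():
        print(f"{label:9s} -> {iface}")
```

A VM that does not tag its LAN traffic ends up on the parent interface, which is why the reply says the other VMs must tag as well.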



  • @firefly:

    Hello, I am in the same situation. I need to have a firewall in front of my other VM, but I need two interfaces, WAN and LAN.

    Have you made any progress?

    My best regards!