    Virtual Infrastructure and 2 pfSense

SSamir:

      Hello

I want to install a fully virtualized environment, as shown in the attached picture, on our physical server running XenServer 7 at a server hosting company.
I will protect both the LAN and the DMZ with dedicated pfSense virtual instances.

      2 questions please:

• What's your recommendation and your comments/criticisms, if any?
• I installed the pfSense instances, but traffic is not going to the Internet from the LAN. Is there special routing that must be configured on both FWs?

      Thank you :)

      ![Virtual Infrastructure Public.png](/public/imported_attachments/1/Virtual Infrastructure Public.png)

SSamir:

Forgot to say that communication between both FWs is working fine; the i-edge FW is accessing the Internet too, to retrieve the package list.
But there is no access to machines in the DMZ or in the LAN.

viragomann:

          @SSamir:

• What's your recommendation and your comments/criticisms, if any?

Delete the second FW and connect the LAN to an additional interface on the first one. It makes no sense to run two instances of pfSense, each serving just one network segment, on the same hardware.

SSamir:

            Dear Viragomann,

Of course it's easily feasible with one FW having 3 legs (multi-arm).
However, it's often recommended to have a DMZ (with its multiple services inside) between 2 distinct FWs, and better still if they are from 2 distinct brands.

            What I'm trying to replicate is a micro-environment in virtual infrastructure of a real world enterprise class architecture.

            Thank you for your reply :)
            Samir

heper:

              @SSamir:

Forgot to say that communication between both FWs is working fine; the i-edge FW is accessing the Internet too, to retrieve the package list.
But there is no access to machines in the DMZ or in the LAN.

I guess you are not running NAT on the i-edge FW and are using it as a router/firewall? ==> you might then be missing NAT for the 192.168.49.x/y subnet on the e-edge FW.

viragomann:

                So you have a double NAT setup.
                For getting internet access from LAN you have to set 192.168.59.1 as default gateway on i-edge FW.
                Also ensure that an outbound NAT rule is set on the DMZ interface.

SSamir:

                  Hi Guys,

Thank you all for your replies.
The culprit was the BSD/Xen combination.
I disabled TX offloading on pfSense but forgot to do the same on the hypervisor (XenServer 7).

                  The following did the trick :)

```shell
# Disable TX checksum offload on the pfSense guest's virtual interface (run once per VIF).
xe vif-param-set uuid=<vif uuid> other-config:ethtool-tx="off"
xe vif-param-set uuid=<vif uuid> other-config:ethtool-tx="off"
```

Thank you again

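Applying the fix from the thread across both firewall guests in one pass, as an added example (not the poster's own script): it lists each pfSense VM's VIFs with `xe vif-list`, sets `other-config:ethtool-tx=off` on every one of them, and reads the key back so a missed VIF is caught before the reboot. The VM name-labels, the `PFSENSE_VMS` list and the `XE` override are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: disable TX offload on every VIF of the
# two pfSense guests on a XenServer 7 host, then verify the setting.
# Assumptions: the xe CLI is on PATH (XE=... overrides it, e.g. for a dry run)
# and the name-labels below are placeholders for the two firewall guests.
XE="${XE:-xe}"
PFSENSE_VMS="${PFSENSE_VMS:-pfsense-e-edge pfsense-i-edge}"

# Print the VIF UUIDs of one VM, one per line (--minimal returns a comma list).
vif_uuids_for_vm() {
    "$XE" vif-list vm-name-label="$1" --minimal | tr ',' '\n' | sed '/^$/d'
}

# Set other-config:ethtool-tx=off on one VIF. XenServer applies ethtool-* keys
# when the VIF is plugged, so the guest still needs a restart afterwards.
disable_tx_offload() {
    "$XE" vif-param-set uuid="$1" other-config:ethtool-tx="off"
}

# Read the key back so the change can be checked before rebooting the guest.
tx_offload_setting() {
    "$XE" vif-param-get uuid="$1" param-name=other-config param-key=ethtool-tx
}

# Apply the setting to every VIF of every firewall VM; return non-zero if any
# VIF still reports something other than "off".
harden_all() {
    failed=0
    for vm in $PFSENSE_VMS; do
        for vif in $(vif_uuids_for_vm "$vm"); do
            disable_tx_offload "$vif"
            state=$(tx_offload_setting "$vif")
            echo "$vm $vif ethtool-tx=$state"
            [ "$state" = "off" ] || failed=1
        done
    done
    return $failed
}

# Only touch the host when invoked with "apply"; sourcing the file is harmless.
if [ "${1:-}" = "apply" ]; then
    harden_all
fi
```

Run it as `sh disable-tx-offload.sh apply` on the XenServer host, then reboot the pfSense guests (or unplug and replug their VIFs) for the setting to take effect.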
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.