Win 10 Hyper-V, multiple issues, need help please.
-
Okay, so I really want to get this working. I've been fooling with it for the past week now. I had it working last night, but not how I wanted it or how it's supposed to work "in my head". So here is the map I'm going for; I'm going to try to be as detailed and correct as I can be. Also note that the NIC is a single Intel Pro 1000 card with two ports, and then there is a built-in NIC on the motherboard.
Modem (issues IP via DHCP from ISP to the router/firewall) --> WAN on pfSense VM (1st port on Intel NIC, set up as external vSwitch not shared with host OS) --> LAN on pfSense VM (2nd port on Intel NIC, set up as internal to talk to host OS) --> Switch (theoretically this should go right to the switch) --> clients (including host OS through the built-in NIC)
Now this was working last night, but here's the catch. For some reason the vLAN Hyper-V switch and the actual LAN (second port on that NIC) show as two separate ports on the host machine, and I had to bridge them together in the host OS (Win10) and have pfSense use that as the LAN port? I guess, lol. But more annoying is that the host is using that connection as its way to the WAN. When I went to check active DHCP leases in pfSense, the IP that the host had (192.168.1.115) showed up as expired but online.
I don't really know what I did to make this work, but it just did. I read some more stuff this morning and did some more diving, and noticed that 2.4.1 is out and allows Hyper-V to run in Gen 2 mode instead of Gen 1 mode. I don't know if this is gonna help or not; I'm going to check it out when I get home and see. I have verified that all my drivers work and that everything is up to date as well. So I'm certain it's not any driver issues.
I just need a few questions answered, and some feedback about this would be appreciated.
First question: is the map that I'm trying to create possible?
Second one: can that NIC just be used by the VM and not the host machine? I tried setting LAN up as external only, not shared with the host OS, and it wasn't working, or at least how I set it up it wasn't. pfSense shouldn't have to go through the host OS or have to get bridged to talk to that switch. It should just give an IP to that port, which would be 192.168.1.1, and then go to the switch to hand out DHCP to the EAPs and hardwired devices.
Third question: would I have better luck using Windows Server and Hyper-V in that, or is it just gonna be the same experience as Win10 Hyper-V?
And finally, is anyone else running a similar setup? The reason I have this setup and want to do this is because I want to be able to host game servers/other VMs on this machine while running pfSense too. I don't want to have to use two machines (one for pfSense and one for VM stuff) if I can just do it all on one system; managing it from one machine makes things so much simpler.
Thank you all.
-
Are you still around?
-
Are you still around?
Yes, I still have my network up and running, but still not as right as it should be.
-
I saw your post and took the time to read through it, but unfortunately I found your grammar rather difficult to penetrate - I'm really struggling to understand what you've done here.
So what I'm going to do is quickly outline how you should be doing this.
First, you don't detail what the onboard NIC is. If it is Realtek, I strongly recommend buying another Intel card. If it is an older Intel NIC, I also recommend upgrading, as the older cards are not supported with current virtualisation extensions (or even currently supported drivers). Basically all Intel controllers prior to the 'i' series (i210, i340, i350 etc.) are unsupported. We have a number of older servers with on-board Intel NICs that we've upgraded to i340/i350 or above when they were repurposed from single-use servers to run Hyper-V.
So, that said, you have three physical network ports. If you're running pfSense, you need one port for WAN and another for LAN, which leaves you with one for your host. You also wrote that you're running Hyper-V on Windows 10, is that correct? If so, I can only hope that you're just testing pfSense out in this virtualised environment on Windows 10, and don't plan to actually use it to run your network - that would be a Very Bad Idea. If you only have the one physical computer, then pfSense is not for you, sorry - if you want to virtualise it, run it on a dedicated hypervisor (it doesn't have to be too beefy, but does have to have enough performance to run pfSense plus any other VMs you want to run concurrently). If you really just want this for pfSense, then just run it on bare metal - there's no need to complicate your life unnecessarily. Virtualisation is a brilliant solution if you need to run lots of different workloads (that would otherwise be run on different machines) on a single box, but if you're only virtualising pfSense so you can run it on your PC and save yourself some dollars, you're really asking for trouble here. pfSense really doesn't need very much grunt - you could put a box together for a few hundred clams brand new, or repurpose some old or second-hand hardware much more cheaply.
You also asked if it would be better to run the VM from Hyper-V on Windows Server. I think it's pretty clear what I think about running it on Windows 10, but assuming you actually have good reasons to need a hypervisor running multiple VMs, then Hyper-V Server is a good option, because it's free. And it can be managed from Windows 10. Windows Server licensing is quite expensive and isn't necessary unless you actually need to run Windows Server. Which it doesn't seem like you do. For just virtualisation, all you need is Hyper-V server, which is free to download, install and run, forever. But it doesn't have a GUI - you need to control it from Hyper-V Manager on Windows 10, and you'll need to understand how to set it up to get them to talk to each other without Kerberos authentication, which is tricky for anyone new to it. But it can be done, and is certainly very cheap.
Moving along, let's say you actually have a good reason to run a pfSense VM on Hyper-V. As above, you need one physical port for pfSense's WAN and another for the LAN. Yes, you could create two Virtual Switches based on a single NIC port and pass them both through to pfSense and it would work, but that's far from ideal - keeping them on physically separate ports minimises potential issues and is the better design. Besides, you have three network ports available, so you've got one left for the host anyway.
Now, what should happen when you dedicate a network port to a Hyper-V switch and tell it not to share it with the host during the Virtual Switch creation process is that the NIC stops being available to the host OS. So once you've provisioned your two Virtual Switches, you should have one NIC (your onboard one) still available to your host, but the other two can no longer be assigned an IP. No bridging or other shenanigans should be required - your onboard NIC should work as normal, and once you've assigned your NICs to the WAN and LAN interfaces within pfSense you can then configure them from there.
As for connection, your WAN port should be connected directly into your modem (of whatever sort you have) and should be configured to control the connection, with your modem reconfigured as a mere bridge. Alternatively, if you have a modem/router providing DHCP to your network, you could continue to have that provide the IP to the pfSense WAN port, but the downside to this is that your router is doing a lot more work than it needs to, and unless it is made by Cisco, Juniper or Ubiquiti (or a few other enterprise vendors) it is going to be less reliable than pfSense for staying alive.
So, let's say you leave your router alone - it is providing DHCP leases on the 192.168.1.0/24 subnet. You connect pfSense's WAN port directly into the router - it no longer connects to your switch or anything else on your network. Your configuration so far is Internet --> Router --> 192.168.1.0/24 --> pfSense WAN (which has a lease provided by the router, something like 192.168.1.101). Your pfSense LAN port is then configured as a DHCP server, to provide IP address leases to the rest of your network. You connect the pfSense LAN port into your switch. This network absolutely cannot be on the same subnet as your router is providing. So, for example, if your router is providing addresses on the 192.168.1.0/24 subnet to the pfSense WAN port, your pfSense LAN DHCP server could provide addresses to the rest of your network on the 192.168.2.0/24, or even 192.168.0.0/24 subnet - absolutely anything but the same subnet that's being provided by your router.
Now, the rest of your network is connected to your switch, and is being assigned addresses by the LAN port from pfSense. Let's say you have no switch - that it's just your PC, you're running pfSense in Hyper-V on top of Windows 10, you have a router and a PC with three NIC ports. You plug the pfSense WAN port into your router, then you connect your onboard NIC port (that you're using for Windows 10) directly into the pfSense LAN port. The problem with this configuration is that you will not only have no Internet, but you won't even have a working network until the pfSense VM boots up, well after your Windows 10 OS has finished loading. Because it can't get an IP lease from an active DHCP server, it will probably also take absolutely ages to boot into Windows - maybe as long as 10 minutes. By the time pfSense has finished booting, you may still have no network connection - if you run ipconfig from the command line, if you have a network IP beginning with '169', it hasn't automatically been assigned a new lease once the DHCP server has come online, and you will need to manually obtain the address by running 'ipconfig /renew'. Once you've done that you should have a new lease on the correct subnet, and you're good to go from there.
But as I said, this is a terrible configuration, and should only be used for testing because you absolutely have no viable alternative. If you want to run your network/PC through pfSense on a daily basis, run it from a separate device. Please.
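As an added illustration of the switch layout described in the answer above (this is not code from any poster in the thread), here is how the two dedicated Hyper-V switches would be created and then checked from an elevated PowerShell prompt on the host. The adapter names, the VM name and the switch names are assumed placeholders; list the real adapters with Get-NetAdapter first.

```powershell
# Placeholders (assumed): replace with the names shown by Get-NetAdapter / Get-VM.
$WanNic  = 'Ethernet 2'     # Intel port 1, cabled to the modem/router
$LanNic  = 'Ethernet 3'     # Intel port 2, cabled to the physical switch
$VmName  = 'pfSense'        # the pfSense guest, powered off while adapters are added
$ShareLanWithHost = $false  # $true reproduces the "share with management OS" variant

# Sanity check: both ports must exist and have link before they are handed over.
foreach ($nic in $WanNic, $LanNic) {
    $a = Get-NetAdapter -Name $nic -ErrorAction Stop
    if ($a.Status -ne 'Up') { throw "Adapter '$nic' is $($a.Status); check cabling first." }
}

# One external switch per physical port. AllowManagementOS:$false detaches the port
# from the host's IP stack, so Windows can no longer use it (no bridging needed).
New-VMSwitch -Name 'vSwitch-WAN' -NetAdapterName $WanNic -AllowManagementOS $false | Out-Null
New-VMSwitch -Name 'vSwitch-LAN' -NetAdapterName $LanNic -AllowManagementOS $ShareLanWithHost | Out-Null

# Replace the VM's default adapter with one vNIC per switch.
Remove-VMNetworkAdapter -VMName $VmName -Name 'Network Adapter' -ErrorAction SilentlyContinue
Add-VMNetworkAdapter -VMName $VmName -Name 'WAN' -SwitchName 'vSwitch-WAN'
Add-VMNetworkAdapter -VMName $VmName -Name 'LAN' -SwitchName 'vSwitch-LAN'

# Verification 1: switch types and whether the host still shares each port.
Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS

# Verification 2: only a shared switch should leave a vEthernet adapter with a host IP.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -like 'vEthernet*' } |
    Select-Object InterfaceAlias, IPAddress

# Verification 3: MAC addresses to match WAN/LAN against hn0/hn1 during
# pfSense's interface assignment, so the two ports are not swapped.
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, SwitchName, MacAddress
```

With $ShareLanWithHost left at $false the host keeps only its onboard NIC, which is the layout the answer recommends; set it to $true only if you deliberately want the management OS on the LAN switch.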
-
I am running Intel 1000 chips, PT and VT, on a Win2k16 Hyper-V. The VT was a little hassle to install, but everything seems to be running great now.
The old cards have slightly higher power consumption, but you can get them for virtually nothing used on eBay or specialized used-server-hardware vendors.
(Get rebranded Dell or other cards to pay even less.)
-
I've been running a router on a hyper-v server for several years. I have separate nics for the wan and lan, respectively. Each nic is connected to a virtual switch. All guests are connected to either or both of the switches, as required. I have two instances of pfsense on the server. The only other guest that ever gets connected to the wan switch is a pc that I use for wireshark. Normally it's not running. The wan nic is connected to a bridged port on the modem / router. I'm using the setting "allow management operating system to share this network adapter" on the lan nic. There is a third nic that is connected to an unbridged port on the modem, which I use to access the modem gui. This setup has been rock-solid.
-
@bimmerdriver : what OS are you using and how is your Hyper-V configured please ?
I would like to create the same setup but it is my first time with a virtualization.
Do you use the system for other purposes than internet gateway ?
-
@Georget27:
@bimmerdriver : what OS are you using and how is your Hyper-V configured please ?
I would like to create the same setup but it is my first time with a virtualization.
Do you use the system for other purposes than internet gateway ?
I'm running hyper-v on windows server 2012R2. There are multiple guests of various OS including 2 x pfsense, openvpn AS, linuxes and windows 10.
There are three nics.
One nic is for the wan, connected to bridged port on modem on the outside and to virtual switch on the inside. It's also enabled to mirror the source for wireshark for the pfsense guests.
One nic is for the lan, connected to physical switch on the outside and virtual switch on the inside. This nic is shared with the hyper-v server.
One nic is connected to an unbridged port on the modem, so I can manage the modem from the bridged port.
Does that help?
-
That helped A lot. Did you use PPPoE by accident to authenticate the WAN ?
-
@Georget27:
That helped A lot. Did you use PPPoE by accident to authenticate the WAN ?
Glad to help. My ISP does not use PPPoE, but rather RFC 1483 via DHCP. "Authentication" is done by only allowing RA after DHCP solicit. I am one of the users who tested that feature while it was being developed. (Thanks again, marjohn56!) Good luck with pfsense. Welcome to the club.