Xen, pfSense, no web connections.

  • I feel dumb.
    I've reinstalled pfSense several times now and just can't get it working properly.

    Xenserver 7.4, pfSense attached to one of the physical networking ports and a virtual server-only port.

    Linux VM on same server attached to virtual net, can talk to pfSense ok.
    I can get a CLI to ping by name (shows the DNS is working), but the browser keeps timing out.

    Will eventually put a VPN on this, but first I need it to work.
    Why does a basic installation not seem to pass traffic properly?
    Set up as a basic router first, then add security would seem the optimal way to go.

  • Netgate Administrator

    Waaay more information needed.

    Missing default gateway/route?

    Conflicting subnets?

    Incorrect firewall rule?

    It could be a lot of things.


  • Alright...
    Starting from scratch:
    Create VM on Xenserver 7.4
    Set up VM with 2G memory and a 2G drive with pfsense-CE-2.4.3-RELEASE-amd64.iso as boot media
    Networking port 0 = physical port 1
    Networking port 1 = single server private network
    default keymap
    no manual modifications
    No vlans
    WAN=xn0 - Xen port 0
    LAN=xn1 - Xen port 1
    Set LAN IP address to
    no gateway, no IPV6
    enable DHCP server, range -
    don't revert webconfigurator to HTTP

    open Ubuntu 16.04 desktop VM
    Network assigned address
    open Firefox, direct to
    accept insecure certificate
    start webconfigurator setup
    hostname and domain at defaults
    set primary DNS, secondary
    override DNS checked
    set timezone
    leave WAN/LAN settings as is
    Set admin password
    open CLI on Ubuntu VM,
    ifconfig -
    ping Google.com - no reply.
    Firewall/NAT/Outbound - disable outbound NAT
    ping google.com - get reply.
    open webpage to google.com - "connecting to google.com" - connection times out.

    There's a notice on the webconfigurator
    Filter reload: There were errors loading the rules: /tmp/rules/debug:18: cannot define table bogonsv6: cannot allocate memory.

    So... why does the default configuration not allow for outbound communication?
    After disabling outbound NAT rules, PING works but the web browser doesn't.

    What else needs to be edited to allow for full outbound communication?

  • LAYER 8 Netgate

    Probably the checksum stuff.

    The easiest thing to do is to install a new one fresh, reboot it, go into single-user mode and add this to /boot/loader.conf.local:


    You can probably also do this at the shell prompt if you open one after the install is done instead of rebooting to single user mode.

    Reboot again and run through the setup. You will notice you have reX NICs now instead of xnX NICs.

    See if that works closer to how you expect.

    You can disable checksumming on the VMs that have PV NICs but I have to dig it up. This is easier to try first.

  • LAYER 8 Netgate

    @chaosmstr said in Xen, pfSense, no web connections.:

    Filter reload: There were errors loading the rules: /tmp/rules/debug:18: cannot define table bogonsv6: cannot allocate memory.

    Yeah. There's a reason that notice is there. It needs to be fixed.

    That should not be the case if you are using version 2.4.3_1. If you are not, why not?

    You can increase the Firewall Maximum Table Entries in System > Advanced, Firewall & NAT. Use 400000 there.

  • 2.4.3 is what is available as an ISO on the dl servers... from what I can see.

    Thank you, the disable_pv_nics worked. It also allowed me to run the update to 2.4.3_1.

    Now, off to bigger and better things!

  • LAYER 8 Netgate

    Right, you have to upgrade CE to 2.4.3-p1. I don't think this info has been refreshed on the new forum yet. There are other threads on it.

    Here are the basics for what you need to do for the PV NICs:

    Install it, shut it down. Add the NICs you want, then in XenServer:

    Get the VM's uuid
    # xe vm-list name-label="pfSense B" | grep "^uuid" | awk '{print $NF}'


    Get the UUIDs for the NICs
    # xe vif-list vm-uuid="43fdd0da-73ca-22c0-97f6-0ac47ae82360" | grep "^uuid" | awk '{print $NF}'


    Turn off the checksum checking in the NICs. Run this for all of them:
    # xe vif-param-set uuid=6c9cb724-705a-0449-2176-505dd332431d other-config:ethtool-tx="off"

    Boot the VM and the traffic in should flow through fine on the PV NICs.

    The other major caveat is the HV NICs (reX) support altq shaping. The PV NICs (xnX) don't.
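The three xe steps above, scripted as an added example (not from the thread or from Netgate): it looks up the VM by name-label, sets other-config:ethtool-tx="off" on every VIF the VM has, and reads each value back with xe vif-param-get, which is a real xe command the thread does not show. It assumes it runs in the XenServer host's dom0 shell, with the VM already shut down; the script file name in the final guard is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: disable TX checksum offload on every VIF
# of one VM (the thread's per-VIF "xe vif-param-set ... ethtool-tx=off" step),
# then read each value back. Assumed to run in the XenServer host's dom0 shell.
set -eu

# Pull the uuid out of "uuid ( RO) : ..." lines, as the thread's grep/awk does.
extract_uuids() {
    grep '^uuid' | awk '{print $NF}'
}

# $1 = VM name-label. Fails unless exactly one VM carries that name.
vm_uuid_for() {
    name=$1
    set -- $(xe vm-list name-label="$name" | extract_uuids)
    [ $# -eq 1 ] || { echo "expected one VM named '$name', found $#" >&2; return 1; }
    printf '%s\n' "$1"
}

# $1 = VM uuid. Sets ethtool-tx=off on each VIF, verifies it with
# xe vif-param-get (a real xe command, though not one the thread shows),
# and prints how many VIFs were changed. The VM must be shut down first;
# the setting is applied when the VIF is next created, i.e. on VM boot.
disable_tx_csum() {
    n=0
    for vif in $(xe vif-list vm-uuid="$1" | extract_uuids); do
        xe vif-param-set uuid="$vif" other-config:ethtool-tx="off"
        got=$(xe vif-param-get uuid="$vif" param-name=other-config param-key=ethtool-tx)
        [ "$got" = "off" ] || { echo "VIF $vif: ethtool-tx is '$got', not off" >&2; return 1; }
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no VIFs found for VM $1" >&2; return 1; }
    echo "$n"
}

main() {
    uuid=$(vm_uuid_for "${1:-pfSense B}")   # default is the thread's VM name
    n=$(disable_tx_csum "$uuid")
    echo "ethtool-tx=off set on $n VIF(s) of $uuid; boot the VM for it to take effect"
}

# Placeholder file name: main only runs when the script is executed under it,
# so the functions can also be sourced.
case "${0##*/}" in disable-xen-tx-csum.sh) main "$@" ;; esac
```

Run it as `sh disable-xen-tx-csum.sh "pfSense B"` after shutting the VM down, then boot the VM; a read-back that is not "off" makes the script stop with a non-zero exit instead of silently booting the VM with offload still on.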
