Pfsense with XEN

Dortje

Does pfsense run with Xen as DomU (Guest), does it need any modification to the kernel or anything like that? sullrich wrote some day that maybe with 6.2 (which pfsense later snapshots are based on) will support it, so does anyone have some information on that?

sullrich

FreeBSD 6.2 does not have xen support as of yet.  It's not possible unfortunately without kernel modifications, etc.  And honestly I have never even touched Xen so I wouldn't be of much help.

Dortje

Okay i see. Is there any way to (para)virtualize pfsense and make it run besides other operation systems on the same hardware? Its just that the idea of having a firewall running with dedicated nics on the same machine as some server services do is pretty amazing. But i dont want to switch to ipcop or some other linux based firewall for that.

billm

@Dortje:

Okay i see. Is there any way to (para)virtualize pfsense and make it run besides other operation systems on the same hardware? Its just that the idea of having a firewall running with dedicated nics on the same machine as some server services do is pretty amazing. But i dont want to switch to ipcop or some other linux based firewall for that.

vmware, parallels, xen on modern hardware that supports virtualization in the processor, ms virtual pc (although there are comments that it doesn't work quite so well)

–Bill

simoncpu

I have tried running FreeBSD 7 as a domU on top of a Fedora Core dom0.  Theoretically, pfSense can be run as a domU using a xenofreebsd kernel.  As it is still experimental, we can't expect it to be stable enough for production use.

AFAIK, xenofreebsd only runs on i386; there's no amd64 port yet.  For more details, kindly check http://www.fsmware.com/.

[ simon.cpu ]

Psymon

pfsense and bsd distros don't work on hvm full virtualization domains, the BTX loader fails booting from virtual cdrom (device or iso) or virutal hard disk; howover i tested that it works fine on a standar qemu on a normal machine, i'm still testing methos for make them boot properly or import an hard disk image with a different boot manager, i'll make you know if i make any advance.

Regards.

Dortje

Great to hear. But qemu wouldnt be of any advantage compared to VMware, right? When it comes to performance they should be equal as far as i know. XEN would be much better. I will also try to get more into this this weekend.

simoncpu

@Psymon:

pfsense and bsd distros don't work on hvm full virtualization domains, the BTX loader fails booting from virtual cdrom (device or iso) or virutal hard disk; howover i tested that it works fine on a standar qemu on a normal machine, i'm still testing methos for make them boot properly or import an hard disk image with a different boot manager, i'll make you know if i make any advance.

Regards.

I have googled for info on HVM, and it seems that some people have success with it.  My amd64 workstation boxes don't support SVM though, so I'll have to wait for our test servers to become available before I can experiment… :)

[ simon.cpu ]

tec

Okay, want to give a small update for this Topic.
According to a previos post which states that FreeBSD does not run on HVM Domains I disagree. Right now i finished installing a Pfsense-1.2RC2 installation in HVM Domain. The networdcars are reported es ed0 and ed1. Will keep you updated. Of course you need an VT oder Pacifica enabled CPU.
Cheers

outsidre

Any details on how you did the install?
Was it a straight forward install like any other HVM domain, or did you have to pull any tricks to get it to install?
Did you pass the network cards directly to the HVM domain, or are they virtualized nics?

tec

Install:
created Xen-HVM Domain. The importand thing here is, that you first two Network Bridges. These Bridges are then passed to the HVM Domain.
Then install the HVM Domain from a downloaded ISO File.
Right now it is not possible to pass directly the NICs to HVM-Domain it works only with PVM if the Kernel in PVM-Domain supports the PCI-Backhide Function.  But what you can do is, that you assign in youd Dom-0 the appropriate Nics exclusive to the Bridges. Oh before I forgot, right now there is the limitation of 3 virtual Interfaces per DomU.
Hope this Helps
Regards Marco

outsidre

That's what I was thinking… Just wanted to ask to make sure I was on the right path.
I am getting a quad nic card in the next few days, and will be trying this out. I'm running xen 3.1, so should have no problem with 4 network interfaces.

As for the limitation of 3 virtual network interfaces, you should upgrade to XEN 3.1. The limit has been increased to 8 network interfaces.
http://wiki.xensource.com/xenwiki/XenFaq#head-9896478cf65a16f43ab4fb066f74c0e0d67a16ac

Joris

I was also very interested in this setup (pfSense is just great!), unfortunally I do get the BTX error that psymon already mentioned. Since I did read someone never finished vmxassist on the Intel, my question is what hardware platform are you running (AMD I guess?) a HVM FreeBSD?

• Joris

sullrich

Try checking "Use grub" on the installer bootblocks screen during installation.

Joris

I don't get the option to do anything. I cannot seem to get the ISO file started.
Can anyone help me on a disk image that uses the grub bootloader? Is vmware the way to go and transfer the disk image?
Already many thanks in advance…

outsidre

I don't know about the other guys, but my server is an Athlon64 X2 4000+ with 3 gigs ram running a SuSE10.3 Dom0, with Xen 3.1.0_15042
I chose "Other" as my environment in the setup wizard ('virt-manager'), and was able to install pfSense as a HVM (full virtualization) without a problem. No error messages came up, and the iso booted and installed on the virtual HD just fine. I created 2 virtual network cards (both of which were bridged to the since real nic) and assigned them as WAN and LAN without problems.
I now have pfSense running and am able to play with it.

What version of XEN are you running? What dom0 OS? What architecture (Intel I presume?)

@Joris:

I was also very interested in this setup (pfSense is just great!), unfortunally I do get the BTX error that psymon already mentioned. Since I did read someone never finished vmxassist on the Intel, my question is what hardware platform are you running (AMD I guess?) a HVM FreeBSD?

• Joris

heiko

BTW…

Intel and AMD doesn´t have the same architecture....

Intel designed VT in a strange way, such that only protected mode instructions are allowed or be virtualized.
Anything done in real mode must be emulated...every instruction. The Xen and KVM folks have emulated enough to get things working, but have not handled every instruction, including apparently some of the fancy (VBE?) graphics isolinux (Ubuntu CD´s for example), and in my tests FreeBSD's btx loader also has problems with Intel VT.

For reference, AMD's SVM analogue does, in fact, virtualize real mode instructions on the processor, and I'm able to boot all install CD's just fine on an AMD machine. Maybe, this is an Intel VT problem.....

Joris

My system is an Intel Core 2 Duo E6750 with 8 GB, with Gentoo 2007.0 running Xen 3.1.2, all AMD64 software.
Indeed, I think the differences between AMD SVM and Intel VT-x are the main problem in my case. Unfortunally most of the world has problems with FreeBSD on Xen (on Intels I believe). It seems that the emulation is called vmxassist (or vmx_assist) and was broken at some point, but the author is not really interested into fixing that any more (probably has other priorities).

Hence I like to give Grub a try, but unfortunally the ISO files use the BTX loader and I cannot get them running. I'll try to get it installed on vmware with grub and hope to get it working. If I have some success, I will let you know…

jhavers

Hi all,

After a long search for Linux compatible hardware I ordered a new system for my new CentOS / XEN server. It is Intel based (P35 chipset with ICH9R and Core 2 Duo E6750 processor). I chose this because I needed good support for my SATA drives (fast access for Mail & File server in guest domains). In another guest domain pfsense was planned.

From this tread I make up that Intel is not the right hardware voor a XEN server. I still have a change to cancel or change my order. Can anyone who got pfsense running in a guest domain tell me their hardware configuration. The components I am interesting in are mainly the motherboard and CPU. Moreover I like to know if the onboard SATA controller, graphics card and nic where recognized by Linux.

Hope to hear from you, I like to have a good XEN server with a cool firewall for the comming 3 years.
Joost.

Joris

I have the same processor and it seems Intels have broken support for some HVM emulation. Windows runs fine, nevertheless. I use Linux with paravirtualization only.
I bought a system with a G33 (onboard video) and ICH-9R. I use Linux RAID instead of Intel's, but I put the controller in ACHI mode. This allows hotplugging of disks. My board (gigabyte) has 8 sata ports. I did need a recent linux version, like 2.6.20, to get my hard disks recognized (hence Gentoo). I believe Debian Etch has a recent version in backports but did not try. Don't know about RHEL/CentOS or SUSe.
I never got FreeBSD to run on the box, unfortunally. vmWare on Xen is also out of the question. Didn't get qemu to compile too. Trying to get FreeBSD running with Grub at this point…