pfSense 2.0.1 and VirtualBox



  • I've been reading how-tos and watching videos for the last couple of days and I just can't quite get this right.

    What I have now is a physical system with pfsense 2.0.1 that has been running for quite some time.  I'd like to move it to my VirtualBox system and power down the physical box.  Current network is this:

    Cable modem in bridge mode  -  pfsense box with 2 NICs.  WAN port to the modem, LAN port to the switch.  WAN port is assigned a static IP, LAN port is also static, 192.168.0.1

    The VirtualBox system also has 2 NICs.  One (eth0) is assigned an internal static IP - 192.168.0.2, the other (eth1) would be the potential WAN port but has no assigned IP at this point. All of the virtuals on this system are bridged to the internal IP.  I would have to switch the modem cable to the unused port on the VirtualBox system.

    So far, the virtual pfSense comes up and I've been able to get into the dashboard and do everything I need to do.  The only thing I can't get working is the WAN port.  The host OS on the system is CentOS 6.3.  For the life of me, I cannot figure out what IP address to assign to the new WAN port (eth1) on the physical side. I have it configured to host-only in VirtualBox for the pfSense virtual.
    How should the physical NIC (eth1) be configured for an external static IP?

    Hope I explained that right.
    Any pointers would be appreciated.



  • Is your VirtualBox new enough to support PCI Passthrough? Is the CPU sufficiently capable to support PCI passthrough?
    If yes to both, I would configure VirtualBox to "pass through" the currently unused NIC to pfSense (meaning pfSense has exclusive use of the NIC) and then configure the "WAN static IP" on the pfSense WAN port.



  • The CPU is an AMD Phenom II X6 1055T, so I'd hope the CPU was powerful enough. There are a total of 3 VMs running.  4 when pfSense is going.
    The VirtualBox version is 4.2.4 r81684, which I think is the latest version.

    OK, so don't assign an IP to eth1 on the physical hardware?  Just leave it unassigned and then assign the WAN static on em1 in the pfsense virtual?



  • @derwood:

    The CPU is an AMD Phenom II X6 1055T, so I'd hope the CPU was powerful enough.

    It is not a matter of CPU power - it is whether the CPU has the necessary "hardware assists" to support PCI device passthrough. Off hand I don't remember the capability name.

    @derwood:

    OK, so don't assign an IP to eth1 on the physical hardware?  Just leave it unassigned and then assign the WAN static on em1 in the pfsense virtual?

    Yes, but you will probably have to tell VirtualBox that eth1 is to be "passed through" to the pfSense VM. Sorry I can't be more specific. It is a while since I read about the mechanism, and since I haven't used it yet I don't recall the details. If I recall correctly, a search in the VirtualBox User Manual for "pci passthrough" should turn up some explanation of the configuration steps and name of the CPU capability.



  • @wallabybob:

    @derwood:

    The CPU is an AMD Phenom II X6 1055T, so I'd hope the CPU was powerful enough.

    It is not a matter of CPU power - it is whether the CPU has the necessary "hardware assists" to support PCI device passthrough. Off hand I don't remember the capability name.

    @derwood:

    OK, so don't assign an IP to eth1 on the physical hardware?  Just leave it unassigned and then assign the WAN static on em1 in the pfsense virtual?

    Yes, but you will probably have to tell VirtualBox that eth1 is to be "passed through" to the pfSense VM. Sorry I can't be more specific. It is a while since I read about the mechanism, and since I haven't used it yet I don't recall the details. If I recall correctly, a search in the VirtualBox User Manual for "pci passthrough" should turn up some explanation of the configuration steps and name of the CPU capability.

    OK, I read up on it. First, the PCI Passthrough is a VirtualBox extension that has to be installed.  Then, the motherboard has to have an IOMMU, and the CPU has to support the IOMMU, which must be enabled in the BIOS.  Plus the Linux kernel has to be 2.6.31 or higher, and has to have IOMMU support compiled in.  The VM has to support VT-x or AMD-V nested paging.  The last problem is that support with PCI Express cards is spotty.  The NIC is PCI Express so this is probably not going to work for me.

    Is there some other way to get this working?  I just need to know how to set up the physical NIC (eth1) on the server.  Does it need an IP?  Just a bogus internal IP?



  • You could set up eth1 to be bridged in the VirtualBox host with the pfSense WAN interface and assign the static IP address to the pfSense WAN interface.

    I presume the static IP address under consideration is a public IP address and you have only the one public IP address. Correct?

    I suspect you don't want the VirtualBox host to be doing too much with the traffic from the Internet before that traffic gets into pfSense (else why have pfSense?) The PCI passthrough suggested earlier provides more isolation between the VBox host and the Internet. If you put your public IP address on the VBox interface then you allow traffic from the Internet direct access into the VBox host which (unless there is something you have not yet written about) means pfSense provides considerably reduced protection.

    @derwood:

    The last problem is that support with PCI Express cards is spotty.  The NIC is PCI Express so this is probably not going to work for me.

    I suspect that in the PCI Passthrough section of the manual PCI includes PCI Express. It is not clear to me that the software will see some significant feature on a PCI Express device that isn't also on a PCI device.

    Why do you want to do this? Would you still want to do what you propose if it diminished your "security"?



  • @wallabybob:

    I presume the static IP address under consideration is a public IP address and you have only the one public IP address. Correct?

    Correct. I have a /30 from Time Warner.

    @wallabybob:

    I suspect you don't want the VirtualBox host to be doing too much with the traffic from the Internet before that traffic gets into pfSense (else why have pfSense?) The PCI passthrough suggested earlier provides more isolation between the VBox host and the Internet. If you put your public IP address on the VBox interface then you allow traffic from the Internet direct access into the VBox host which (unless there is something you have not yet written about) means pfSense provides considerably reduced protection.

    Also correct.  I'm just trying to virtualize the pfSense system to reduce power consumption.  The VBox system has plenty of CPU and memory for this.  This also isn't some major production environment.  This is my setup at home that I use as a lab for educating myself plus some light hosting activity.

    @wallabybob:

    I suspect that in the PCI Passthrough section of the manual PCI includes PCI Express. It is not clear to me that the software will see some significant feature on a PCI Express device that isn't also on a PCI device.

    Why do you want to do this? Would you still want to do what you propose if it diminished your "security"?

    Quoted from the VirtualBox manual about PCI Passthrough:
    "Essentially this feature allows to directly use physical PCI devices on the host by the guest even if host doesn't have drivers for this particular device. Both, regular PCI and some PCI Express cards, are supported. AGP and certain PCI Express cards are not supported at the moment if they rely on GART (Graphics Address Remapping Table) unit programming for texture management as it does rather nontrivial operations with pages remapping interfering with IOMMU. This limitation may be lifted in future releases."

    I don't know how that works for the NIC. It's an Intel, but I'm not enough of a programmer to know whether the card would be supported or not.  However, it's all moot because the motherboard does not have an IOMMU.
    Like I mentioned above, I'm kind of doing this just to see if it can be done.  Plus, to reduce power consumption from the systems I have in my rack here.



  • Thanks for the additional information.

    @derwood:

    I have a /30 from Time Warner.

    As previously suggested, in VirtualBox I would bridge the physical NIC available for connection to the modem and an emulated interface available to pfSense. That emulated interface will become the pfSense WAN interface and be assigned your public static IP. Thus pfSense will talk with your modem over the software bridge in VirtualBox and the "eth1" physical NIC.
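The host-side wiring for the bridged setup described in this thread, as an added example that is not part of the original posts. It assumes (none of this is stated in the thread) that the VM is named "pfSense", that guest adapter 1 is the LAN NIC bridged to host eth0 and guest adapter 2 is the WAN NIC bridged to host eth1, and that the host is CentOS 6 using ifcfg files. The functions only print the ifcfg file, the VBoxManage commands and the host firewall rules, so they can be reviewed before anything is applied; the last function checks `ip -o addr show eth1` output to confirm the host ended up with no address on the WAN NIC.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: VM "pfSense",
# LAN = guest nic1 on host eth0, WAN = guest nic2 on host eth1, CentOS 6 host.

VM_NAME="${VM_NAME:-pfSense}"   # assumed VM name
LAN_IF="${LAN_IF:-eth0}"        # host NIC carrying the 192.168.0.0/24 LAN
WAN_IF="${WAN_IF:-eth1}"        # host NIC cabled to the modem; gets NO host IP

# /etc/sysconfig/network-scripts/ifcfg-eth1: link up at boot, no IPv4
# address, and IPv6 off so SLAAC cannot hand the host a global address on
# the modem segment behind pfSense's back.
wan_ifcfg() {
  cat <<EOF
DEVICE=$WAN_IF
ONBOOT=yes
BOOTPROTO=none
NM_CONTROLLED=no
IPV6INIT=no
IPV6_AUTOCONF=no
EOF
}

# Both guest NICs bridged (the WAN one must not stay host-only).
# 82540EM is the Intel PRO/1000 model, which pfSense/FreeBSD names em0/em1.
vbox_commands() {
  printf 'VBoxManage modifyvm "%s" --nic1 bridged --bridgeadapter1 %s --nictype1 82540EM\n' "$VM_NAME" "$LAN_IF"
  printf 'VBoxManage modifyvm "%s" --nic2 bridged --bridgeadapter2 %s --nictype2 82540EM\n' "$VM_NAME" "$WAN_IF"
}

# Defence in depth: the bridged host NIC still sees every frame from the
# modem, and with no address the host stack should not answer, but drop
# anything addressed to the host on that interface anyway.
host_firewall_commands() {
  printf 'iptables -I INPUT -i %s -j DROP\n' "$WAN_IF"
  printf 'ip6tables -I INPUT -i %s -j DROP\n' "$WAN_IF"
}

# Post-check. Pass the output of `ip -o addr show "$WAN_IF"`; returns 0 when
# no inet/inet6 address is present on the WAN NIC.
wan_has_no_address() {
  ! printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]'
}

# Stand-alone run: print everything for review.
wan_ifcfg
vbox_commands
host_firewall_commands
```

After applying the ifcfg and running the VBoxManage lines with the VM powered off, the public /30 address goes on em1 inside pfSense, exactly as on the physical box; the host keeps 192.168.0.2 on eth0 only. If the cable modem has cached the old pfSense box's MAC address (an assumption about the ISP, not something the thread confirms), `--macaddress2` on the WAN adapter can reuse it instead of power-cycling the modem.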

