Hyper-V integration installed with pfSense 2.0.1
-
SO HAPPY to see 2.1-RELEASE is available now. :) Currently running 2.1RC0, but looking to upgrade to the RELEASE. I've tried, unsuccessfully, to create an update/latest edition. Loving pfSense in Hyper-V! Looking forward to moving beyond these incremental 2.1 releases and having the "final" 2.1 edition to troubleshoot with everyone.
nlitend1
-
Admin edit: Removed outdated, incorrect advice others were linking to. Everyone using Hyper-V should be using 2.2 (or newer if available, if you're reading this in the future).
-
AFAIK, you can't use these ISOs as an update source.
As you suggest, I usually make a backup of the config of the current router. Then use the ISO to make a clean install on a new VM (use a fixed size VHD, add 2 synthetic network adapters), give it an unused IP in your LAN, and connect to it using the WebConfigurator and restore the backup config (shut down the existing router before clicking on restore to avoid having duplicate IPs - also make sure to configure MAC spoofing on the VM network card if it applies).
You just have to make sure to match the interfaces to the correct virtual network card, that you assign them the same way you had them on your prior router in the VM Hyper-V config. Or you can edit the config XML file manually.
If coming from a pre-Hyper-V VM with legacy adapters, the config file will have its interfaces named de0, de1, etc.; and it will have an interface mismatch with the synthetic adapters (hn0, hn1, …), so it will prompt you what interface corresponds to which network port. Or you might have to edit the config using the "Assign Interfaces" option in the console menu.
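An added example, not part of the original post or of pfSense itself: one way to do the manual config XML edit described above on a copy of the backup, so WAN and LAN cannot end up on the same or the wrong adapter. The sample XML and the de-to-hn mapping are constructed assumptions; the element names follow the pfSense config.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed backup in the pfSense config.xml layout,
# taken from a VM that used legacy adapters (de0, de1).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>de0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>de1</if><ipaddr>192.168.1.1</ipaddr></lan>
  </interfaces>
  <vlans>
    <vlan><if>de1</if><tag>100</tag><vlanif>de1_vlan100</vlanif></vlan>
  </vlans>
</pfsense>"""

# Assumed mapping; confirm it against the MAC addresses Hyper-V shows for
# each synthetic adapter rather than relying on enumeration order.
IF_MAP = {"de0": "hn0", "de1": "hn1"}

def remap_interfaces(xml_text, if_map):
    """Rewrite <if> under <interfaces>; return (new_xml, changes, leftovers)."""
    root = ET.fromstring(xml_text)
    changes, leftovers, assigned = [], [], set()
    for iface in root.find("interfaces"):
        node = iface.find("if")
        if node is None or node.text not in if_map:
            continue
        new = if_map[node.text]
        if new in assigned:
            raise ValueError(f"{new} mapped to two roles; WAN/LAN would collide")
        assigned.add(new)
        changes.append((iface.tag, node.text, new))
        node.text = new
    # Anything else that still names a legacy NIC (VLAN parents, etc.) is
    # reported for manual review instead of being rewritten blindly.
    for elem in root.iter():
        text = (elem.text or "").strip()
        if any(text == old or text.startswith(old + "_") for old in if_map):
            leftovers.append((elem.tag, text))
    return ET.tostring(root, encoding="unicode"), changes, leftovers

if __name__ == "__main__":
    new_xml, changes, leftovers = remap_interfaces(SAMPLE_CONFIG, IF_MAP)
    for role, old, new in changes:
        print(f"{role}: {old} -> {new}")
    for tag, text in leftovers:
        print(f"review <{tag}>: still references {text}")
```

Leftover VLAN entries are only reported because, as noted later in this thread, the synthetic hn driver does not handle VLAN trunks, so those need a decision rather than a rename.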
-
Hi!
I'm still on 2.0.3 with no problems so far (except NTP time client errors appearing during the boot process sometimes).
Can anybody comment on how stable the 2.1 release is at this moment?
Essentially, are interfaces working properly with the traffic shaper in 2.1? Are NTP errors still appearing during boot?
Thanks in advance for all the Hyper-V compiled images!
-
ICMP on the WAN side doesn't work for me.
I've created a new rule in the firewall, but it doesn't seem to work.
Does someone have the same problem?
-
I'm up and running with pfSense on Hyper-V 2012. Here is my question: I've enabled trunk mode on the Hyper-V NIC and pfSense doesn't seem to want to see that as a VLAN-capable interface. So my question is, with 2.1 is there an easy fix for that? Is that feature coming in 2.2?
-
gemmiu,
ICMP on the WAN side is working fine for me, using a rule as described in http://www.cdavis.us/wiki/index.php/Allow_WAN_ICMP_requests_with_pfsense.
darkytoo,
As you point out, the synthetic driver doesn't seem to support vlans (you'd have to specify a single vlan in the host). It would be up to the FreeBSD team working on the integration services drivers to add this functionality to the codebase, and for it to make it into pfsense (far too early to talk versions).
(Just to write it down, since it's an interesting nugget of info for future use) By "enabled trunk mode", I'm guessing you mean you used PowerShell to configure the vnic and vlans being passed to the VM? As described in VLAN Tags and Hyper-V Switches:
Add-VMNetworkAdapter -SwitchName Switch -VMName "VmName" -Name "TrunkNic"
Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "100,101" -VMName "VmName" -VMNetworkAdapterName "TrunkNic" -NativeVlanId 1
-
gemmiu,
ICMP on the WAN side is working fine for me, using a rule as described in http://www.cdavis.us/wiki/index.php/Allow_WAN_ICMP_requests_with_pfsense.
darkytoo,
As you point out, the synthetic driver doesn't seem to support vlans (you'd have to specify a single vlan in the host). It would be up to the FreeBSD team working on the integration services drivers to add this functionality to the codebase, and for it to make it into pfsense (far too early to talk versions).
(Just to write it down, since it's an interesting nugget of info for future use) By "enabled trunk mode", I'm guessing you mean you used PowerShell to configure the vnic and vlans being passed to the VM? As described in VLAN Tags and Hyper-V Switches:
Add-VMNetworkAdapter -SwitchName Switch -VMName "VmName" -Name "TrunkNic"
Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "100,101" -VMName "VmName" -VMNetworkAdapterName "TrunkNic" -NativeVlanId 1
Correct. Basically I have an ESX server here specifically to host pfSense due to the VLAN trunking issue and the compatibility. Now that the compatibility has been ironed out for the most part, I was hoping to remove ESX and host it on Hyper-V. So I enabled the VLAN trunking in PowerShell and see that the trunking doesn't work anyway, little aggravating. I spent a couple of hours trying to find an alternative with the pfSense features that would be more compatible and failed, so now I'm going to try and pare down my VLAN usage and just add a bunch of NICs to the VM and limp along until I find an alternative or the issue is fixed in pfSense.
-
I am having a horrible time with the clock on 2.1 on Hyper-V. It appears to be moving much faster than actual time (a.k.a. gains about 8 hours every day and therefore the time is getting farther and farther ahead every day). I have checked the NTP service and it loads and runs. It appears to work for a few minutes after boot and then gives me the unreach/pending error under status. Restarting the service does not seem to help.
I have tried the default time servers, and many others, with no noticeable differences. Any advice?
nlitend1
-
With 2.0.3, I used to see variations of 1/2 hour or more sometimes using pool.ntp.servers (even when I changed to using 1.us.pool.ntp.org, 2.us.pool.ntp.org, etc.). I ended up changing pfsense to use NIST NTP servers in the US (use the closest to you first, add a couple for good measure). This seemed to solve the problem with 2.0.3 and I haven't had issues with 2.1 so far.
Being in the West Coast, I ended up using nist1-la.ustiming.org time-nw.nist.gov nist1-chi.ustiming.org nist1-ny.ustiming.org 1.us.pool.ntp.org (added 1.us.pool.ntp.com for good measure, but it shows as an outlier in the pfSense NTP status page). If in another country/continent, you might need to use a more reliable nearby list (or try a country specific list from pool.ntp.org)
I'm using the same NTP servers on the AD server, and the Hyper-V host is set to sync to the AD Infrastructure (it might be better to have the Hyper-V host sync to the NTP servers directly). Also, a common recommendation when you have a virtualized AD is to turn off guest VM time sync in Hyper-V for the AD VM, but that is not recommended by MS. More info at Ben Armstrong’s Virtualization Blog - Time Synchronization in Hyper-V.
{Edit to add link to Ben Armstrong’s Virtualization Blog}
-
Hello!
Thanks for sharing the virtual machine with the Integration Services, but it still seems to be unstable. I have a 50Mb internet link here, and when I do a speed test pfSense restarts. I use FW + Squid (NTLM) + squidGuard + OpenVPN here; the virtual machine has 10GB of memory and 8 processors.
The problem always occurs when you have a high traffic internet, restart all the time, if I switch to version "stable" for the problem to occur, but must use the legacy network.
know how to fix?
Thanks, sorry for my English.
-
Try and give us more details on your HW and host, so someone with a similar setup might help (and so when developers/testers read this thread, they know what to look for).
What CPU family and model? It sounds like an octa-core. How much memory assigned to pfSense? What OS on the host? What network card? Is it teamed? What type of teaming technology (for example, Broadcom BACS/BASP, Intel ANS, or Win 2012 LBFO)? VLANs? Are you using VMQ and/or SR-IOV? Any other hardware acceleration options in use?
Just a stab in the dark. If your network card supports it, you might want to try with and w/o hardware acceleration, to see if that has an impact.
-
I am having a horrible time with the clock on 2.1 on Hyper-V. It appears to be moving much faster than actual time (a.k.a. gains about 8 hours every day and therefore the time is getting farther and farther ahead every day). I have checked the NTP service and it loads and runs. It appears to work for a few minutes after boot and then gives me the unreach/pending error under status. Restarting the service does not seem to help.
I have tried the default time servers, and many others, with no noticeable differences. Any advice?
nlitend1
Well it appears to be a weird issue/conflict with traffic shaping. Does anyone have traffic shaping (particularly HFSC) working in pfSense on Hyper-V and have NTP working?
NTP syncs just fine without traffic shaping enabled.
To enable traffic shaping (as previously discussed on page 6 of this thread) you need to add "hn" to /etc/inc/interfaces.inc in order to get the interfaces to show up for traffic shaping. The single LAN multi-WAN wizard completes just fine, however after the changes are applied, all new connections don't work… aka, cannot browse to any new webpages etc. I found out that specifying the bandwidth of the LAN interface (in my case 1000Mb/s) seemingly fixes that issue and allows new connections to be made. At that point status->queues shows traffic being routed correctly. However, NTP is broken at that time and NTP status is then unreach/pending. I have tried numerous external NTP servers and even set up my local server as an NTP server to test and it does not work locally either.
Any ideas? Thanks.
nlitend1
-
Try and give us more details on your HW and host, so someone with a similar setup might help (and so when developers/testers read this thread, they know what to look for).
What CPU family and model? It sounds like an octa-core. How much memory assigned to pfSense? What OS on the host? What network card? Is it teamed? What type of teaming technology (for example, Broadcom BACS/BASP, Intel ANS, or Win 2012 LBFO)? VLANs? Are you using VMQ and/or SR-IOV? Any other hardware acceleration options in use?
Just a stab in the dark. If your network card supports it, you might want to try with and w/o hardware acceleration, to see if that has an impact.
Hardware Configurations:
S.O. Windows 2012 STD
Host Hyper-v
PowerEdge 420
2. Xeon E5-2430 8.4 Ghz
98 Memory
12 Network Adapters Broadcom NetXtreme Gigabit Ethernet
Virtual Machine
30GB HDD
10GB Memory
3 Network Adapters Broadcom NetXtreme Gigabit Ethernet (dedicated) VMQ Disable
Today I installed pfSense on physical machine, it worked perfectly. The problem is I have about 20 servers on Hyper-V, need to fix this problem, whenever I test speed and high traffic, the server shuts down by itself.
Thanks,
dcgoes
-
I have been testing the release build under Hyper-V Server 2012. There have been a few issues.
First, it is randomly crashing and rebooting. The crash log reports a kernel panic due to a sleeping thread. I'm not sure what to do to fix that. If that was the only issue, I could probably live with it.
The main issue I'm having is that when it reboots due to the crash, the interfaces are switching. For example, I set WAN to hn0 (mac xx::45), LAN to hn1 (mac xx::46). When it reboots, it is changing hn0 to the interface with mac xx::46 and hn1 to the interface with mac xx::45. So I have to reassign the interfaces. Does anyone know why it would do this or how to ensure that hn0 stays with a specific virtual network interface?
The last thing I've noticed, is that if the WAN is set to hn1, when the DHCP lease is ready to renew, it only does it for hn0 regardless of how I have the interfaces assigned. The LAN interface (set to hn0) will get a DHCP lease from the local DHCP server. Yes, it is set for static IP of 192.168.1.1, but when this happens, it will change to say 192.168.1.196.
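An added example, not from the original post: a check that could run after each boot to detect the hn0/hn1 swap described above by comparing each interface's MAC against a recorded binding, since firewall rules follow the interface name and a swap puts WAN rules on the LAN adapter. The ifconfig text and the MAC addresses are constructed placeholders.

```python
import re

# Constructed sample of FreeBSD `ifconfig` output after a reboot; the MAC
# addresses are placeholders, not values from the thread.
SAMPLE_IFCONFIG = """\
hn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:15:5d:00:00:46
hn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:15:5d:00:00:45
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

# Expected binding, recorded when the interfaces were first assigned
# (hypothetical values; roles follow the post: WAN on hn0, LAN on hn1).
EXPECTED = {
    "hn0": ("WAN", "00:15:5d:00:00:45"),
    "hn1": ("LAN", "00:15:5d:00:00:46"),
}

def parse_macs(ifconfig_text):
    """Return {interface: mac} for every interface that reports an ether line."""
    macs, current = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        ether = re.match(r"^\s+ether ([0-9a-f:]{17})", line, re.I)
        if head:
            current = head.group(1)
        elif ether and current:
            macs[current] = ether.group(1).lower()
    return macs

def check_bindings(ifconfig_text, expected):
    """Return findings; an empty list means every NIC is where it should be."""
    macs = parse_macs(ifconfig_text)
    by_mac = {mac: name for name, mac in macs.items()}
    findings = []
    for name, (role, mac) in expected.items():
        if macs.get(name) != mac:
            where = by_mac.get(mac, "no interface")
            findings.append(f"{role}: {name} has {macs.get(name)}, expected {mac} (now on {where})")
    return findings

if __name__ == "__main__":
    for finding in check_bindings(SAMPLE_IFCONFIG, EXPECTED):
        print("MISMATCH", finding)
```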
-
I have the version pfSense-LiveCD-2.1-BETA1-amd64-hyperv-kernel-20130119-0948 installed on two 2008 R2 Datacenters and as I posted above had reboot issues with it. I was looking at the System Logs at about the time it rebooted to see if there was anything to point me in the right direction and I noticed the familiar "RRD graphs responding to fast" and thinking that the version pfSense-LiveCD-2.0.3-PRERELEASE-amd64-hyperv-kernel-20130119-0048 had no RRD graphs unless reinstalled I thought perhaps there is a connection.
So I disabled RRD graphs in each of the installs and have been running for over 24 hours without a single hiccup.
Before trying this both routers wouldn't make it an hour without rebooting.
I hope this helps.
Hello,
I have exactly the same problem. My pfSense crashes, and I have to reboot the VM for pfSense to work again.
I am on 2012 too.
Anyone have an idea?
Best regards
Julien
-
I don't know whether my pfSense reboots automatically after a system crash or my VM reboots, but I don't need to do anything manually when that happens.
It runs on Windows Server 2012.
-
I am having a horrible time with the clock on 2.1 on Hyper-V. It appears to be moving much faster than actual time (a.k.a. gains about 8 hours every day and therefore the time is getting farther and farther ahead every day). I have checked the NTP service and it loads and runs. It appears to work for a few minutes after boot and then gives me the unreach/pending error under status. Restarting the service does not seem to help.
I have tried the default time servers, and many others, with no noticeable differences. Any advice?
nlitend1
Well it appears to be a weird issue/conflict with traffic shaping. Does anyone have traffic shaping (particularly HFSC) working in pfSense on Hyper-V and have NTP working?
NTP syncs just fine without traffic shaping enabled.
To enable traffic shaping (as previously discussed on page 6 of this thread) you need to add "hn" to /etc/inc/interfaces.inc in order to get the interfaces to show up for traffic shaping. The single LAN multi-WAN wizard completes just fine, however after the changes are applied, all new connections don't work… aka, cannot browse to any new webpages etc. I found out that specifying the bandwidth of the LAN interface (in my case 1000Mb/s) seemingly fixes that issue and allows new connections to be made. At that point status->queues shows traffic being routed correctly. However, NTP is broken at that time and NTP status is then unreach/pending. I have tried numerous external NTP servers and even set up my local server as an NTP server to test and it does not work locally either.
Any ideas? Thanks.
nlitend1
Well I figured out a workaround to my issue of horrible clock timing and NTP not working. I changed the kern.timecounter.hardware=TSC to kern.timecounter.hardware=i8254 in advanced>system tunables.
That allowed NTP to work correctly with traffic shaping. I do get the never-ending calcru message in the console… but it's seemingly "harmless" to overall function.
Info was from this thread:
http://forums.freebsd.org/showthread.php?t=14924
-
I've been using kern.timecounter.hardware=TSC for ages and never got a calcru message after that.
I'm still on Server 2012 and pfSense 2.0.3.
Yesterday I changed my NTP time server to my Win Server 2012 (local IP address) and the NTP message hang at boot seems to have gone away.
-
I've been using kern.timecounter.hardware=TSC for ages and never got a calcru message after that.
I'm still on Server 2012 and pfSense 2.0.3.
Yesterday I changed my NTP time server to my Win Server 2012 (local IP address) and the NTP message hang at boot seems to have gone away.
Right. TSC does get rid of the calcru message and I was using that prior to setting up traffic shaping. However, if you want to use traffic shaping and still have an accurate clock, TSC can't be used because it essentially breaks the NTP server and the clock is never right after that.