Pfsense kvm guest and host/guest internet connectivity

  • Hi All,

    I have a strange situation at the moment that I have been trying to resolve for some time and I'm hoping there is someone out there who may have come across the same, or similar issue.

    I have a single host running Ubuntu 13.10 with bridged network interfaces living on top of an LACP bond. KVM is configured to use these bridge interfaces for guest connectivity. All guests are using the virtio drivers for NIC/block devices.

    pfsense is up and operational, and if I connect a laptop to the local LAN then I can browse/ping/ftp to devices on the internet.

    However, the host itself and all KVM guests on the local system are only able to ping out on to the internet via the pfsense KVM guest; no other traffic appears to get a response back to the guest via pfsense.

    For example, another guest is able to ping and receive responses to, however, if I try to ftp to I get a connection timed out.

    I can see some states in pfsense relating to the ftp request, but it does not appear to be responding back to the requestor.

    Has anyone come across anything like this? Any pointers/tips would be greatly appreciated.

  • Hi All,

    I was reading through some older posts and came across someone mentioning weird NAT issues with the Virtio drivers when (s)he was testing pfsense in KVM.

    Anyhow, I changed my NIC models to e1000 and everything works as expected now.

    So, it appears there may be an issue with the if_vtnet drivers in the current pfsense version? (I am running v2.1 RELEASE).

    Thanks for reading and I hope this helps someone else down the line

  • I am using pfsense 2.1 on proxmox ve 3.1 which uses KVM.

    I have two physical NICs installed to pfsense - when both are running as VirtIO I do not have http access from LAN. If there is only my WAN NIC in VirtIO mode and the LAN NIC is E1000 everything is working.

    So if you do not have bandwidth problems with the E1000 NICs I would not worry if they can be used as VirtIO or not. Probably newer versions of FreeBSD support VirtIO better.

  • Hello, have you been able to solve this? I'm having this very same problem.

  • Just had the same problem (and it's 2018!)

    After looking online for some time, I found this article that suggests that the problem goes away by disabling hardware checksum offloading in Advanced / Networking:

    I'm going to try it tomorrow and see what happens.

  • Now it's 2019 and this is still a problem :-)

    I have been struggling with this for a week; I couldn't work out why ICMP from the host and another VM through the pfSense VM would work, but nothing else. I could only SSH into the host if I SSH to the pfSense VM first. In order to have the host be able to connect out I installed Squid and set it up as a transparent proxy, but I shouldn't have had to do this.

    Researching, I finally found this thread. I'm replying because I just wanted to say that after I enabled "Disable hardware checksum offload" and pressed save, immediately traffic started flowing to/from the host, and the other VM which had basically been unreachable. No reboot or reconfig or anything else was required.

    I now see it's fairly well documented here..

    Perhaps it would be nice if pfSense could automatically disable hardware checksum offload on the virtio driver/NICs :-)