VMWare VM with 4 ethernet NICs, can it be done?
-
I assume you didn't add a static route to your LAN on this router, did you?
In this case this router does not have a clue that your LAN subnet even exists.
–> It can not answer to anything you send over it. Add a static route on this router pointing to your OPT2 interface for your LAN subnet.
-
Mmmh nope, I did not add anything, no static routes. I am not sure I understand though: do I need to add a route on the 192.168.4.113 router, or on pfSense? If I configure the OPT1 interface to make use of the 192.168.4.113 router it does work ok, so I did not think I would have to modify anything on the router… I did not have to add anything on the other 2 routers for the other 2 connections when I originally set up pfSense, so any hints on what exactly I have to do will be appreciated.
Thanks Gruens!
-
This is what I have on the 192.168.4.113 router (Comtrend) that relates to routing. Traffic for destination 192.168.4.0 goes out on the br0 interface, so I think that should be ok. Otherwise it would not be responding to pings from the pfSense router on 192.168.4.228, would it?
On Advanced Setup -> Routing -> Static Route I have no info.
Thanks!
-
On your WAN you're NATing traffic from the LAN.
Meaning for the "real" router it seems as if the traffic comes from an IP in a known subnet.
On the OPT interface no traffic is NATed.
So for the "real" router the traffic seems to come from an unknown subnet. You can either configure pfSense so it NATs traffic on the OPT interface,
or add a static route on the "real" router (192.168.4.113) with 192.168.4.228 as destination for the subnet 192.168.1.0/24.
-
Now I feel so stupid…
You are completely right. I didn't have a clue that traffic on OPT interfaces was not NATed by default, and I was assuming that if it was working ok on OPT1, it would also work ok on OPT2. What I was failing to remember was that I actually configured it that way when I set up pfSense multi-WAN months and months ago.
So traffic was coming out of 192.168.4.113, but incoming traffic didn't know where to go and was being dropped by the physical router. It was getting traffic for 192.168.1.x IPs, and it was just being discarded.
So I had to go to Firewall : NAT : Outbound, which I have configured for Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)), and there was my solution. I only had rules for WAN and OPT1, and I just copied the rule for OPT1 and created a new one for OPT2.
Changing the ICMP rule to go out on OPT2, tried a "tracert www.google.com", and there it is, working without problems now.
Traza a la dirección www.l.google.com [66.249.93.99] sobre un máximo de 30 saltos:
  1     1 ms     1 ms    <1 ms  192.168.4.113
  2    45 ms    37 ms    37 ms  192.168.153.1
  3    35 ms    35 ms    36 ms  145.Red-81-46-34.staticIP.rima-tde.net [81.46.34.145]
I will do some more testing on Monday but I am sure that this will be it. I can't do too much testing now since it is Friday evening; otherwise if I mess up and have to reboot the router I will have 3 dozen crazy kids yelling at me because they have been kicked out of WOW or lost the DOTA match they were about to win.
Thanks!
Aitor
-
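The two posts above describe a return-path problem: with no outbound NAT on OPT2, the Comtrend router receives replies addressed to 192.168.1.x and has no route for them. A small Python model of that, added here as an illustration (it is not code from this thread or from pfSense; the route tables and interface names are assumptions built from the addresses quoted above):

```python
import ipaddress

# Constructed model of the thread's topology (not pfSense code): LAN 192.168.1.0/24
# sits behind pfSense, whose OPT2 interface (192.168.4.228) talks to the Comtrend
# router (192.168.4.113) on 192.168.4.0/24. Route tables below are assumptions.
PFSENSE_OPT2_IP = "192.168.4.228"
COMTREND_DEFAULT_ROUTES = [("192.168.4.0/24", "br0"),   # connected LAN-side subnet
                           ("0.0.0.0/0", "isp")]       # everything else to the ISP
COMTREND_WITH_STATIC = COMTREND_DEFAULT_ROUTES + [("192.168.1.0/24", PFSENSE_OPT2_IP)]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, via) pairs; returns via or None."""
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def round_trip(lan_src, internet_dst, nat_on_opt2, comtrend_routes):
    """Push one packet from a LAN host out through OPT2 and trace the reply.

    nat_on_opt2 mirrors the Firewall: NAT: Outbound rule for OPT2; without it the
    packet leaves with its private 192.168.1.x source address untouched."""
    nat_state = {}
    wire_src = lan_src
    if nat_on_opt2:
        nat_state[(PFSENSE_OPT2_IP, internet_dst)] = lan_src
        wire_src = PFSENSE_OPT2_IP
    # The reply comes back to the Comtrend addressed to whatever source address the
    # request carried on the wire; the Comtrend must have a LAN-side route for it.
    via = lookup(comtrend_routes, wire_src)
    if via not in ("br0", PFSENSE_OPT2_IP):
        return "reply lost: Comtrend has no LAN-side route for %s (via %s)" % (wire_src, via)
    # Reply reaches pfSense on OPT2; undo NAT if a state entry exists
    final_dst = nat_state.get((PFSENSE_OPT2_IP, internet_dst), wire_src)
    return "reply delivered to " + final_dst


if __name__ == "__main__":
    for nat, routes in ((False, COMTREND_DEFAULT_ROUTES), (True, COMTREND_DEFAULT_ROUTES),
                        (False, COMTREND_WITH_STATIC)):
        print("NAT on OPT2=%s static route=%s -> %s" % (nat, routes is COMTREND_WITH_STATIC,
              round_trip("192.168.1.5", "66.249.93.99", nat, routes)))
```

Either fix (an outbound NAT rule on OPT2, or a static route on the Comtrend) makes the reply deliverable; with neither, the reply follows the default route and is lost.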
btw: why are you running this in a VM?
Wouldn't it be easier to just install pfSense on the hardware itself?
-
Mainly because it is not a dedicated computer, it's a multi purpose WinXP computer that has right now 3 VMs:
- pfSense
- Win98 SE with our custom cybercafe management software
- Debian (file sharing, squid proxy)
I also use often the XP part by using MSTSC, VNC, some web browsing, a couple of programs for file sync, …
I actually gave it a thought on just building a dedicated machine for pfSense, but I am not sure if it would be worth it. It would mean one more computer on 24/7, and I doubt that the performance would be a lot better, ping times would go down but maybe 1ms..? I do not know if I would even notice the difference.
With several old computers laying around I might give it a try just to see if it would be worth it. Makes me wonder if I could run it from a bootable pendrive, so at least I could save myself the HD and its noise/heat.
I have also grown used to VMs over the years for many tasks. It makes it soooo much easier to just back up a full machine, move it to different hardware, and never bother installing too much crap on the main computer. I even have some VMs dedicated to things like Visual Basic 6; I still use it once in a while, and almost every time I needed it it meant reinstalling, so now I just have a VM with VB6 installed that I boot up when I need it, so I will never need to install VB6 on the main computer.
-
From a security point of view it's not such a good idea.
Search the forum, since there are quite a few threads on why running a firewall in a VM is insecure.
I've been running a Windows XP "server" for quite some time too.
Ok, it wasn't a server but just a computer that was running 24/7.
I noticed that about every 20-30 days you HAVE to restart (Windows behaving really, really strange).
I don't know if you run into the same problem.
If you're running pfSense on dedicated hardware you could take some low-power embedded system since you don't seem to use packages.
(Like http://pcengines.ch/alix2c3.htm )
Ping wise…
I don't know. You could run a long-term test through your VM pfSense.
I think I just saw in c't (a German computer magazine) a free piece of software which is capable of displaying ping tests over long periods of time.
If your customers are playing FPSs it would make a difference if they have 100 or 50 ms latency.
-
I am positive that everything would be a bit more secure on dedicated hardware than on virtual machines, but the data I might be keeping is not critical at all. My weakest security would probably be someone just walking to one of the servers since we open 7 days a week and I just won't always be there, the fact that pfSense or any other server/service is running on dedicated hardware or a VM won't make me lose my sleep :)
There are several reasons that could make me switch to a dedicated hardware solution:
- Ping times. I doubt the difference between VM or dedicated would be 100 or 50 ms, but maybe more like 51/52 or 50 ms. I haven't even checked the difference between connecting directly to the DSL routers or going through pfSense and from there to the routers, but if I had to guess I would say that pfSense in the middle doesn't add more than 1/2 ms.
  If you know of any tool to do some tests on latency times I would love to know, since whenever I have done tests on this they have been by hand (ping for x hours and make an average, use a gamer tool like HLSW to make me an average of ping times to a game server over a period of time, etc). If I had a scientific way to say "VM pfSense adds 5 ms to my traffic, dedicated hardware pfSense adds only 1 ms" that would be a good reason to make the switch.
- Good hardware. I once looked into it but didn't find anything that seemed good for me. It is not easy to find this kind of hardware in Spain; I looked at some ITX computers and things like that. The one you linked me to seems great, but they do not seem to have any with 4 LAN ports, which is what I think I would need (I could probably use just 3, yeah, or even one since that is what I am using now with pfSense on a VM). I see it at 98.20E + taxes here in Spain, another 12.20E + taxes for the box; it doesn't seem so bad. It would be about 128E and I would just need a CF card, and I think the power supply, which doesn't seem to be included.
- About two years ago I retired an old P2-266MHz 128MB 2GB HD which was running 98SE with our own management software. I just moved it to a VM on this computer for several reasons: it was one more computer running 24/7, which added up to more wasted electricity, more noise, more dust, more heat, … If I go the other way now with the pfSense router it would make me feel like going backwards. Yeah, I would do it if I had a good reason: better ping times, good hardware like the one above that has low power usage/noise/heat dissipation, etc.
I would love to try more things with pfSense, but my time (and knowledge) is limited. I could try it on a physical computer to see if it improves, I would love to have failover so if one connection fails traffic would be routed over another one, I would like to use it as a proxy with squidguard, or a file server... I just love breaking things that work ok just for the heck of fixing and improving them :)
-
Everything seems to be working just great over here!
I now have the 3 internet connections working off a single pfSense router on a VM, and all with only one physical NIC on the computer. I have one connection for WOW, Warcraft3, Quake3, UT, Guild Wars, Warsow, and some more, another connection for BF2, Steam games, CS, TF2, and a third one with more bandwidth but worse latency for web, IM, and any kind of unknown traffic. I love it! :D
When I have the time I will take a look if it is possible for me to implement failover, so if one connection is offline traffic can be redirected automatically to another one, and I would also like to try to use pfSense on a physical computer, to see if there are good improvements vs running it on VM.
Many thanks!
Aitor