Pfsense 2.3 on xen server



  • Does anyone tested pfSense 2.3 on xen servers?

    On 2.2 there was a lot of extra steps to disable hardware checksum offload and tx disables on xen vm to get a good network performance.

    I've seen that pfSense dos not include freebsd 10.3 repos by default. What is the recomendation now?


  • Netgate

    I have the diagram in my sig upgraded to 2.3 under XenServer 6.5.

    I am using this in all the /boot/loader.conf.local files and foregoing all the stuff you have to do to get the PV NICs working. I need to be able to test ALTQ and max performance is essentially a non-issue in this virtual lab environment.

    hw.xen.disable_pv_nics="1"
    

    I haven't spent a lot of time in it but I haven't seen anything to indicate any problems.



  • Without guest utilities ?


  • Netgate

    I don't have guest utilities installed.



  • Went through this process myself a few weeks ago and planned on making a topic but never got around to it. oops! This is all you need to do, works perfectly afterwards, no problems saturating gigabit interfaces wan to lan

    Install guest utils, just do

    pkg install xe-guest-utilities

    like usual and it'll grab it down no problem

    Now make it run at start by running the below command to stick the proper line into rc.conf.local

    echo 'xenguest_enable="YES"' >> /etc/rc.conf.local

    (if you wanna verify, open /etc/rc.conf.local and make sure it has xenguest_enable="YES" in it)

    last but not least run:

    ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh

    now it'll start every boot, you can start it now yourself, "service xenguest start", should start without issue

    Now to turn off TX offload for the pfsense interfaces in xen so freebsd doesn't freak out and drop the un-checksummed traffic generated by xen vm's. This is all you need to do, don't go turning off any offloading in pfsense itself

    Get the UUID of the pfsense virtual interfaces by running: (all of the following commands to be ran on your xen hypervisor of course)

    xe vif-list vm-uuid=uuid-of-your-pfsense-vm-here  (note that the interface uuid is the very top uuid for each interface, not the bottom 3. if you don't know the uuid of your pfsense vm, run xe vm-list and find it)

    then just copy each interface UUID (so only two if you just have a lan and wan) and stick it in the below command, running it for each interface, and that's it. It'll be a property of the VM and persist forever across reboots etc.

    xe vif-param-set uuid=your-interface-uuid-here other-config:ethtool-tx="off"

    Reboot the vm when you're done. That came out a lot longer than it seems but I assure you it only takes 5 minutes  :)



  • I added xe-guest-utilities to the stock pkg repo so enabling the FreeBSD one isn't necessary. Edited post to update instructions accordingly.





  • @fohdeesha:

    @Fohdeesha, you shouldn't have removed the method on enabling the repo.  It would be helpful to enable the whole repo momentarily like you had mentioned, but I see you edited your OP and this thread is linked from multiple locations as a "solution" to enabling the original REPO.

    Do you think you can edit your post with the solution of "enabling the standard freebsd repo momentarily"??

    I don't know what packages I need, but I definitely would like to be able to set up a full development platform on PFsense itself, instead of a FreeBSD 10.x builder OS.



  • to be fair I didn't edit it, an admin did, and understandably so as it can very easily break a pfsense install. setting up a "full development platform" by pulling a bunch of packages down from the freebsd repo is pretty much guaranteed to break the pfsense install and overwrite a lot of important pfsense-specific packages

    However if you don't care, simply edit /usr/local/etc/pkg/repos/pfSense.conf with your favorite text editor (pfsense comes with ee, or you can do a pkg install nano to get nano, or a different editor)

    at the top where it says FreeBSD: { enabled: no }

    just change the no to yes and save and now the default repo is on. keep in mind if the pfsense install does an update or anything with this on it can potentially break the install, same with installing packages that replace pre-existing packages etc



  • it is really good to see people are already doing this. I am also looking at using pfsense as a virtual firewall for all the VMs in my xenserver pool. If that what you guys are doing? How do you configure your network in xen to get all traffic pass through pfsense? What sort of configuration are you doing with pfsense? Transparent routing mode or NAT routing mode?



  • So the recommended is to do all the steps indicated by Fohdeesha?


  • Netgate

    It depends. If it's something where performance doesn't really matter (like my lab) I find it easier to just install, boot to single user, add hw.xen.disable_pv_nics=1 to /boot/loader.conf.local, reboot, and configure the re NICs.