Adventures with a virtual firewall

D

Davez69gto

Guest
Hello Everyone,

I figured since we are a community I would post my adventures with getting a virtual firewall up and running with fios.

First My setup:
2 hp hosts, 2U, rack mounted. Both running Porxmox VE 2.3, soon to upgrade.
1 homebuilt san out of an hp storageworks.
I have three nics on my hosts an 4 on my san.
The hosts have 1 that is dedicated to the SAN, 1 for general interets and 1 that is going to be used to connect outside (Mostly Setup).
HP Porcurve off ebay for my switching needs.

Basically what I wanted to say was that I have found it quite a task to get create a virtual router.
I configured the hosts, setting up the nics correctly so I could see the outside world however the oss for firewalls were not cooperating.

I found that pfsense will not install correctly. There is a kernal error so I went and tried smoothwall. That installed and worked in itially however after a reboot it went crazy. This was fine when I had it connected directly to the nat side of the fios router however it caused major issues when it was connected outward. I rebooted and it didn't get it's ip back so i had to wait hours for the renew to occur b/c it was the middle of the night.

I have always found debian systems to work well on proxmox so I install sphirewall. That installed however during configuration it decided it would not bring nics up via the web interface. Also I couldn't figure out how to differentiate the internal from the external so I didn't consider it to be safe.

Finally after a while I went to ipcop. I have that up and running connected to the nat side of the firewall and everything seems to be working fine. I'll update on here when I finally connect it directly to the outside world.

I figured the proxmox world would like to know. :)
 
I have been devising a way to move my networking virtual gear away from VSphere/ESXi over to Proxmox. This has been something I have been trying to plan out for the last 6 months...

I have just not been able to come up with a good plan for replacing the network functions yet:
ESXi/Vsphere 5.0
modem > vyatta VM > Sophos/Astaro transparent bridge VM > cisco 3560

I have tons of NICs available (9 currently in my ESXi host, and 5 in each of my other 2 proxmox nodes, with the ability to add 4 more each)

My problem is configuring the network pieces of Proxmox to 'semi-match' the config I have in ESXi, with minimal downtime...it is proving to be rather difficult.
 
Davez69gto said:
I found that pfsense will not install correctly. There is a kernal error so I went and tried smoothwall.
Click to expand...

This was because of a new bios that was upgraded. All BSD distro's seemed to be affected. If I recall, 2.3 caused this. 2.2 doesn't have this problem. Long story short, add the older bios to the machine and specify that manually in the config. I've got a feeling I've lost the link to the article but I can post an example config and a link to the bios.

If your still interesting in running pfSense that is :)

P.s. I LOVE pfSense. Feature wise it's the most packed OS FW i've found. Might not be the friendliest but certainly holds it's weight. If your after an all in one UTM solution, check out Sopho's Home UTM. It's packed with pretty cool features that just work. Even includes a HTML5 based VNC/RDP viewer. And it's free!! (Not OS though if I recall).
 
I wouldn't mind the config. I really wanted pfsense but didn't find any info on it without downgrading. Also could you specify where I'm supposed to put the config when you post the config itself. I'll take down ipcop and test pfsense and if there are not issues I will definitely go with that. Do you know if the issue went away with 3.0? I pla on upgrading but am having a quarum issue atm and don't want to reboot the firewall yet.
 
Sorry about the delay. Meant to do it last night but was so engrossed with bloody VLANs I forgot!

Okay, the config line you need in the VM conf is:
args: -bios /usr/share/kvm/oldbios.bin
and the old bios I've uploaded here: http://sdrv.ms/11hSQFo

It's basically an older version of the SeaBios that QEMU uses. Grabbed it from a mirror site. Annoyingly I cant recall the version it is sorry :(

Nope, as of a couple of weeks ago (when 3.0 came out) it didn't work. Not sure if it has since been updated.
 
Sorry about the delay. Meant to do it last night but was so engrossed with bloody VLANs I forgot!

Okay, the config line you need in the VM conf is: "args: -bios /usr/share/kvm/oldbios.bin" and the old bios I've uploaded here: http://sdrv.ms/11hSQFo
It's basically an older version of the SeaBios that QEMU uses. Grabbed it from a mirror site. Annoyingly I cant recall the version it is sorry :( Nope, as of a couple of weeks ago (when 3.0 came out) it didn't work. Not sure if it has since been updated.
 
Very interested in this also. I have tried to run freeBSD and freeNAS 8.3 64bit and both fail to get passed the boot screen (just freezes). 32 bit works fine as advised in other threads.
 
Yeh, the BSD kernel has an issue with the newer bios. There was a bug logged in the qemu side of things if I recall as that's how I found out to use an older version. Have a go at the above and let me know how it goes :)
 
downloaded bios and amended /etc/pve/local/qemu-server/<id>.conf with args: -bios /usr/share/kvm/oldbios.bin but the BSD64 bit will still not boot. Is that what you done to resolve?

my machine has a q77 chipset and runs fine with a linux kvm but will not run BSD.

PCI bus has:
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v2/Ivy Bridge DRAM Controller (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v2/Ivy Bridge Graphics Controller (rev 09)
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller (rev 04)
00:16.0 Communication controller: Intel Corporation 7 Series/C210 Series Chipset Family MEI Controller #1 (rev 04)
00:16.3 Serial controller: Intel Corporation 7 Series/C210 Series Chipset Family KT Controller (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 7 Series/C210 Series Chipset Family High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Port 1 (rev c4)
00:1c.6 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Port 7 (rev c4)
00:1d.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a4)
00:1f.0 ISA bridge: Intel Corporation Q77 Express Chipset LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 7 Series/C210 Series Chipset Family 6-port SATA Controller [AHCI mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 7 Series/C210 Series Chipset Family SMBus Controller (rev 04)
01:00.0 SATA controller: ASMedia Technology Inc. ASM1062 Serial ATA Controller (rev 01)
02:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection


any help would be very greatful
 
Last edited by a moderator:
I just tried it and everything worked correctly. Hopefully tomorrow night I will have time to set everything up and test it out over the weekend so i can switch fully to pfsense. If you happen by the bios version please let me know if not no biggy.
 
It actually says during boot up and it is SeaBios 1.7.1. FYI
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back