Anyone successfully running pfsense??

[totalimpact]

I am having stability issues on mine, pve 5.0-23, pfsense v2.4.3, any ideas??

My main firewall died last weekend, and having a R720 with 4 nics, as a temporary fix, I loaded a pfsense VM and was online... but after a random time, sometimes a couple days, sometimes 8 hours, the WAN gateway shows unreachable, I still have full access to the LAN side and a couple VLANs on the LAN port.

It never did this on the physical hardware, Atom+ 4GB RAM, running ifconfig down/up on the WAN in the vm brings it back online. I have 2 virtio nics, 3GB RAM, 2x cores. I doubled the RAM/CPU last night and am hoping that helps. That setup let me max out my cable modem at 300/30.

Here is the trick to get it working in case anyone else wants to try it:

Create a new bridge in proxmox (vmbr1)with no IP assigned, and add a dedicated port to it that will plug directly in to the ISP. I then put the 1st nic of the VM on vmbr0, and the 2nd on vmbr1, assigned the static IP to the WAN nic and it is online.

In pfsense I had to disable Hardware Checksum Offloading under Advanced>Networking to get it to be stable, otherwise a lot of inbound port forwards did not work.

I probably wont have new hardware for the firewall until next week, so hoping for any tips to get me by until then without a lot of outages.

VM conf:

balloon: 0
bootdisk: virtio0
cores: 4
ide2: none,media=cdrom
memory: 6000
name: Router
net0: virtio=CA:C7:C3:28:CD:AE,bridge=vmbr0
net1: virtio=AA:10:79:E1:F2:60,bridge=vmbr9
numa: 0
onboot: 1
ostype: other
protection: 1
scsihw: virtio-scsi-pci
smbios1: uuid=f48ccf47-1ddf-4080-a86d-571b5ef5f5c5
sockets: 1
startup: order=1
virtio0: VMStore1:102/vm-102-disk-2.qcow2,size=10G

 

[Michel V]

No help just confirm:
I have a VM with pfsense running, but can confirm that stability is unfortunately not great. I get a random (sometimes weeks, sometimes days) drop of network traffic.

 

[jkalousek]

I have pfsense running as VM over a 1,5 year and never had any problem with it.

My config (processor Default kvm64):


Options:

 

[TwiX]

Hi,

Do we still have to disable hardware checksum offload with latest release ?

 

[Michel V]

Hi,

Do we still have to disable hardware checksum offload with latest release ?

I have that option ticked/enabled (System>Advanced>Networking)

 

[TwiX]

damn...so still not solved

 

[jkalousek]

I have:
Hardware Checksum Offloading: unchecked (enabled)
Hardware TCP Segmentation Offloading: checked (disabled)
Hardware Large Receive Offloading: checked (disabled)

I have that option ticked/enabled (System>Advanced>Networking)

I thing that you have it backwards. When the option is ticked/checked the feature is disabled. (or I just misunderstand you and you meant the checkbox itself )

 

[jkalousek]

damn...so still not solved

What HW nics are you using?
Right now I have uptime 10 days from last proxmox update and restart and pfsense has transfered ~435 GB without errors on any of the interfaces so I can say that pfsense can be stable on proxmox. I also have three vpn tunnels which I would know immediately if some of them went down, within like 5 minutes because of constant checks on intranet and internet.

 

[Michel V]

I thing that you have it backwards. When the option is ticked/checked the feature is disabled. (or I just misunderstand you and you meant the checkbox itself )

Sorry, my bad. I have it ticked, so the option is to disable.

@TwiX: I am not an expert, just followed the instructions there....

 

[TwiX]

I'm asking because I know there was an issue related to KVM and virtio on BSD few years ago.


https://www.netgate.com/docs/pfsense/virtualization/virtualizing-pfsense-with-proxmox.html
https://pve.proxmox.com/wiki/PfSense_Guest_Notes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059

 

[Michel V]

@jkalousek : And what throughput do you achieve? After my upgrade to 5.2 things got much worse...

 

[Michel V]

As a follow up: I double checked the config against the pfSense documentation here: https://www.netgate.com/docs/pfsense/virtualization/virtualizing-pfsense-with-proxmox.html
Note there are differences with https://pve.proxmox.com/wiki/PfSense_Guest_Notes . The latter has no date on it, but seems older.

Following the netgate documentation I now have a stable setup for the last two months with nice through put.

 

[Maurizio Marini]

I have a stable installation but some unexplained (maybe) hardware issues with nic
after resetting, the pfsense interfaces does not come up

Jun 23 13:04:45 pve kernel: [6449579.400667] e1000e 0000:07:00.0 eth4: Reset adapter unexpectedly
Jun 23 13:04:45 pve kernel: [6449579.403186] e1000e 0000:07:00.0 eth4: speed changed to 0 for port eth4
Jun 23 13:04:45 pve kernel: [6449579.500460] bond1: link status definitely down for interface eth4, disabling it
Jun 23 13:04:45 pve kernel: [6449579.500471] bond1: first active interface up!
Jun 23 13:04:51 pve kernel: [6449586.033371] e1000e: eth4 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Jun 23 13:04:51 pve kernel: [6449586.124349] bond1: link status definitely up for interface eth4, 1000 Mbps full duplex
Jun 23 15:00:39 pve pvedaemon[8924]: <root@pam> successful auth for user 'root@pam'
Jun 23 15:00:51 pve pvedaemon[29803]: <root@pam> starting task UPID:pve:00007A93:267C5CF9:5EF1FD02:vncproxy:101:root@pam:
Jun 23 15:01:53 pve pvedaemon[8924]: <root@pam> update VM 101: -net4 virtio=AA:98:4B:F0:6E:FC,bridge=vmbr3,tag=63,link_down=1
Jun 23 15:01:57 pve pvedaemon[8924]: <root@pam> update VM 101: -net4 virtio=AA:98:4B:F0:6E:FC,bridge=vmbr3,tag=63

as you see, bond1 come up, but vtnet4 keeep going to stay down, until I logged into webgui of proxmox, and disable/reenable eth4