PfSense and VLANs disappear

check-ict

Well-Known Member
Apr 19, 2011
102
18
58
Hi,

We have a 6-node Proxmox cluster. Recently we updates from Proxmox 4 / Debian 8 to Proxmox 5 / Debian 9.

Since the upgrade, we have many failed PfSense firewalls running as VM on Proxmox.

We run every PfSense firewall with 2 adapters. 1 adapter is for WAN without a VLAN, the other adapter is for LAN with a VLAN tag.

Every day, 1 or 2 PfSense VM's (we run 12 PfSense VM's) loosse their connection with the VLAN adapter (LAN). We can't ping from the LAN side servers to the PfSense. The PfSense can't ping to the LAN side servers, only WAN works.

When we change the VLAN or even remove it, it has no effect. When we restart the PfSense VM, everything works again.

Any idea why this happends and how to solve it?
 
Hi,

I do not have a solution but I can confirm the problem.
If I disable and then enable the interface within pfSense it temporarly solves the problem for me, if that gives any clues
 
Hi,

We use E1000 because Virtio has a lot of bugs (really slow).

I will disable the hardware checksum offload and reboot the PfSense, see if it helps.
 
Hi,

Disable hardware checksum offload and change network adapters to virtio. You'll see a huge performance improvement, I have lots of pfsense vms with this config.

Regards
 
I've a 3 nodes cluster with 60 pfsense and 60 vlan with other vm.
Every pfsense has 1 lan (virtio) 1 opt (virtio) and 1 wan (e1000 to internet). This configuration is needed cause of backup run on opt network.
Still everyday one or two pfsense lost connection to every network (lan,wan,opt).
Disable hardware checksum offload was done at installation more than 1 year ago.
Problem started in september where we have upgraded all proxmox servers and upgraded all pfsense
 
Disable hardware checksum offload and change network adapters to virtio. You'll see a huge performance improvement, I have lots of pfsense vms with this config.
It's the same for me. I have a cluster with 2 pfSense VMs with CARP configuration (master/backup) and if I don't disable hardware checksum offload in pfSense I have huge problems with network. Disabling it and using VirtIO drivers, the two pfSense boxes work great.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!