Issue
Various networking issues might occur when pfSense is used as a "Virtual Server as a Gateway" (https://docs.onapp.com/display/53AG/Virtual+Server+as+a+Gateway). In one particular case we observed the following:
- pfSense was installed as a guest on a KVM hypervisor.
- pfSense was used to NAT traffic between the internal and external networks (default configuration).
- There were no TCP/UDP connections between a client VM and the outside world when both pfSense and the client VM were running on the same HV.
- When the client VM was running on a separate HV, TCP/UDP connections were slow.
- In both cases, ICMP traffic worked as expected.
Resolution
It appears that paravirtualized drivers (VirtIO in KVM; PV in XEN) are causing these issues. To resolve the problem, some or all of the steps below must be followed:
- Disable hardware checksum offload inside pfSense (System -> Advanced -> Networking -> "Disable hardware checksum offload"). The VM has to be rebooted in order to apply the change. In our case, this measure was sufficient to resolve a customer's problem.
- Disable tx offloading on the hypervisor side.
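One way to carry out the hypervisor-side step on a libvirt-managed KVM host, shown as an added example (not OnApp's own tooling): it reads the guest's interface list from `virsh domiflist` and prints an `ethtool -K <if> tx off` command for each VirtIO interface. The domain argument and the sample interface names are constructed, and targeting the guest's tap interfaces is an assumption.

```shell
#!/bin/sh
# Added example: plan "tx off" for every VirtIO interface of one KVM guest.
# Assumption: the guest is managed by libvirt and its tap devices are the
# interfaces to change. Nothing is modified; the commands are only printed.

# Constructed sample of `virsh domiflist` output, used when virsh is absent.
SAMPLE_DOMIFLIST=' Interface   Type     Source   Model    MAC
-------------------------------------------------------------
 vnet3       bridge   br0      virtio   52:54:00:00:00:01
 vnet4       bridge   br1      virtio   52:54:00:00:00:02
 vnet5       bridge   br2      e1000    52:54:00:00:00:03'

# Read domiflist text on stdin, print the names of VirtIO-model interfaces.
# The header and separator rows are skipped because column 4 is not "virtio".
virtio_ifaces() {
    awk 'NF >= 5 && $4 == "virtio" { print $1 }'
}

# Read interface names on stdin, print one ethtool command per name.
tx_off_commands() {
    while read -r ifname; do
        [ -n "$ifname" ] && printf 'ethtool -K %s tx off\n' "$ifname"
    done
}

# plan_tx_off [domain]: live virsh output when a domain is given and virsh
# exists, otherwise the constructed sample above.
plan_tx_off() {
    if [ -n "${1:-}" ] && command -v virsh >/dev/null 2>&1; then
        virsh domiflist "$1"
    else
        printf '%s\n' "$SAMPLE_DOMIFLIST"
    fi | virtio_ifaces | tx_off_commands
}

# Dry run: print the plan. Review it, then pipe it to `sh` as root to apply,
# and confirm with `ethtool -k <if>` that tx-checksumming reads "off".
plan_tx_off "${1:-}"
```

The tap interfaces are recreated when the guest is restarted, so the setting has to be reapplied after each restart of the pfSense VM.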
Comments
2 comments
Dear Volodymyr Shturma,
Do we need to enable the private network interface as gateway for the pfSense VM?
===================
Our pfsense setup
WAN interface with gateway
LAN interface private IP
Disable hardware checksum offload
==============
Created a new VM with a LAN interface assigned a private IP. Here we have set the gateway to the pfSense private IP.
At the pfSense level we have added a virtual IP alias for the VM WAN IP and set 1:1 NAT.
Please advise if we are missing anything.
Hi wwsupport
You need to enable "Use as Gateway" feature on every NIC you intend to use as such. Therefore, in your case I believe it should be enabled for the private network interface.
Should you have any problems with the setup, please do not hesitate to contact OnApp Support.