pfSense VM in Proxmox

Sources

run pfsense in proxmox

VM Setup

Defaults are safe. Make it better:

• CPU - enable pdpe1gb, aes, or rather pass the native CPU, cores: 1 OK, for a 1Gbps need at least 2.
• RAM - 1GB, NO ballooning required for PCI-passthrough to work.
• Hard Disk\IO Thread enabled
• Network - either bridge or PCIe device passed through.

Either way:

• Firewall - disabled
• Model - VirtIO (paravirtualized)
• Multiqueue - 8

Options: QEMU Guest Agent: Enabled

After VM created - add another NIC.

Install pfSense

As usual.

pfSense built-in editors:

• vi
• ee

Guest Agent

Install guest agent.

• In shell:

pkg install qemu-guest-agent

• In web gui:

• From System / PackageManager - install package “Shellcmd”;
• From Services / Shellcmd - create an “earlyshellcmd” service qemu-guest-agent start

• From System / Advanced / System Tunables - add tunable: virtio_console_load, value: YES

• In shell edit /etc/rc.conf.local:

  qemu_guest_agent_enable="YES"
  qemu_guest_agent_flags="-d -v -l /var/log/qemu-ga.log"
  

• In shell reboot

pfSense Setup

System/Advanced/Networking

Disable all the offloading. Or NOT!

UPDATE: i350-T2 is known to work well with all the functions being offloaded to NIC.

Services/DHCP Server

Besides obvious…

LAN/Other Options:

• NTP Server 1: pfSense IP
• Syslog server: IP
• Unifi controller specified via additional BOOTP/DHCP Options: Option 43, String, value, where value is calculated

pfSense migrated to Kea DHCP server and some custom options, e.g. for syslog server or option 43 can NOT be entered in GUI. Configuration is stored in /usr/local/etc/key/kea-dhcp4.conf. presentation

Added to option-data in /usr/local/etc/key/kea-dhcp4.conf:

{
    "name": "log-servers",
    "data": "192.168.10.21"
}

Services/DNS Resolver/General Settings

To ensure that UniFi controller DNS name is unifi, add host override:

• Host: unifi
• Domain: lan
• IP Address: 192.168.x.y
• Description UniFi Cotnroller
• Additional name for the host: unicon

Proxmox with a single NIC running pfSense + USB Ethernet dongle

Throughput limited to 30 Mbps. Therefore such config is not recommended. Blame the FreeBSD USB driver? Also the dongle (Realtec chipset) gets pretty hot.

Proxmox with a single NIC running pfSense + switch with VLANs

Throughput proved to easily reach 900 Mbps.

Configure the following VLANs:

• 10 for WAN traffic;
• 20 for LAN traffic;

VLAN ID 1 is a reserved, not used by user apps.

1. Setup proxmox as usual, with bridge to be VLAN-aware. Continue proxmox config and setup control web GUI on vmbr0.20.

2. Setup pfSense VM as usual, pass to it a single vmbr0.

3. Configure pfSense to use VLANs. (re)Run setup to make pfSense VLAN-aware, so that:

 WAN (wan)       -> vtnet0.10  -> v4/DHCP4: <wan>
 LAN (lan)       -> vtnet0.20  -> v4: 192.168.245.1/24

1. Configure the switch, e.g. TL-SG108E, to use VLANs, such that:

• port 1 is used for WAN, VLAN 10;
• port 2 is used for router, VLANs 10, 20;
• other ports are used for LAN, VLAN 20.

802.1Q VLAN Configuration:

VLAN ID	VLAN Name	Member Ports	Tagged Ports	Untagged Ports
1	Default	1-8	1-8	n/a
10	WAN	1-2	2	1
20	LAN	2-8	2	3-8

802.1Q VLAN PVID Setting:

Port	PVID
1	10
2	1
3	20
4	20
5	20
6	20
7	20
8	20

Unbound Instability

My install was affected by unbound instability. For now in Services/DNS Resolver/General Settings I UNchecked Register DHCP leases in the DNS Resolver.