pfSense and XenServer: networking problems

We mainly use KVM as virtualization hypervisor, but sometimes we have XenServer installations. Often in these situation we deploy a firewall as a Virtual Machine, but sadly pfSense, or better FreeBSD in general, has networking problems in virtualization environments.

The typical situation when pfSense is installed is that:

  • networking is fine on the hosts of the LAN. The VMs work fine in the LAN;
  • the hosts on the LAN can access internet without problems;
  • XenServer host and other virtual machines can ping outside, but almost all TCP connections doesn’t work, inbound or outbound.

To solve such problems with KVM it’s enough to Disable hardware checksum offload in pfSense’s advanced network preferences. But this doesn’t apply to XenServer.

Basically the solution is to disable hardware checksum, but since pfSense in XenServer doesn’t use virtualized drivers, we have to do the change on the host configuration, and disable the feature on the virtualized interface.

ssh to the XenServer host and list the interfaces associated with the pfSense virtual machine with this command (replace VM_NAME with the name of the VM):

xe vm-vif-list vm=VM_NAME

The output will be something like this:

uuid ( RO) : a59019a2-0278-fa51-982c-eb7cab437147
vm-name-label ( RO): pfSense
device ( RO): 0
MAC ( RO): ca:44:7f:6a:ad:6b
network-uuid ( RO): 84bbfaa4-1872-2595-0996-40fa61421daf
network-name-label ( RO): Pool-wide network associated with eth0

uuid ( RO) : 6f04ec4f-50fa-063e-ed7a-b45216fe8b61
vm-name-label ( RO): pfSense
device ( RO): 1
MAC ( RO): 9e:70:64:7e:46:1e
network-uuid ( RO): 7e08ae46-86ed-8c90-7e5c-54eb7a35b3cc
network-name-label ( RO): Pool-wide network associated with eth1

Pick pfSense’s LAN interface (typically eth0) and grab the first uuid of the item. In the output above it’s the one starting with a5901 and so on. Now run these two commands (replacing VIFUUID with the ID obtained above):

xe vif-param-set uuid=VIFUUID other-config:ethtool-tx="off"
xe vif-param-set uuid=VIFUUID other-config:ethtool-rx="off"

Now shutdown and start the pfSense VM. Rebooting it it’s not enough, changes won’t be applied!

After this all the VMs on the XenServer host will be able to NAT outside, and receive connections from outside hosts!

Original discussion for XenServer is on this forum thread. For a more broad explanation see this other one.


Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Solve : *
25 − 2 =

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.