We mainly use KVM as our virtualization hypervisor, but sometimes we have XenServer installations. Often in these situations we deploy a firewall as a virtual machine, but sadly pfSense, or rather FreeBSD in general, has networking problems in virtualization environments.
The typical situation when pfSense is installed is that:
- networking is fine on the hosts of the LAN. The VMs work fine in the LAN;
- the hosts on the LAN can access internet without problems;
- the XenServer host and the other virtual machines can ping outside, but almost all TCP connections don’t work, inbound or outbound.
To solve such problems with KVM it’s enough to enable “Disable hardware checksum offload” in pfSense’s advanced network preferences. But this doesn’t work on XenServer.
Basically the solution is the same, disable hardware checksum offload, but since pfSense on XenServer doesn’t use virtualized drivers, the change has to be made on the host side: the feature is disabled on the virtual interface (VIF) that XenServer attaches to the VM, not inside pfSense.
ssh to the XenServer host and list the interfaces associated with the pfSense virtual machine with this command (replace VM_NAME with the name of the VM):
xe vm-vif-list vm=VM_NAME
The output will be something like this:
uuid ( RO) : a59019a2-0278-fa51-982c-eb7cab437147
vm-name-label ( RO): pfSense
device ( RO): 0
MAC ( RO): ca:44:7f:6a:ad:6b
network-uuid ( RO): 84bbfaa4-1872-2595-0996-40fa61421daf
network-name-label ( RO): Pool-wide network associated with eth0

uuid ( RO) : 6f04ec4f-50fa-063e-ed7a-b45216fe8b61
vm-name-label ( RO): pfSense
device ( RO): 1
MAC ( RO): 9e:70:64:7e:46:1e
network-uuid ( RO): 7e08ae46-86ed-8c90-7e5c-54eb7a35b3cc
network-name-label ( RO): Pool-wide network associated with eth1
Pick pfSense’s LAN interface (typically eth0, device 0) and grab the uuid of that record: the first uuid line, not the network-uuid. In the output above it’s the one starting with a5901 and so on. Now run these two commands (replacing VIFUUID with the uuid obtained above):
xe vif-param-set uuid=VIFUUID other-config:ethtool-tx="off"
xe vif-param-set uuid=VIFUUID other-config:ethtool-rx="off"
Now shut down and start the pfSense VM. Rebooting it is not enough: the VIF is only rebuilt on a full stop and start, so the changes won’t be applied otherwise!
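The whole procedure scripted, as an added example that is not part of the original post: it parses `xe vm-vif-list` output to find the VIF uuid for a given device number (0 for the LAN, as above) and prints the `xe` commands to apply. The VIF listing below is a constructed copy of the output shown above so the script runs offline; `xe vm-shutdown` and `xe vm-start` are assumed to be the XenServer CLI subcommands used for the final stop/start.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample of
# `xe vm-vif-list vm=pfSense` output (matches the listing in the post).
SAMPLE_VIF_LIST='uuid ( RO)           : a59019a2-0278-fa51-982c-eb7cab437147
    vm-name-label ( RO): pfSense
           device ( RO): 0
              MAC ( RO): ca:44:7f:6a:ad:6b
     network-uuid ( RO): 84bbfaa4-1872-2595-0996-40fa61421daf
network-name-label ( RO): Pool-wide network associated with eth0


             uuid ( RO)           : 6f04ec4f-50fa-063e-ed7a-b45216fe8b61
    vm-name-label ( RO): pfSense
           device ( RO): 1
              MAC ( RO): 9e:70:64:7e:46:1e
     network-uuid ( RO): 7e08ae46-86ed-8c90-7e5c-54eb7a35b3cc
network-name-label ( RO): Pool-wide network associated with eth1'

# vif_uuid_for_device DEVICE  (reads xe vm-vif-list output on stdin)
# Prints the VIF uuid of the record whose "device" equals DEVICE, nothing
# if absent. Only the bare "uuid" line is matched, never "network-uuid".
vif_uuid_for_device() {
    awk -v want="$1" '
        /^ *uuid \( RO\)/   { uuid = $NF }
        /^ *device \( RO\)/ { if ($NF == want) { print uuid; exit } }
    '
}

# vif_offload_commands VIFUUID
# Prints the two vif-param-set commands from the post for that VIF.
vif_offload_commands() {
    printf 'xe vif-param-set uuid=%s other-config:ethtool-tx="off"\n' "$1"
    printf 'xe vif-param-set uuid=%s other-config:ethtool-rx="off"\n' "$1"
}

# vm_restart_commands VM_NAME
# A full stop and start is required; a reboot does not rebuild the VIF.
# Assumes the xe vm-shutdown / vm-start subcommands (not from the post).
vm_restart_commands() {
    printf 'xe vm-shutdown vm=%s\n' "$1"
    printf 'xe vm-start vm=%s\n' "$1"
}

# Usage against the constructed sample. On a real host feed the parser with:
#   xe vm-vif-list vm="$VM_NAME" | vif_uuid_for_device 0
lan_vif=$(printf '%s\n' "$SAMPLE_VIF_LIST" | vif_uuid_for_device 0)
[ -n "$lan_vif" ] && vif_offload_commands "$lan_vif" && vm_restart_commands pfSense
```

Pipe the printed commands into `sh` on the XenServer host once you have checked that the uuid is the LAN VIF.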
After this, all the VMs on the XenServer host will be able to NAT outside and receive connections from outside hosts!