Running pfSense in XenServer

Deploy pfSense in a XenServer

It goes without saying that you should deploy your firewall on dedicated hardware, right? We agree. However, there are instances where, for one reason or another, you may decide to run pfSense in a virtual machine. If you deploy pfSense on XenServer you may be shocked at the performance loss, but there are some tweaks that make it usable.

Installing pfSense

There is no pfSense template provided, but you can do a standard install from ISO using the “Other” template.

Go ahead and set up pfSense as normal, and when you are done, apply the following tweaks.

XenServer tweaks

Find the UUID of the pfSense VM you just installed.

xe vm-list

You should get output like the following:

uuid ( RO) : b435d920-eb22-b45d-5058-091619ed427f
name-label ( RW): pfSense
power-state ( RO): running

uuid ( RO) : 42626f69-6185-4aa6-a125-839700f96828
name-label ( RW): Control domain on host: xenserver-000
power-state ( RO): running

We want the UUID of the instance running pfSense, b435d920-eb22-b45d-5058-091619ed427f in this case.

export UUID=b435d920-eb22-b45d-5058-091619ed427f

Next, find the internal IDs (VIF UUIDs) of the interfaces you assigned to the pfSense VM.

xe vm-vif-list uuid=$UUID

The output should look something like the following:

uuid ( RO) : 0d3408aa-76a8-c67f-103f-1a1ad8b74a84
vm-name-label ( RO): pfSense
device ( RO): 1
MAC ( RO): ea:30:29:df:cd:66
network-uuid ( RO): 6480f142-8024-b07e-7a6c-e7483d89229c
network-name-label ( RO): Pool-wide network associated with eth1
uuid ( RO) : b5cfe2a7-c7dc-d9db-b43c-3cfb1395f09c
vm-name-label ( RO): pfSense
device ( RO): 0
MAC ( RO): ba:cf:a9:e1:c9:49
network-uuid ( RO): 4dee415a-e497-0370-09e1-eb56145b69b4
network-name-label ( RO): Pool-wide network associated with eth0

You can see this install has two NICs assigned; we are looking for the ‘uuid’ of each of them.

export VIF_1_UUID=0d3408aa-76a8-c67f-103f-1a1ad8b74a84
export VIF_2_UUID=b5cfe2a7-c7dc-d9db-b43c-3cfb1395f09c

Now, for each of the VIF UUIDs, disable the offload settings:

xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-gso="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-ufo="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-tso="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-sg="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-tx="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-rx="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-gso="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-ufo="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-tso="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-sg="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-tx="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-rx="off"
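The XenServer-side steps above, from finding the VM's UUID to turning the six offload features off on every VIF, as one POSIX shell script. This is an added example and not part of the original article; it assumes the `xe` CLI of a XenServer host producing the output layout shown above, and the embedded vm-vif-list sample is constructed from the article's listing so the parsing can be exercised without a host.

```shell
#!/bin/sh
# Added example (not from the original article): automate the XenServer-side
# offload tweaks for a VM selected by name-label. Assumes the `xe` CLI on a
# XenServer host; the sample output below is constructed from the article's
# listing so the parsing can be checked off-host.
set -eu

XE="${XE:-xe}"                      # override, e.g. XE=echo, for a dry run
OFFLOADS="gso ufo tso sg tx rx"     # the six ethtool features the article turns off

# Pull the object uuids out of `xe ... -list` output: only lines that begin
# with "uuid ( RO)" count, so the network-uuid lines of a VIF listing are ignored.
extract_uuids() {
    printf '%s\n' "$1" | sed -n 's/^uuid ( RO) *: *//p'
}

# Constructed sample of `xe vm-vif-list` output (two VIFs, as in the article).
SAMPLE_VIF_LIST='uuid ( RO) : 0d3408aa-76a8-c67f-103f-1a1ad8b74a84
vm-name-label ( RO): pfSense
device ( RO): 1
MAC ( RO): ea:30:29:df:cd:66
network-uuid ( RO): 6480f142-8024-b07e-7a6c-e7483d89229c
network-name-label ( RO): Pool-wide network associated with eth1


uuid ( RO) : b5cfe2a7-c7dc-d9db-b43c-3cfb1395f09c
vm-name-label ( RO): pfSense
device ( RO): 0
MAC ( RO): ba:cf:a9:e1:c9:49
network-uuid ( RO): 4dee415a-e497-0370-09e1-eb56145b69b4
network-name-label ( RO): Pool-wide network associated with eth0'

# Turn VIF-list output into one "<vif-uuid> <feature>" line per setting to apply.
offload_plan() {
    for vif in $(extract_uuids "$1"); do
        for feature in $OFFLOADS; do
            printf '%s %s\n' "$vif" "$feature"
        done
    done
}

# Resolve the VM by name-label, refuse to guess when the name is missing or
# ambiguous, then apply every setting in the plan to that VM's VIFs.
disable_offloads_for_vm() {
    vm_uuids=$(extract_uuids "$($XE vm-list name-label="$1")")
    case "$(printf '%s\n' "$vm_uuids" | grep -c . || true)" in
        0) echo "no VM with name-label '$1'" >&2; return 1 ;;
        1) ;;
        *) echo "several VMs named '$1'; refusing to guess" >&2; return 1 ;;
    esac
    offload_plan "$($XE vm-vif-list uuid="$vm_uuids")" | while read -r vif feature; do
        $XE vif-param-set uuid="$vif" "other-config:ethtool-$feature=off"
    done
}

# Usage on a XenServer host: disable_offloads_for_vm pfSense
# Afterwards `xe vif-param-list uuid=<vif-uuid>` shows the other-config entries set.
```

Source the file on the host and run `disable_offloads_for_vm pfSense`; it stops rather than acting when the name-label matches no VM or more than one, and setting `XE=echo` prints the commands instead of running them.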

Install Xen Tools on pfSense and disable hardware checksum offload

Connect to the pfSense console and select option 8 for shell access. Then copy and paste the following to install the Xen tools into the VM.

pkg install xe-guest-utilities
echo 'xenguest_enable="YES"' >> /etc/rc.conf.local
ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh
service xenguest start

Because pfSense is running as a VM, you do not need hardware checksum offload enabled, so you can disable it.

In the pfSense GUI, go to System > Advanced > Networking and tick the option “Disable hardware checksum offload”.

Conclusion

I hope that you have found these tips helpful. Whether you are deploying Xen in a lab, building and testing configurations, or just need an emergency firewall until your new hardware arrives, these tweaks should help make it more usable.