Deploy pfSense in a XenServer
It goes without saying that you should deploy your firewall on dedicated hardware, right? We agree. However, there are instances where, for one reason or another, you may decide to run pfSense in a virtual machine. If you deploy pfSense on a XenServer you may be shocked at the performance loss, but there are some tweaks that make it usable.
Installing pfSense
There is no pfSense template provided, but you can do a standard install from ISO using the “Other” template.
Go ahead and setup pfSense like normal, and when you are done, perform the following tweaks.
XenServer tweaks
Find the UUID of the pfSense VM you just installed:
xe vm-list
You should get output similar to the following:
uuid ( RO) : b435d920-eb22-b45d-5058-091619ed427f
name-label ( RW): pfSense
power-state ( RO): running
uuid ( RO) : 42626f69-6185-4aa6-a125-839700f96828
name-label ( RW): Control domain on host: xenserver-000
power-state ( RO): running
We want the UUID of the VM running pfSense, b435d920-eb22-b45d-5058-091619ed427f in this case:
export UUID=b435d920-eb22-b45d-5058-091619ed427f
Next we need to find the internal IDs (VIF UUIDs) of the interfaces you assigned to the pfSense VM:
xe vm-vif-list uuid=$UUID
The output should look something like the following:
uuid ( RO) : 0d3408aa-76a8-c67f-103f-1a1ad8b74a84
vm-name-label ( RO): pfSense
device ( RO): 1
MAC ( RO): ea:30:29:df:cd:66
network-uuid ( RO): 6480f142-8024-b07e-7a6c-e7483d89229c
network-name-label ( RO): Pool-wide network associated with eth1

uuid ( RO) : b5cfe2a7-c7dc-d9db-b43c-3cfb1395f09c
vm-name-label ( RO): pfSense
device ( RO): 0
MAC ( RO): ba:cf:a9:e1:c9:49
network-uuid ( RO): 4dee415a-e497-0370-09e1-eb56145b69b4
network-name-label ( RO): Pool-wide network associated with eth0
You can see this install has 2 NICs assigned. We are looking for the ‘uuid’ value of each of them:
export VIF_1_UUID=0d3408aa-76a8-c67f-103f-1a1ad8b74a84
export VIF_2_UUID=b5cfe2a7-c7dc-d9db-b43c-3cfb1395f09c
Now, for each of the VIF UUIDs, we want to disable the offload settings:
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-gso="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-ufo="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-tso="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-sg="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-tx="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-rx="off"

xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-gso="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-ufo="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-tso="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-sg="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-tx="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-rx="off"
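As an added example (not part of the original post), the script below automates the steps above: it parses the VIF UUIDs out of xe vm-vif-list output and disables the six offload features on every VIF, then prints each VIF's other-config so you can verify the change took. It assumes it runs as root on the XenServer host and that the VM's name-label is pfSense; the embedded sample output is constructed from the listing above so the parser can be exercised without a host.

```shell
#!/bin/sh
# Added example (not from the original post): automate the VIF offload tweak
# for a pfSense VM on XenServer. Assumes root on the host and a VM whose
# name-label is "pfSense" (pass another name as the second argument).
set -eu

# Extract the VIF uuid values (the "uuid ( RO)" lines) from xe vm-vif-list output.
vif_uuids_from_list() {
    # $1: text as printed by `xe vm-vif-list uuid=<vm-uuid>`
    printf '%s\n' "$1" | awk -F': ' '/^ *uuid \( RO\)/ { print $2 }'
}

# Print the xe commands that disable every offload feature on one VIF.
offload_cmds() {
    # $1: VIF uuid
    for feat in gso ufo tso sg tx rx; do
        printf 'xe vif-param-set uuid=%s other-config:ethtool-%s="off"\n' "$1" "$feat"
    done
}

# Disable offload on every VIF of the named VM (requires xe on PATH).
disable_offload_for_vm() {
    # $1: VM name-label
    vm_uuid=$(xe vm-list name-label="$1" params=uuid --minimal)
    [ -n "$vm_uuid" ] || { echo "no VM named $1" >&2; return 1; }
    vif_list=$(xe vm-vif-list uuid="$vm_uuid")
    for vif in $(vif_uuids_from_list "$vif_list"); do
        offload_cmds "$vif" | sh -eu
        # Show the resulting other-config so the change can be verified.
        xe vif-param-get uuid="$vif" param-name=other-config
    done
}

# Constructed sample in the layout xe prints, for testing the parser offline.
SAMPLE_VIF_LIST='uuid ( RO)           : 0d3408aa-76a8-c67f-103f-1a1ad8b74a84
    vm-name-label ( RO): pfSense
           device ( RO): 1
              MAC ( RO): ea:30:29:df:cd:66
     network-uuid ( RO): 6480f142-8024-b07e-7a6c-e7483d89229c


uuid ( RO)           : b5cfe2a7-c7dc-d9db-b43c-3cfb1395f09c
    vm-name-label ( RO): pfSense
           device ( RO): 0
              MAC ( RO): ba:cf:a9:e1:c9:49
     network-uuid ( RO): 4dee415a-e497-0370-09e1-eb56145b69b4'

# Usage on the host: sh disable_offload.sh --apply pfSense
if [ "${1:-}" = "--apply" ]; then disable_offload_for_vm "${2:-pfSense}"; fi
```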
Install Xen Tools on pfSense and disable hardware checksum offload
Connect to the pfSense console and select option 8 to get shell access. Then copy and paste the following to install the Xen tools into the VM:
pkg install xe-guest-utilities
echo 'xenguest_enable="YES"' >> /etc/rc.conf.local
ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh
service xenguest start
Because pfSense is running as a VM, you do not need hardware checksum offload enabled, so you can disable it.
In the pfSense GUI, go to System > Advanced > Networking and tick the option “Disable hardware checksum offload”.
Conclusion
I hope you have found these tips helpful. Whether you are deploying Xen in a lab, building and testing configurations, or just need an emergency firewall until your new hardware arrives, these tweaks should make it more usable.
Ben has been building VoIP solutions for over 15 years, has over 25 years of Linux administration experience, and enjoys problem-solving. When he is not coding something in Python, or tinkering with some project, you can often find him wandering through the forests and parks of the Pacific Northwest enjoying waterfalls, trails, and animals.