WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] pfSense HVM

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] pfSense HVM
From: Nicolas Vilz <niv@xxxxxxxxxx>
Date: Sat, 05 Jun 2010 21:55:17 +0200
Delivery-date: Sat, 05 Jun 2010 12:56:54 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4C0A8F51.90503@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4BFE986C.5000704@xxxxxxxxxxx> <4C001295.4040909@xxxxxxxxxx> <4C0055BC.1050202@xxxxxxxxxxx> <4C006BF0.4040208@xxxxxxxxxx> <4C0A8F51.90503@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
On 06/05/10 19:54, Jonathan Tripathy wrote:

On 29/05/10 02:20, Nicolas Vilz 'niv' wrote:
On 05/29/10 01:46, Jonathan Tripathy wrote:


actually, i use pfSense in hvm quite a while... it works. recently i
tried to get pfSense in pv, but that needs to be polished some time
before it is ready to use. (it works, but it is half broken that way
and i spent the whole day yesterday to get a clear view on that problem).
That's good that it works well in HVM. What kind of throughput can you
get? My co-lo is giving me a 100Mbit connection, thing Xen can handle that?

I think it is worth a try. problem is, you get 8139cp emulated chipset with hvm (without pci passthrough) and I don't really know, if that can handle 100mbit.

I had several event setups with pfSense as Uplink gateway one physical on a dl380 and one as HVM. On the WAN side there where 3 16MBit uplinks, on the LAN side there where up to 400 people accessing the WAN side.

Once the physical pfsense crashed because of RAM failure. Nobody noticed. Not even I noticed. So I can say, for 3x 16MBit you don't really notice a difference between physical pfsense and HVM virtualised one.


make sure, you can access that dom0 in event of emergency. If anything
happens to your pfsense, which is possible, you probably can't access
your dom0 anymore and are stuck and thats probably not what you want.
This is a really good point, and I'm not sure what to do in this case.
The only thing I can think of, is to give the 2nd physical NIC on the
server access to the Dom0 directly (bypassing the pfSense firewall
DomU), however I'm not sure if my co-lo can provision this without extra
costs...
and then your dom0 will be accessible. that is what you wanted to prevent for extra security.

one advantage an extra NIC gives you in this situation, is: you can get hardwired access to a different network, which has nothing to do phyically with your main network and your pfsense in front. i don't know if your co-lo can make this happen, but it would be a possibility. an extra port for a NIC will normaly cost you something extra.


btw, you don't need to passthrough your nic for that behavior. In a
bridged setup you just have to leave your bridge interface to the
outside without an ip address.
Since the NIC will be the physical interface for the WAN, I thought I
would use PCI Passthrough for extra security? So that the Dom0 has *no
access* to the physical NIC? Or am I incorrect?

if you passthrough your NIC, then you are right. no access from dom0 to physical NIC.

if you just setup a bridge on the WAN NIC and put the pfsense domU with one foot on that NIC, you have the possibility to setup another domU to be accessible outside, and you can setup emergency access to dom0 on that bridge, too. if you don't need dom0 for an external access, you can leave the bridge interface without an ip address, like i wrote above. I don't know, if someone can gain access to your dom0, when this dom0 has an unconfigured bridge listening on your WAN port.

you have to decide, how secure your setup shall be and what will you have to do, if your pfsense crashes.

if your co-lo doesn't allow you to have several MAC addresses on that port, you won't be able to use that kind of setup either.

in that case the only possible solution for you will be passthrough one of your two NICs to pfsense and hardwire the other one to your dom0 for emergency access.

PCI Passthrough is possible for your hardware, right? If not, you are still able to use the bridged setup as long as just one MAC shows up on that port.

Sincerly
Nicolas

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Hi Nic,

What kind of throughput are you getting with your pfsense guest? I've got my Gigabit NIC passthrough to the pfsense DomU (To act as the "WAN"), then I've connected the "LAN" side of pfsense to a Xen bridge, with the Dom0 is also connected to. I tried to do a file tranfer (via samba) from a machine on the "WAN" to the Dom0. The speed was capping out at 90Mbps. In the pfsense config, I've made the NIC "e1000" and pfsense does show it's connected at 1000.

Any ideas?

Not really, i tried e1000 as well, but couldn't see any advantage for that (Throughput was nearly the same or worse). Either i don't see the difference between emulated 8139cp and e1000 or there is no difference when using it for openvpn in a bridged setup. I will analyze that further. The real performance boost would be the pv driver with freebsd and pfsense, but i haven't done that yet (patched pfsense kernel with xen modules). Inside openvpn i get a max throughput of 800 kb/s, where there should be 100Mbit or 1000 Mbit (if i emulate the right one). Thats a bit confusing for me, but i keep observing and searching. Pfsense shows connected at 1000 Mbit, too on my side.

That doesn't really help you right now, but that is what i know and experienced so far.
Sincerly

Nicolas

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

<Prev in Thread] Current Thread [Next in Thread>