Re: [Xen-users] pfSense HVM
On 06/05/10 19:54, Jonathan Tripathy wrote:
Not really, i tried e1000 as well, but couldn't see any advantage for
that (Throughput was nearly the same or worse). Either i don't see the
difference between emulated 8139cp and e1000 or there is no difference
when using it for openvpn in a bridged setup. I will analyze that
further. The real performance boost would be the pv driver with freebsd
and pfsense, but i haven't done that yet (patched pfsense kernel with
xen modules). Inside openvpn i get a max throughput of 800 kb/s, where
there should be 100Mbit or 1000 Mbit (if i emulate the right one). Thats
a bit confusing for me, but i keep observing and searching. Pfsense
shows connected at 1000 Mbit, too on my side.
On 29/05/10 02:20, Nicolas Vilz 'niv' wrote:
On 05/29/10 01:46, Jonathan Tripathy wrote:
actually, i use pfSense in hvm quite a while... it works. recently i
tried to get pfSense in pv, but that needs to be polished some time
before it is ready to use. (it works, but it is half broken that way
and i spent the whole day yesterday to get a clear view on that
That's good that it works well in HVM. What kind of throughput can you
get? My co-lo is giving me a 100Mbit connection, thing Xen can
I think it is worth a try. problem is, you get 8139cp emulated
chipset with hvm (without pci passthrough) and I don't really know,
if that can handle 100mbit.
I had several event setups with pfSense as Uplink gateway one
physical on a dl380 and one as HVM. On the WAN side there where 3
16MBit uplinks, on the LAN side there where up to 400 people
accessing the WAN side.
Once the physical pfsense crashed because of RAM failure. Nobody
noticed. Not even I noticed. So I can say, for 3x 16MBit you don't
really notice a difference between physical pfsense and HVM
and then your dom0 will be accessible. that is what you wanted to
prevent for extra security.
make sure, you can access that dom0 in event of emergency. If anything
happens to your pfsense, which is possible, you probably can't access
your dom0 anymore and are stuck and thats probably not what you want.
This is a really good point, and I'm not sure what to do in this case.
The only thing I can think of, is to give the 2nd physical NIC on the
server access to the Dom0 directly (bypassing the pfSense firewall
DomU), however I'm not sure if my co-lo can provision this without
one advantage an extra NIC gives you in this situation, is: you can
get hardwired access to a different network, which has nothing to do
phyically with your main network and your pfsense in front. i don't
know if your co-lo can make this happen, but it would be a
possibility. an extra port for a NIC will normaly cost you something
btw, you don't need to passthrough your nic for that behavior. In a
bridged setup you just have to leave your bridge interface to the
outside without an ip address.
Since the NIC will be the physical interface for the WAN, I thought I
would use PCI Passthrough for extra security? So that the Dom0 has *no
access* to the physical NIC? Or am I incorrect?
if you passthrough your NIC, then you are right. no access from dom0
to physical NIC.
if you just setup a bridge on the WAN NIC and put the pfsense domU
with one foot on that NIC, you have the possibility to setup another
domU to be accessible outside, and you can setup emergency access to
dom0 on that bridge, too. if you don't need dom0 for an external
access, you can leave the bridge interface without an ip address,
like i wrote above. I don't know, if someone can gain access to your
dom0, when this dom0 has an unconfigured bridge listening on your WAN
you have to decide, how secure your setup shall be and what will you
have to do, if your pfsense crashes.
if your co-lo doesn't allow you to have several MAC addresses on that
port, you won't be able to use that kind of setup either.
in that case the only possible solution for you will be passthrough
one of your two NICs to pfsense and hardwire the other one to your
dom0 for emergency access.
PCI Passthrough is possible for your hardware, right? If not, you are
still able to use the bridged setup as long as just one MAC shows up
on that port.
Xen-users mailing list
What kind of throughput are you getting with your pfsense guest? I've
got my Gigabit NIC passthrough to the pfsense DomU (To act as the
"WAN"), then I've connected the "LAN" side of pfsense to a Xen bridge,
with the Dom0 is also connected to. I tried to do a file tranfer (via
samba) from a machine on the "WAN" to the Dom0. The speed was capping
out at 90Mbps. In the pfsense config, I've made the NIC "e1000" and
pfsense does show it's connected at 1000.
That doesn't really help you right now, but that is what i know and
experienced so far.
Xen-users mailing list