PFSense


Asterysk

Jan 18, 2017, 6:48:09 AM1/18/17
to qubes-users
Has anyone successfully installed PFSense? If so, are there any benefits compared to the standard sys-firewall other than having the ability to play with PFSense? Thx

Connor Page

May 23, 2017, 6:04:39 PM5/23/17
to qubes-users
I've managed to install pfSense as a HVM. Not sure if it makes sense to run it as a trusted firewall but that is possible. I created 2 netvms called LAN and DMZ and created bridges in those. I made a copy of the pfSense HVM config and changed the interface type to bridge, added a second virtual interface and linked them to the bridges in the LAN and DMZ backends. A PCI network interface was also delegated to that domain (thought it would become the WAN) but pfSense didn't recognize it.
I created an alternative config for a Manjaro HVM to connect to the bridge in LAN and, after manually setting addresses on all network interfaces and bridges and a bit of tinkering with iptables, I could log in to the pfSense admin portal from Manjaro.
I think putting it together with standard appvms and proxyvms in one network topology is possible but I haven't tried yet.

For reference re multiple network interfaces connecting to bridges: http://libvirt.org/formatdomain.html#elementsNICSVirtual

Drew White

May 23, 2017, 9:02:51 PM5/23/17
to qubes-users

Do you by chance have an instruction list for how to install and set it up to work properly please?

Or is it just the generic with alteration for the vNIC?

Drew White

May 23, 2017, 9:26:00 PM5/23/17
to qubes-users
On Wednesday, 24 May 2017 08:04:39 UTC+10, Connor Page wrote:

Whenever I perform an install, I always get "No-link-up connected" when it tries to find the current WAN device and I've got it connected to the firewall instead of a physical device.

I attach a physical device...
"bge0: watchdog timeout -- resetting"
"bge0: firmware handshake timed out, found 0x58000000"
"bge0: firmware handshake timed out, found 0x58000000"

Then a few minutes later it does it again.

How did you get around this?

Connor Page

May 24, 2017, 5:15:35 AM5/24/17
to qubes-users
Drew, as I've said my wifi card is not supported. Perhaps yours isn't either. I need to test something that pfSense can talk to.
All I changed in the VM config was to do with virtual interfaces. Those are correctly recognised as xn0 and xn1.

Drew White

May 28, 2017, 10:33:49 PM5/28/17
to qubes-users
On Wednesday, 24 May 2017 19:15:35 UTC+10, Connor Page wrote:
> Drew, as I've said my wifi card is not supported. Perhaps yours isn't either. I need to test something that pfSense can talk to.
> All I changed in the VM config was to do with virtual interfaces. Those are correctly recognised as xn0 and xn1.

It is not a wifi card. It's a generic NIC.
I have a Realtek and a Broadcom.
They both do the same thing.

I have not even tried using my TP-Link WiFi card.

Connor Page

May 29, 2017, 4:38:25 PM5/29/17
to qubes-users
I've encountered some problems myself. Out of two identical standard Realtek cards only one is recognised. :(

Drew White

May 30, 2017, 8:58:01 PM5/30/17
to qubes-users
On Tuesday, 30 May 2017 06:38:25 UTC+10, Connor Page wrote:
> I've encountered some problems myself. Out of two identical standard Realtek cards only one is recognised. :(

My Realtek works in version > 2.2, it's < 2.2 that it has the issue.

My Broadcom has the issue with the timeouts, the RealTek doesn't.

Is there some issue with the responses not being passed to and from correctly?

But I still don't know how to get the connection to be working for hot-add of NICs to PFSense when a new guest is added.

I can't add the details to PFSense when there is ONLY the WAN port, it doesn't like it.

How does one get around this?
How did you get yours set up Connor?

Connor Page

May 31, 2017, 8:12:51 AM5/31/17
to qubes-users
I don't do hotplugging to pfSense. I've created separate Fedora-based netvms with bridges named LAN and DMZ and connected pfSense to those at start. Then other VMs can use those netvms and connect either to a bridge or do the usual Qubes routing. Physical NICs can be added to those VMs and bridges. In case of routing one needs to masquerade selectively on the bridge interface (Qubes does masquerading on all interfaces except lo and vif+ by default). In case of bridging, the VM's config file has to invoke the vif-bridge script and provide the source bridge name and the VM's IP address. Then the script will do the rest. qvm-start --custom-config=...

This may be not optimal as bridges consume cpu cycles and irq processing. On the other hand Qubes currently doesn't support HVM netvms so until v4.0 that's the only solution I see. I'll keep playing with it but I suspect virtualised pfSense is not a good idea for real life use.
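The two pieces Connor describes above, as an added example that is not code from the thread or from Qubes: the bridge and a selective MASQUERADE inside the Fedora netvm, and the libvirt `<interface>` element for the pfSense HVM's custom config. The bridge name, the addresses, the routed-AppVM range and the form of the Qubes default NAT rule are assumptions; DRY_RUN=1 only prints the commands.

```bash
#!/bin/bash
# Added example, not the thread's or Qubes' own code. Names, addresses and the
# Qubes default NAT rule form are assumptions; check them against your netvm.
BR=${BR:-LAN}                           # bridge name, also the backend netvm name
BR_ADDR=${BR_ADDR:-10.10.1.1/24}        # netvm's own address on the bridge (constructed)
ROUTED_NET=${ROUTED_NET:-10.137.0.0/16} # range of routed AppVM vifs (assumed)
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Create the bridge inside the netvm and enslave the given devices, e.g. the
# delegated physical NIC; the pfSense HVM's vif is added by vif-bridge at start.
make_bridge() {
  run ip link add name "$BR" type bridge
  run ip addr add "$BR_ADDR" dev "$BR"
  run ip link set "$BR" up
  for dev in "$@"; do
    run ip link set "$dev" master "$BR"
    run ip link set "$dev" up
  done
}

# The netvm's default rule (assumed: '! -o lo ! -o vif+ -j MASQUERADE') would
# rewrite everything leaving the bridge, including the netvm's own traffic and,
# with br_netfilter loaded, bridged frames. Exempt anything that is not from a
# routed AppVM so that only routed VMs are masqueraded towards pfSense.
masq_rules() {
  run iptables -t nat -I POSTROUTING 1 -o "$BR" ! -s "$ROUTED_NET" -j ACCEPT
  run iptables -t nat -I POSTROUTING 2 -o "$BR" -s "$ROUTED_NET" -j MASQUERADE
}

# libvirt <interface> element for the pfSense HVM's custom config
# (qvm-start --custom-config=...), following libvirt's formatdomain NIC docs.
# Args: bridge/backend netvm name, guest IP on that bridge, MAC address.
libvirt_iface() {
  printf '<interface type="bridge">\n'
  printf '  <mac address="%s"/>\n' "$3"
  printf '  <source bridge="%s"/>\n' "$1"
  printf '  <backenddomain name="%s"/>\n' "$1"
  printf '  <ip address="%s"/>\n' "$2"
  printf '  <script path="vif-bridge"/>\n'
  printf '</interface>\n'
}
```

Run `DRY_RUN=0 make_bridge eth0 && DRY_RUN=0 masq_rules` inside the LAN netvm as root, and paste the output of `libvirt_iface LAN 10.10.1.2 <mac>` into the copied HVM config.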

Drew White

Jun 4, 2017, 8:42:40 PM6/4/17
to qubes-users
On Wednesday, 31 May 2017 22:12:51 UTC+10, Connor Page wrote:
> I don't do hotplugging to pfSense. I've created separate Fedora-based netvms with bridges named LAN and DMZ and connected pfSense to those at start. Then other VMs can use those netvms and connect either to a bridge or do the usual Qubes routing. Physical NICs can be added to those VMs and bridges. In case of routing one needs to masquerade selectively on the bridge interface (Qubes does masquerading on all interfaces except lo and vif+ by default). In case of bridging, the VM's config file has to invoke the vif-bridge script and provide the source bridge name and the VM's IP address. Then the script will do the rest. qvm-start --custom-config=...
>
> This may be not optimal as bridges consume cpu cycles and irq processing. On the other hand Qubes currently doesn't support HVM netvms so until v4.0 that's the only solution I see. I'll keep playing with it but I suspect virtualised pfSense is not a good idea for real life use.

So PFSense is NOT the first line of defense then?
It is behind another guest?

I create HVM, then convert it to NetVM/TemplateVM from TemplateHVM.
That normally works for me.

But the thing is it's difficult if you don't have the right things there to allow the connection to be created automatically. So that's where I come unstuck.


Even if it's the external, then you have multiple internals, that are statics, after that you have the guests behind them, then that would work?

How do you set up multiple NICs for it though?

Connor Page

Jun 5, 2017, 3:40:48 PM6/5/17
to qubes-users
On Monday, 5 June 2017 01:42:40 UTC+1, Drew White wrote:
>
> So PFSense is NOT the first line of defense then?
> It is behind another guest?

It was the first line of defense from Internet threats. But at the same time it was connected to bridges in Fedora netvms that themselves were only connected, or to be more precise provided bridging and routing services, to an external NIC (for LAN) and internal VMs (some bridged, some routed). The netvms were not connected to the Internet.

> How do you set up multiple NICs for it though?

Somehow pfSense didn't recognise one of two identical NICs that I delegated to it. So in the end it had only 3 interfaces: one external physical and two internal xen devices to LAN and DMZ. Routing and filtering worked fine in pfSense in this setup. I could have possibly created another bridge vm with the NIC that didn't work but I thought that would be a waste of resources.

I didn't have much time to spend on this as the server had to be restored back. I think it's too early now. We should wait for or help implementing HVM netvms in R4.0. Should be trivial then.

Drew White

Jun 5, 2017, 11:25:27 PM6/5/17
to qubes-users

Why wait when they are already in version 2? (If set up correctly).
