Running pfSense in a XenServer with xenguest

If you deploy pfSense on a XenServer, you may be shocked at the performance loss-specially on interface speed! But wait, there are some tweaks to make this usable.

Installing pfSense

Go ahead and setup pfSense like normal, and when you are done, perform the following tweaks. (the day till it’s tested on pfsense version 2.5.2 and xen on scp-ng 8.1)

XenServer tweaks

Find UUID for the pfSense VM you just installed.

xe vm-list

You should get something like the following

uuid ( RO) : b435d920-eb22-b45d-5058-091619ed427f
name-label ( RW): pfSense
power-state ( RO): running

uuid ( RO) : 42626f69-6185-4aa6-a125-839700f96828
name-label ( RW): Control domain on host: xenserver-000
power-state ( RO): running

We want the UUID of the instance running pfSense, b435d920-eb22-b45d-5058-091619ed427f in this case.

export UUID=b435d920-eb22-b45d-5058-091619ed427f

Next we need to find the internal ID for the interfaces you assigned to the pfSense install.

xe vm-vif-list uuid=$UUID

The output should look something like the following,

uuid ( RO) : 0d3408aa-76a8-c67f-103f-1a1ad8b74a84
vm-name-label ( RO): pfSense
device ( RO): 1
MAC ( RO): ea:30:29:df:cd:66
network-uuid ( RO): 6480f142-8024-b07e-7a6c-e7483d89229c
network-name-label ( RO): Pool-wide network associated with eth1

uuid ( RO) : b5cfe2a7-c7dc-d9db-b43c-3cfb1395f09c
vm-name-label ( RO): pfSense
device ( RO): 0
MAC ( RO): ba:cf:a9:e1:c9:49
network-uuid ( RO): 4dee415a-e497-0370-09e1-eb56145b69b4
network-name-label ( RO): Pool-wide network associated with eth0

You can see this install has 2 NIC’s assigned. we are looking for the ‘uuid’ of each of them

export VIF_1_UUID=0d3408aa-76a8-c67f-103f-1a1ad8b74a84
export VIF_2_UUID=b5cfe2a7-c7dc-d9db-b43c-3cfb1395f09c

Now for each of the VIF UUID’s we want to disable the offload settings:

xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-gso="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-ufo="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-tso="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-sg="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-tx="off"
xe vif-param-set uuid=$VIF_1_UUID other-config:ethtool-rx="off"

xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-gso="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-ufo="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-tso="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-sg="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-tx="off"
xe vif-param-set uuid=$VIF_2_UUID other-config:ethtool-rx="off"

Install Xen Tools on pfSense and set hardware checksum disable

Connect to the pfSense terminal and select option 8 to get shell access. Then copy and past the following to install the xen tools into the VM.

pkg install xe-guest-utilities
echo 'xenguest_enable="YES"' >> /etc/rc.conf.local
ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/
service xenguest start

Because you are running your pfSense as a VM you do not need hardware checksum enabled, so you can disable it.

In pfSense GUI, System > Advanced > Networking >Tick the option for “Disable hardware checksum offload”



Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.