*VIDEO GUIDE* A comprehensive guide to pfSense both unRAID VM and physical


SpaceInvaderOne


Hi First off thank you for the videos. because of those on youtube I decided to try unraid first for my new server and so far I am absolutely loving it.

 

On 5/2/2018 at 9:01 PM, Tal said:

Just spent the last few hours rattling my brain after watching part 3. My board (MSI P55-GD65) has 2 network ports, so I was thinking I could use one for the connection to the internet and the other for my internal network, but I just cannot get it to work. If you could suggest where I'm going wrong that would be mighty helpful. Awesome videos by the way. Your videos are the reason I'm using unraid at all. ?

 

Tal had the same idea I had, and I was hoping I could get it to work with the 2 NICs on my board first for more testing, to see if I actually like having pfSense on my server instead of on a physical device.

 

Would you be able to help us out and point us in the right direction on how to use one port for WAN and the other for LAN? This must be possible, right?

Link to comment

My dual 2670 reports AES enabled, repeating the following 32 times. But when I change pfSense to support Cryptographic Hardware I get the following on pfSense 2.4.3-RELEASE (amd64) on noVNC:

 

pfsense padlock0 no ace support

 

root@Tower:~# grep flags /proc/cpuinfo
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb pti ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts

I changed it back to disabled for now pending advice on this error.  Is AES enabled in spite of this error?

 

Edited by tr0910
Link to comment
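As an added example (not from the thread) for the question above: the "padlock0: No ACE support." line comes from FreeBSD's VIA PadLock driver and only says the CPU is not a VIA part; AES-NI is handled by the separate aesni(4) driver, which attaches as aesni0. The two functions below classify host cpuinfo text and guest dmesg text; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify what the unRAID host and the
# pfSense guest actually report about AES acceleration. Both functions take
# their input as text so they can be run on constructed samples offline.

# Host side: does /proc/cpuinfo-style text advertise AES-NI ("aes") and the
# carry-less multiply instruction ("pclmulqdq") that AES-GCM needs?
# Prints "aesni" for both, "partial" for aes only, "none" otherwise.
host_aes_support() {
    flags=$(printf '%s\n' "$1" | grep '^flags' | head -n1 | sed 's/^flags[[:space:]]*:[[:space:]]*//')
    has_aes=0; has_clmul=0
    for f in $flags; do
        [ "$f" = "aes" ] && has_aes=1
        [ "$f" = "pclmulqdq" ] && has_clmul=1
    done
    if [ "$has_aes" -eq 1 ] && [ "$has_clmul" -eq 1 ]; then echo aesni
    elif [ "$has_aes" -eq 1 ]; then echo partial
    else echo none; fi
}

# Guest side: "padlock0: No ACE support." is the VIA PadLock driver saying
# this is not a VIA CPU; it says nothing about AES-NI. AES-NI is the aesni(4)
# driver, which shows up in dmesg as "aesni0: <...> on motherboard".
guest_crypto_state() {
    if printf '%s\n' "$1" | grep -q '^aesni0: <'; then
        echo aesni-attached
    elif printf '%s\n' "$1" | grep -q 'padlock0: No ACE support'; then
        echo padlock-message-only
    else
        echo no-accelerator-seen
    fi
}

# Constructed samples (flag names taken from the cpuinfo line posted above).
SAMPLE_CPUINFO='processor       : 0
flags           : fpu vme de pse aes xsave avx pni pclmulqdq sse4_2'
SAMPLE_DMESG_OK='padlock0: No ACE support.
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard'
SAMPLE_DMESG_NOAES='padlock0: No ACE support.'

host_aes_support "$SAMPLE_CPUINFO"      # aesni
guest_crypto_state "$SAMPLE_DMESG_OK"   # aesni-attached
```

On the real systems, feed it `host_aes_support "$(cat /proc/cpuinfo)"` on unRAID and `guest_crypto_state "$(dmesg)"` from the pfSense shell.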

Thanks for the video series. I've been trying to get everything set up on my unraid server and everything seems to be working except for one thing. My unraid server doesn't seem to be getting an ip address from the pfsense VM. I have passed the 4 port Gigabit Network Card to the VM but my original Gigabit NIC that unraid uses is not being passed to the pfsense. Could that be the reason why it's not assigning my unraid server an ip address? I also have a separate physical network card for IPMI which doesn't seem to be getting an ip address either from the pfsense VM. I've assigned static IP addresses for both my unraid server (under network settings) and also my IPMI in my bios but I don't see it anywhere under DHCP leases in the pfsense menu.

Link to comment
12 hours ago, jonathanm said:

Can you describe your physical connections? For example, port 1 of 4 port nic plugged into 16 port gigabit switch, port 2 plugged into ISP modem, etc.

 

My Unraid server has 2 eth ports (On Motherboard) + 1 IPMI Port + 4 port NIC (Intel PCIe Gigabit card). Only the 4 port NIC has been passed to the pfsense VM. 

 

4 Port NIC:

Port 1 = WAN

Port 2 = LAN (Direct connection to PC) -> This is used to connect to pfsense to configure settings

Port 3 = WIFI/SWITCH (Using my old router AC68U in Access Point mode, it also has 4 ports + WAN port which I want to utilize as a switch)

Port 4 = Empty

 

The 2 eth ports on my motherboard and IPMI are not physically connected to anything, but I have also tried physically connecting the ethernet port on the motherboard and the IPMI port to my AC68U, which is connected to port 3 of the 4 port NIC. Ideally I want to avoid physically connecting anything from my motherboard/IPMI port to anything, in order to save ports/ethernet cables on the AC68U.

Edited by bobokun
Link to comment

Any interface that needs an IP address assigned has to be physically on the same segment of the passed through port that pfSense is running a DHCP server. If you have DHCP assigned on port 3, then you have to plug your server and IPMI into that same segment.

 

Since you have 2 LAN interfaces defined in pfSense, you could have 2 different sets of firewall rules and such on the 2 ports, for example you could have a switch plugged in to port 2 and have both your IPMI and pfSense on the same segment, with extremely restrictive rules, while putting your general network traffic on the other interface.

 

There is no way that I am aware of to software bridge the passed through ports to the unraid box, you have to physically connect them somehow.

 

If you want to save one port, you could define a LAN segment on port 4 for your unraid box, and just connect a short bit of cable from the motherboard port to port 4.

 

If the particular LAN port as defined in pfSense doesn't have a DHCP server running with valid settings, you won't get an IP address assigned to anything plugged into it.

Link to comment
  • 3 weeks later...

I am trying to get pfSense up and running using Part 3 of the video series. The video is fantastic, but I am still clueless at some point.

 

I have 4 ethernet ports on my unRAID server:

eth0: Broadcom on the MB. Before installing pfSense, unRAID normally used this port (192.168.1.100). Currently nothing is connected

eth1: Broadcom on the MB. Nothing.

 

eth2: Intel NIC on PCIe (pfSense WAN)

eth3: Intel NIC on PCIe (pfSense LAN) This is connected to the switch.

 

All seems OK. The 2-port Intel NIC is passed through to the pfSense VM. I can reach the pfSense VM on 192.168.1.1 but cannot get unRaid on 192.168.1.100. The video gives a solution on the DNS resolver page. But I don't use any domain name for unRAID.

 

How can I access unRAID from the LAN, which previously had the IP 192.168.1.100? If I connect eth0 to the switch separately, unRAID becomes accessible. But surely this is not an elegant way.

 

Thanks for any support.

Edited by sse450
Link to comment
On 4/24/2018 at 11:12 AM, gridrunner said:

Hi @joelones Just set in the bios of the pfsense to enable wake on lan. When the machine is off it will still power the lan port for wake on lan.

I use @Squid's excellent user script plugin to send a WoL ping using the etherwake command.

This script runs on array stop

 


etherwake 00:01:3e:4e:5a:b8

 

I also use another script for when the array starts

This uses ssh to log in to the pfSense machine and shut it down. This way only one pfSense is running at a time.

ie 


ssh [email protected] /etc/rc.halt

You will need to generate some ssh key pairs on unRAID and copy the public key to the admin user in pfsense.

 

All of this will be covered in my pfsense videos

 

Did this video ever get made? This is exactly what I am looking for. I have a separate 1U box in the rack that is my pfSense, and I would love to run it in a VM environment.

Did you also think of a good way to update the configuration on the physical box?

 

Thanks

Myk

Link to comment
 
Did this video ever get made? This is exactly what I am looking for. I have a separate 1U box in the rack that is my pfSense, and I would love to run it in a VM environment.
Did you also think of a good way to update the configuration on the physical box?
 
Thanks
Myk
I think this is still in his queue as he developed a full vm install that can be replicated to bare metal. Next video might be the fail over process.

Sent from my BND-L34 using Tapatalk

Link to comment

Another question trying to set this up, what would be the best way to have the unRAID machine and bare metal machine connected to the modem so they can auto switch?  Can you put a small switch after the modem and have both hooked up since only one at a time would be trying to connect to the modem?

Link to comment
Another question trying to set this up, what would be the best way to have the unRAID machine and bare metal machine connected to the modem so they can auto switch?  Can you put a small switch after the modem and have both hooked up since only one at a time would be trying to connect to the modem?
if you look back at his first video I think he made a diagram on how he had them connected and that's how I think he was going to do the videos

Sent from my BND-L34 using Tapatalk

Link to comment
  • 2 weeks later...

Okay, so I have a dumb question. I have pfSense as a VM in unRaid.  I have a quad Intel nic passed through to the VM. Port Designated WAN goes to cable modem, LAN goes to switch, which then goes to all my wired devices and wireless AP's. One of these ports on the switch goes back to the unRaid server onboard nic, which is used to give unRaid network access. This all works great until I restart the unRaid Machine. Obviously, unRaid starts before the pfSense VM can, resulting in the unRaid machine getting assigned a 169.xxx.xxx.xxx address which then results in not being able to access unRaid, have to put the old router back in place to get access again. Am I missing something? / Is there a way to resolve this?

Link to comment
1 minute ago, adamfritzsche said:

Okay, so I have a dumb question. I have pfSense as a VM in unRaid.  I have a quad Intel nic passed through to the VM. Port Designated WAN goes to cable modem, LAN goes to switch, which then goes to all my wired devices and wireless AP's. One of these ports on the switch goes back to the unRaid server onboard nic, which is used to give unRaid network access. This all works great until I restart the unRaid Machine. Obviously, unRaid starts before the pfSense VM can, resulting in the unRaid machine getting assigned a 169.xxx.xxx.xxx address which then results in not being able to access unRaid, have to put the old router back in place to get access again. Am I missing something? / Is there a way to resolve this?

 

Set a static IP address in unRaid network settings and make it locked/registered to the MAC address of your unRaid server in pfsense.

 

You can always access it via the hostname tower.local or whatever you set it to. It just might take a little longer to resolve without a DHCP server on the network.

Link to comment
37 minutes ago, 1812 said:

 

Set a static IP address in unRaid network settings and make it locked/registered to the MAC address of your unRaid server in pfsense.

 

You can always access it via the hostname tower.local or whatever you set it to. It just might take a little longer to resolve without a DHCP server on the network.

 

Ah, yes. That makes sense. Thank you.

Link to comment

Hello!

You helped me a lot with your videos, and after following all your tutorials I pulled the trigger on an Intel 4-port 1Gb NIC.

The problem is that I realized too late my 2500k doesn't support VT-d, so I can't pass through the PCIe card to the VM.

Are there any ways I can install pfSense in a VM?

The hardware configuration is like this:

ISP Modem/Router -> Switch -> unRaid Machine at eth port on motherboard.

I am not a pro in networking and I can't figure out how to configure the 4-port NIC.
 

Link to comment
  • 2 months later...

Hi All,

 

I'm trying to install this and am not able to boot into the vm.  It won't connect via vnc and gives me a message saying login to server failed.  I've tried OVMF and Seabios with no success on either.  On OVMF, I've tried all the Q35 versions.  I'm able to pass through my 4 port NIC.  Everything was done exactly as in video part 3.  What could be the issue?

 

It's f'ng Safari that is the problem.  Works with Chrome.  Go figure.

Edited by Mlatx
Link to comment

Hi All,

 

I successfully have pfSense running as a VM on unraid. I just need to get a cheap backup device. I'm having issues connecting to HTTPS with internal sites and through Let's Encrypt. In other words, I can't connect, and there is no message to proceed with caution.



I have Nextcloud set up according to SpaceInvader's video. It's running under my own domain and proxynet. With my old ISP router, port forwarding worked, and I was able to connect. Now with pfSense, I cannot. I don't get any errors within Let's Encrypt's logs.

 

I can’t connect to my OpenVPN server either. I put in the rule for private domain equals unraid.net in DNS resolver. 

 

What could I be missing here? I’ll continue to search but found nothing yet. 

Link to comment
  • 1 month later...

Hi @SpaceInvaderOne.  

First off thanks for all of your videos.  They have been beyond helpful!  Quick question about pfsense in particular to part 3 of your video.   I have the same 4 port intel nic you have; instead of applying the pci patch to separate out the nic is there any reason why we couldn't do the host dev method you've mentioned in another one of your videos?

Link to comment

Hello All You Helpful People!! (hint, hint)

 

I want to run pfSense in a VM under Unraid 6.6.6. I followed SpaceInvaderOne's videos, but I'm a bit stuck.

 

I'm trying to get cute with my setup.  I have a SuperMicro server with 4 onboard Intel gigabit lan ports AND a two port 10 gigabit pci card.  All of this is connected to a Cisco L3 3560e switch, which I have configured vlans on. 

 

Now, I'm trying to do the following. My WAN port from my cable modem goes into switchport 1 (VLAN 80) on my switch. All my devices can reach the internet because I have inter-VLAN routing configured. VLAN 10 is for computers. VLAN 20 is for cameras. VLAN 30 will be for Ubiquiti. VLAN 50 will be for IoT.

 

Now, I think I can configure the 10 gigabit ethernet ports to be bonded and set up as a trunk port, which I can then use as the LAN port in pfSense.  But, I'm fuzzy as to how/what to configure as the WAN port.  Can I use VLAN 80 as my WAN port, or does it have to be a discrete interface (like one of the gigabit ports)?  Where do I plug in the gigabit port(s)--in VLAN 80, or in VLAN 10 with computers?  And finally, how do I route all traffic through pfSense?  Set it as the default gateway? Or does running the trunk port through it do this for me already?

 

Any help would be appreciated.  Thank you

Link to comment
1 hour ago, Moose_Flunky said:

Hello All You Helpful People!! (hint, hint)

 

I want to run pfSense in a VM under Unraid 6.6.6. I followed SpaceInvaderOne's videos, but I'm a bit stuck.

 

I'm trying to get cute with my setup.  I have a SuperMicro server with 4 onboard Intel gigabit lan ports AND a two port 10 gigabit pci card.  All of this is connected to a Cisco L3 3560e switch, which I have configured vlans on. 

 

Now, I'm trying to do the following. My WAN port from my cable modem goes into switchport 1 (VLAN 80) on my switch. All my devices can reach the internet because I have inter-VLAN routing configured. VLAN 10 is for computers. VLAN 20 is for cameras. VLAN 30 will be for Ubiquiti. VLAN 50 will be for IoT.

 

Now, I think I can configure the 10 gigabit ethernet ports to be bonded and set up as a trunk port, which I can then use as the LAN port in pfSense.  But, I'm fuzzy as to how/what to configure as the WAN port.  Can I use VLAN 80 as my WAN port, or does it have to be a discrete interface (like one of the gigabit ports)?  Where do I plug in the gigabit port(s)--in VLAN 80, or in VLAN 10 with computers?  And finally, how do I route all traffic through pfSense?  Set it as the default gateway? Or does running the trunk port through it do this for me already?

 

Any help would be appreciated.  Thank you

*** IANANA/E (i am not a network architect/engineer) ***

Have you planned out your network? Literally drawn up a map for it? I'm not good enough at network architecture to do anything beyond basic configuration without drawing up a diagram/map/<something> to make sure I'm not missing something. How do you plan on connecting VLAN 80 to pfSense?
 

Link to comment
  • 3 weeks later...

Hi, I love the guide, however, I am having an issue with starting the VM. I am on step 3.

This pops up

internal error: process exited while connecting to monitor: 2019-01-24T03:29:45.614726Z qemu-system-x86_64: -device vfio-pci,host=07:00.0,id=hostdev0,bus=pci.3,addr=0x0: vfio error: 0000:07:00.0: failed to setup container for group 15: failed to set iommu for container: Operation not permitted

 

Thanks

Link to comment
