pfSense 1.2.1-RC2 VMware Appliance available
With each release going forward, we will be providing a VMware appliance in addition to the versions currently provided. This one is being handled a little differently since it is the first; in the future they will just be a part of the normal release announcement.
Many people (including nearly all of our developers) run pfSense in various VMware products covering their entire product line. For years now, the pfSense installer has automatically detected when you are running in VMware and applied OS tweaks specific to optimal performance when running under VMware hypervisors. More recently, Open-VM-Tools, the open source version of VMware Tools, is also available as a pfSense package. If you are one of the many existing users of pfSense in VMware, you should consider installing that package.
Latest download link available here.
There are numerous mission critical pfSense deployments running in ESX, so this is a proven virtual firewall solution. The VMware Appliance is different from a stock pfSense install in three ways:
- Default allow all rule added on WAN – usually your VM firewall’s WAN will be connected to your LAN, so this makes it easier to get in.
- VMware Tools installed
- Hostname set to pfsensevm.local rather than pfsense.local
Compatibility
Works with VMware Server 1.0 and newer, Workstation 6.0 and newer, ESX 3.x, every version of ESXi, and every version of Player.
Is it good to run my production firewall in a VM?
Sometimes yes, sometimes no. A more expansive dialog on this will come.
Usage
For hosted products (Server, Workstation, Player, Fusion) – Just extract the zip file, and double click on the FreeBSD.vmx file.
For ESX and ESXi – there are several ways to pull this VM into ESX/ESXi. I personally prefer using the free VMware Converter.
Network Info
The WAN interface is configured as bridged, and the LAN is on VMnet2. The WAN is configured for DHCP by default, so if the network your VMs are bridged to contains a DHCP server, it will pull a lease. You will see the WAN IP at the console menu. Because the VM Appliance includes an allow all rule on WAN, you can just pull up the shown WAN IP in your web browser to log in. Note this allow all rule is simply for convenience in getting up and running – with this rule in place, you don’t have a firewall, you have a wide open router.
More info on VMware and networking will also come at some point.
November 21st, 2008 at 3:38 pm
WOW, you just made my day! Thanks to you and all the developers behind this great product. Good job!
November 21st, 2008 at 10:22 pm
keep up the great work
November 22nd, 2008 at 6:57 am
I love pfsense!!
2 thumbs up for this product.
November 22nd, 2008 at 2:29 pm
Well, I have big problems with this release. An ath0 adapter on an ASUS P5B-V set up as WAN causes a kernel panic + crash. After the configuration the system keeps on crashing every time on booting. I had to reinstall and not use a WLAN adapter as WAN.
November 22nd, 2008 at 2:32 pm
toro: that’s FreeBSD problems outside our control (plus it’s not related to the VMware Appliance so you’re on the wrong post). If you post to the forum we can provide suggestions. I have ath running as WAN just fine.
November 23rd, 2008 at 9:18 am
I heard that you can’t do traffic shaping in a VMware VM because of a flaw in the FreeBSD network driver that the VM uses.
Is this true?
November 23rd, 2008 at 3:49 pm
Mark: that’s not true, with default settings on pfSense 1.2 and newer, VMware will use le(4) which supports ALTQ. On releases prior to 1.2, it would use lnc(4), which also supported ALTQ at that time. This appliance sets the NIC device type to e1000, which uses em(4), which also supports ALTQ.
The timing inside a VM isn’t as precise as the timing on a physical machine (hz=100 vs. 1000), which could have an impact on shaping effectiveness, but shouldn’t be enough to have a significant impact, if even measurable.
November 24th, 2008 at 6:26 am
Traffic shaping works with pfSense (e1000 indeed has ALTQ).
Timing on a VM is however a bigger problem than you think.
If you’re running multiple VMs on the same CPU core (the whole idea around virtualization), then the VM’s clock can go multiple seconds “wrong” per 10 seconds, as it has no direct link to the hardware clock.
You can tune this a little, and assigning the VM a dedicated core will make a big difference, but the fact remains that virtualisation and timing critical applications do not work well together.
November 24th, 2008 at 3:11 pm
Just curious why the appliance uses the e1000. Are there any advantages over the “flexible” adapter?
November 24th, 2008 at 6:38 pm
On timing – YMMV. Some systems will have significant problems. Personally, none of my VMware systems have remotely the timing problems that YoMarK mentioned, but you may indeed have serious problems on occasion.
Mark: it uses e1000 based on our extensive experience with production deployments, and conversations with engineers at VMware. It’s the best choice with FreeBSD.
November 25th, 2008 at 8:39 am
Mark: “flexible” means vmxnet (driver), and can be faster depending on the situation. You can compile vmxnet as a module for pfSense if you want, but it’s not as stable as e1000. Updating pfSense/kernel can cause problems with old modules, and e1000 is supported in the FreeBSD/pfSense kernel so you don’t have to worry about that.
On 64-bit operating systems (Windows/Linux/*BSD) e1000 is the standard interface type.
Some more information and benchmarks on this topic: http://www.vmware.com/files/pdf/perf_comparison_virtual_network_devices_wp.pdf
November 25th, 2008 at 4:16 pm
vmxnet is included in the Open-VM-Tools package so you can use it, there just isn’t any compelling reason to do so.
November 26th, 2008 at 1:56 pm
Hello, I’m looking for the RSS feed of this blog. Is it available?
November 26th, 2008 at 8:16 pm
horace: look at the bottom of every page on this site. “Entries (RSS) and Comments (RSS)”
December 26th, 2008 at 4:10 pm
This VMware appliance DOES NOT work on VMware Server 1.0.8 (the latest of the 1.0.x series).
VMware Server says that the appliance has been created with a server with “more feature”.
If I manually edit the .vmx file changing the
virtualHW.version = "6"
into
virtualHW.version = "4"
now I can add the appliance to the inventory, but it doesn’t start because, now, it’s the disk file pfSense-1.2.1-VM.vmdk that has been created with an incompatible version of VMware Server…
I’ll follow the dirty way, trying to upgrade my existing pfSense 1.2.
Anyway, thanks for the GREAT JOB you are doing, pfSense solved my connectivity problem.
December 27th, 2008 at 3:22 am
Now everything is up and running on my VMware Server 1.0.8.
I’ve updated my pfSense 1.2 installation, and I’ve installed the OpenVMTools package.
Everything went fine.
February 26th, 2009 at 10:13 pm
When importing into ESXi, it fails because the drive is reported as IDE … am I doing something wrong?
February 26th, 2009 at 10:35 pm
Correction to my last post … I was using VMware Converter to make an OVF file and then importing into ESXi. The working method is to use VMware Converter to convert the VM directly to ESXi.
February 26th, 2009 at 11:00 pm
Rob: Right, that’s the way to do it. I’ll likely make an OVF file also, for future releases.
April 21st, 2009 at 12:12 pm
What is the best method to upgrade from pfSense-1.2.1-VM to 1.2.2?
1. Backup configuration, replace 1.2.1 with 1.2.2, restore configuration.
2. Manual firmware update using pfSense-Full-Update-1.2.2.tgz.
3. Auto update.
April 21st, 2009 at 12:39 pm
You can delete my comment about how to upgrade from pfSense-1.2.1-VM to 1.2.2. The answer is at
http://doc.pfsense.org/index.php/UpgradeGuide#VMware_Appliance
April 21st, 2009 at 1:03 pm
Roger: Yep, you found it. I’ll leave it here for anyone looking in the future.
October 2nd, 2009 at 6:48 am
How can I use the appliance with a Debian VMware Server 2.01 installation, because the NIC type
ethernet1.virtualDev = "e1000"
is not available in this installation…
After updating it to a “flexible” type the NIC isn’t available inside the appliance.
Thanks for your help…
November 29th, 2009 at 3:07 am
Great Job Pfsense Team!!
Awesome Software.
Keep it up.
October 25th, 2011 at 7:32 am
Are there plans to update the VMware appliance to the current 2.0 version? At least you should add a warning to the download page of the appliance that this is an outdated version…
December 7th, 2011 at 8:15 pm
I agree. Just looking for the 2.0 appliance.
December 7th, 2011 at 8:32 pm
There’s no need for an appliance, just install from the ISO. Though we’ll put out an OVA on the next release.
February 7th, 2013 at 2:07 am
Download does not work!
February 7th, 2013 at 10:29 pm
There’s an OVA on the mirrors for all current releases.
May 16th, 2013 at 6:29 am
Chris Buechler
Would you please help us to use the software because me and “Ph4r4n0x” cannot download. Even with a working link.
And if you know how to tell and admins about this problem I’ll be happy.
May 17th, 2013 at 12:05 am
There is an ova on the mirrors now. Go to the downloads page, new installs, on http://www.pfsense.org, pick a mirror, choose the ova.