pfSense 1.2.1-RC2 VMware Appliance available

November 21st, 2008 by Chris Buechler

With each release going forward, we will be providing a VMware appliance in addition to the versions currently provided. This one is being handled a little differently since it is the first; in the future they will just be a part of the normal release announcement.

Many people (including nearly all of our developers) run pfSense in various VMware products covering their entire product line. For years now, the pfSense installer has automatically detected when you are running in VMware and applied OS tweaks for optimal performance under VMware hypervisors. More recently, Open-VM-Tools, the open source version of VMware Tools, has also become available as a pfSense package. If you are one of the many existing users of pfSense in VMware, you should consider installing that package.

Latest download link available here.

There are numerous mission critical pfSense deployments running in ESX, so this is a proven virtual firewall solution. The VMware Appliance is different from a stock pfSense install in three ways:

  • Default allow all rule added on WAN – usually your VM firewall’s WAN will be connected to your LAN, so this makes it easier to get in.
  • VMware Tools installed
  • Hostname set to pfsensevm.local rather than pfsense.local

Compatibility

Works with VMware Server 1.0 and newer, Workstation 6.0 and newer, ESX 3.x, every version of ESXi, and every version of Player.

Is it good to run my production firewall in a VM?

Sometimes yes, sometimes no. A more expansive dialog on this will come.

Usage

For hosted products (Server, Workstation, Player, Fusion) – Just extract the zip file, and double click on the FreeBSD.vmx file.

For ESX and ESXi – there are several ways to pull this VM into ESX/ESXi. I personally prefer using the free VMware Converter.

Network Info

The WAN interface is configured as bridged, and the LAN is on VMnet2. The WAN is configured for DHCP by default, so if the network your VMs are bridged to contains a DHCP server, it will pull a lease. You will see the WAN IP at the console menu. Because the VM Appliance includes an allow all rule on WAN, you can just pull up the shown WAN IP in your web browser to log in. Note this allow all rule is simply for convenience in getting up and running – with this rule in place, you don’t have a firewall, you have a wide open router.
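One way to confirm the convenience rule is gone before the VM is relied on as a firewall is to scan an exported configuration for it. This is an added example, not pfSense project code; it assumes the backup is a config.xml with `filter/rule` elements carrying `type`, `interface`, `protocol`, `source`, `destination` and `disabled` children, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed pfSense config.xml layout (not from the page).
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><descr>appliance allow all</descr>
    <source><any/></source><destination><any/></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <descr>HTTPS to web server</descr><source><any/></source>
    <destination><address>192.0.2.10</address><port>443</port></destination></rule>
  <rule><type>pass</type><interface>wan</interface><disabled/><descr>old test rule</descr>
    <source><any/></source><destination><any/></destination></rule>
  <rule><type>pass</type><interface>lan</interface><descr>Default LAN to any</descr>
    <source><network>lan</network></source><destination><any/></destination></rule>
</filter></pfsense>"""


def _is_any(endpoint):
    """True when a <source>/<destination> matches everything: <any/>, no port, not negated."""
    return (endpoint is not None
            and endpoint.find("any") is not None
            and endpoint.find("port") is None
            and endpoint.find("not") is None)


def wide_open_rules(config_xml, interface="wan"):
    """Return descriptions of enabled pass rules on `interface` that allow any-to-any."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall("./filter/rule"):
        if rule.find("disabled") is not None:
            continue  # disabled rules are not loaded into the ruleset
        if (rule.findtext("type") or "").strip() != "pass":
            continue
        if (rule.findtext("interface") or "").strip().lower() != interface:
            continue
        if (rule.findtext("protocol") or "").strip():
            continue  # assumption: a missing <protocol> means any protocol
        if _is_any(rule.find("source")) and _is_any(rule.find("destination")):
            findings.append((rule.findtext("descr") or "(no description)").strip())
    return findings


if __name__ == "__main__":
    for descr in wide_open_rules(SAMPLE_CONFIG):
        print("allow-all rule on WAN:", descr)
```

An empty result for the WAN interface means no enabled any-to-any pass rule remains there; narrower rules still need their own review.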

More info on VMware and networking will also come at some point.

36 Responses to “pfSense 1.2.1-RC2 VMware Appliance available”

  1. pfSense Digest » Blog Archive » pfSense 1.2.1-RC2 now available Says:

    [...] Digest News, reviews and more related to the pfSense firewall project « The Road to QoS pfSense 1.2.1-RC2 VMware Appliance available [...]

  2. Max Says:

    WOW, you just made my day! Thanks to you and all the developers behind this great product. Good job!

  3. degel3030 Says:

    keep up the great work

  4. banget sekale Says:

    I love pfsense!!
    2 thumbs up for this product.

  5. toro Says:

    Well, I have big problems with this release. An ath0 adapter on an Asus P5B-V set up as WAN causes a kernel panic + crash. After the configuration the system keeps on crashing every time on booting. I had to reinstall and not use a WLAN adapter as WAN.

  6. Chris Buechler Says:

    toro: that’s FreeBSD problems outside our control (plus it’s not related to the VMware Appliance so you’re on the wrong post). If you post to the forum we can provide suggestions. I have ath running as WAN just fine.

  7. Mark Says:

    I heard that you can’t do traffic shaping in a VMWare VM because of a flaw in the FreeBSD network driver that the VM uses.

    Is this true?

  8. Chris Buechler Says:

    Mark: that’s not true, with default settings on pfSense 1.2 and newer, VMware will use le(4) which supports ALTQ. On releases prior to 1.2, it would use lnc(4), which also supported ALTQ at that time. This appliance sets the NIC device type to e1000, which uses em(4), which also supports ALTQ.

    The timing inside a VM isn’t as precise as the timing on a physical machine (hz=100 vs. 1000), which could have an impact on shaping effectiveness, but shouldn’t be enough to have a significant impact, if even measurable.

  9. YoMarK Says:

    Traffic shaping works with pfSense (e1000 indeed has ALTQ).
    Timing on a VM is however a bigger problem than you think.
    If you’re running multiple VMs on the same CPU core (the whole idea around virtualization), then the VM’s clock can go multiple seconds “wrong” per 10 seconds, as it has no direct link to the hardware clock.
    You can tune this a little, and assigning the VM a dedicated core will make a big difference, but the fact remains that virtualisation and timing-critical applications do not work well together.

  10. Mark Says:

    Just curious why the appliance uses the e1000. Are there any advantages over the “flexible” adapter?

  11. Chris Buechler Says:

    On timing – YMMV. Some systems will have significant problems. Personally, none of my VMware systems have remotely the timing problems that YoMarK mentioned, but you may indeed have serious problems on occasion.

    Mark: it uses e1000 based on our extensive experience with production deployments, and conversations with engineers at VMware. It’s the best choice with FreeBSD.

  12. YoMarK Says:

    Mark: “flexible” means vmxnet (driver), and can be faster depending on the situation. You can compile vmxnet as a module for pfSense if you want, but it’s not as stable as e1000. Updating pfSense/kernel can cause problems with old modules, and e1000 is supported in the FreeBSD/pfSense kernel so you don’t have to worry about that.
    On 64-bit operating systems (Windows/Linux/*BSD) e1000 is the standard interface type.
    Some more information and benchmarks on this topic: http://www.vmware.com/files/pdf/perf_comparison_virtual_network_devices_wp.pdf

  13. Chris Buechler Says:

    vmxnet is included in the Open-VM-Tools package so you can use it, there just isn’t any compelling reason to do so.

  14. horace Says:

    Hello, I’m looking for the RSS feed of this blog. Is it available?

  15. Chris Buechler Says:

    horace: look at the bottom of every page on this site. “Entries (RSS) and Comments (RSS)”

  16. Max Says:

    This VMWare appliance DOES NOT work on VMware Server 1.0.8 (the latest of the 1.0.x series).
    VMware Server says that the appliance has been created with a server with “more features”.
    If I manually edit the .vmx file, changing the
    virtualHW.version = "6"
    into
    virtualHW.version = "4"
    now I can add the appliance to the inventory, but it doesn’t start because, now, it’s the disk file pfSense-1.2.1-VM.vmdk that has been created with an incompatible version of VMware Server…

    :-(

    I’ll follow the dirty way, trying to upgrade my existing pfSense 1.2 :-)
    Anyway, thanks for the GREAT JOB you are doing, pfSense solved my connectivity problem :-)

  17. Max Says:

    Now everything is up and running on my VMware Server 1.0.8.
    I’ve updated my pfSense 1.2 installation, and I’ve installed the OpenVMTools package.
    Everything went fine :-)

  18. Rob Says:

    When importing into esxi, it fails because the drive is reported as IDE … am I doing something wrong?

  19. Rob Says:

    Correction to my last post … I was using VMWare Converter to make OVF file and then importing into esxi. The working method is to use vmware converter to convert the vm directly to esxi

  20. Chris Buechler Says:

    Rob: Right, that’s the way to do it. I’ll likely make an OVF file also, for future releases.

  21. Roger C. Pao Says:

    What is the best method to upgrade from pfSense-1.2.1-VM to 1.2.2?
    1. Backup configuration, replace 1.2.1 with 1.2.2, restore configuration.
    2. Manual firmware update using pfSense-Full-Update-1.2.2.tgz.
    3. Auto update.

  22. Roger C. Pao Says:

    You can delete my comment about how to upgrade from pfSense-1.2.1-VM to 1.2.2. The answer is at
    http://doc.pfsense.org/index.php/UpgradeGuide#VMware_Appliance

  23. Chris Buechler Says:

    Roger: Yep, you found it. I’ll leave it here for anyone looking in the future.

  24. pbk Says:

    How can I use the Appliance with a Debian VMware Server 2.01 installation, because the NIC type
    ethernet1.virtualDev = "e1000"
    is not available in this installation…
    After updating it to a “flexible” type the NIC isn’t available inside the Appliance

    Thanks for your help…

  25. Steve Anthony Says:

    Great Job Pfsense Team!!

    Awesome Software.

    Keep it up.

  26. Tobias Says:

    Are there plans to update the VMware appliance to the current 2.0 version? At least you should add a warning to the download page of the appliance that this is an outdated version…

  27. 7echno7im Says:

    I agree. Just looking for the 2.0 appliance.

  28. Chris Buechler Says:

    There’s no need for an appliance, just install from the ISO. Though we’ll put out an OVA on the next release.

  29. Ph4r4n0x Says:

    Download does not work!

  30. Chris Buechler Says:

    There’s an OVA on the mirrors for all current releases.

  31. Ahmed Says:

    Chris Buechler
    Would you please help us to use the software because me and “Ph4r4n0x” cannot download. Even with a working like.
    And if you know how to tell and admins about this problem I’ll be happy.

  32. Chris Buechler Says:

    There is an ova on the mirrors now. Go to the downloads page, new installs, on http://www.pfsense.org, pick a mirror, choose the ova.

  33. Tom Says:

    I couldn’t find a download link for your VMWare appliance. Can you send me a link where I can download the latest VMWare appliance…?

    Thx in advance & Bye Tom

  34. Chris Buechler Says:

    There is an OVA on the mirrors. See my last comment.

  35. John Says:

    There is no ova file available for the latest version (2.1) you will have to look for a mirror offering a folder “old”. There are ova files for the version 2.0.3 in it.

  36. Some Guy Says:

    Hmm, quoth the article above – “With each release going forward, we will be providing a VMware appliance… in the future they will just be a part of the normal release announcement.”
    If that policy has changed, the download pages should probably be edited to stop sending people hunting for non-existent ova downloads.
