Tuesday, June 17, 2014

pfSense in Hyper-V 2012 R2

As of May 2012, Microsoft has supported FreeBSD running as a guest on Hyper-V (see this article for more info).  That's nice as pfSense runs on a FreeBSD base, and if all was well in the world, the recently released pfSense 2.1 would have supported these new drivers.  If.

Unfortunately, pfSense 2.1 doesn't include the required drivers, so we're still stuck with Legacy NICs.  :(  Oh, well...

So, if you want to configure a pfSense Hyper-V 2012 R2 guest, you'll have to live with the 100Mbps limitation of the Legacy NICs and a little bit of time synchronization funkiness: the Hyper-V Host CPUs enter low power mode and pfSense doesn't handle this all that well, resulting in a number of "calcru: runtime went backwards" error messages.  :(

So, at this point in time pfSense 2.1 works adequately for a testing environment under Hyper-V, but I wouldn't recommend using it for a production environment.

  1. The latest pfSense is available from: http://mirror.optus.net/pub/pfSense/downloads/ - choose the LiveCD-x.y-RELEASE-amd64.iso.gz or LiveCD-x.y-RELEASE-i386.iso.gz file, check its checksum after downloading, and extract the ISO image
  2. Create a Gen 1 Hyper-V Guest with one CPU, 512MB RAM, 2 * Legacy NICs (and no Synthetic/native ones) and disable the Time Synchronization option.  Make a 5GB or so fixed VHDX file and assign the ISO as the DVD.  Boot away
  3. After the LiveCD boots and the two NICs (de0 and de1) have been assigned, you have the option to install to HDD - take this option and remove the ISO after the install and before the reboot happens
  4. Ensure the IPs of the two interfaces are configured appropriately.  I configured de0 to connect to the physical interface and de1 to connect to a Private Network for the guests inside the pfSense firewall.  Check that you can ping from the console.
  5. Configure a guest on the Private Network, check it can ping and www.google.com
  6. Hit the pfSense web page from inside the network and configure any options you need.
  7. On the pfSense console, you may need to type the following to ensure the NICs are restarted properly.  This used to be a significant issue with earlier pfSense releases, however it seems to have been fixed in 2.1 - YMMV:
    echo "ifconfig de0 down" >> /etc/rc.local
    echo "ifconfig de0 up" >> /etc/rc.local
    echo "ifconfig de1 down" >> /etc/rc.local
    echo "ifconfig de1 up" >> /etc/rc.local
  8. To try and help a little with the time sync issues, you will likely also need to type:
    echo "kern.timecounter.hardware=TSC" >> /etc/sysctl.conf
  9. That's pretty much it.  You'll have a somewhat functional pfSense Hyper-V guest.  It would be nice if the pfSense team had incorporated the Hyper-V drivers - let's hope they actually do this for pfSense 2.2.


The Outspoken Wookie
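
Steps 1 and 2 above can also be scripted on the Hyper-V host. The following is an added example, not part of the original post: the VM name, file paths, switch names and the expected hash are placeholders, and SHA256 is assumed as the checksum algorithm published alongside the download.

```powershell
# Added example (not from the original post). Run elevated on the Hyper-V 2012 R2 host.
$ErrorActionPreference = 'Stop'

$VMName    = 'pfSense'                              # hypothetical VM name
$GzPath    = 'C:\ISO\pfSense-LiveCD.iso.gz'         # placeholder: downloaded archive
$IsoPath   = 'C:\ISO\pfSense-LiveCD.iso'            # placeholder: ISO extracted from it
$VhdPath   = 'C:\VMs\pfSense\pfSense.vhdx'          # placeholder
$WanSwitch = 'External'                             # assumed: existing external vSwitch
$LanSwitch = 'pfSense-Private'                      # assumed name for the Private Network
$Expected  = '<SHA256-PUBLISHED-WITH-THE-DOWNLOAD>' # placeholder, take it from the mirror

# Step 1: stop if the download does not match the published checksum.
$actual = (Get-FileHash -Path $GzPath -Algorithm SHA256).Hash
if ($actual -ne $Expected) { throw "Checksum mismatch for ${GzPath}: $actual" }

# Private switch for the guests that sit behind the firewall.
if (-not (Get-VMSwitch -Name $LanSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $LanSwitch -SwitchType Private | Out-Null
}

# Step 2: Gen 1 guest, one CPU, 512MB RAM, 5GB fixed VHDX.
New-VHD -Path $VhdPath -SizeBytes 5GB -Fixed | Out-Null
New-VM -Name $VMName -Generation 1 -MemoryStartupBytes 512MB -VHDPath $VhdPath | Out-Null
Set-VMProcessor -VMName $VMName -Count 1

# New-VM adds a synthetic NIC by default; remove it and attach two Legacy NICs.
Get-VMNetworkAdapter -VMName $VMName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VMName -Name 'WAN' -IsLegacy $true -SwitchName $WanSwitch
Add-VMNetworkAdapter -VMName $VMName -Name 'LAN' -IsLegacy $true -SwitchName $LanSwitch

# Disable the Time Synchronization option and attach the ISO as the DVD.
Disable-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
Set-VMDvdDrive -VMName $VMName -Path $IsoPath

# Review before first boot: both adapters should be legacy, with the MAC of each
# listed so de0/de1 can be matched to WAN/LAN on the pfSense console.
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, IsLegacy, SwitchName, MacAddress
Get-VMIntegrationService -VMName $VMName |
    Where-Object { $_.Name -eq 'Time Synchronization' } |
    Select-Object Name, Enabled

# Step 3, after the install and before the reboot: eject the ISO.
# Set-VMDvdDrive -VMName $VMName -Path $null
```

With dynamic MAC addresses the MacAddress column is only populated once the VM has been started, so match the adapters to de0 and de1 after the first boot rather than relying on the order in which they were added.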


Michael-Rainabba Richardson said...

pfSense still not production ready in Hyper-V? I see there were some drivers on the pfsense forums until someone threw a fit and removed the links.

Anonymous said...

Thanks for the guide; very helpful! I was looking to play with some command line routing and this is a great way to do so. Thanks again for the guide!

Anonymous said...

At the moment, beta pfSense 2.2 is out with native support of the NICs.

Very nice, I use it in our Hyper-V test environment every day, what a beauty