pfSense 2.2 beta works with Xen

After a quick test install of pfSense 2.2’s beta image (dated 1017 – I see there are two newer builds up since then), I’m pleased to report that Xen support works with pfSense 2.2 without rebuilding it!  yay!

iso image here:;O=D

I’ve been running a build of pfSense 2.1 I built over a year ago (crikey.. already?), to add Xen support myself.  It’s been great, but after Electric Sheep Fence locked down their git repository (bastages!), I haven’t bothered upgrading.  Here’s my current build:

[Image: pfSense 2.1 dashboard]

As you can see, I’m running it with 2 threads on my Xeon X3450, and have given it 2GB of memory to work with, as it’s not just being a router/firewall, but is also running a Squid transparent http caching proxy, as well as being the endpoint for my AirVPN connection.

So for those looking to do your own install of pfSense 2.2 based on FreeBSD 10, on a Xen environment, here’s the config file I used to run up the installer:

#  pfSense 2.2 pvhvm  installation
name = 'pfsense22'
builder = 'hvm'
maxmem = 2000
memory = 2000
vif = [ 'bridge=xenbr0, mac=00:3e:16:02:02:99' ]
disk = [ 'phy:/dev/vg_ssd/pfsense22,xvda,w',
         'file:/mnt/isos/bsd/pfSense-LiveCD-2.2-BETA-amd64-20141017-1127.iso,hdb:cdrom,r' ]
# Boot from the cdrom device
boot = 'd'
vnclisten = ''

on_poweroff = 'destroy'
on_reboot   = 'destroy'
on_crash    = 'destroy'

Once the install is complete, when it goes to reboot, it will terminate, thanks to the “destroy” for the on_reboot entry.  That gives me the chance to edit the file for actual use, rather than just install.  Also note that I have it set to create a VNC console on the dom0 for the console – this is something I do for all my VMs, as I like to have console access available sometimes.

For production use, the lines I change or add are:

#disable the xen bridged virtual network interface
#vif = [ 'bridge=xenbr0, mac=00:16:3e:00:99:03' ]
#Remove the ISO image and add a data drive for the Squid cache
disk = [ 'phy:/dev/vg_ssd/vm_pfsense22,xvda,w',
#set the boot drive to the primary "disk"
boot = 'c'
#put the reboot interrupt back to rebooting the VM
on_reboot   = 'restart'
# Passthrough two physical network cards for duty as LAN/WAN interfaces.  These are connected to two physically separate network subnets.
pci = ['03:00.0','03:00.1']
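
As an added example (not the author's code), here is a small Python check that reads an xl config and lists the install-time settings described above that are still present before the VM goes into real use. It assumes the config only uses the simple key = value literal forms shown in this post; the function names, the sample configs and the vnclisten check are constructed for the illustration.

```python
import ast

def parse_xl_cfg(text):
    """Read `key = literal` assignments; the configs in this post are valid Python literals."""
    cfg = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            cfg[node.targets[0].id] = ast.literal_eval(node.value)
    return cfg

def production_findings(cfg):
    """Return install-time leftovers the post says to change before real use."""
    findings = []
    if cfg.get("on_reboot") == "destroy":
        findings.append("on_reboot is 'destroy': the firewall VM stays down after a reboot")
    for entry in cfg.get("disk", []):
        if "cdrom" in entry:
            findings.append("installer ISO still attached: " + entry.split(",")[0])
    if cfg.get("pci") and cfg.get("vif"):
        findings.append("bridged vif still defined alongside passthrough NICs")
    listen = cfg.get("vnclisten")
    if listen is not None and listen not in ("127.0.0.1", "localhost"):
        findings.append("vnclisten is %r, not loopback: check who can reach the console" % listen)
    return findings

# Constructed sample: the install config with passthrough added but nothing else changed.
# Device paths and addresses are made up for this example.
SAMPLE_INSTALL = """
name = 'pfsense-test'
builder = 'hvm'
vif = [ 'bridge=xenbr0, mac=00:16:3e:00:00:01' ]
disk = [ 'phy:/dev/vg_example/pfsense,xvda,w',
         'file:/mnt/isos/example.iso,hdb:cdrom,r' ]
vnclisten = '0.0.0.0'
on_reboot = 'destroy'
pci = ['03:00.0','03:00.1']
"""

# Constructed sample: the same VM after the production edits.
SAMPLE_PRODUCTION = """
name = 'pfsense-test'
builder = 'hvm'
disk = [ 'phy:/dev/vg_example/pfsense,xvda,w' ]
on_reboot = 'restart'
pci = ['03:00.0','03:00.1']
"""

if __name__ == "__main__":
    for label, text in (("install", SAMPLE_INSTALL), ("production", SAMPLE_PRODUCTION)):
        print(label, production_findings(parse_xl_cfg(text)) or "clean")
```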

Note that I don’t run XenServer – so if any of you reading this do, and give pfSense a test, please report back as to whether it includes the xen-tools support, for the benefit of others.  In a week or two, I’ll be grabbing the latest beta snapshot and installing it to actually run my network, with the fallback of booting up the VM I’ve been using for the last year if anything is too broken 🙂


7 thoughts on “pfSense 2.2 beta works with Xen”

  1. I completed a deployment of pfSense 2.2-RELEASE X64 in XenServer 6.5 and it works very well after making some adjustments to the Virtual Interfaces.

    My Internet speed normally is 20 Mb/s down and 2 Mb/s up.

    Without modification, the pfSense 2.2 would only muster 5 Mb/s down, and 0.06 Mb/s up. Painful.
    I applied the changes to the LAN side VIF and the upload speed went back to full 2 Mb/s.
    I applied the changes to the WAN side VIF and the upload speed went back up to 20 Mb/s.

    See this thread for the commands and apply them to both the LAN and WAN.


  2. I have pfSense 2.2 running on XenServer 6.2 and on XenServer 6.5 beta3. Both work fine for machines on the LAN behind the XenServer hardware, but for VMs on the same XenServer, access through pfSense to the internet is painfully slow. See this discussion:

    Is your internet speed from other VMs on the same Xen hardware normal?

    • I’m using two hardware devices for pfSense, passed using pciback passthrough, so I haven’t noticed any slowdown.

      I’ve been sorting out my openVPN setup under 2.2 release. I decided to go for a clean install, after trying the upgrade successfully from my old 2.1 xen build, and deciding I may as well re-setup the router/firewall stuff, switching to DNS Resolver along the way.
