Virtualized pfSense 2.0.1 affecting Hyper-V host connectivity? ARP?

The Setup

I have set up pfSense 2.0.1 (64-bit amd64 image) as a host in Hyper-V. As described in other blogs I had to do “ifconfig down deX”, “ifconfig up deX” to get the network up and running.

The server (HP running Windows 2008 R2) is equipped with two physical NICs.

  • The first physical NIC (port 1) is not configured in the host (only as Hyper-V switch, see further down).

  • The second physical NIC (port 2) is configured with a network for remote management (standard class C network). I think both NICs are connected to the same switch and VLAN = default (the physical wiring was done by my co-location provider).

In Hyper-V there are the following virtual networks defined:

  • internal: virtual machine internal network used for inter VM communication (“LAN” connecting the Windows servers).

  • Internet: virtual network used as WAN connection for pfSense. This network is assigned to the first physical NIC (port 1) of the server. The virtual network is dedicated for Hyper-V and is not shared with the host.

In my setup I use pfSense as the Internet facing firewall for a couple of virtual machines (Windows servers) also running on the same Hyper-V host.

The Windows boxes use pfSense as their default gateway and I successfully downloaded Windows updates to all VMs through the pfSense firewall – working smoothly.

For redirecting incoming services, pfSense is set up with 1-1 NAT to map the ISP's IP addresses to internal 172.16.0.0/16 addresses on the Windows boxes.

The problem

The problem I had is that after working successfully with an RDP connection over the management network (port 2), the connection just dies and all network connectivity to the server and the VMs is lost. Before the problem occurred I made two configuration changes.

  1. Moved the management IP address from port 1 to port 2. This change was successfully verified by re-connecting RDP one hour later on the new interface (port 2 as described above).

  2. Did some configuration of the virtual IPs in pfSense (needed for the 1-1 NAT).

Some minutes later the connectivity to the machine was lost.

The thing that puzzles me is that the management network connection (port 2) is supposed to be untouched by Hyper-V, since it is not integrated with Hyper-V. However, there seems to be error propagation from pfSense (using the NIC on port 1).

Earlier today we had a similar problem when using only one NIC (port 1 shared between Hyper-V/pfSense and the host). The problem we had then was that when pfSense was stopped we could ping the host, and when it was started again the ping stopped working (no IP conflict that we know of).

pfSense is installed from the ISO and “MAC Address spoofing” is at its default = off.

Since the problem seems to propagate between the two physical ports, my guess is that this might have something to do with ARP not working correctly.

Any insights or comments on this are very much appreciated.

/ J
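One way to test the ARP hypothesis raised in the question is to watch who actually answers ARP for the addresses involved. The following is an added example, not code from the poster or from the pfSense project. It parses the text output of `tcpdump -eni <iface> arp` (the `-e` form that prints source and destination MACs, as produced by tcpdump on the pfSense console or on any third host on the same switch segment) and reports every IP address that more than one MAC has claimed, which is what an overlapping proxy-ARP virtual IP looks like from the wire. The capture below is constructed for the example; the addresses (203.0.113.0/24, the 00:15:5d Hyper-V OUI for the pfSense WAN adapter, and the other MACs standing in for physical NICs) are assumptions, not values from the poster's network.

```python
"""Find IP addresses that more than one MAC answers ARP for, from
`tcpdump -eni <iface> arp` output.  Two stations claiming the same IP is
the symptom to look for when a proxy-ARP virtual IP overlaps an address
that another host (for example a Hyper-V host's management NIC) owns.
"""
import re
from collections import defaultdict

# Constructed sample, not a capture from the poster's network.  203.0.113.0/24
# is a documentation range, 00:15:5d:* is the Hyper-V OUI (the pfSense VM's
# WAN adapter here), 3c:d9:2b:* stands in for the upstream router and
# 00:1f:29:* for the host's physical management NIC.  The frames show the
# pfSense VM answering for 203.0.113.30, which the management NIC also owns.
SAMPLE_CAPTURE = """\
10:01:02.000001 00:15:5d:10:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.1 tell 203.0.113.20, length 28
10:01:02.000120 3c:d9:2b:aa:bb:01 > 00:15:5d:10:00:01, ethertype ARP (0x0806), length 60: Reply 203.0.113.1 is-at 3c:d9:2b:aa:bb:01, length 46
10:01:05.000001 3c:d9:2b:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.30 tell 203.0.113.1, length 46
10:01:05.000090 00:1f:29:cc:dd:02 > 3c:d9:2b:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.30 is-at 00:1f:29:cc:dd:02, length 28
10:01:05.000140 00:15:5d:10:00:01 > 3c:d9:2b:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.30 is-at 00:15:5d:10:00:01, length 28
10:01:09.000001 3c:d9:2b:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.21 tell 203.0.113.1, length 46
10:01:09.000070 00:15:5d:10:00:01 > 3c:d9:2b:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.21 is-at 00:15:5d:10:00:01, length 28
"""

# Outer frame as printed by tcpdump -e -n: "<ts> <src> > <dst>, ethertype ARP (0x0806), length N: <body>, length M"
FRAME = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: (?P<body>.*), length \d+$"
)
REPLY = re.compile(r"^Reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17})$")
REQUEST = re.compile(r"^Request who-has \S+ tell (?P<ip>\S+)$")


def parse_arp_lines(text):
    """Return one (timestamp, ip, mac, kind) tuple per ARP frame.

    A Reply binds the advertised IP to its is-at MAC.  A Request also leaks
    a binding: the 'tell' address belongs to the frame's source MAC.
    """
    records = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # not an ARP frame in -e format; skip it
        body = m.group("body")
        r = REPLY.match(body)
        if r:
            records.append((m.group("ts"), r.group("ip"), r.group("mac").lower(), "reply"))
            continue
        q = REQUEST.match(body)
        if q:
            records.append((m.group("ts"), q.group("ip"), m.group("src").lower(), "request"))
    return records


def arp_bindings(records):
    """Map each IP address to the set of MACs that have claimed it."""
    seen = defaultdict(set)
    for _ts, ip, mac, _kind in records:
        seen[ip].add(mac)
    return dict(seen)


def find_conflicts(bindings):
    """IPs claimed by more than one MAC; MACs sorted so output is stable."""
    return {ip: sorted(macs) for ip, macs in bindings.items() if len(macs) > 1}


def check_expected(bindings, expected):
    """Compare the wire against known-good bindings (management IP -> NIC MAC).

    Returns (ip, expected_mac, [other macs that answered]) for each mismatch.
    """
    problems = []
    for ip, mac in expected.items():
        others = sorted(m for m in bindings.get(ip, set()) if m != mac.lower())
        if others:
            problems.append((ip, mac.lower(), others))
    return problems


if __name__ == "__main__":
    bindings = arp_bindings(parse_arp_lines(SAMPLE_CAPTURE))
    for ip, macs in find_conflicts(bindings).items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
    # Hypothetical known-good binding: the host's management IP and NIC MAC.
    for ip, want, bad in check_expected(bindings, {"203.0.113.30": "00:1f:29:cc:dd:02"}):
        print(f"{ip} should only be {want}, also claimed by {', '.join(bad)}")
```

To use it against a real segment, capture with `tcpdump -eni <wan-if> arp > arp.txt` on the pfSense console (or from any other host on the same switch) while reproducing the outage, then feed the file to `parse_arp_lines`. Because pfSense's WAN adapter has MAC spoofing off, every address pfSense answers for will come from the VM's single Hyper-V-assigned MAC, so an IP that appears under both that MAC and the management NIC's MAC is the conflict to look for; a clean capture, with every IP bound to exactly one MAC, rules the ARP explanation out.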


Did you check the Event Viewer on the W2008R2?

Could be due to max TCP connections allowed by Windows: https://technet.microsoft.com/en-us/library/cc759700%28WS.10%29.aspx

pfSense as a software router uses lots of connections which can be opened but not closed, in waiting status and so on. This kind of network use can reach the default limits of the TCP stack, and Windows could close or not allow more connections of this type. The first thing to do in this case is to check Event Viewer to see if something is reported there.