Hi Everyone,

Does anybody have any experience using pfSense on Xen? I would most probably have to use HVM...

My idea would be to use PCI-Passthrough to the pfsense DomU, and only make the Dom0 accessible via the pfsense firewall

Thanks

Jonathan

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On 05/27/10 18:06, Jonathan Tripathy wrote:
> Hi Everyone,
>
> Does anybody have any experience using pfSense on Xen? I would most
> probably have to use HVM...

actually, i use pfSense in hvm quite a while... it works. recently i tried to get pfSense in pv, but that needs to be polished some time before it is ready to use. (it works, but it is half broken that way and i spent the whole day yesterday to get a clear view on that problem).

> My idea would be to use PCI-Passthrough to the pfsense DomU, and only
> make the Dom0 accessible via the pfsense firewall

make sure, you can access that dom0 in event of emergency. If anything happens to your pfsense, which is possible, you probably can't access your dom0 anymore and are stuck and that's probably not what you want.

btw, you don't need to passthrough your nic for that behavior. In a bridged setup you just have to leave your bridge interface to the outside without an ip address.

Sincerely
Nicolas

> On Fri, 28 May 2010 20:59:33 +0200 <niv@iaglans.de> wrote:
>
> actually, i use pfSense in hvm quite a while... it works.

Yep it did work well when I tried using pfSense in hvm too. Network throughput was fast and solid too.

> > My idea would be to use PCI-Passthrough to the pfsense DomU, and only
> > make the Dom0 accessible via the pfsense firewall
>
> make sure, you can access that dom0 in event of emergency. If anything
> happens to your pfsense, which is possible, you probably can't access
> your dom0 anymore and are stuck and that's probably not what you want.

This is true.

You could setup a dummy vif as in the domU to access the dom0

-M

Will be awesome to play with PFSense under a paravirtual domain!

Let me know if you guys can do it!!

Cheers!
Thiago

On 27 May 2010 13:06, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Hi Everyone,
>
> Does anybody have any experience using pfSense on Xen? I would most
> probably have to use HVM...
>
> My idea would be to use PCI-Passthrough to the pfsense DomU, and only make
> the Dom0 accessible via the pfsense firewall
>
> Thanks
>
> Jonathan

> actually, i use pfSense in hvm quite a while... it works. recently i
> tried to get pfSense in pv, but that needs to be polished some time
> before it is ready to use. (it works, but it is half broken that way
> and i spent the whole day yesterday to get a clear view on that problem).

That's good that it works well in HVM. What kind of throughput can you get? My co-lo is giving me a 100Mbit connection, think Xen can handle that?

> make sure, you can access that dom0 in event of emergency. If anything
> happens to your pfsense, which is possible, you probably can't access
> your dom0 anymore and are stuck and that's probably not what you want.

This is a really good point, and I'm not sure what to do in this case. The only thing I can think of, is to give the 2nd physical NIC on the server access to the Dom0 directly (bypassing the pfSense firewall DomU), however I'm not sure if my co-lo can provision this without extra costs...

> btw, you don't need to passthrough your nic for that behavior. In a
> bridged setup you just have to leave your bridge interface to the
> outside without an ip address.

Since the NIC will be the physical interface for the WAN, I thought I would use PCI Passthrough for extra security? So that the Dom0 has *no access* to the physical NIC? Or am I incorrect?

> Yep it did work well when I tried using pfSense in hvm too. Network
> throughput was fast and solid too.

This is good to know. What kind of throughput were you getting?

> You could setup a dummy vif as in the domU to access the dom0

Can you please explain this a little more? Thanks

On 05/29/10 01:46, Jonathan Tripathy wrote:
>> actually, i use pfSense in hvm quite a while... it works. recently i
>> tried to get pfSense in pv, but that needs to be polished some time
>> before it is ready to use. (it works, but it is half broken that way
>> and i spent the whole day yesterday to get a clear view on that problem).
> That's good that it works well in HVM. What kind of throughput can you
> get? My co-lo is giving me a 100Mbit connection, think Xen can handle that?

I think it is worth a try. problem is, you get 8139cp emulated chipset with hvm (without pci passthrough) and I don't really know, if that can handle 100mbit.

I had several event setups with pfSense as Uplink gateway one physical on a dl380 and one as HVM. On the WAN side there were 3 16MBit uplinks, on the LAN side there were up to 400 people accessing the WAN side. Once the physical pfsense crashed because of RAM failure. Nobody noticed. Not even I noticed. So I can say, for 3x 16MBit you don't really notice a difference between physical pfsense and HVM virtualised one.

>> make sure, you can access that dom0 in event of emergency. If anything
>> happens to your pfsense, which is possible, you probably can't access
>> your dom0 anymore and are stuck and that's probably not what you want.
> This is a really good point, and I'm not sure what to do in this case.
> The only thing I can think of, is to give the 2nd physical NIC on the
> server access to the Dom0 directly (bypassing the pfSense firewall
> DomU), however I'm not sure if my co-lo can provision this without extra
> costs...

and then your dom0 will be accessible. that is what you wanted to prevent for extra security.

one advantage an extra NIC gives you in this situation, is: you can get hardwired access to a different network, which has nothing to do physically with your main network and your pfsense in front. i don't know if your co-lo can make this happen, but it would be a possibility. an extra port for a NIC will normally cost you something extra.

>> btw, you don't need to passthrough your nic for that behavior. In a
>> bridged setup you just have to leave your bridge interface to the
>> outside without an ip address.
> Since the NIC will be the physical interface for the WAN, I thought I
> would use PCI Passthrough for extra security? So that the Dom0 has *no
> access* to the physical NIC? Or am I incorrect?

if you passthrough your NIC, then you are right. no access from dom0 to physical NIC.

if you just setup a bridge on the WAN NIC and put the pfsense domU with one foot on that NIC, you have the possibility to setup another domU to be accessible outside, and you can setup emergency access to dom0 on that bridge, too. if you don't need dom0 for an external access, you can leave the bridge interface without an ip address, like i wrote above. I don't know, if someone can gain access to your dom0, when this dom0 has an unconfigured bridge listening on your WAN port.

you have to decide, how secure your setup shall be and what will you have to do, if your pfsense crashes.

if your co-lo doesn't allow you to have several MAC addresses on that port, you won't be able to use that kind of setup either.

in that case the only possible solution for you will be passthrough one of your two NICs to pfsense and hardwire the other one to your dom0 for emergency access.

PCI Passthrough is possible for your hardware, right? If not, you are still able to use the bridged setup as long as just one MAC shows up on that port.

Sincerely
Nicolas

>> Yep it did work well when I tried using pfSense in hvm too. Network
>> throughput was fast and solid too.
>
> This is good to know. What kind of throughput were you getting?

On the LAN I was getting around 90% to native performance by using the Intel 82540EM Gigabit Ethernet controller (the e1000 controller)

You can use the network device emulators for the Intel 8255x 10/100 Mbps Ethernet controller (the e100 controller) and the Intel 82540EM Gigabit Ethernet controller (the e1000 controller) for hardware virtualized guests. The e1000 controller is a Gigabit Ethernet controller and increases the network throughput when compared to the default Ethernet controller.

To use these network device emulators, install the network device driver on the guest, then modify the guest configuration file to specify the controller model type: either e100; or e1000. For example, to use the e1000 controller, set model=e1000 in the vif entry in the guest configuration file:

vif = [ 'type=ioemu, mac=00:16:3e:00:00:00, bridge=xenbr0, model=e1000']

Create the guest again using the xm create command. The guest now uses the faster e1000 controller.

>> You could setup a dummy vif as in the domU to access the dom0
>
> Can you please explain this a little more? Thanks

This one is a little more difficult to explain but if you look at:

http://wiki.xensource.com/xenwiki/XenNetworking#head-1fc8531de90f02e42e6fdccc30232cf8f0254ad0

You can see how a dummy0 interface is inside the dom0. The idea is that dummy0 is a 'non-physical' network interface to the dom0 which can then be bridged to another dummy0 'non-physical' network interface in the pfsense domU, kind of like a private network.

For layer 3 (IPs) you can use static IPs, and might I suggest 255.255.255.252 or /30 for point to point communication.

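An added example, not part of any poster's message: a dom0-side check for the two points made above, that the WAN-facing bridge carries no address and that the private dom0-to-pfSense link uses a /30. The bridge name mgmtbr0 and the sample `ip -o addr show` output are constructed assumptions; the check also reports IPv6 link-local addresses, which Linux assigns automatically to an interface that is up when IPv6 is enabled.

```python
import ipaddress

WAN_BRIDGE = "xenbr0"    # bridge name used in the thread's vif example
MGMT_BRIDGE = "mgmtbr0"  # hypothetical name for the dummy0-backed private bridge

# Constructed `ip -o addr show` output from a dom0 (sample data, not from the thread).
SAMPLE_GOOD = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
4: mgmtbr0    inet 192.168.255.1/30 brd 192.168.255.3 scope global mgmtbr0\\       valid_lft forever preferred_lft forever
"""

SAMPLE_BAD = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
3: xenbr0    inet 203.0.113.10/24 brd 203.0.113.255 scope global xenbr0\\       valid_lft forever preferred_lft forever
3: xenbr0    inet6 fe80::216:3eff:fe00:0/64 scope link \\       valid_lft forever preferred_lft forever
4: mgmtbr0    inet 192.168.255.1/24 brd 192.168.255.255 scope global mgmtbr0\\       valid_lft forever preferred_lft forever
"""


def parse_addrs(text):
    """Return {ifname: [ip_interface, ...]} from `ip -o addr show` output."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        # Expected layout: "<idx>:" <ifname> inet|inet6 <addr>/<prefix> ...
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue
        addrs.setdefault(fields[1], []).append(ipaddress.ip_interface(fields[3]))
    return addrs


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    addrs = parse_addrs(text)

    # 1. The bridge facing the WAN must not carry any address in dom0,
    #    including an automatically assigned IPv6 link-local one.
    for iface in addrs.get(WAN_BRIDGE, []):
        kind = "link-local" if iface.ip.is_link_local else "configured"
        findings.append(
            f"{WAN_BRIDGE}: {kind} address {iface} present on the WAN-facing bridge"
        )

    # 2. The private link to the firewall domU should be a static /30.
    mgmt_v4 = [i for i in addrs.get(MGMT_BRIDGE, []) if i.version == 4]
    if not mgmt_v4:
        findings.append(f"{MGMT_BRIDGE}: no IPv4 address, dom0 is unreachable via the domU")
    for iface in mgmt_v4:
        if iface.network.prefixlen != 30:
            findings.append(f"{MGMT_BRIDGE}: {iface} is not a /30 point-to-point link")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit(sample) or "OK")
```

On a real dom0 the input would be the output of `ip -o addr show`; an interface with no address does not appear in that output at all, so this checks addresses only, not whether the bridge exists.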
On 05/29/10 04:17, Mike Viau wrote:
> To use these network device emulators, install the network device driver
> on the guest, then modify the guest configuration file to specify the
> controller model type: either e100; or e1000. For example, to use
> the e1000 controller, set model=e1000 in the vif entry in the guest
> configuration file:
>
> vif = [ 'type=ioemu, mac=00:16:3e:00:00:00, bridge=xenbr0, model=e1000']
>
> Create the guest again using the xm create command. The guest now uses
> the faster e1000 controller.

thank you for that config bit. I always wondered, how you can emulate these kind of controller types. (never found anything about that in any documentation)

Sincerely
Nicolas

> if you passthrough your NIC, then you are right. no access from dom0
> to physical NIC.
>
> if you just setup a bridge on the WAN NIC and put the pfsense domU
> with one foot on that NIC, you have the possibility to setup another
> domU to be accessible outside, and you can setup emergency access to
> dom0 on that bridge, too. if you don't need dom0 for an external
> access, you can leave the bridge interface without an ip address, like
> i wrote above. I don't know, if someone can gain access to your dom0,
> when this dom0 has an unconfigured bridge listening on your WAN port.
>
> you have to decide, how secure your setup shall be and what will you
> have to do, if your pfsense crashes.
>
> if your co-lo doesn't allow you to have several MAC addresses on that
> port, you won't be able to use that kind of setup either.
>
> in that case the only possible solution for you will be passthrough
> one of your two NICs to pfsense and hardwire the other one to your
> dom0 for emergency access.
>
> PCI Passthrough is possible for your hardware, right? If not, you are
> still able to use the bridged setup as long as just one MAC shows up
> on that port.

Hi Nicolas,

Yep, PCI Passthrough is possible on the server which I've ordered. It's a Dell R210 with a Xeon 3430 (2.4Ghz x 4, 8Mb cache) with 4GB of RAM. In Dell's marketing document, it specifically mentioned that it's Vt-d compatible.

If I were to use PCI Passthrough, then the 100Mbit wouldn't be an issue, correct?

And as for the "DMZ" side of pfsense, if I follow Mike's instructions to enable the e1000 emulated adapter (which would be connected to a bridge), then that should also be ok for 100Mbit, correct?

Thanks

Hi Everyone,

I'm having some problems installing pfSense on Xen.

I installed CentOS with the "Virtualisation" option.

I then tried to install pfSense as a DomU, but it won't boot. It says "BTX Halted"

Any ideas?

Thanks

Hi there,

On 31 May 2010 at 15:40, Jonathan Tripathy wrote:
> Hi Everyone,
>
> I'm having some problems installing pfSense on Xen.
>
> I installed CentOS with the "Virtualisation" option.
>
> I then tried to install pfSense as a DomU, but it won't boot. It says "BTX Halted"

Big problem with pfSense is that it is based on FreeBSD, that doesn't like too much Xen unfortunately...

I am a big fan of FreeBSD... but... really even with hvm it doesn't seem to work on Xen...

Xavier

--
Xavier Beaudouin - xb@soprive.net - http://www.soprive.net/
So Privé - The first player dedicated to cloud computing in France
GPG Fingerprints : A6B2 D563 F93B A3AF C08A CBAC 6BC6 79EB DCC9 9867

On 05/31/10 15:40, Jonathan Tripathy wrote:
> Hi Everyone,
>
> I'm having some problems installing pfSense on Xen.
>
> I installed CentOS with the "Virtualisation" option.
>
> I then tried to install pfSense as a DomU, but it won't boot. It says
> "BTX Halted"

What block/disk-backend do you want to use?

i have no problems with blktap2 (meaning vhd image) and lvm. Google says, your error has to do with your "hard drive".

Which version of pfsense do you want to try?

You will need hvm virtualization for pfsense.

Sincerely
Nicolas

Hi Nicolas,

I did select HVM, but left everything else at default. Maybe I should try to change the disk type somehow?

On 05/31/10 18:19, Jonathan Tripathy wrote:
> Hi Nicolas,
>
> I did select HVM, but left everything else at default. Maybe I should
> try to change the disk type somehow?

Show me your vm config please. I am interested in the "disk"- and the "boot"-part. There should be 2 entries at first (one disk, one cd), and you have to boot from cd.

Sincerely
Nicolas

On 31/05/10 17:36, Nicolas Vilz 'niv' wrote:
> Show me your vm config please. I am interested in the "disk"- and the
> "boot"-part. There should be 2 entries at first (one disk, one cd),
> and you have to boot from cd.
>
> Sincerely Nicolas

Hi Nicolas,

I did all this through virt-manager. I'm currently just re-installing my server, so I'll give you the config that virt-manager creates in about an hour. Which version of Xen are you using?

Thanks

On 05/31/10 18:41, Jonathan Tripathy wrote:
> Hi Nicolas,
>
> I did all this through virt-manager. I'm currently just re-installing my
> server, so I'll give you the config that virt-manager creates in about
> an hour. Which version of Xen are you using?

Right at the moment, i use xen 4.0.0, so blktap2 works for me. Before that i used xen 3.4.x with lvm physical backend. You could also use the file backend for xen 3.4.x. and you will probably need file backend and ioemu for the cd iso image.

Sincerely
Nicolas

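An added example, not from any poster: a lint for the guest-config points raised in the thread (HVM builder, one disk plus one CD entry, boot from CD for installation, and an explicit vif model). The sample config, its paths and the guest name are constructed assumptions; xm guest configs use Python syntax, so the file is read with `ast` instead of being executed.

```python
import ast

# Constructed xm guest config for the installation boot; the guest name and
# the paths are placeholders, the vif line is the one quoted in the thread.
SAMPLE_CFG = """
name = 'pfsense'
builder = 'hvm'
memory = 512
disk = ['phy:/dev/vg0/pfsense,hda,w',
        'file:/var/lib/xen/images/pfSense.iso,hdc:cdrom,r']
boot = 'd'
vif = ['type=ioemu, mac=00:16:3e:00:00:00, bridge=xenbr0, model=e1000']
"""


def load_cfg(text):
    """Collect top-level `name = literal` assignments without running the file."""
    cfg = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                cfg[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError, SyntaxError):
                pass  # value is an expression, not a literal: skip it
    return cfg


def vif_options(entry):
    """Split 'type=ioemu, bridge=xenbr0' into {'type': 'ioemu', 'bridge': 'xenbr0'}."""
    return dict(kv.strip().split("=", 1) for kv in entry.split(",") if "=" in kv)


def lint_install_cfg(text):
    """Return a list of problems for an install-time pfSense HVM guest config."""
    cfg = load_cfg(text)
    problems = []

    if cfg.get("builder") != "hvm":
        problems.append("builder is not 'hvm'")

    disks = cfg.get("disk", [])
    if not any(":cdrom" in d for d in disks):
        problems.append("no cdrom entry in disk list")
    if not any(":cdrom" not in d for d in disks):
        problems.append("no hard disk entry in disk list")

    # In the boot string 'd' is the CD-ROM and 'c' the hard disk.
    if not str(cfg.get("boot", "")).startswith("d"):
        problems.append("boot order does not start with 'd' (cdrom)")

    for entry in cfg.get("vif", []):
        opts = vif_options(entry)
        if opts.get("type") == "ioemu" and "model" not in opts:
            problems.append(
                f"vif on {opts.get('bridge', '?')} has no model=, "
                "so the default emulated NIC is used"
            )
    return problems


if __name__ == "__main__":
    print(lint_install_cfg(SAMPLE_CFG) or "OK")
```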
On 31/05/10 17:44, Nicolas Vilz 'niv' wrote:
> Right at the moment, i use xen 4.0.0, so blktap2 works for me. Before
> that i used xen 3.4.x with lvm physical backend. You could also use
> the file backend for xen 3.4.x. and you will probably need file
> backend and ioemu for the cd iso image.
>
> Sincerely
> Nicolas

I've read many reports online about how FreeBSD only works in 3.4.x and above, so I have to somehow try and upgrade to that

On 05/31/10 18:50, Jonathan Tripathy wrote:
> I've read many reports online about how FreeBSD only works in 3.4.x and
> above, so I have to somehow try and upgrade to that

mh... i'm not quite sure about that... asked a colleague about it, but he hasn't answered yet.

Sincerely
Nicolas

From: xen-users-bounces@lists.xensource.com on behalf of Nicolas Vilz 'niv'
Sent: Mon 31/05/2010 17:10
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] pfSense HVM

On 05/31/10 15:40, Jonathan Tripathy wrote:
> Hi Everyone,
>
> I'm having some problems installing pfSense on Xen.
>
> I installed CentOS with the "Virtualisation" option.
>
> I then tried to install pfSense as a DomU, but it won't boot. It says
> "BTX Halted"

What block/disk-backend do you want to use?

i have no problems with blktap2 (meaning vhd image) and lvm. Google says, your error has to do with your "hard drive".

Which version of pfsense do you want to try?

You will need hvm virtualization for pfsense.

Sincerely
Nicolas

----------------------------------------

Hi There,

Did you have to compile Xen with any special options to get pfSense working on an Intel processor?

Or maybe you're using AMD chips?

Thanks

On 06/02/10 14:56, Jonathan Tripathy wrote:
> Hi There,
>
> Did you have to compile Xen with any special options to get pfSense
> working on an Intel processor?
>
> Or maybe you're using AMD chips?

it works on both. standard ebuild, nothing special. currently on xen-3.4.2-r1 (amd chipset) and xen-4.0.0 (intel chipset).

although, your xen-tools need to have hvm support to work with that.

Still waiting for your config-snippets, Jonathan.

Sincerely
Nicolas

On 02/06/10 20:00, Nicolas Vilz 'niv' wrote:
> it works on both. standard ebuild, nothing special. currently on
> xen-3.4.2-r1 (amd chipset) and xen-4.0.0 (intel chipset).
>
> although, your xen-tools need to have hvm support to work with that.
>
> Still waiting for your config-snippets, Jonathan.
>
> Sincerely
> Nicolas

Sorry for not getting them to you yet Nicolas. I've been recompiling my linux kernels over and over again however this time I'm very close. In fact, BSD boots up now. Will let you know how I progress.

Thanks

On 02/06/10 21:07, Jonathan Tripathy wrote:
>
> On 02/06/10 20:00, Nicolas Vilz 'niv' wrote:
>> On 06/02/10 14:56, Jonathan Tripathy wrote:
>>>
>>> ------------------------------------------------------------------------
>>> *From:* xen-users-bounces@lists.xensource.com on behalf of Nicolas Vilz 'niv'
>>> *Sent:* Mon 31/05/2010 17:10
>>> *To:* xen-users@lists.xensource.com
>>> *Subject:* Re: [Xen-users] pfSense HVM
>>>
>>> On 05/31/10 15:40, Jonathan Tripathy wrote:
>>> > Hi Everyone,
>>> >
>>> > I'm having some problems installing pfSense on Xen.
>>> >
>>> > I installed CentOS with the "Virtualisation" option.
>>> >
>>> > I then tried to install pfSense as a DomU, but it won't boot. It says
>>> > "BTX Halted"
>>> What block/disk-backend do you want to use?
>>>
>>> i have no problems with blktap2 (meaning vhd image) and lvm. Google
>>> says, your error has to do with your "hard drive".
>>>
>>> Which version of pfsense do you want to try?
>>>
>>> You will need hvm virtualization for pfsense.
>>>
>>> Sincerely
>>> Nicolas
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Hi There,
>>>
>>> Did you have to compile Xen with any special options to get pfSense
>>> working on an Intel processor?
>>>
>>> Or maybe you're using AMD chips?
>>
>> it works on both. standard ebuild, nothing special. currently on
>> xen-3.4.2-r1 (amd chipset) and xen-4.0.0 (intel chipset).
>>
>> although, your xen-tools need to have hvm support to work with that.
>>
>> Still waiting for your config-snippets, Jonathan.
>>
>> Sincerely
>> Nicolas
>
> Sorry for not getting them to you yet Nicolas. I've been recompiling
> my linux kernels over and over again however this time I'm very close.
> In fact, BSD boots up now. Will let you know how I progress.
>
> Thanks

Hi Nicolas,

I'm currently in the process of installing pfSense on my Xen 4.0 box via virt-manager. If I use the IDE bus for the HDD, install is very slow. I originally tried it with the SCSI bus, and it was fast, however the system wouldn't boot from the drive.

I'm not sure if I can send you any config files, as I'm not sure where virt-manager saves them...

Thanks
J
On 03/06/10 02:31, Matthew Law wrote:
> On Thu, June 3, 2010 2:15 am, Jonathan Tripathy wrote:
>
>> I'm currently in the process of installing pfSense on my Xen 4.0 box via
>> virt-manager. If I use the IDE bus for the HDD, install is very slow. I
>> originally tried it with the SCSI bus, and it was fast, however the
>> system wouldn't boot from the drive.
>>
>> I'm not sure if I can send you any config files, as I'm not sure where
>> virt-manager saves them...
>>
> Out of interest: do you especially want/need pfSense or could you use
> something like vyatta which already distributes a xen domU image which
> might save you the hassle? (not that I don't like pfSense as I have
> several copies of it running currently :-)
>
> Cheers,
>
> Matt.

Hi Matt,

Thanks for the suggestion however I'd like to keep all firewall solutions the same, just so staff are familiar with the settings.

I've managed to get pfsense installed, it took a long time, but once it's installed, it seems ok. I haven't done any throughput testing yet though

Thanks
Hi Everyone,

When I try and assign a physical device to a guest using virt-manager, libvirt throws an error: "Failed to create inactive domain"

I'm using libvirt 0.8.1 which I compiled myself, along with Xen 4.0 on Ubuntu 10.04 Dom0

I'm also using virt-manager 0.8.4 which I compiled myself.

I can confirm that when I try and do a "virsh define file.xml" where file.xml includes the <hostdev> block, the same error is thrown.

Has anybody seen this before?

Any help would be appreciated
On 29/05/10 02:20, Nicolas Vilz 'niv' wrote:
> On 05/29/10 01:46, Jonathan Tripathy wrote:
>>
>>>
>>> actually, i use pfSense in hvm quite a while... it works. recently i
>>> tried to get pfSense in pv, but that needs to be polished some time
>>> before it is ready to use. (it works, but it is half broken that way
>>> and i spent the whole day yesterday to get a clear view on that
>>> problem).
>> That's good that it works well in HVM. What kind of throughput can you
>> get? My co-lo is giving me a 100Mbit connection, think Xen can handle
>> that?
>
> I think it is worth a try. problem is, you get 8139cp emulated chipset
> with hvm (without pci passthrough) and I don't really know, if that
> can handle 100mbit.
>
> I had several event setups with pfSense as Uplink gateway one physical
> on a dl380 and one as HVM. On the WAN side there were 3 16MBit
> uplinks, on the LAN side there were up to 400 people accessing the
> WAN side.
>
> Once the physical pfsense crashed because of RAM failure. Nobody
> noticed. Not even I noticed. So I can say, for 3x 16MBit you don't
> really notice a difference between physical pfsense and HVM
> virtualised one.
>
>
>>> make sure, you can access that dom0 in event of emergency. If anything
>>> happens to your pfsense, which is possible, you probably can't access
>>> your dom0 anymore and are stuck and that's probably not what you want.
>> This is a really good point, and I'm not sure what to do in this case.
>> The only thing I can think of, is to give the 2nd physical NIC on the
>> server access to the Dom0 directly (bypassing the pfSense firewall
>> DomU), however I'm not sure if my co-lo can provision this without extra
>> costs...
> and then your dom0 will be accessible. that is what you wanted to
> prevent for extra security.
>
> one advantage an extra NIC gives you in this situation, is: you can
> get hardwired access to a different network, which has nothing to do
> physically with your main network and your pfsense in front. i don't
> know if your co-lo can make this happen, but it would be a
> possibility. an extra port for a NIC will normally cost you something
> extra.
>
>
>>> btw, you don't need to passthrough your nic for that behavior. In a
>>> bridged setup you just have to leave your bridge interface to the
>>> outside without an ip address.
>> Since the NIC will be the physical interface for the WAN, I thought I
>> would use PCI Passthrough for extra security? So that the Dom0 has *no
>> access* to the physical NIC? Or am I incorrect?
>
> if you passthrough your NIC, then you are right. no access from dom0
> to physical NIC.
>
> if you just setup a bridge on the WAN NIC and put the pfsense domU
> with one foot on that NIC, you have the possibility to setup another
> domU to be accessible outside, and you can setup emergency access to
> dom0 on that bridge, too. if you don't need dom0 for an external
> access, you can leave the bridge interface without an ip address, like
> i wrote above. I don't know, if someone can gain access to your dom0,
> when this dom0 has an unconfigured bridge listening on your WAN port.
>
> you have to decide, how secure your setup shall be and what will you
> have to do, if your pfsense crashes.
>
> if your co-lo doesn't allow you to have several MAC addresses on that
> port, you won't be able to use that kind of setup either.
>
> in that case the only possible solution for you will be passthrough
> one of your two NICs to pfsense and hardwire the other one to your
> dom0 for emergency access.
>
> PCI Passthrough is possible for your hardware, right? If not, you are
> still able to use the bridged setup as long as just one MAC shows up
> on that port.
>
> Sincerely
> Nicolas

Hi Nic,

What kind of throughput are you getting with your pfsense guest? I've got my Gigabit NIC passthrough to the pfsense DomU (To act as the "WAN"), then I've connected the "LAN" side of pfsense to a Xen bridge, which the Dom0 is also connected to. I tried to do a file transfer (via samba) from a machine on the "WAN" to the Dom0. The speed was capping out at 90Mbps. In the pfsense config, I've made the NIC "e1000" and pfsense does show it's connected at 1000.

Any ideas?

Thanks
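The bridged alternative quoted above depends on the dom0 bridge on the WAN port really having no IP address, and on a Linux dom0 with IPv6 enabled a bridge with no IPv4 configuration still auto-configures an IPv6 link-local address when it comes up. The following check is an added example, not code from the thread; it assumes a Linux dom0 with iproute2, and the bridge name `xenbr1` and every address in the sample data are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit dom0 for IP addresses on the
# WAN-facing bridge. Input is text in `ip -o addr show` format on stdin.
# Exit status: 0 = no address, 1 = only IPv6 link-local, 2 = routable address.
# The bridge name "xenbr1" and all sample addresses are constructed.

audit_wan_bridge() {
    awk -v ifc="$1" '
        # ip -o addr fields: $1 index, $2 interface, $3 family, $4 addr/prefix
        $2 == ifc && ($3 == "inet" || $3 == "inet6") {
            if ($3 == "inet6" && $4 ~ /^fe80:/) {
                linklocal++
                print "WARN: " ifc " has auto-configured link-local " $4
            } else {
                routable++
                print "FAIL: " ifc " has " $3 " address " $4
            }
        }
        END {
            if (routable)  exit 2
            if (linklocal) exit 1
            print "OK: " ifc " carries no IP address in dom0"
        }'
}

# Constructed sample: LAN bridge addressed, WAN bridge has nothing bound.
sample_clean() {
cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: xenbr0    inet 192.168.10.2/24 brd 192.168.10.255 scope global xenbr0\       valid_lft forever preferred_lft forever
EOF
}

# Constructed sample: no IPv4 on the WAN bridge, but IPv6 link-local appeared.
sample_linklocal() {
sample_clean
cat <<'EOF'
4: xenbr1    inet6 fe80::21e:c9ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# Constructed sample: the WAN bridge was given a routable IPv4 address.
sample_exposed() {
sample_linklocal
cat <<'EOF'
4: xenbr1    inet 203.0.113.10/24 brd 203.0.113.255 scope global xenbr1\       valid_lft forever preferred_lft forever
EOF
}

# Demo over the three constructed cases.
for s in sample_clean sample_linklocal sample_exposed; do
    "$s" | audit_wan_bridge xenbr1 || echo "  -> exit status $?"
done

# Live use on a dom0:   ip -o addr show | audit_wan_bridge xenbr1
# Clearing the WARN case: sysctl -w net.ipv6.conf.xenbr1.disable_ipv6=1
```

An address-free bridge only removes the dom0 IP stack from the WAN side; frames still pass through the dom0 kernel's bridge code, which is the difference from PCI passthrough discussed in the thread.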
On 06/05/10 19:54, Jonathan Tripathy wrote:
>
> On 29/05/10 02:20, Nicolas Vilz 'niv' wrote:
>> On 05/29/10 01:46, Jonathan Tripathy wrote:
>>>
>>>>
>>>> actually, i use pfSense in hvm quite a while... it works. recently i
>>>> tried to get pfSense in pv, but that needs to be polished some time
>>>> before it is ready to use. (it works, but it is half broken that way
>>>> and i spent the whole day yesterday to get a clear view on that
>>>> problem).
>>> That's good that it works well in HVM. What kind of throughput can you
>>> get? My co-lo is giving me a 100Mbit connection, think Xen can
>>> handle that?
>>
>> I think it is worth a try. problem is, you get 8139cp emulated
>> chipset with hvm (without pci passthrough) and I don't really know,
>> if that can handle 100mbit.
>>
>> I had several event setups with pfSense as Uplink gateway one
>> physical on a dl380 and one as HVM. On the WAN side there were 3
>> 16MBit uplinks, on the LAN side there were up to 400 people
>> accessing the WAN side.
>>
>> Once the physical pfsense crashed because of RAM failure. Nobody
>> noticed. Not even I noticed. So I can say, for 3x 16MBit you don't
>> really notice a difference between physical pfsense and HVM
>> virtualised one.
>>
>>
>>>> make sure, you can access that dom0 in event of emergency. If anything
>>>> happens to your pfsense, which is possible, you probably can't access
>>>> your dom0 anymore and are stuck and that's probably not what you want.
>>> This is a really good point, and I'm not sure what to do in this case.
>>> The only thing I can think of, is to give the 2nd physical NIC on the
>>> server access to the Dom0 directly (bypassing the pfSense firewall
>>> DomU), however I'm not sure if my co-lo can provision this without
>>> extra
>>> costs...
>> and then your dom0 will be accessible. that is what you wanted to
>> prevent for extra security.
>>
>> one advantage an extra NIC gives you in this situation, is: you can
>> get hardwired access to a different network, which has nothing to do
>> physically with your main network and your pfsense in front. i don't
>> know if your co-lo can make this happen, but it would be a
>> possibility. an extra port for a NIC will normally cost you something
>> extra.
>>
>>
>>>> btw, you don't need to passthrough your nic for that behavior. In a
>>>> bridged setup you just have to leave your bridge interface to the
>>>> outside without an ip address.
>>> Since the NIC will be the physical interface for the WAN, I thought I
>>> would use PCI Passthrough for extra security? So that the Dom0 has *no
>>> access* to the physical NIC? Or am I incorrect?
>>
>> if you passthrough your NIC, then you are right. no access from dom0
>> to physical NIC.
>>
>> if you just setup a bridge on the WAN NIC and put the pfsense domU
>> with one foot on that NIC, you have the possibility to setup another
>> domU to be accessible outside, and you can setup emergency access to
>> dom0 on that bridge, too. if you don't need dom0 for an external
>> access, you can leave the bridge interface without an ip address,
>> like i wrote above. I don't know, if someone can gain access to your
>> dom0, when this dom0 has an unconfigured bridge listening on your WAN
>> port.
>>
>> you have to decide, how secure your setup shall be and what will you
>> have to do, if your pfsense crashes.
>>
>> if your co-lo doesn't allow you to have several MAC addresses on that
>> port, you won't be able to use that kind of setup either.
>>
>> in that case the only possible solution for you will be passthrough
>> one of your two NICs to pfsense and hardwire the other one to your
>> dom0 for emergency access.
>>
>> PCI Passthrough is possible for your hardware, right? If not, you are
>> still able to use the bridged setup as long as just one MAC shows up
>> on that port.
>>
>> Sincerely
>> Nicolas
>
> Hi Nic,
>
> What kind of throughput are you getting with your pfsense guest? I've
> got my Gigabit NIC passthrough to the pfsense DomU (To act as the
> "WAN"), then I've connected the "LAN" side of pfsense to a Xen bridge,
> which the Dom0 is also connected to. I tried to do a file transfer (via
> samba) from a machine on the "WAN" to the Dom0. The speed was capping
> out at 90Mbps. In the pfsense config, I've made the NIC "e1000" and
> pfsense does show it's connected at 1000.
>
> Any ideas?
>

Not really, i tried e1000 as well, but couldn't see any advantage for that (Throughput was nearly the same or worse). Either i don't see the difference between emulated 8139cp and e1000 or there is no difference when using it for openvpn in a bridged setup. I will analyze that further. The real performance boost would be the pv driver with freebsd and pfsense, but i haven't done that yet (patched pfsense kernel with xen modules). Inside openvpn i get a max throughput of 800 kb/s, where there should be 100Mbit or 1000 Mbit (if i emulate the right one). That's a bit confusing for me, but i keep observing and searching. Pfsense shows connected at 1000 Mbit, too on my side.

That doesn't really help you right now, but that is what i know and experienced so far.

Sincerely
Nicolas
>>
>> Hi Nic,
>>
>> What kind of throughput are you getting with your pfsense guest? I've
>> got my Gigabit NIC passthrough to the pfsense DomU (To act as the
>> "WAN"), then I've connected the "LAN" side of pfsense to a Xen
>> bridge, which the Dom0 is also connected to. I tried to do a file
>> transfer (via samba) from a machine on the "WAN" to the Dom0. The
>> speed was capping out at 90Mbps. In the pfsense config, I've made the
>> NIC "e1000" and pfsense does show it's connected at 1000.
>>
>> Any ideas?
>>
> Not really, i tried e1000 as well, but couldn't see any advantage for
> that (Throughput was nearly the same or worse). Either i don't see
> the difference between emulated 8139cp and e1000 or there is no
> difference when using it for openvpn in a bridged setup. I will
> analyze that further. The real performance boost would be the pv
> driver with freebsd and pfsense, but i haven't done that yet (patched
> pfsense kernel with xen modules). Inside openvpn i get a max
> throughput of 800 kb/s, where there should be 100Mbit or 1000 Mbit (if
> i emulate the right one). That's a bit confusing for me, but i keep
> observing and searching. Pfsense shows connected at 1000 Mbit, too on
> my side.
>
> That doesn't really help you right now, but that is what i know and
> experienced so far.
> Sincerely
>
> Nicolas
>

Hi Nicolas,

Thanks for sharing the above. Any further testing you do would very much be appreciated. If we can somehow manage to patch the pfsense kernel to get PV working then that would be great!

I guess 90Mbit for me isn't too bad though, since my colo's connection will be limited to only 100Mbit, so I guess it's ok there

If anyone else has any experience of using the e1000 driver in HVM guests (especially BSD), please let me know

Thanks everyone
Hello,

looks like you have much better HW than I used - when I benched Linux HVM guest on Athlon X2 1,9 GHz I got scary results (in a bad way of course) :D. 90 mbit/s is not bad at all for emulated hvm guest - the question is, how much CPU power it consumes in the dom0 (qemu-dm process) and how many available cores do you have. PV driver should solve this issue (or pci passthru for the WAN NIC and PV driver for the LAN NIC). I got better results in some cases with the default emulated NIC (realtek?), but in majority, the emulated e1000 was better.

Regards

Matej

________________________________________
From: xen-users-bounces@lists.xensource.com [xen-users-bounces@lists.xensource.com] On Behalf Of Jonathan Tripathy [jonnyt@abpni.co.uk]
Sent: 06 June 2010 00:35
To: Nicolas Vilz; Xen-users@lists.xensource.com
Subject: Re: [Xen-users] pfSense HVM

>>
>> Hi Nic,
>>
>> What kind of throughput are you getting with your pfsense guest? I've
>> got my Gigabit NIC passthrough to the pfsense DomU (To act as the
>> "WAN"), then I've connected the "LAN" side of pfsense to a Xen
>> bridge, which the Dom0 is also connected to. I tried to do a file
>> transfer (via samba) from a machine on the "WAN" to the Dom0. The
>> speed was capping out at 90Mbps. In the pfsense config, I've made the
>> NIC "e1000" and pfsense does show it's connected at 1000.
>>
>> Any ideas?
>>
> Not really, i tried e1000 as well, but couldn't see any advantage for
> that (Throughput was nearly the same or worse). Either i don't see
> the difference between emulated 8139cp and e1000 or there is no
> difference when using it for openvpn in a bridged setup. I will
> analyze that further. The real performance boost would be the pv
> driver with freebsd and pfsense, but i haven't done that yet (patched
> pfsense kernel with xen modules). Inside openvpn i get a max
> throughput of 800 kb/s, where there should be 100Mbit or 1000 Mbit (if
> i emulate the right one). That's a bit confusing for me, but i keep
> observing and searching. Pfsense shows connected at 1000 Mbit, too on
> my side.
>
> That doesn't really help you right now, but that is what i know and
> experienced so far.
> Sincerely
>
> Nicolas
>

Hi Nicolas,

Thanks for sharing the above. Any further testing you do would very much be appreciated. If we can somehow manage to patch the pfsense kernel to get PV working then that would be great!

I guess 90Mbit for me isn't too bad though, since my colo's connection will be limited to only 100Mbit, so I guess it's ok there

If anyone else has any experience of using the e1000 driver in HVM guests (especially BSD), please let me know

Thanks everyone
On 06/06/10 01:23, Matej Zary wrote:
> Hello,
>
> looks like you have much better HW than I used - when I benched Linux HVM guest on Athlon X2 1,9 GHz I got scary results (in a bad way of course) :D. 90 mbit/s is not bad at all for emulated hvm guest - the question is, how much CPU power it consumes in the dom0 (qemu-dm process) and how many available cores do you have. PV driver should solve this issue (or pci passthru for the WAN NIC and PV driver for the LAN NIC). I got better results in some cases with the default emulated NIC (realtek?), but in majority, the emulated e1000 was better.
>
>
> Regards
>
>
> Matej
>
> ________________________________________
> From: xen-users-bounces@lists.xensource.com [xen-users-bounces@lists.xensource.com] On Behalf Of Jonathan Tripathy [jonnyt@abpni.co.uk]
> Sent: 06 June 2010 00:35
> To: Nicolas Vilz; Xen-users@lists.xensource.com
> Subject: Re: [Xen-users] pfSense HVM
>

Hi Matej,

Well it's a quad core Xeon X3430 with 8GB of RAM. I'm using PCI-Passthrough for the WAN NIC, and e1000 for the LAN NIC. Since it's pfsense, it isn't easy (if at all possible) to get this going with PV.

So even though e1000 is a "gigabit" driver, 90Mb/s is ok for HVM you think?

Thanks
On Sun, 2010-06-06 at 01:29 +0100, Jonathan Tripathy wrote:
> On 06/06/10 01:23, Matej Zary wrote:
> > Hello,
> >
> > looks like you have much better HW than I used - when I benched Linux HVM guest on Athlon X2 1,9 GHz I got scary results (in a bad way of course) :D. 90 mbit/s is not bad at all for emulated hvm guest - the question is, how much CPU power it consumes in the dom0 (qemu-dm process) and how many available cores do you have. PV driver should solve this issue (or pci passthru for the WAN NIC and PV driver for the LAN NIC). I got better results in some cases with the default emulated NIC (realtek?), but in majority, the emulated e1000 was better.
> >
> >
> > Regards
> >
> >
> > Matej
> >
> > ________________________________________
> > From: xen-users-bounces@lists.xensource.com [xen-users-bounces@lists.xensource.com] On Behalf Of Jonathan Tripathy [jonnyt@abpni.co.uk]
> > Sent: 06 June 2010 00:35
> > To: Nicolas Vilz; Xen-users@lists.xensource.com
> > Subject: Re: [Xen-users] pfSense HVM
> >
> >
>
> Hi Matej,
>
> Well it's a quad core Xeon X3430 with 8GB of RAM. I'm using
> PCI-Passthrough for the WAN NIC, and e1000 for the LAN NIC. Since it's
> pfsense, it isn't easy (if at all possible) to get this going with PV.
>
> So even though e1000 is a "gigabit" driver, 90Mb/s is ok for HVM you think?
>
> Thanks

You can try bench the throughput between wan and the pfsense (how fast is the pci-passthru) and then between the pfsense and another domu or Dom0 (how slow is the emulation). Iperf is neat CLI utility for this. :) Also when benching the pfsense-domx, watch the CPU utilization in the Dom0 (top, or better with dstat). The emulation tends to induce quite a cpu load in the dom0 via the qemu-dm process (at least on my shoddy old hw :) ). Emulation is really ineffective and I think that the various emulation NIC models don't have that significant impact on the overall speed - the "slowness" of this method lies in the nature of emulation. :)

I attached one graph from my benchmarks - all results are in Mbit/s, iperf TCP bench with 3 different overall frame lengths. PC was another physical computer (same HW config) - so this is physical to virtual bench. Just for illustration of the PV drivers impact. :)

Regards

Matej