Virtualized firewall on KVM

I have a few VMs (homelab) virtualized with KVM (CentOS 7) and connected to my home network. Lately I tried to isolate them by putting them in a separate network, and I wanted to do so with a virtualized pfSense on the same host as the other VMs.



First I created an isolated network in virt-manager for my lab hosts.



Then I created a VM with 2 NICs and installed pfSense. One interface has the 192.168.1.100 address (home LAN) and the other one 10.13.37.1 (lab network).



pfSense XML dump:



<interface type='direct'>
<mac address='52:54:00:52:37:3f'/>
<source dev='enp1s0' mode='bridge'/>
<target dev='macvtap0'/>
<model type='virtio'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<interface type='network'>
<mac address='52:54:00:65:58:d6'/>
<source network='lab' bridge='virbr1'/>
<target dev='vnet1'/>
<model type='virtio'/>
<alias name='net1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</interface>


I moved one of my VMs (test server) to the internal pfSense network and set the pfSense IP address as the gateway, to test whether I would be able to connect to the internet.



test server (10.13.37.54) XML dump:



<interface type='network'>
<mac address='52:54:00:eb:ce:db'/>
<source network='lab' bridge='virbr1'/>
<target dev='vnet0'/>
<model type='virtio'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>


There is a www server running on the test server and I can curl it (curl http://10.13.37.54) from the pfSense VM, so the internal network is working fine. I also have an internet connection on pfSense (I can update the OS and, for example, curl http://google.com). From the test server I can ping pfSense and google.com, but when I try to curl http://google.com I constantly get timeouts for some reason (same for other sites). I can resolve the google.com domain to an IP, so DNS (UDP packets) is working fine, but I can't establish the TCP 3-way handshake. I'm sending a SYN packet but not getting anything back. Here's how the packet capture from the internal lab network looks (captured on pfSense):
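The symptom pattern above (ICMP and UDP pass, TCP SYNs get no SYN-ACK) is worth checking against the checksums in the capture, because with virtio checksum offload the guest hands segments to the host with the TCP checksum still to be filled in, and tcpdump -vv on the sending VM then reports them as "cksum incorrect". The script below is an added example, not code from the question, pfSense or libvirt: it validates the IPv4 header and TCP checksums of raw packets the way a capture tool does, and builds two constructed SYNs (reusing the question's 10.13.37.54 and 10.13.37.1 addresses), one with a proper checksum and one whose checksum was left for offload, to show how each verifies. Packet contents, ports and sequence numbers are assumptions made for the example.

```python
"""
Added example (not from the original question, pfSense or libvirt): verify the
IPv4 header and TCP checksums of raw IPv4/TCP packets, and construct sample
SYNs to show what a checksum deferred to hardware offload looks like.
"""
import struct
from typing import Dict, List

PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def ipv4_header_ok(packet: bytes) -> bool:
    """A valid IPv4 header (checksum field included) sums to 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_sum(packet[:ihl]) == 0xFFFF


def tcp_checksum_ok(packet: bytes) -> bool:
    """Re-add the IPv4 pseudo-header and check that the TCP segment sums to 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_TCP or len(packet) < total_len:
        return False
    segment = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
                  fill_tcp_checksum: bool = True) -> bytes:
    """Build a constructed IPv4/TCP SYN (no options). fill_tcp_checksum=False leaves
    the TCP checksum field zero, mimicking a segment whose checksum was deferred to offload."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # sport, dport, seq, ack, data offset (5 words), flags=SYN, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0, 5 << 4, 0x02, 65535, 0, 0)
    if fill_tcp_checksum:
        pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
        ck = checksum(pseudo + tcp) or 0xFFFF  # TCP sends 0xFFFF in place of a zero checksum
        tcp = tcp[:16] + struct.pack("!H", ck) + tcp[18:]
    # version/IHL, DSCP, total length, id, flags=DF, TTL, protocol, checksum placeholder, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1C46, 0x4000, 64,
                     PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def audit(packets: List[bytes]) -> List[Dict[str, object]]:
    """One verdict per packet, in the spirit of the checksum notes tcpdump -vv prints."""
    report = []
    for pkt in packets:
        report.append({
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "ip_ok": ipv4_header_ok(pkt),
            "tcp_ok": tcp_checksum_ok(pkt),
        })
    return report


if __name__ == "__main__":
    good = build_tcp_syn("10.13.37.54", "10.13.37.1", 40000, 80)
    deferred = build_tcp_syn("10.13.37.54", "10.13.37.1", 40001, 80, fill_tcp_checksum=False)
    for row in audit([good, deferred]):
        print(row)
```

A "cksum incorrect" note on packets captured on the sending VM is expected when offload is enabled, since the capture point sits before the checksum is filled in; the diagnostic question is whether the segments arriving on the pfSense LAN interface verify. Running the same check over a capture taken there separates a firewall rule problem (valid SYN, no reply) from a checksum problem (invalid SYN silently dropped).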
  • So it sounds like you need to focus on pfSense. Can you provide the specific reference(s) you used to set up pfSense, please? E.g., to start with, where did you obtain pfSense from? Also, you haven't mentioned what version of pfSense. From my perspective I'm not saying you did something wrong, but I don't really know anything about using pfSense, so I can't even make an educated guess about what you did yet :-).

    – sourcejedi
    Mar 10 at 12:58











  • Did you check the logs? I assume this document is relevant to your pfSense system: docs.netgate.com/pfsense/en/latest/firewall/…

    – sourcejedi
    Mar 10 at 13:02











  • I did not use any specific guide to set pfSense up. I just configured IPs on the interfaces and made a rule on the firewall to pass all traffic, temporarily. Here's how the firewall rules look.

    – sober
    Mar 10 at 13:18
centos networking firewall kvm tcp
edited Mar 10 at 12:03
Rui F Ribeiro
asked Mar 10 at 10:08
sober
1 Answer
I got the answer on another forum; it turns out that all I had to do was disable hardware checksum offload (link to the documentation).
answered Mar 10 at 13:31
sober
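The answer applies the fix inside pfSense, but the same offload features exist on the Linux host side of the tap and macvtap devices libvirt attached to these VMs (macvtap0, vnet0 and vnet1 in the question's XML dumps), and a defender reproducing or ruling out this failure wants to see their state in one place. The script below is an added example, not code from the answer, pfSense or libvirt: it parses `ethtool -k` output for the checksum and segmentation offload features and reports which are still enabled on each device. The embedded sample output is constructed to mirror the ethtool format and is used when ethtool is not available or not run as root; the device names are taken from the question.

```python
"""
Added example (not from the original answer, pfSense or libvirt): audit
checksum/segmentation offload on the host-side tap devices of KVM guests by
parsing `ethtool -k` output. SAMPLE_ETHTOOL_K is a constructed sample.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Tuple

# Top-level ethtool features that matter for the checksum-offload problem
OFFLOAD_FEATURES = (
    "rx-checksumming",
    "tx-checksumming",
    "tcp-segmentation-offload",
    "generic-segmentation-offload",
    "generic-receive-offload",
)

# Constructed sample in the format `ethtool -k <dev>` prints (sub-features are tab-indented)
SAMPLE_ETHTOOL_K = """\
Features for vnet1:
rx-checksumming: off [fixed]
tx-checksumming: on
\ttx-checksum-ipv4: off [fixed]
\ttx-checksum-ip-generic: on
scatter-gather: on
\ttx-scatter-gather: on
tcp-segmentation-offload: on
\ttx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
rx-vlan-offload: off [fixed]
"""

FEATURE_RE = re.compile(r"^(?P<name>[a-z0-9-]+): (?P<state>on|off)(?: \[(?P<flag>[^\]]+)\])?$")


def parse_ethtool_features(text: str) -> Dict[str, Tuple[bool, bool]]:
    """Map each top-level feature name to (enabled, fixed). Indented sub-features are skipped."""
    features: Dict[str, Tuple[bool, bool]] = {}
    for line in text.splitlines():
        if line.startswith(("\t", " ")):
            continue
        m = FEATURE_RE.match(line.strip())
        if m:
            features[m["name"]] = (m["state"] == "on", m["flag"] == "fixed")
    return features


def offload_findings(dev: str, features: Dict[str, Tuple[bool, bool]]) -> List[str]:
    """One line per offload feature still enabled on dev; an empty list means none are."""
    findings = []
    for name in OFFLOAD_FEATURES:
        enabled, fixed = features.get(name, (False, False))
        if enabled:
            note = " (fixed, cannot be changed with ethtool)" if fixed else ""
            findings.append(f"{dev}: {name} is on{note}")
    return findings


def live_features(dev: str) -> Dict[str, Tuple[bool, bool]]:
    """Run `ethtool -k dev` on the host (needs ethtool installed and usually root)."""
    if shutil.which("ethtool") is None:
        raise RuntimeError("ethtool not found")
    out = subprocess.run(["ethtool", "-k", dev], capture_output=True, text=True, check=True).stdout
    return parse_ethtool_features(out)


if __name__ == "__main__":
    for dev in ("macvtap0", "vnet0", "vnet1"):  # target devs from the question's XML dumps
        try:
            feats = live_features(dev)
        except (RuntimeError, subprocess.CalledProcessError):
            feats = parse_ethtool_features(SAMPLE_ETHTOOL_K)  # fall back to the constructed sample
        for line in offload_findings(dev, feats) or [f"{dev}: no offload features enabled"]:
            print(line)
```

On the pfSense side the option the answer refers to is "Disable hardware checksum offload" under System > Advanced > Networking; on the Linux host, `ethtool -K vnet1 tx off` turns TX checksumming off for a tap device, which is the counterpart knob when the problem is reproduced from the host rather than the guest. Features marked fixed cannot be toggled with ethtool and must be handled on the guest side.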