Virtualized firewall on KVM
I have a few VMs (homelab) virtualized with KVM (CentOS 7) and connected to my home network. Lately I tried to isolate them by putting them in a separate network, and I wanted to do so with a virtualized pfSense on the same host as the other VMs.
First I created an isolated network in virt-manager for my lab hosts.
Then I created a VM with 2 NICs and installed pfSense. One interface has the 192.168.1.100 address (home LAN) and the other one 10.13.37.1 (lab network).
pfSense XML dump:
<interface type='direct'>
<mac address='52:54:00:52:37:3f'/>
<source dev='enp1s0' mode='bridge'/>
<target dev='macvtap0'/>
<model type='virtio'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<interface type='network'>
<mac address='52:54:00:65:58:d6'/>
<source network='lab' bridge='virbr1'/>
<target dev='vnet1'/>
<model type='virtio'/>
<alias name='net1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</interface>
I moved one of my VMs (test server) to the internal pfSense network and set the pfSense IP address as the gateway, to test whether I would be able to connect to the internet.
Test server (10.13.37.54) XML dump:
<interface type='network'>
<mac address='52:54:00:eb:ce:db'/>
<source network='lab' bridge='virbr1'/>
<target dev='vnet0'/>
<model type='virtio'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
There is a www server running on the test server and I can curl it (curl http://10.13.37.54) from the pfSense VM, so the internal network is working fine. I also have an internet connection on pfSense (I can update the OS and, for example, curl http://google.com). From the test server I can ping pfSense and google.com, but when I try to curl http://google.com I'm constantly getting timeouts for some reason (same for other sites). I can resolve the google.com domain to an IP, so DNS (UDP packets) is working fine, but I can't establish a TCP 3-way handshake. I'm sending a SYN packet, but not getting anything back. Here's what the packet capture from the internal lab network looks like (captured on pfSense):
Tags: centos, networking, firewall, kvm, tcp
So it sounds like you need to focus on pfSense. Can you provide specific reference(s) you used to set up pfSense please? E.g. to start with, where did you obtain pfSense from? Also, you haven't mentioned what version of pfSense. From my perspective I'm not saying you did something wrong, but I don't really know anything about using pfSense, so I can't even make any educated guess about what you did yet :-).
– sourcejedi, Mar 10 at 12:58
Did you check the logs? I assume this document is relevant to your pfSense system: docs.netgate.com/pfsense/en/latest/firewall/…
– sourcejedi, Mar 10 at 13:02
I did not use any specific guide to set pfSense up. I just configured IPs on the interfaces and made a rule on the firewall to pass all traffic, temporarily. Here's what the firewall rules look like:
– sober, Mar 10 at 13:18
edited Mar 10 at 12:03 by Rui F Ribeiro
asked Mar 10 at 10:08 by sober
1 Answer
I got the answer on another forum; it turns out that all I had to do was disable hardware checksum offload (link to the documentation).
answered Mar 10 at 13:31 by sober
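As an added example (not code from the question or the answer), a POSIX shell script that reads FreeBSD/pfSense `ifconfig` output, reports which virtio (vtnet) interfaces still have checksum, TSO or LRO offload enabled, and prints the runtime `ifconfig` commands that switch them off. The `ifconfig` text inside the script is constructed; only the MACs and addresses are taken from the question's XML, and the pfSense GUI path named in the comments is assumed from the pfSense documentation, not from this page.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: find vtnet interfaces
# on a FreeBSD/pfSense VM whose `ifconfig` output still shows checksum, TSO or
# LRO offload enabled, and print the ifconfig commands that switch them off.
# SAMPLE_IFCONFIG is constructed; MACs and addresses are taken from the question.

SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 52:54:00:52:37:3f
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
        ether 52:54:00:65:58:d6
        inet 10.13.37.1 netmask 0xffffff00 broadcast 10.13.37.255'

# offload_offenders: read ifconfig text on stdin; for every vtnet interface whose
# options line lists an offload flag, print "<iface> <FLAG> <FLAG> ...".
offload_offenders() {
    awk '
        /^[a-z]+[0-9]+:/ { iface = $1; sub(":", "", iface); next }
        $1 ~ /^options=/ && iface ~ /^vtnet/ {
            split($0, a, "<"); split(a[2], b, ">"); n = split(b[1], f, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO)$/)
                    out = out " " f[i]
            if (out != "") print iface out
        }'
}

# fix_commands: turn each offender line into the runtime fix, e.g.
# "ifconfig vtnet0 -rxcsum -txcsum ...". FreeBSD spells the IPv6 variants
# -rxcsum6/-txcsum6. The persistent equivalent on pfSense (assumed GUI path) is
# System > Advanced > Networking > "Disable hardware checksum offload".
fix_commands() {
    while read -r iface flags; do
        args=""
        for flag in $flags; do
            args="$args -$(printf '%s' "$flag" | tr 'A-Z' 'a-z' | sed 's/_ipv6$/6/')"
        done
        echo "ifconfig $iface$args"
    done
}

# report_fixes: the end-to-end run on the constructed sample.
report_fixes() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | offload_offenders | fix_commands
}

report_fixes
```

On a real pfSense VM, replace the constructed sample with `ifconfig | offload_offenders | fix_commands` and review the commands before running them.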