Just a quick note on pfSense in a virtualized environment. For whatever reason, pfSense hangs during installation in a VM with default VM settings on all hypervisors I have tried. I have seen this on 1.2.3 and 2.0-RC1 on VirtualBox, KVM, and Xen. I have not tested with pfSense 2.0-RC3. The way I found to get around this is to put the CD-ROM and the hard disk on separate virtual disk controllers. For example, putting one on a SCSI controller and the other on IDE seems to work around the issue. I have tested this in both VBox and KVM.
If you haven't checked out pfSense, it complements Open vSwitch quite well in a virtualized lab environment as a LAN router and firewall. It is my favorite firewall/router distribution I have used, hands down.
Saturday, July 16, 2011
VirtualBox 4 Networking Notes
I recently set up a lab environment on older hardware that didn't have VT-x. For this setup I used VirtualBox 4 headless, phpVirtualBox, and Open vSwitch. I have a few notes worth documenting in one place.
- If you are trunking to a VBox VM, use the vnic type AMD PCNet PCI II (Am79C970A). This is not the default vnic type. I have been able to trunk to Linux and FreeBSD guests, including pfSense, using the PCNet II vnic with a trunk from Open vSwitch with no issues. Every other vnic type I tried didn't work for me. I haven't tried the virtio drivers on VBox; they may work as well. I do know the virtio drivers work when trunking to a Linux VM on KVM.
- If you are setting the destination of a mirror in Open vSwitch to a VM vnic on VBox, you will need to set extra data on the vnic to allow promiscuous mode to be enabled.
    VBoxManage setextradata VM_NAME \
      "VBoxInternal/Devices/pcnet/0/LUN#0/Config/IfPolicyPromisc" "allow-all"
  Replace pcnet with the appropriate vnic type you are using.
- VBox comes with VBoxTunctl, so you don't need to install tunctl separately to create tap interfaces for use with Open vSwitch.
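The notes above combined into one dry-run planner, as an added example that is not part of the original post: it prints the commands for a tap port, an Open vSwitch mirror that outputs to it, and the matching promiscuous-mode extradata key, without running anything. The names br0, tap1, sensor-vm, vboxuser and mirror0 are constructed placeholders; the device-name mapping and the "adapter slot N is device instance N-1" rule are assumptions to verify against your VirtualBox version.

```shell
#!/bin/sh
# Added example: prints a plan only; no VBoxManage or ovs-vsctl command is executed.

# Map a VBoxManage --nictype value to the device name used in the extradata path
# (assumed mapping; the original post only shows "pcnet").
nic_device() {
    case "$1" in
        Am79C970A|Am79C973)      echo pcnet ;;
        82540EM|82543GC|82545EM) echo e1000 ;;
        virtio)                  echo virtio-net ;;
        *) echo "unknown nic type: $1" >&2; return 1 ;;
    esac
}

# Build the IfPolicyPromisc key for a nic type and a 1-based adapter slot.
# Assumption: the device instance number is the adapter slot minus one.
promisc_key() {
    dev=$(nic_device "$1") || return 1
    echo "VBoxInternal/Devices/$dev/$(( $2 - 1 ))/LUN#0/Config/IfPolicyPromisc"
}

# Print the steps that mirror all traffic on an OVS bridge to a VM adapter.
# Arguments: bridge tap vm nictype slot owner
mirror_plan() {
    bridge=$1 tap=$2 vm=$3 nictype=$4 slot=$5 owner=$6
    key=$(promisc_key "$nictype" "$slot") || return 1
    cat <<EOF
VBoxTunctl -t $tap -u $owner
ovs-vsctl add-port $bridge $tap
ovs-vsctl -- set Bridge $bridge mirrors=@m -- --id=@out get Port $tap -- --id=@m create Mirror name=mirror0 select-all=true output-port=@out
VBoxManage modifyvm "$vm" --nic$slot bridged --bridgeadapter$slot $tap --nictype$slot $nictype
VBoxManage setextradata "$vm" "$key" "allow-all"
EOF
}

# Constructed sample values for a monitoring VM on adapter slot 2.
mirror_plan br0 tap1 sensor-vm Am79C970A 2 vboxuser
```

Review the printed commands before running them by hand; without the extradata line the guest interface will not see the mirrored frames, as the post notes.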
As a side note, you don't get 64-bit guests or hardware breakpoints while debugging in a guest without VT-x on VirtualBox :-( but at least you get full virtualization with good performance :-).
Not entirely related, but I would love to see enhanced protection such as sVirt-like functionality developed for libvirt/KVM on a system with SELinux or AppArmor available. That would go a long way to help protect the host and other guests if an escape from a guest was achieved.