2

Problem using pfSense VM inside a tenant

asked 2014-04-10 07:36:09 -0500

Hi,

I have done an experiment to create an image of pfSense (www.pfsense.org) that is used like a router in my tenant.

I've installed the "virtio" driver on FreeBSD 8.3 for networking & disk support and the image works perfectly.

I have a "demo" tenant with this network topology:

  • WAN: 192.168.100.0/24 - DHCP Enabled - Gateway 192.168.100.1
  • LAN: 10.0.0.0/24 - DHCP Enabled - No Gateway
  • Router with 192.168.100.0/24 interface and connected to ext_net

Inside this tenant there are two VMs:

  1. pfSense - An instance of pfSense that I use like a router with two network cards (WAN: 192.168.100.2 & LAN: 10.0.0.2)
  2. cirros - An instance of Cirros connected with one network card to LAN 10.0.0.4

In cirros I've changed the default route to point to the 10.0.0.2 address so pfSense can route packets to the WAN for me.

But routing doesn't work.

After a bit of testing, I realized that it's a problem with a DROP iptables rule, generated by the agent on the hypervisor where the VM runs, to protect against spoofing attacks.

Is it possible to disable/remove this rule for a single port with the neutron API?

Thanks,

Salvo.


2 answers

2

answered 2014-06-16 07:27:19 -0500

Some weeks ago I wrote an email to an OpenStack user, Jose Castro, to get his opinion about my problem with pfSense, and he found a solution.

You must add allowed_address_pairs to the LAN pfSense port and everything works:

neutron port-update <LAN_pfsense_uuid> --allowed-address-pairs type=dict list=true mac_address=<MAC_LAN_pfsense>,ip_address=0.0.0.0/0

With this port extension, neutron creates an iptables rule that allows packets to the LAN pfSense port from any IP and everything works.

Many thanks to Jose for the solution to the problem.


Comments

You're welcome :)

jfcastroluis ( 2014-06-20 16:14:15 -0500 )
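
An added example, not part of the original answer or of OpenStack's own code: the 0.0.0.0/0 pair in the command above lets the port send traffic with any source IP, so it helps to audit which ports carry such wide pairs. The port IDs, MACs and the prefix-length policy are constructed assumptions; the field names follow the Neutron port resource.

```python
import ipaddress
import json

# Constructed sample, shaped like the "ports" list in a Neutron
# GET /v2.0/ports response. IDs and MACs are placeholders.
SAMPLE_PORTS = json.loads("""[
 {"id": "PORT-PFSENSE-LAN", "mac_address": "fa:16:3e:00:00:02",
  "allowed_address_pairs": [
   {"ip_address": "0.0.0.0/0", "mac_address": "fa:16:3e:00:00:02"}]},
 {"id": "PORT-CIRROS", "mac_address": "fa:16:3e:00:00:04",
  "allowed_address_pairs": []},
 {"id": "PORT-VIP", "mac_address": "fa:16:3e:00:00:05",
  "allowed_address_pairs": [{"ip_address": "10.0.0.100"}]},
 {"id": "PORT-LAB", "mac_address": "fa:16:3e:00:00:06",
  "allowed_address_pairs": [
   {"ip_address": "172.16.0.0/12", "mac_address": "fa:16:3e:00:00:99"}]}
]""")

# Assumed policy: pairs wider than these prefix lengths deserve review.
MIN_PREFIXLEN = {4: 24, 6: 64}


def audit_allowed_address_pairs(ports, min_prefixlen=MIN_PREFIXLEN):
    """Return one finding per pair that widens the anti-spoofing filter."""
    findings = []
    for port in ports:
        for pair in port.get("allowed_address_pairs") or []:
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            if net.prefixlen == 0:
                severity = "any-source"   # any source IP passes this port
            elif net.prefixlen < min_prefixlen[net.version]:
                severity = "broad"
            else:
                continue                  # host or small range, e.g. a VIP
            pair_mac = pair.get("mac_address", port["mac_address"]).lower()
            findings.append({
                "port_id": port["id"],
                "cidr": str(net),
                "severity": severity,
                # True when the pair also admits a MAC other than the port's own
                "foreign_mac": pair_mac != port["mac_address"].lower(),
            })
    return findings


if __name__ == "__main__":
    for f in audit_allowed_address_pairs(SAMPLE_PORTS):
        print(f)
```

A port that forwards traffic for other hosts, like the pfSense LAN port above, is an expected finding; the audit is for spotting the same setting on ports that are not routers.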
0

answered 2014-05-29 02:31:02 -0500

thirunaresh

Hi Salvo,

I am in the process of creating a pfSense image for OpenStack. Since you have already done that, please help me with the process of creating the image.

Thanks, Naresh


Comments

sir yes sir http://ispire.me/pfsense-kvm-virtio/

Xavier ( 2014-06-30 05:45:15 -0500 )

Stats

Asked: 2014-04-10 07:36:09 -0500

Seen: 2,921 times

Last updated: Jun 16 '14