A while back, I added a pfSense installation to my home lab environment.

pfSense is a opensource network firewall/router operating system which offers a large amount of additional (3e party) modules to extend its functionality such as OpenVPN, Snort, etc. At this time, I am mainly interested in the OpenVPN functionality and I would very much like to play around with the ability to set up a IDS (Intrusion Detection System).

With pfSense being a software only implementation, I started by setting up a VM on my home lab Xenserver and initially I was not disappointed. The installation went very smoothly and in less than 20 minutes after browsing to the pfSense download page, I found myself staring at the pfSense web interface.

I completed setting up a number of basic rules, and performing some basic tests (like pinging internal and external addresses) without incidents, the problems started when i tried to open a webpage through the pfSense NAT. My browser was unable to open the page (located on an other test server). a number of troubleshooting steps later I was able to verify the connections between my PC and the pfSense VM, and the connection between the pfSense VM and the webserver VM were both working as expected, the rule-sets on the pfSense VM ware also configured correctly.

While searching on the web for a solution to my problem I stumbled onto a very interesting topic on the pfSense forums.

pfSense is based on FreeBSD, and FreeBSD wont accept traffic if the checksum on the TCP packet is not valid. to solve this problem two steps are needed.

1. Hardware checksum offloading needs to be disabled in the pfSense configuration. To achieve this navigate to “System > Advanced > Networking” in the pfSense interface and enable the “Disable hardware checksum offload” option.

2. Hardware checksum offloading needs to be disabled on the pfSense VM virtual interfaces. To achieve this we first need to know the interface uuid’s of the interfaces. Use the following command on the Xenserver CLI interface to get the UUID’s:

xe vif-list vm-name-label=<pfSense vm name case sensitive>

The UUID’s can be found after the “uuid ( RO) :” label.

to disable to hardware checksum offloading we need the following commands:

xe vif-param-set uuid=<UUID> other-config:ethtool-tx="off"
xe vif-param-set uuid=<UUID> other-config:ethtool-rx="off"

I was able to get by with only the tx disabled, but I mainly tested with download traffic so some upload testing is still required.