
I also had some very bad experiences with pfSense performance in a virtual environment.

Under Proxmox any kind of network load has an abnormal impact on CPU load, often almost freezing the host. On ESX it's a bit better but at the cost of low throughput.

From what I've read it's an issue with offload/checksum with FreeBSD.

After lots of digging on the subject I gave up and switched to VyOS for my Proxmox cluster. It doesn't have a nice web panel but the load of the host is now barely noticeable.



For VMware use the Intel e1000e NICs, not the default ones that you get when setting up the VM using the GUI.

In order to do so, shut down your VM and edit the lines in the .vmx file with the virtual NIC to look like:

  ethernet0.virtualDev = "e1000e"

Repeat that for each NIC.

After that performance should be fine.


4-5 years ago I used pfSense as internet gateway and VPN for point to point in an office with probably 20-30 users. We had it clustered between a VM (on ESXi) and a physical appliance on ALIX (if I recall correctly, or another of the supported SFF appliances). The VM was rock solid while the appliance from time to time was experiencing issues (stuck/memory exhausted I think) up to the point that DHCP leases were not released anymore and the office was de facto unable to work.

I think at the end we just kept the VM running alone.


Yeah, you have to disable TCP hardware packet segmentation offloading.


Do you know if I have to do that with regular FreeBSD as well? Like if I were to run just FreeBSD and not pfSense.


The answer here is 'Yes'. TSO and routing / packet filtering are incompatible.

https://wiki.freebsd.org/10gFreeBSD/Router#Disabling_LRO_and...
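
Added example, not part of any comment in this thread: a small audit that reads FreeBSD `ifconfig` output and lists the interfaces that still advertise TSO or LRO, then prints the matching `ifconfig <if> -tso -lro` commands without running them. The sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FreeBSD `ifconfig` output for TSO/LRO left enabled.

# Constructed sample input (interface names and option masks are made up).
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:00:5e:00:53:01
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=e403bb<RXCSUM,TXCSUM,VLAN_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
EOF
}

# Reads ifconfig text on stdin; prints "<ifname> <flags>" for every interface
# whose options= line contains TSO4, TSO6 or LRO as an exact capability name.
# VLAN_HWTSO is a separate capability and is deliberately not reported here.
offload_report() {
    awk '
        # Interface header, e.g. "em0: flags=8843<...> metric 0 mtu 1500"
        $1 ~ /^[a-z][a-z0-9_.]*:$/ && $2 ~ /^flags=/ {
            iface = $1; sub(/:$/, "", iface); next
        }
        # Capability line, e.g. "options=9b<RXCSUM,TXCSUM,...>"
        $1 ~ /^options=/ {
            s = $1
            sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, caps, ",")
            found = ""
            for (i = 1; i <= n; i++)
                if (caps[i] == "TSO4" || caps[i] == "TSO6" || caps[i] == "LRO")
                    found = found (found == "" ? "" : ",") caps[i]
            if (found != "") print iface, found
        }
    '
}

# Turns the report into the commands that would disable the offloads
# (printed only, never executed).
offload_disable_cmds() {
    while read -r ifname _flags; do
        printf 'ifconfig %s -tso -lro\n' "$ifname"
    done
}

sample_ifconfig | offload_report
```

On a FreeBSD host, `ifconfig | offload_report` runs the same check against the live interfaces.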


So why isn't it disabled out of the box (on pfSense, not FreeBSD)?



Do you know when this was instituted? I'm quite sure that wasn't the default when I set up my pfSense systems..


I don't on my FreeBSD hosts and haven't had any problems, but I think it depends on the drivers you have installed. On all my production servers I use standalone Intel NICs w/ the Intel drivers; pfSense may be using something else depending on the configuration. FWIW, pfSense has been basically stock FreeBSD + software/skin for the past couple of years.


> FWIW, pfSense has been basically stock FreeBSD + software/skin for the past couple of years.

While we try to move things upstream as much as possible, there are still patches in pfSense that don't make sense for FreeBSD.

> I don't on my FreeBSD hosts and haven't had any problems

TSO and routing/forwarding (and thus filtering) are incompatible.


Yep, use Intel e1000e NICs for FreeBSD on VMware hosts.


FWIW, I have seen that advice given for problems with networking performance in virtualized environments, regardless of the operating system.


My understanding is that the VM is still in development. I don't see a download option from the main page.


I've used pfSense in VirtualBox for years, as VPN-gateway VMs. I'm posting from a VM that hits the Internet through three VPNs in a nested chain. Each pfSense VM uses just ~70MB.


There's not an appliance per se but you can just install it to a virtual machine. I was running a 1 CPU, 256MB instance with a 100mbs line and noticed no issues - ESX running on Core i7-920


I really thought they had a blog post somewhere or maybe a tweet or something stating they were planning to support a VM, but I'm failing to find the link. Maybe I'm remembering incorrectly. In any case, they do have a forum section dedicated to virtualization:

https://forum.pfsense.org/index.php?board=37.0


pfSense works as a Xen guest.


I had the opposite experience, I had to disable all hardware offload to get it to work correctly on XenServer.


There was a bug in pf which made it break with TSO, but it was fixed a couple years ago.


I have pfSense running on a Hyper-V server; I haven't noticed any problems with it.



