Issue


Various networking issues may occur when pfSense is used as a virtual server functioning as a gateway. In one particular case we observed the following:

  • pfSense was installed as a guest on a KVM compute resource.
  • pfSense was used to NAT traffic between the internal and external networks (default configuration).
  • No TCP/UDP connections could be established between the client VS and the outside world when both pfSense and the client VS were running on the same compute resource.
  • When the client VS was running on a separate compute resource, TCP/UDP connections were slow.
  • In both cases, ICMP traffic worked as expected.


Resolution


These issues are caused by para-virtualized drivers (VirtIO in KVM; PV in Xen). To resolve them, perform one or all of the steps below:

  • Disable the hardware checksum offload inside pfSense at System > Advanced > Networking > Disable hardware checksum offload. The virtual server has to be rebooted to apply the change.
  • Disable tx checksum offloading on the compute resource.
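
One way to carry out the second step on a Linux compute resource with `ethtool`, shown as an added example that is not part of the original article. The function names and the interface name `vnet0` are assumptions; pass the host-side interface that actually carries the pfSense guest's traffic.

```shell
#!/bin/sh
# Added example: check and disable TX checksum offload on a host interface.
# Usage (as root): sh tx-offload.sh <interface>    e.g. vnet0 (assumed name)

# Constructed sample of `ethtool -k <iface>` output, for offline checks only.
SAMPLE_FEATURES='Features for vnet0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
    tx-checksum-ip-generic: on
scatter-gather: on
tcp-segmentation-offload: on'

# Read `ethtool -k` output on stdin and print the state of the top-level
# tx-checksumming feature: "on", "off", or "unknown" if the line is absent.
# Indented sub-features (tx-checksum-ipv4 etc.) are deliberately not matched.
tx_csum_state() {
    awk '$1 == "tx-checksumming:" { print $2; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Disable TX checksum offload on one interface and verify the result.
# Returns non-zero if the feature is still not "off" afterwards
# (for example when the driver reports it as fixed).
disable_tx_csum() {
    iface=$1
    before=$(ethtool -k "$iface" | tx_csum_state)
    if [ "$before" = "on" ]; then
        ethtool -K "$iface" tx off || return 1
    fi
    after=$(ethtool -k "$iface" | tx_csum_state)
    echo "$iface: tx-checksumming $before -> $after"
    [ "$after" = "off" ]
}

# Only touch the host when an interface name is given on the command line.
if [ -n "${1:-}" ]; then
    disable_tx_csum "$1"
fi
```

A setting changed with `ethtool -K` applies to the running system only, so it has to be reapplied after the compute resource reboots or the interface is recreated.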