PFSense as VM

May 11, 2016
3
2
3
47
One compelling argument against virtualizing a router (of any type) is that bringing down the hypervisor for updates/fixes often requires internet access. If the activity goes bad (you need additional packages, look up a config setting etc) you're SOL because your network connection is down. With the proliferation of tethering smart phones it's not as much of an issue but something to keep in mind, especially if the equipment is remote/lights-out. Unless you're really short on funds/space it's probably better to keep your router as bullet proof as possible (no extraneous dependencies, no moving parts, etc).

With that said, I have run pfSense virtualized on ProxMox and Vmware and haven't had any issues.
 
  • Like
Reactions: gigatexal
Sep 22, 2015
61
18
8
One compelling argument against virtualizing a router (of any type) is that bringing down the hypervisor for updates/fixes often requires internet access. If the activity goes bad (you need additional packages, look up a config setting etc) you're SOL because your network connection is down. With the proliferation of tethering smart phones it's not as much of an issue but something to keep in mind, especially if the equipment is remote/lights-out. Unless you're really short on funds/space it's probably better to keep your router as bullet proof as possible (no extraneous dependencies, no moving parts, etc).

With that said, I have run pfSense virtualized on ProxMox and Vmware and haven't had any issues.
One other gotcha is to make sure your hypervisor and motherboard KVM aren't getting anything from DHCP. If your hypervisor fails to start and you can't see why because your remote management doesn't have an IP...you're gonna have a bad time. Ask me how I know this.
 

CreoleLakerFan

Active Member
Oct 29, 2013
478
176
43
One other gotcha is to make sure your hypervisor and motherboard KVM aren't getting anything from DHCP. If your hypervisor fails to start and you can't see why because your remote management doesn't have an IP...you're gonna have a bad time. Ask me how I know this.
Put a Static IP on IPMI, the hypervisor, and one management PC around the house (a NUC, in my case). Ask me how I know this ...

:)
 
  • Like
Reactions: socra

dswartz

Active Member
Jul 14, 2011
509
52
28
One compelling argument against virtualizing a router (of any type) is that bringing down the hypervisor for updates/fixes often requires internet access. If the activity goes bad (you need additional packages, look up a config setting etc) you're SOL because your network connection is down. With the proliferation of tethering smart phones it's not as much of an issue but something to keep in mind, especially if the equipment is remote/lights-out. Unless you're really short on funds/space it's probably better to keep your router as bullet proof as possible (no extraneous dependencies, no moving parts, etc).

With that said, I have run pfSense virtualized on ProxMox and Vmware and haven't had any issues.
All good points. If you run a 2-node cluster like I do, this should not be a concern, though...
 

PigLover

Moderator
Jan 26, 2011
3,012
1,315
113
Put a Static IP on IPMI, the hypervisor, and one management PC around the house (a NUC, in my case). Ask me how I know this ...

:)
Its probably a bigger set than this. Consider which parts of your deployment form the "undercloud" - those elements required to launch "the cloud". Make sure they don't have any upstream dependencies on the cloud itself or any applications/services running in the cloud.

I include Static for all of the following (and distribute a local hosts file for all of them):
  • All switches and router nodes
  • All hypervisor hosts
  • All storage nodes (esp. vsan like Ceph, etc).
  • My primary wireless AP
  • At least one management PC
Just like you - ask my why I know this. I think we may have had similar experiences.
 

PigLover

Moderator
Jan 26, 2011
3,012
1,315
113
how do you distribute the hosts file, i'm curious.
I'd love to give an answer that sounds "cool" like via Foreman or Ansible or some tool that sounds like I know what I'm doing.

Unfortunately the answer is that I do it the old fashioned way - "manually". My lab is small (currently 11 "hosts", 3 switches and one router in what I consider my "undercloud").
 
  • Like
Reactions: gigatexal

epicurean

Active Member
Sep 29, 2014
705
51
28
Is there a guide to setting up Pfsense as VM that you guys suggest? Using esxi 6 for an AIO
Also the specs needed to use it for 10G capable network on a fiber 1G link? Just running 1 VPN from time to time from home to office.

I also have an unused edgerouter er8. Would this be easier to configure? but I was told it won't be 10G capable
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
7,247
1,701
113
CA
Going to start playing around with pfsense myself! Downloading today :)
 

Keljian

Active Member
Sep 9, 2015
429
71
28
Melbourne Australia
Is there a guide to setting up Pfsense as VM that you guys suggest? Using esxi 6 for an AIO
Also the specs needed to use it for 10G capable network on a fiber 1G link? Just running 1 VPN from time to time from home to office.

I also have an unused edgerouter er8. Would this be easier to configure? but I was told it won't be 10G capable
Being that you have a VM to play with, why don't you try a few different configurations of the VM to see what works best?

The biggest challenge will be what plugins you use. Start with 2 vcores and 4 gig of ram, then scale up from there if required. The faster the cores, the better obviously.
 

spazoid

Member
Apr 26, 2011
91
10
8
Copenhagen, Denmark
I usually see sub 5% CPU usage with 1 vCPU (e3-1275 v3) on a 100/100 mbit line.. Opening up the webinterface is actually a lot more demanding than downloading at full speed. I've only allocated 1GB vMEM, but with only vmtools and RRD summary packaged installed, it is more than enough - I could easily get away with half a gig.
 

epicurean

Active Member
Sep 29, 2014
705
51
28
So no takers for the edgerouter? Pfsense all the way?

Sent from my SM-G925I using Tapatalk
 

wildchild

Active Member
Feb 4, 2014
394
57
28
Well if you like edgeroute , which is a nice device btw, but you like to run it virtual ( and maybe even clustered over 2 vmware hosts) .. you may want to take a good look at vyos both are openvyatta abeid edgeos is an eatlier fork
 

epicurean

Active Member
Sep 29, 2014
705
51
28
I am actually more comfortable with hardware at the front end of the network connection, which is why I am considering the edgerouter. How challenging is it to use a VM(Sophos or Pfsense) instead? Is the network cabling going to be complicated?
 
Sep 22, 2015
61
18
8
I am actually more comfortable with hardware at the front end of the network connection, which is why I am considering the edgerouter. How challenging is it to use a VM(Sophos or Pfsense) instead? Is the network cabling going to be complicated?
Add a separate dual port+ nic for PFSENSE. Pass it through or just create virtual switches with only the PFsense VM assigned. Then you just run two cables (one from the cable modem, one to the switch) and that's it. Your existing VM host LAN connection will remain plugged into the switch as it is now.