Pfsense & Sophos in VM

mason736

Member
Mar 17, 2013
111
1
18
I'm relatively new to advanced home networking. I currently run a Netgear WNDR3700 using OpenWrt as my router. I needed VLAN support to allow my SAN traffic and wireless traffic to be segregated from the main network traffic.

I have been running this setup, Modem > OpenWRT > Cisco SG200 (2) switches for a few years now. However, I'm starting to have trouble with the Netgear router, and want to move to a new appliance.

I have viewed a few threads on here of people running pfSense and Sophos in a VM, but I don't understand how running the firewall/routing software in a VM will allow the same functionality as my current setup. How can the firewall/routing software work correctly in a VM vs. having it sitting as an endpoint in my network?

Any help is appreciated. Thanks
 

Jeggs101

Well-Known Member
Dec 29, 2010
1,529
241
63
I'm relatively new to advanced home networking. I currently run a Netgear WNDR3700 using OpenWrt as my router. I needed VLAN support to allow my SAN traffic and wireless traffic to be segregated from the main network traffic.

I have been running this setup, Modem > OpenWRT > Cisco SG200 (2) switches for a few years now. However, I'm starting to have trouble with the Netgear router, and want to move to a new appliance.

I have viewed a few threads on here of people running pfSense and Sophos in a VM, but I don't understand how running the firewall/routing software in a VM will allow the same functionality as my current setup. How can the firewall/routing software work correctly in a VM vs. having it sitting as an endpoint in my network?

Any help is appreciated. Thanks
I was not big on it at first either. But it's really easy now that you can pass-through or just assign dedicated NICs to VMs. You do 1 WAN physical port, 1 LAN port that can even be a virtual one linked to the virtual switch your hypervisor has. If you want more performance, you can have dedicated NICs even for WAN and SAN traffic. If you have a virtual host, I'd just install pfSense and give it a go. It makes more sense when you do it.
 

dswartz

Active Member
Jul 14, 2011
610
79
28
I've been running pfsense under ESXi for several years now. Works just fine...
 

mason736

Member
Mar 17, 2013
111
1
18
I'm running a c6100. My main nodes have 4-NIC add-on cards right now; however, those NICs are all in use.

I may have to purchase another 4-NIC card for one of the other nodes and start running that node for pfSense.
 

mason736

Member
Mar 17, 2013
111
1
18
Once I make the enhancements to the node, do I run the wan cable from my modem straight into the WAN designated port of that node?

Not sure if it matters, but I'm running Hyper-V, not ESXi.
 

Phenic

Member
Mar 17, 2015
45
23
8
I run pfSense in Hyper-V.

Just run the cable like you said from modem -> pfSense NIC #1 and obviously pfSense NIC #2 -> switch.
 
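Since the OP is on Hyper-V, here is what the "NIC #1 to modem, NIC #2 to switch" layout looks like when scripted. This is an added example, not code from anyone in the thread; the adapter names "WAN-NIC" and "LAN-NIC", the VM name "pfSense" and the VLAN IDs 10 (SAN) and 20 (wireless) are assumptions to replace with your own.

```powershell
# Added example (not from the thread). Assumes a Hyper-V host with two spare
# physical adapters named "WAN-NIC" and "LAN-NIC", and a VM named "pfSense"
# that was created without a network adapter. VLAN IDs 10 (SAN) and 20
# (wireless) are placeholders for your own VLAN plan.

# WAN: a dedicated external switch bound to the NIC the modem plugs into.
# -AllowManagementOS $false keeps the hypervisor host itself off this switch,
# so the only thing with an interface facing the modem is the firewall VM.
New-VMSwitch -Name "vSwitch-WAN" -NetAdapterName "WAN-NIC" -AllowManagementOS $false

# LAN: an external switch on the second NIC, cabled to the Cisco switch.
# The host may share this one for its own management traffic.
New-VMSwitch -Name "vSwitch-LAN" -NetAdapterName "LAN-NIC" -AllowManagementOS $true

# One virtual adapter per switch for the firewall VM; pfSense enumerates
# Hyper-V synthetic NICs as hn0, hn1 in the order they are attached.
Add-VMNetworkAdapter -VMName "pfSense" -SwitchName "vSwitch-WAN" -Name "WAN"
Add-VMNetworkAdapter -VMName "pfSense" -SwitchName "vSwitch-LAN" -Name "LAN"

# Trunk the LAN adapter so pfSense can terminate the tagged SAN and wireless
# VLANs itself; VLAN 1 stays untagged for the main network.
Set-VMNetworkAdapterVlan -VMName "pfSense" -VMNetworkAdapterName "LAN" `
    -Trunk -AllowedVlanIdList "10,20" -NativeVlanId 1

# Check what the VM actually got before cabling the modem in.
Get-VMNetworkAdapter -VMName "pfSense" | Format-Table Name, SwitchName, MacAddress
Get-VMNetworkAdapterVlan -VMName "pfSense"
```

The corresponding switch port on the Cisco side must carry VLANs 10 and 20 tagged with VLAN 1 untagged, or the trunk above passes nothing for those networks.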

cptbjorn

Member
Aug 16, 2013
100
19
18
I'm running 2 Sophos VMs in HA on separate ESXi hosts, each host only has one physical NIC and I do everything with VLANs. My modem plugs into my switch and whichever VM is the current primary will use it.
 

Hank C

Active Member
Jun 16, 2014
644
66
28
How did you run Sophos in HA? Is it the free Sophos or the paid edition?
 

mason736

Member
Mar 17, 2013
111
1
18
I'm running 2 Sophos VMs in HA on separate ESXi hosts, each host only has one physical NIC and I do everything with VLANs. My modem plugs into my switch and whichever VM is the current primary will use it.
Are you running a central SAN for your VM storage across the hosts? On my c6100, I have VM storage local to each node and a separate iSCSI SAN for bulk media storage.
 

cptbjorn

Member
Aug 16, 2013
100
19
18
Sophos home edition allows hot standby mode. It works great; if I have a one-second-interval ping going, it drops 1 at most when it cuts between them during patches etc.

I'm not running any VMs on shared storage right now, all local datastores.
 

Hank C

Active Member
Jun 16, 2014
644
66
28
Is there any limitation on running the home edition? Previously it was limited to a certain number of IPs it could manage.
 

cptbjorn

Member
Aug 16, 2013
100
19
18
You are limited to 50 IPs so you have to be a little careful with them. I think a single packet within the last week or month triggers it, so I have some stuff like my APC management cards set with no gateway so they don't end up in the list.
 

markarr

Active Member
Oct 31, 2013
421
122
43
Is there any limitation on running the home edition? Previously it was limited to a certain number of IPs it could manage.
For the UTM it is 50 IPs.
For the new XG version there is no IP limit, only 4 cores and 6 GB of RAM.
 

JimPhreak

Active Member
Oct 10, 2013
553
55
28
I love UTM (use it at work) but they still won't add in the ability to set up a client OpenVPN connection to VPN services. It's been a missing feature for at least 5-6 years but they just don't seem to care about it. It's probably the one thing preventing me from using UTM at home.
 

mason736

Member
Mar 17, 2013
111
1
18
I love UTM (use it at work) but they still won't add in the ability to set up a client OpenVPN connection to VPN services. It's been a missing feature for at least 5-6 years but they just don't seem to care about it. It's probably the one thing preventing me from using UTM at home.

Is OpenVPN included in the new XG version?
 

markarr

Active Member
Oct 31, 2013
421
122
43
The SSL VPN client they use is a rebranded version of the OpenVPN client. On iOS devices they use the OpenVPN client with their config. It is under the Remote Access section, not the site-to-site. You should be able to get the normal OpenVPN client working there if you download the config from the user portal.
 

mason736

Member
Mar 17, 2013
111
1
18
I'm going to be running Plex and some other streaming gear. Can you run link aggregation in Sophos to get 2 Gb links between the networks? I have my SAN on a separate subnet from my main network. I'd like to run 2 Gb from my one subnet to the other subnet.