Proxmox and pfsense missing last step

PigLover

Moderator
Jan 26, 2011
If you follow these instructions then yes - you should just connect other VMs to the "LAN" bridge that you used for the PFSense VM.

As for gotchas:

- These instructions assume you have 3 physical Ethernet ports: eth0 for "Proxmox", eth1 for "WAN" and eth2 for "LAN". Most home users would probably only have 2 physical devices. Just attach the bridge you used to install Proxmox as the "LAN" and then use that for other VMs too (and connect that same Ethernet port to your local switch to use your pfSense VM elsewhere on your LAN).

- Using Linux bridges (or even OVS) for your router/firewall does have some potential issues. One is security: other processes on the Proxmox host may be able to access the WAN port and bypass the firewall. The other is performance: the Linux network stack will become a limiter if you have any high packets-per-second (PPS) requirements. For most home use cases this is not an issue. But if you are either paranoid or need higher-performance networking, you should use PCI pass-through to connect the NICs directly to the pfSense VM.
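As an added illustration (not from any poster in this thread), here is what the three-bridge layout from the first gotcha could look like in the Proxmox host's /etc/network/interfaces, with the WAN bridge left address-less on the host side to narrow the exposure described in the second gotcha. Interface names follow the post's eth0/eth1/eth2; the addresses and the vmbr numbering are assumptions.

```text
# /etc/network/interfaces on the Proxmox host (example config, not from the thread)
# Layout from the post: eth0 = Proxmox management, eth1 = WAN, eth2 = LAN.
# Modern Proxmox hosts usually show names like enp1s0 instead of eth0; substitute accordingly.

auto lo
iface lo inet loopback

# Management bridge: the ONLY bridge that carries an IP address on the host.
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.2/24      # assumed host management address
    gateway 192.168.1.1         # assumed pfSense LAN address
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0

# WAN bridge: attach only the pfSense "WAN" vNIC here.
# "inet manual" with no address means the host has no Layer 3 presence on the
# WAN segment, so host services are not reachable from the WAN side. The host
# kernel is still a member of the bridge at Layer 2; only PCI pass-through of
# eth1 to the VM removes the host from this path entirely.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports eth1
    bridge-stp off
    bridge-fd 0

# LAN bridge: attach the pfSense "LAN" vNIC and every other VM to this bridge.
auto vmbr2
iface vmbr2 inet manual
    bridge-ports eth2
    bridge-stp off
    bridge-fd 0

# Two-NIC variant from the post: drop vmbr2 and attach the pfSense "LAN" vNIC
# and all other VMs to vmbr0 instead, with eth0 cabled to the LAN switch.
```

Apply with `ifreload -a` (ifupdown2, the default on current Proxmox) or reboot; changing the management bridge over a remote session can cut you off, so keep console access handy.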

PigLover

Moderator
Jan 26, 2011
Also - and this is just personal preference and can fairly be debated - I don't really think running your primary router/firewall in a VM is a really good idea. Sufficient hardware to run a stand-alone firewall is cheap, easy and can be low-powered. There are just too many headaches that come from running your router/firewall in a VM to make it worthwhile.

For example, upgrades and maintenance on the VM host will take the router offline, yet you may need your internet access to fix things if there are any hiccups while working on the host. There are perhaps dozens of other reasons. Some are probably unlikely, but just the same they are enough to put me off it.

Now, if this is not the primary internet access but an internal router for your setup, or if your setup is more sophisticated and you are able to do failover between multiple routers for the primary internet access, then all good. But those are not generally home/lab use cases.

groove

Member
Sep 21, 2011
I totally agree with PigLover. I have been running pfSense on Proxmox for about 6 months (my physical box got bit by the Atom C2000 bug) and it has been quite problematic. Enough to warrant getting a new box going.

Sealside

Member
May 10, 2019
Stockholm/Sweden
Hi!
Been on a similar journey. Went from virtualized pfSense to bare-metal pfSense. Ran it virtualized for 4 years; it had its pros and cons.
Best thing I have done the past year is to run it bare metal, for all the reasons mentioned here. I have reduced the downtime in my home significantly. It was usually "ok, let's upgrade... oh shit, didn't think about xyz". The family is a lot happier now as well :).

Regards S

Patrick

Administrator
Staff member
Dec 21, 2010
I have gone a bit of a different direction. I had a virtualized pfSense for years, including a more or less dedicated pfSense virtual host. Being able to roll back changes via snapshots was nice in the old days.

Today, I usually have a physical box as the primary and a virtualized host as a secondary pfSense installation. Physical box because that is always good; the virtualized one can be the first to get upgraded/reverted if needed. Having two helps fix things if there is a problem with one, and adding a virtualized pfSense these days as a just-in-case is not a big deal.

WANg

Well-Known Member
Jun 10, 2018
New York, NY
I have gone a bit of a different direction. I had a virtualized pfSense for years, including a more or less dedicated pfSense virtual host. Being able to roll back changes via snapshots was nice in the old days.

Today, I usually have a physical box as the primary and a virtualized host as a secondary pfSense installation. Physical box because that is always good; the virtualized one can be the first to get upgraded/reverted if needed. Having two helps fix things if there is a problem with one, and adding a virtualized pfSense these days as a just-in-case is not a big deal.

Just out of curiosity, what type of hardware do you typically use for pfSense, both on your physical box and as a virtualized instance?