Suggestion pfsense virtualization or not?

Discussion in 'Software Stuff' started by CosHiM, Apr 21, 2017.

  1. CosHiM

    CosHiM New Member

    Joined:
    Apr 21, 2017
    Messages:
    4
    Likes Received:
    0
    Hi,

    Recently, I moved my 2U server (computing node) to the datacenter, and I have already bought some new hardware that I plan to use as a pfSense router, to run IPsec between home and the DC.

    Hardware List:
    • J3355M
    • 4G x2 DDR3L
    • 32G SSD
    • 2T HDD
    • i340t 4-port NIC card
    • Tdm400p (from the 2U server)
    Today I finished assembling the hardware and tested pfSense; the performance is really good (150Mbps over IPsec AES-CBC-128).

    However, in practice pfSense does not work as I expected: it does not let me install lots of FreeBSD packages. And since I lost my server, I need this new server to run Asterisk with DAHDI and ZoneMinder for video surveillance. I am not sure it is a good idea to install this software under pfSense (pfSense-install-FreeBSD-Package.sh - Install FreeBSD package at pfSense 2.3.x).

    Otherwise, run pfSense and Linux virtual machines over Proxmox/ESXi, or a pfSense virtual machine over Linux (KVM/VMware).

    Are there any recommendations for my software architecture?

    - Pfsense
    - Asterisk
    - ZoneMinder
     
    #1
  2. cheezehead

    cheezehead Active Member

    Joined:
    Sep 23, 2012
    Messages:
    700
    Likes Received:
    172
    I'd go for ESXi/Proxmox
     
    #2
  3. Patrick

    Patrick Administrator
    Staff Member

    Joined:
    Dec 21, 2010
    Messages:
    11,624
    Likes Received:
    4,580
    If you need to run many different services, then virtualized is probably the way to go. There is an ESXi pfSense image available to pfSense Gold subscribers.
     
    #3
  4. CosHiM

    CosHiM New Member

    Joined:
    Apr 21, 2017
    Messages:
    4
    Likes Received:
    0
    If I go with virtualization, is there a huge performance effect on the network?
     
    #4
  5. RTM

    RTM Active Member

    Joined:
    Jan 26, 2014
    Messages:
    443
    Likes Received:
    143
    One of the downsides to virtualizing your primary firewall is that you may run into a chicken-or-the-egg situation when updating the hypervisor.
    It has been my experience that with some setups, where mgmt traffic goes through the firewall, you have to put the host in maintenance mode before updating it, requiring you to stop VMs, which results in a dropped connection to the mgmt interface.

    There are probably ways to deal with/minimize this issue, but you should be aware of what might happen.

    I will give you another recommendation, while I am at it ;):
    If you choose to use virtualization, find something where the impact of the platform is relatively small. Think of it this way: why should it have a large assortment of web services etc.? Your machine does not have loads of RAM, CPU or disk resources, so what it has should be used for the VMs.
    One way to help save some of your resources might be to look into using containers for some of your apps rather than full-blown VMs (though this can have an impact on security, as containers are not as isolated from the host environment as VMs).
     
    #5
    PigLover likes this.
  6. CosHiM

    CosHiM New Member

    Joined:
    Apr 21, 2017
    Messages:
    4
    Likes Received:
    0
    In the first place, I thought I would install a little software on pfSense. However, it is really difficult to install extra software on pfSense; when I tested installing that software in my pfSense VM, the whole of pfSense stopped working.

    The main problem is that much third-party software would break pfSense, so I have to go with virtualization to resolve the third-party software problems.

    Do you know of another *unix router/firewall project on which many 3rd-party software packages could be installed?
     
    #6
  7. poutnik

    poutnik Member

    Joined:
    Apr 3, 2013
    Messages:
    119
    Likes Received:
    13
    I would ask, are you cash-constrained? (Not meaning anything bad.) Because I think that in a home environment, it's good to have a separate pfSense box. You could either use some old hardware you have (saving on cost, but paying more for energy), or install pfSense on something like the ALIX/APU boards. I know they are not free (or cheap), but they get the job done very well, use very little energy and last for years. I have 3 pfSense boxes like these and the youngest of them (HW-wise) is 3 years old. The oldest is, I think, something between 7 and 10 years old. And they just run: no reboots, no maintenance (apart from occasionally checking for updates)...
     
    #7
  8. T_Minus

    T_Minus Moderator

    Joined:
    Feb 15, 2015
    Messages:
    6,888
    Likes Received:
    1,511
    I believe in keeping your primary hardware to the "internet" not virtualized for reasons mostly mentioned by others.

    It's VERY cheap relative to the servers most of us run to have 100% dedicated hardware for pfsense / routing to the internet.
    The time saved from actually being able to get online to fix problems during any issue, vs. having to use your phone or a hotspot that's slow, etc., alone is enough for me to run it dedicated :) non-virtualized. I'm running a Cisco router now, and even with that I purchased a 2nd identical unit, loaded my config, and set it ready to swap out! I can go a day or two with no internet and no issues, but I'm sure not going to wait a week+ for a new unit to arrive, reconfigure/test/etc. and then get online again!!! I actually need to sell my old router; I kept it JUST IN CASE even, ha haha!! (after Cisco).

    My vote = NO virtualized router
     
    #8
  9. RobertFontaine

    RobertFontaine Active Member

    Joined:
    Dec 17, 2015
    Messages:
    666
    Likes Received:
    148
    I have more RAM and processing available to a VM than I have on my pfSense box. It would be easy to dedicate a couple of Ethernet ports to pfSense for bandwidth to the switch.

    BUT I'm old fashioned and the idea of a firewall on its own hardware makes me feel better.
     
    #9
  10. ttabbal

    ttabbal Active Member

    Joined:
    Mar 10, 2016
    Messages:
    726
    Likes Received:
    193
    I have a pfSense under Proxmox on a dedicated server. The idea is to have some basic firewall/router/VPN stuff for everything else. It works, mostly. There's a nasty bug in the BSD virtio network drivers that kills throughput. I'm still trying various options to get it working well. Annoyingly, it only shows up when using pf, which is sort of the point of the VM. It's been there for years; the BSD guys don't seem all that bothered by it.

    At home I run it on its own hardware and it works great there.
     
    #10
  11. CosHiM

    CosHiM New Member

    Joined:
    Apr 21, 2017
    Messages:
    4
    Likes Received:
    0
    No. When I first designed this hardware, I only considered low TDP and high IPsec throughput. In my mind, I thought pfSense would allow the user to run some light processes (such as Asterisk, Python scripts and ZoneMinder). However, it is really difficult to do that with pfSense.

    I am planning to add more hardware in the future after the basement is finished (server noise problem).
     
    #11
  12. cheezehead

    cheezehead Active Member

    Joined:
    Sep 23, 2012
    Messages:
    700
    Likes Received:
    172
    Used to run ESXi + pfSense VM for a few years... no perf issues for home/homelab use. I wouldn't want to have it handle 10GB WAN links as a VM, but for light duty it works just fine.

    "Used to...": I've since split it back out to a separate physical box due to the chicken-and-egg issue. Any time the hypervisor needs patching, your internet goes down. It also provides some electrical isolation in the sad event of a power surge from the cable company... copper on the WAN side, glass internally, just in case.
     
    #12
  13. spazoid

    spazoid Member

    Joined:
    Apr 26, 2011
    Messages:
    91
    Likes Received:
    10
    Same for me as for some of the others: running virtualized at the moment, but I intend to switch to a dedicated setup when I find something that'll handle 1000/1000 Mbit relatively cheaply (low TCO).

    Virtualized pfSense
    Pros:
    - Cheap (as in free, since you already have the hardware)
    - Low power (you're already running the server)
    - Easy to snapshot
    - Scalable (just give it more resources if required)
    - Flexible (easy to move to new hardware, but pfSense generally is anyway with the backup/restore feature)

    Cons:
    - Chicken and egg when updating the hypervisor
     
    #13
  14. K D

    K D Well-Known Member

    Joined:
    Dec 24, 2016
    Messages:
    1,412
    Likes Received:
    301
    +1 for a dedicated device. Keep home and lab separate. That way your tinkering will not interfere with anything else.

    Also, if I am reading it right, it looks like you need pfSense only to establish an IPsec tunnel to your colo and are not bound to using it as your edge device. Can't you have a dedicated edge device and have your IPsec software run on your new local server? The Ubiquiti ER-X is small, low-power and has a decent CLI (not that I know how to use it, but I've always been able to find the required scripts in their forum).
     
    #14