use case evaluation for pfSense on Proxmox setup

vl1969

Hello everyone,
as the subj. says I am trying to get opinions and maybe some help setting up a router replacement box.

I have a Lenovo ThinkCentre M58p Desktop - Intel Core 2 Duo E8400 3GHz
which I got specifically to build a router/firewall for my home.
have 3 1Gb NIC ports. one built-in and 2 on PCI-e card
all ports are Intel.
6GB RAM
currently it has a 250GB HDD in it with a Sophos install. never used.
depending on what my decision will be I might replace the HDD with SSD.
biggest issue with this machine is that it only has 2 SATA ports. so I can either have 2 SSD/HDD or 1 drive and DVD. for the most part I do not need DVD so I can put 2 drives in and use raid-1 for system setup.


I have 2 options in front of me.
option #1 : setup pfSense right on the hardware. and this is simplest as it can be

option #2 : load Proxmox on the box and run firewall/router in VM.

cons, pros please voice your opinion.

if decided to go with option #2 will ask more specific questions on best possible config.

thanks...
 

MiniKnight

If you're just going to run pfSense install it bare metal. If you want to run more, virtualization.
 

vl1969

I thought I have read some blog or forum that it is a good idea to run it in VM as it makes it easier to backup
and try out and switch to other distro if want.
but at this moment I am just thinking pfSense only.
it gets much more positive reviews over Sophos.

so you say, go hardware?
 

PigLover

I'd go bare metal. You don't want a router getting its NICs via Virtio - the performance penalty, while OK for most normal VMs, can be deadly for a router. You could do PCI pass through to avoid this but setting it up will overcome any perceived convenience benefit from running pfSense inside a VM.
 

fractal

I too recommend installing pfSense on the bare hardware. That way you can boot from usb stick.

Backup on pfSense is trivial. Click the button in the web ui and save the file. Restore is equally trivial. Install pfSense on new hardware, perform a basic minimal configuration to get a LAN up, then restore your old configuration. The minimal install does not even have to be in the proper ip range. I have done it several times and it works great.
 

niekbergboer

I've been running pfSense on my three-node Proxmox setup for a while now, without trouble. Especially since pfSense 9.3, with better FreeBSD-pre10 Virtio support, latencies are good as well (they used to be a bit jittery before).

I run that pfSense VM as a single gateway (no pfSense HA), but I do use Proxmox' HA functionality. The virtual disk is on Ceph, and I've seen some nice failover events (me pulling a cable, accidentally, while working on the rack). These Proxmox HA failover events are not live, but take a few minutes. I can live with that in a home situation though.

Edit: my WAN connection is 150/40, and I can fill that pipe. Iperf shows about 2 Gbit/s max internally, so for 10Gbe it won't do.
 

vl1969

well in my case it is not about HA but simply a ?"convenience"? maybe.

I mean if I run a hypervisor on the box I can load several firewalls in VM and try them at my leisure, safely.
I can have a clone VM always ready to pickup the slack if I screw-up the main thing somehow.

it makes it easier to switch to other distro to try, knowing that in a matter of minutes I can be back on the old setup if need be.

things like that.

I don't have to use virtio driver if I don't want to. Proxmox supports Intel NIC Pro emulation just fine, at least it used to.
 

zhoulander

I had pfsense on bare metal, then moved it onto my proxmox box.

It was and is running on hardware way more powerful than it needs to be, so I now get the benefit of being able to run other services like pihole/freepbx/guacamole without adding more significant power draw.
 

vl1969

so what do you think? I have a Core Duo 2 @ 3GHz with 6GB ram
should I run bare-metal or can I put proxmox on it and run VM?

I do not plan to run anything else on it except firewall, just want to have an option of easy testing other things when needed.
as in if I want to try Sophos I can spin up a VM set it up and switch to it. if not good, move back to main distro and be done.
 

watabigeye

Hi, zhoulander

Do you have any tutorial to import pfsense to proxmox? coz every time I import pfsense in a ISO file, it won't work... Thanks
 

Patrick

Hi Patrick,

Not yet but I will try this :) Thanks a lot!

btw. It will work Pfsense to Openvz temp?
I have only done pfSense to KVM VM not OpenVZ. Proxmox VE is moving to LXC for containers so I would not build anything on OpenVZ for Proxmox at this point.

TBH I do wish Proxmox VE went with Docker instead of LXC but that is a longer story.
 

watabigeye

Is it possible that Pfsense to OPEN VZ will work? Because all of my containers are using OPEN VZ. I hope there are tutorials on this. :)

Thanks.
 

Kybber

Proxmox replaced openvz with lxc in 4.0, so that would be the obvious choice.