Should You Virtualize Your pfsense Firewall?

Подписаться 333 тыс.

Просмотров 56 тыс.

50% 1

lawrence.video/pfsense
How To Use pfsense Plus ZFS Boot Environments
• How To Use pfsense Plu...
Level1 THE FORBIDDEN ROUTER
• Level1 Presents: THE F...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag/
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect you privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
⏱️ Time Stamps ⏱️
00:00 Virtual VS Physical pfsense
00:33 Hypervisor pfsense Complexities
01:19 Inexpensive X86 Systems
01:44 pfsense is easy to backup, reload, restore
02:00 Boot Environments
02:25 Hypervisor Updates & Security Concerns
03:55 Reasons To Run pfsense Virtual
04:33 Network Card Pass Through
#pfsense #firewall #virtualization

Наука

Опубликовано:

23 июл 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 327

@MikeG4936 Год назад

My homelab is running a virtualized firewall with NICs passed through to the VM. Has worked flawlessly for years and brings many benefits for home users!

@oldschool1079 Год назад

But we aint gonna deploy your homelab to customers 😂

@MikeG4936 Год назад

@@oldschool1079 certainly not! 😂

@theangelofspace155 Год назад

@@oldschool1079 i work with gov contractors and they do use virtualized routers in some dov department, I dont work wirh the network infrastructure in those agencies but I have seen it, so they are out there. Also rhe video clearly says "It is very complex to t/s for most" so he is not refering to coporate deplotment and more to homelap and home user which dont have thr IT background to foes thise T/S 🤷🏻

@sfsfsdfsdification Год назад

Same here.... but a little pain in the butt to fix if its broken....

@nicholasfranks2616 Год назад

Same for me , been running great. But must admit if vm goes down...more of a pain .

@truckerallikatuk Год назад

When I virtualised pfSense, I made sure Proxmox wasn't using the WAN port. I let pfsense handle the WAN port entirely.

@roymorrison1075 Год назад

I have tried all ways, virtualised pass through is certainly the better way to go if you have to virtualise. But I have found the most reliable is bare metal. Agree with Tom, if you’re running a bunch of virtualise systems, if the platform goes down, then you also lose your gateway to help. Other food for thought, if all you system sits on the same hardware virtualised, and someone is trying to hack there way through your firewall, then they are already on the same tin holding all of your other devices. I firmly believe that your first line of defence should be stand alone. Always apricate your videos and time Tom.

@jenniferw8963 11 месяцев назад

I want to run it in a high availability proxmox cluster. I already use the cluster for so many other apps, would be nice if the firewall can just be in the cluster as well. Have each machine wired to the WAN but only the active node currently runnign the pfsense VM will connect to the ISP Modem for passthrough.

@dycedargselderbrother5353 Год назад

I handle the "everything's down" scenario by keeping a cheap WiFi router handy. It doesn't do everything pfSense does but it'll allow me to get online and easily connect with standard devices. I think many "homelab" people don't actually have proper labs, rooms that look like server closets. They'll have a set number of devices limited by available space, heat output, power draw, etc. that they want to maximize, which is where virtualization comes in. For a lot of people, it's a bit of a waste blowing anything past around the Nehalem or Sandy Bridge era on just a router. In fact, this was where the whole virtualization vs. bare metal debate began in the first place. Back when virtualization was new, it was the same set of arguments regardless of what you're running: bare metal installs are easier to deal with but virtualization gets you more density and efficiency from a space/power/heat/unit cost perspective. Bare metal failures affect one install while virtual server fails take a chunk of functionality down. Pick your poison and plan appropriately.

@hottroddinn Год назад

Lot of us here are home labbers and after moving from a virtualized instance to a baremetal one, I can say I'm very glad I moved. We play around a lot with the settings and new tech all the time and sometimes, we end up kicking ourselves out of the network or the Internet goes down for the whole house and that's not a pleasant feeling for the family. I'll continue to run on baremetal well into the future.

@abidsaleem6149 11 месяцев назад

Thank you Lawrance, you are doing great work. We are running Pfsense with CARP as Master Backup in Proxmox cluster. Master and backup pfsense VMs are on separate bare metal proxmox servers.

@danielkirk8571 Год назад

My home lab is running a virtualised firewall with NICs passed through to the VM using ESXI. I have 2 WANs at home. Worked great for years. I now have one of those low power Chinese firewall boxes. It doesn't feel as snappy as the VM but does have some benefits. For me, the learning opportunity (learning ESXI, networking and PFSense) is valuable. I have deployed PFSense on hardware in the office. That hardware is now well over 10 years old and not been powered off at all for about 5 years. Still works great.

@danielkirk8571 Год назад

What was even more complex is that my Truenas instance was virtualised also passing though the HBA card to control my storage. The storage for the PFSense VM as reliant on the Truenas VM being up. Was great for years. It is possible and i wanted to try it for the learning opportunity. I have since scrapped Truenas and gone to XP..Synology.

@JustinShaedo Год назад

PFS virtual hub and PFS hardware spokes (+ HA proxy external interface) Load balancing & redundancy @ hub, cheaper on-site spokes. Was able to do this effectively largely from watching these videos, so respect for that!

@jason-budney7624 Год назад

I started out running pfsense virtually. It was a great learning experience, and it ran well. My issue was when changing setting I'd get instability with it causing some strange network behavior for a while. Now running bare metal no issues at all.

@crazybrainos Год назад

I started looking into pfSense a few years ago after a colleague told me about it. I did a search and stumbled on this channel and have been using it ever since. I originally bought a pfSense appliance but later migrated to a purpose build small computer that solely hosts pfSense. I've thought about running a hypervisor on there, but as Tom pointed out, there are many downsides to it (those and others that werent mentioned are ones are why I didn't do it). The power cost savings wasn't enough to justify the risks. I have all of the needed equipment to run my home network connected to a pfSense and am able to get 4+ hours of availability in the event of a power outage. At least in my opinion, physical hardware is the way to go.

@jasonwarnes Год назад

I run two virtualized pfSense firewalls on separate hypervisors. I wanted to play around with high-availability and it also helps to address Lawrence's thoughts around updating either pfSense or the hypervisor itself. The pfSense high-availability fails over firewall to the available pfSense node and network access is uninterrupted. Works pretty slick. I've also been using VLAN's on pfSense with my hypervisors and I personally haven't had any problems with them. I do agree that a hypervisor adds complexity, but I was whiling to accept that for the sake of convergence. Thanks Lawrence for the video. Great topic!

@DigiDoc101 Год назад

How would setup up 2 WAN addresses? I am only able to get 1 WAN from my ISP. I don't to want to run another upstream router to hand over WAN IPs as I may end up with double NAT.

@matrixnew00 Год назад

I’m curious myself as you would need 3 ISP WAN IPs which would be very hard to get: 1-CARP (Floater IP or VIP), 2-Primary node, and 3-Secondary node. You must have an L3 device upstream of pfSense issuing RFC1918 private IPs introducing double NAT as mentioned by Digital Doctor. When the primary node fails over to the secondary node (a gratuitous ARP will incur so a slight pause will happen), devices behind the firewall use the Floater WAN IP as their default GW and continue to get internet access using the secondary node just like HSRP/VRRP.

@jasonwarnes Год назад

@@DigiDoc101 @NinjaKat is totally right. My setup is for my home, so here’s a bit of a peak into my architecture - I have a GPON service to my house which is also used for television services. This requires me to use the ISP’s modem/router/firewall (at least for now) because the television services are multicast streams. This is the upstream L3 device NinjaKat mentions. You’re correct in that you’d need 3 WAN IP addresses for pfSense’s CARP high-availability feature: 1 floating IP and another IP for each pfSense node. For me that’s 3 IP’s since I have two pfSense nodes. Because I need to use my ISP’s GPON modem/router/firewall, my pfSense VM’s are behind it. So, my pfSense WAN interfaces are technically on the LAN interface of my ISP’s GPON modem/router/firewall using unroutable IP space. Consequently, there are plenty of IP’s for me to use for pfSense. I have my ISP’s GPON modem/router/firewall configured in “DMZ” mode which essentially points all external ports to a single “internal” IP, which is the floating WAN IP configured with CARP. When I fail-over any of my pfSense nodes for maintenance, the ISP GPON modem/router/firewall continues to forward traffic to the new “active” pfSense node because it’s updated it’s own forwarding table as a result of the gratuitous ARP from the new active node.

@jasonwarnes Год назад

@@matrixnew00 Not sure if my reply tagged you properly. So I thought I'd send another note that you're totally right in your guess. Bravo! :)

@jerryjohansson9236 Год назад

@@DigiDoc101 I´m using 2 hosts (esxi) with pfsense. I installed a switch between my isp modem and my hosts. Then I can migrate pfsense between the 2 hosts without interruption. Not best practice maybee but it works :)

@davidsavino1 Год назад

I was literally just searching for this topic this morning. Thank you

@Bertman29 Год назад

Been running Proxmox with pfSense 2.6 and TrueNAS Scale virtualized. Basically started playing around with those after watching some of your videos. I'm going to try running TrueNAS Scale on bare-metal and running a pfSense VM on that. Haven't had any issues with the current Proxmox setup but figure it would be best to not virtualize TrueNAS. Thanks for the great content you post on here.

@sfsfsdfsdification Год назад

Same here for 2 years.... with passthrough pci nic

@ShiggitayMediaProductions 7 месяцев назад

I would suggest and recommend against virt-ing OPN/pfSense under TrueNAS Scale's KVM... I tried it and it was unstable as hell. I'm tempted to run Proxmox as my hypervisor and then run VMs with hardware passthru (HDDs and at least one NIC for OPNsense). I'm sure you can make it work, but it was a disaster for me.

@kesawi Год назад

Have run pfSense in both bare metal and virtualised for our home network. Agree with the pros and cons raised in the video. Biggest disadvantage with virtualisation for me was having to lose internet to perform updates on the hypervisor or when working on the hardware (not being able to Google a problem easily as raised in the video). Now run pfSense on bare metal and despite having the extra PC, power consumption, and heat in my rack I wouldn't go back to a virtualised setup for pfSense in my environment.

@jenniferw8963 10 месяцев назад

I'm running pfsense in a proxmox cluster. I can migrate pfsense over from one node to another without any downtime. Also if the current node pfsense is running on fails, the cluster will spin up pfsense automatically on another node, using a zfs replicated image. (I regularly zfs replicate high availability vm's) I haven't updated a hypervisor yet. Hopefully I can migrate all the apps to the last node, upgrade the first two nodes, then migrate them back, and then finally update the 3rd node. Using 3 x m920q's with dual SFP+ nics.. about $250 each used including the nics. (i5-8500T, 512GB WD SN730 NVME, 1 x 16gb ram)

@tajjej3649 Год назад

Less than a minute in and you answered a question I have had. I will keep saving money and buy hardware meant for pfSense. The last thing I want is to spends hours/days tweaking, just to START using pfSense and replacing my current setup. I don't need the hassles of learning, say Proxmox. Then once it's as functional as I can get it, start learning pfSense and get it up and functioning. Then shutdown my router, convert it to an access point (for the WiFi) and connect it to pfSense/Proxmox and HOPE that all I've done up to here let's me finish the switch-over in just another hour or so. My luck on MY personal equipment is almost never that good. And I spent decades as a field tech for computers. Computers, networks and customers are fun. MY equipment always hates on me!

@Digitus250 Год назад

I bought a used sophos appliance, low cost, low energy use, good quality components, 19", so fits in the rack and stable as a rock. Also nice to directly plug my SPF fiber connection in. Bare metal for regular use, virtual for lab setups.

@tw3145wallenstein Год назад

While I love virtualization Pfsense and TruNAS will always get their own box to run on. I don't need the extra complexity on those work loads

@idahofur Год назад

i did that years ago with Virtual box and some nics. Mostly to test stuff. Not a full production machine. But it worked great for messing around with the higher end features.

@noranoxica Год назад

Doing home IT for the sculptor I work with. Ran pfSense virtually for my own subnet in a proxmox vm on a Dell r620 before ditching that when summer came (Gulf Coast). Recently bought the main house a r210ii to experiment with visualizing pfsense as well as running a nas. All this became to much of a hassle and I ended up just installing pfSense bare-metal. Everything runs fine now and my r620 can be used for more interesting things like Scale and other self hosted work.

@acuteaura Год назад

I have very limited network cabinet space, and throwing a switch in there made is extra painful, so I just make a large bridge on the host OS to span all but one interface, direct attached the WAN port and attach another interface to the bridge as LAN port. Works wonderfully and all settings are by now available in Cockpit if you use Fedora. All I needed a terminal for was setting up IGMP on the bridge in NetworkManager. It also helps we have a very overzealous Firewall in the (residental) building and connecting with the wrong (Fritz!Box) MAC kicks you out for several hours. Direct attach in KVM lets me force that right into the VM.

@Blasserman Год назад

I had my home lab installation running on a windows server with Hyper-V, and with dedicated network cards. It worked amazing well, even though the server is running on pretty old hardware. The biggest drawback was having to deal with Windows updates every month and having my home internet down while the computer was rebooting. It did sell me on pfSense however, I'm a huge fan now.

@danknemez Год назад

Very nice video outlining the pros and cons of each solution! I feel like this is generally one of those "holy war" starter topics one shouldn't ever mention on the internet, but you laid it out quite objectively I believe. Obviously dedicated router box is the "proper" and definitely hassle-free way to go, but there is a certain homelab charm to having a "do it all" machine. I'm mostly virtualizing it for the power savings as even those tiny 10-20w aliexpress router boxes are 50-100€/year in electricity I don't have to pay this way. As I'm passing-through 2 dedicated NICs (WAN/LAN, using VLANs to split it up further) I haven't run into any issues in that regard, mainly just the obvious one - hypervisor or hardware maintenance/issues = no internet - but that isn't annoying enough to make me switch to a dedicated router... yet

@Monarchias Год назад

My main pfsense is virtualized, but already testing another instance on a spare hardware i put together. So far so .. impressive. In my case the future (testing in present time) is dedicated machine for pfsense. It's really, just works as i start to see. My Virtual pfsense is really the way it's been mentioned. If I have to restart the hypervisor, then I have to shut down everything. Always hurts a little bit. With other virtualised pfsense instances I have no problem running them virtualised, because those are not running always, but only when playing with them. If anyone is keeping it virtualised, be kind to yourself and have another dedicated, separate eth interface for your hypervisor management and leave the other interface(s) to pfsense.

@Phelper99 Год назад

esxi hosts my windows server, pfsense, and home assistant. Haven't had any problems. I'm not a professional, I just started a home lab and this is what I grew into, learned everything on this setup.

@HtopSkills Год назад

It's great when you use pfSense the right way on virtualization. When I'm outside, I personally enjoy using it on my laptop along with a spare cell phone to pickup WIFI signal; And everything is already set up on it including my VPN.

@SimonBoonstra 6 месяцев назад

Thanks for the video. I'm running pfsense as VM on Proxmox. Reason for this is. It's only in my own homelab. I live in a small 1 chamber flat. Therefore space is very limited and so I'm glad. Especially as I have already plugged in many devices into a single wall plug already. Therefore, I don't want to add another device so that the only available wall plug in this part of my room doesn't overload.

@vk5ztv Год назад

There is a valid use case for virtualising pfSense to create a DMZ for certain VM's within a fully virtualised server environment. It plays very nicely inside VMware using VSwitch across the VXRails cluster.

@arubial1229 Год назад

I’ve used both for years. My preference is bare metal, but there are many situations where virtualizing it makes sense.

@kodemasterx Год назад

Wow, you thought of making this video while I'm having issues with my pfSense VM in Proxmox, I was thinking of using an old laptop I have instead by adding a USB to Ethernet adapter.

@talbech Год назад

I like the flexibility of having several of our firewalls virtualized. We do however run everything behind a Juniper HA edge router/firewall configuration.

@javiej Год назад

You can virtualize it in your home server but you really need to have a plan B ready to use on bare metal. Home labs are all about experimentation, and once all your internet (and your family) depends on that particular VM you will be anxious everytime you want to do risky experinents, reboots, passtroughhs, etc. Having an alternative ready to power on (even if slower or energy intensive, as it is only for temporal use) can solve this issue, otherwise I would not do it

@kesawi Год назад

I have pfSense as physical for that reason, but a virtualised instance ready to go as my back up.

@crazybrainos Год назад

Whenever my wife says 'daddy broke the internet,' my daughter calls me 'Ralf.'

@mikescott4008 Год назад

I have it running really nicely (23.01 Plus) on an old Sophos XG230 Rev2 unit including the LCD screen working. I like Sophos XG, but I keep exploring pfsense more again. I need to look at endpoint coverage more for protection.

@reidprichard Год назад

As a total networking noob, I started out running pfSense in Proxmox. What an absolute nightmare - would not recommend for a novice. Any time my network config got messed up, I would lose access to the pfSense web GUI (obviously). However, I couldn't just plug in a keyboard and monitor to revert my changes, as I only could access the Proxmox console, not the pfSense one. This meant hooking up another router to get a working network to get into Proxmox to get into pfSense to rollback changes. Oof.

@210Artemka Год назад

I used to connect to a Proxmox machine with a laptop over an Ethernet cable directly in such cases. Had some troubles figuring out the IP, but it worked. Moved pfSense to bare metal after my network went down and my laptop died at the same time (probably earlier, I just haven't used it for a while). That was hell of a night...

@tsueri Год назад

My use case for a virtualized pfsense is running it both on prem. bare metal and in the cloud. This makes it very easy to manage.

@dbmandrake Год назад

My first experience of PFSense was setting it up as a temporary/test router/firewall between two VLAN's running within in a (Gen 2 I think) Hyper-V virtual machine, on fairly high spec hardware that was built as a dedicated Hyper-V host and had previously hosted other servers. Unfortunately for reasons I could not work out, network performance was quite poor - for example doing a test restore of a Barracuda backup where PFsense was doing nothing more than acting as an inter-VLAN firewall/router with a few rudimentary rules was struggling to achieve even 200Mbps throughput on Gigabit interfaces. I then installed it directly on a several year old decomissioned 1U 4 core Xeon server, with hardware specs only a fraction of the Hyper-V host and was able to get solid Gigabit performance with the Barracuda test restores with relatively low CPU usage. If I had to guess I would say there is a performance issue with the Hyper-V Gen 2 virtual network adaptor drivers in PFSense, as Windows and Linux server VM's on the same host easily achieved full Gigabit throughput. I did not try a Gen 1 VM (which would use a completely different network driver in PFSense) nor did I try another virtualisation system, once I installed it on physical hardware I decided to stick with that as I had spare hardware available for it. So my thoughts are running PFSense virtualised is great for learning, testing, (apart from performance testing) and quickly trying out complex configurations, but if you want performance, install directly on bare metal hardware.

@FabianNorman Год назад

I'm just a hobbiest and when I got really into this hobby, I only had one box for my lab so I virtualized pfsense on it with everything else. But that was a pain maintenance wise for the reasons mentioned. Then I built a separate box for pfsense and ran it dedicated. But in the last year, I have installed proxmox on that box and virtualized pfsense again! Only this time, the only things I run on that box are network-focused applications and nothing else. I did that because I wanted something easier to setup and configure than pfblocker and decided on adguard but I didn't want to run it on my main VM host because then I'd be back at square one, when I did maintenance DNS would go down which is effectively the internet. The box was over-powered for just pfsense so it wasn't any problem CPU resources wise, just added some RAM. But now I've also got it so that if I need to bring the networking host down for extended time I can migrate pfsense to my other host and be just fine. This is the way to do it IMO, you end up getting the best of both worlds.

@Foiliagegaming Год назад

I have been having some issue with the logs filling up and not finding a good solution for it. I thought I configured it correctly. I am hoping that I can get it figured out because it has been affecting the network. With this in mind, I think it would be nice to have it in a virtualized environment to be able to just be able to load a snapshot back up if there is an issue. I am new to networking so I have a ton to learn.

@throttlebottle5906 Год назад

I agree on it being a complex pain, I've been using virtualized pfsense for years and also migrated everything to one machine(all eggs in one basket) boy it does suck when it needs serviced or breaks, as it takes down everything. nothing is critical though, so mainly an annoyance. what I do is keep pfsense with similar settings on an old machine ready to run, updated, ports labeled, then physically move the cables over and power it on. that's enough to get internet back and functioning for the time. but now the machine is a dinosaur and I'm thinking about moving the routing back to a machine.

@jh491 Год назад

i was running bare metal but recently picked up a lenovo m720q i5 and riser card. i threw in my connectx-3 and use that virtualized for pfsense while proxmox and pi-hole use the onboard nic. pfsense is doing all the VLANs and everything is working well atm. did have a weird issue where i couldn't log into my hupervisor through a regular firefox window but it would come up in a incognito window. somehow that fixed itself and it's been working fine.

@zertali3291 Год назад

I feel that going with virtual vs. physical depends on your specific use case. In my case, I have been running a fully virtualized production environment that includes pfSense for 2+ years. Multiple ESXi hosts on HPE ProLiant HW, 10G DAC uplinks (trunks) to core switching, and VLANs implemented of course... No complaints about this configuration; it’s been rock solid. Note: Not a 24x7 business, so I have a bit of flexibility to perform any needed maintenance outside of core business hours, and this solution fit within the budget allocated for infrastructure upgrades, if you get what I mean... Previously, at other companies where HA is a major consideration and the budget is less limiting, I have always gone for Cisco ASA HW in an HA config. I guess my point is that one solution does not fit all situations (and budgets),.. 😉

@paulvancyber1979 Год назад

very well explain your case. totally agree with you

@dheijnemans Год назад

"Well, it depends" is the only real answer to this question 😊

@cybersecuritydeclassified4793 Год назад

Bingo

@magnuslindgren9460 Год назад

Low power bare metal is the way I use pfsense today. Allows med to turn off most stuff when not in use but still have a working network.

@dorvinion Год назад

For about a year I ran PFSense as ROAS on an old laptop. Not ideal since I have fiber (1G/1G) but in the grand scheme of things I never noticed any problems with this since its hard to saturate 1G. I wanted the laptop back so I moved to virtual on proxmox with passthrough of a 4 port nic. If I just left it alone and did monthly patching this would be fine and I'd still run it today. Got more annoying the more I played around with other workloads on proxmox. Did this for about a year as well. Recently I moved pfsense to a 5070 thin client. Only downside here is no PCIE slot(5070 extends are very pricey) so using an adapter to convert the M.2-A+E slot to a PCIE and now just have the NIC laying exposed on the case of the 5070 with the adapter ribbon cable floating around. Ugly but it works If I had a 3d printer I'd print a more secure mount/cover for it, but since it hides out in a closet I don't really care how it looks, and its tucked away from people touching/moving it.

@johnvanwinkle4351 5 месяцев назад

I have always used bare metal hardware to run PFSense. Since I am downsizing to move in the near future, I am getting ready to virtualize it and see how it works.

@ClickNextDemos Год назад

My firewall of choice is Untangle and I used to run in a VM and it worked great. But if I ever wanted to do anything with the host, reboot, upgrade etc it meant losing internet access. I've since purchased a small fanless pc with dual NIC and now run untangle natively on that and I think I prefer it. It means I can reboot the host server any time without losing internet access.

@captainwasabi Год назад

yeah, I ended up with that chicken and egg problem when I had pfsense virtualized. I was down for more than a day. Now, I have my main pfsense for the house on hardware with a 4 port intel nic and I have set up a virtual pfsense to run lab vms behind to isolate them. I doubt I'll do that again, easier to just wire up a second interface from the hardware pfsense box to a second nic on my big server and then set up a second bridge with that port to run the lab VMs.

@TheMongolPrime Год назад

I've run both mare metal and virtualized pfsense. I'm currently in the process of migrating OFF proxmox and back to baremetal after having the exact issue you outlined. The only "problem" I faced with virtualizing was that my 10G SFP+ card can't be seen as 10G for some reason. Annoying, but minor overall because of my workload. However the main issue is whenever Proxmox has an issue, the entire LAN has an issue. Lately I've had a VM hanging during backups, causing all VM's to hang. That's a problem when 4 people work from home, and you have to reboot a dell poweredge 620 at 6am before work starts. Not ideal.

@jenniferw8963 10 месяцев назад

I just bought 3 x IBM Mellanox ConnectX-3 for $25 each from ebay. Installed in three m920q's for proxmox cluster. Running everythign virtualized with no pass through. Getting 10gbe transfer speeds between two vm's (each on a separate node), using iperf3.

@jaredluker947 Год назад

I've been running pfSense on the same ESXi and Lenovo server for about 8 years. When the 32 bit branch EOL'ed, I was stuck on there (in my mind,) until a friend firewall shamed me for not being up to date. When I took the time to think about it, it wasn't that difficult. I spun up a new VM, configured networking, installed pfsense, configured the LAN port to be on the same vlan as everything else, logged into the UI, restored the backup, shut down the old vm, rebooted the cable modem, and BAM. Up and running on the latest x64 build. The rebuild took maybe an hour and cut over maybe 20 minutes. Unrelated, I didn't know that pfSense+ was free for home until I watched this, so I got that now as well.

@SteveMasonCanada Год назад

I initially ran PFSense virtually, just to try it. Liked it a lot, but because I was often doing maintenance etc. on my hypervisor, I moved it to a Qotom mini pc. It lived there nicely for a long time. Then I got a stupid good deal on an Edgerouter 8, so ran that for a while. Gave the Qotom to my Mom when she downsized her living space. Then the Edgerouter died after a power failure, back to PFSense in a VM. Mom can no longer use a computer so will be moving back to the Qotom. I have no issues running it in a VM. Normal patches etc. can be scheduled to reboot in the middle of the night, but there are often other things I want to do that would result in no Internet, so better a hardware device.

@awstott Год назад

Ran virtualized at home for a number of years, but got mad when my hypervisor cratered and I had no interewebs to troubleshoot until I stood up a physicals box. Now it's running on an old Dell Optiplex 7010 or something like that. I've been tempted to get a netgate appliance just so I can run something a little less power hungry but it's $$$$ to get them up here in Canada.

@JPEaglesandKatz Год назад

Ran virtualized pfsense for a while in proxmox... Then I got a 240 euro minipc out of China and it has been running great ever since... 4x 2.5gb LAN ports as well... If that cost is no issue for people.. go that route always.. it will save you many headaches like Tom described in the video...

@XSTAYUPX 10 месяцев назад

This is a perfect video

@Rickety3263 Год назад

Bare metal with a custom backup solution: I run pfSense baremetal, and I virtualize a container on proxmox to ssh into pfsense every hour to grab an encrypted copy of the configuration and write it to shared storage.

@bradclapp4022 Год назад

Mine is virtualize inside of proxmox on a i5 Lenovo M720q with a quad nic. The main purpose of the M720q is to be my Pfsense router. It also then runs PiHole, Nut, and a TP Link omada controller.

@connclissmann6514 Год назад

Running hardware and no wish to risk otherwise. The HP Intel i5 SFF box with modest SSD, four-port Intel NIC and 4GB RAM (running headless, no keyboard or monitor) uses circa 15W so energy is similar to a dedicated router. If you don't have one around, they can be typically bought for under $100 and the SSD for under $20. The used 4-port Intel NIC cost me $35 but took a few days to arrive. I had the HP, so the out of pocket cost was less than $60 and 15W per hour to run.

@danielmitchell5615 Год назад

I am using a vm with the NICs passed through. I'll eventually go bare metal but beyond a few hiccups in the first few months my setup is really stable for about 3 years. knock on wood... lol I'm just keeping an eye out for a good deal on hardware since it isn't urgent at the moment.

@210Artemka Год назад

I have started with running pfSense virtualized in Proxmox on an old Lenovo workstation. Had no problem configuring it (I am not utilizing VLANs yet). The installation process is easier that way in my opinion. I initially done it because the hardware was quite an overkill for only a router to run and most people on the internet suggest to virtualized it... But I had to reinstall it bare metal. This particular Lenovo machine have some troubles starting after a reboot. And if I turn it off with a button on the case or the electricity goes out the OS gets nuked. As I control the hypervisor over the network, once its down, my whole network is down. It made maintenance very tricky (the machine itself is in the rack and I don't have any other PC rather than a desktop, so I have to bring monitor to the rack every time). I don't have a UPS yet, so if the power goes out even for a moment and I am not at home all my infrastructure is down. I am still having same issues when it runs bare metal. The OS still gets corrupted when hardware turned off (I believe it's Lenovo's issue, I was unable to install it at all until I have noticed the "Lenovo fix" partition option in the installation wizard). But it is easier to bring back up at least...

@210Artemka Год назад

And yeah, I had one Ethernet port (on the mb) dedicated to the Proxmox and 2 other ports (Intel NIC) dedicated to pfSense as WAN and LAN ports when I virtualized it.

@MrMcp76 Год назад

The production firewall is baremetal, and I run additional virtualized firewalls for testing and projects.

@LL-ck4ei Год назад

Great vid

@ShaneL295 Год назад

Biggest "issue" I had with virtualizing pfsense was the boot times. Maybe it was just my hardware, but XCP-ng always seemed to take a long time to come up.

@jmlc11 Год назад

The way i have it setup is an old x86 machine running proxmox with a pfsense VM and other VMs. The integrated NIC is for proxmox management only and is not passed to any VMs and i have 2 extra NICs (One for WAN and one for LAN) both passed through to the pfsense VM and a virtual NIC (from the LAN one) to other VMs. Have not had any issues for years on a homelab.

@Crystawth Год назад

I was running a VM on proxmox of my pfsense, followed by switching to opnsense. I ended up getting a miniPC with dual NIC, N95 CPU, and 8GB RAM for ~160 and running bare metal with it. I wanted to have it just run and not be affected by the hypervisor updates, and I also wanted the RAM to use for other things as the system running it was very RAM limited.

@kevinhilton8683 Год назад

Tom do you have a video on NIC passthrough for xcp-ng? Been running pfsense virtualized at home for years however I'd agree with your overall sentiment of probably best to have actual hardware. I was very cost constrained at first as well as space constrained so it was the best choice at the time.

@thegreyfuzz Год назад

Homelab has virtual and physical instances, typically I leave the virtual instances up as one also does a a fair bit of VLAN routing and the hypervisors have multiple 10G NICs vs 1G on the bare metal device. For my DEV lab at the office I keep everything virtual.

@caseyknolla8419 11 месяцев назад

I have been running virtual with passthrough for several years, but I was nodding my head through your list of concerns. I'd like to migrate it to dedicated hardware so that I'm not delaying updates or risking losing internet due to an unrelated dependency.

@rdwatson Год назад

Physical all the way. My primary path to the internet should not be part of any lab environment or accidentally caught up in any experimentation or testing. That is a security and availability risk. Virtualizing a single router provides little value when boot environments and restore files are available in case of an issue.

@jc5604 11 месяцев назад

It's all physical no matter how you look at it. The entire cloud is virtualized production systems running critical workloads for 1000's of businesses on physical machines. Using your logic, that should not exist because virtual = experimental? Claiming in any way that virtualization is riskier than bare metal represents a fundamental misunderstanding of modern computing architectures. If your hyper visor is taking action on a vm without your explicit command, there are much bigger issues with your architecture and having a virtual lab is the least of your worries.

@kienanvella Год назад

Currently doing pure hypervisor, but in a couple weeks I'll be moving to hypervisor with passthrough, doing an HA pair of VMs, running on different hosts.

@NightHawkATL Год назад

If the firewalling is done right or if the physical NIC is passed directly to the VM then a VM would be good as I plan to see if I can do that as well. But I have run a physical pfSense device for almost 2 years and have been with pfSense since 2014 or so and really started with physical hardware. I plan for my next setup to be hypervised and have pfSense and Pihole be on the same hardware and any other "edge" service that I may need. In most cases though, anyone starting out in a HomeLab should run it as a physical device until they can understand networking and how things are routed and how they act before moving forward to hypervised.

@ZoeyR86 Год назад

I run pfsense in esxi runs great, but I'm using a hardware pass on Mellanox ConnectX-5 Dual Port 25gbps card 1 port feeds to a managed switch on my home network. The other takes fiber directly from isp. The server is diy built using an asrock creator board and a TR 5995wx and 512GB's of ddr4 ecc. I have small thin clients I use for my home gaming Lan party 🥳 the server has 2 RTX A6000 Quatro cards. And makes for a mini home cloud gaming setup.

@dewdude Год назад

I've had good luck virtualizing pfSense on my Xen machine. The hypervisor is very stable. I don't do much with vlans, but I can do that on a dedicated interface and my managed switch if I choose. I also pass my WAN interface right in to Xen, but keep the LAN on the virtual ports. Still have all the issues with Intel NICs and hardware offloading.

@dukenuk9509 Год назад

As very much home enthusiast (not even close to run home lab) I love to run all I need in vm/container. I have one machine running all, no need for extra space, no extra electricity cost and it looks nice in case I've picked.

@210Artemka Год назад

I am on the different side of this spectrum. I like playing with hardware so I dedicated a separate machine for pfSense and put it in a big ugly rack alongside with main server, switch, power destruction unit, patch panel and left some space for more servers and UPSes 😂

@snives7166 Год назад

For me, going virtualized was just as much about ensuring performance and uptime as anything. With everything on one box, I stop what would have been nearly half my traffic from ever leaving the same hardware. One virtual switch in proxmox vs having extra layers of physical hardware that each introduce a new potential issue. Result is PFSense has one virtual connection and then two NICs passed directly. Only downside I've found is the lack of PCIe lanes/ports available on decently priced hardware limits how much you can get a single motherboard to support. Gotta choose between more nvme, HBA, or GPU.

@Mr.Leeroy Год назад

And virtual switch has more throughput to VMs compared to common hardware. P.S. More PCIe lanes could actually be cheaper (e.g. LGA2011), but if we take idle power consumption into account it definitely is a challenge. I managed to get 37 lanes across 5 slots with Supermicro 1151 before playing with bifurcation, risers (and possibly Thunderbolt).

@geepeezee5030 Год назад

@@Mr.Leeroy I think it all depends on the use case. How much bandwidth is really needed between vm's..... That depends what those vm's are doing. If moving lots of data from one vm to the nas vm, sure virtio would be faster. But there's a cost, higher resource overhead due to vnics. In testing *sense on proxmox with wan in passthrough, lan as virtio, I see very high *sense vm cpu util when running line speed (gigabit ) tests. With both wan and lan in passthrough, the overhead is much much less. Again, this is at line speeds, with typical traffic there is some overhead but probably not enough to make a difference. tl;dr it's a compromise. If one wants to do virtual, going with passthrough nics is the best way to go. But 3 are actually needed; 1 - wan 2 - lan 3 - hypervisor virtio nic 3 is needed to connect vm's using virtio to the lan.

@Mr.Leeroy Год назад

@@geepeezee5030 Good point. At 2.15Gbps avg iperf (1275v6) between two virtio pfSense VMs I am seeing 25% CPU load on each VM and 70% host load, so probably ~20% for vSwitch itself.

@geepeezee5030 Год назад

@@Mr.Leeroy My tests were even simpler. PF as a vm, wan in passthrough, lan as virtio. Running a ookla speedtest (or iperf to public servers) that saturated gigabit fiber, proxmox which had 4 vcpu's assigned to pf, would spike up to 300-350% cpu usage (meaning nearly all vcpu's at 100%). With lan in passthrough, that would be around 100% (or 25% on the vm). Big difference.

@KebraderaPumper Год назад

i think the best scenario is a cluster with HA (because now you have a HA firewall too ) but i never run it and never see this type of implementation on production, other good thing to run on hypervisor you can easy scale up your firewall when you need or hypervisor hardware (up or out depends on hypervisor cluster software)

@bgrossish Год назад

Hey, something I was wondering for a while and thinking you might know/want to a video on is how to do off site backup of unifi protect video where there is a protect video onsite and an additional copy on a NAS off site.

@johnwestby7913 Год назад

I’ve been running a dual port nic with pfsense as a virtual machine on proxmox for the last 5 years and have absolutely no issues with performance or security. I’ve got gigabit fiber and have been able to verify the service throughout my network using various benchmarks while maintaining several outgoing vpns for various machines in my home network. Is this optimized?…. Probably not but I do have nightly backups running and am confident I could recover fairly quickly in the event of catastrophic failure. All in all it’s a fantastic way to deploy a home/hobby instance of pfsence. Love the experience as a VM with pci pass through.

@johnvanwinkle4351 10 месяцев назад

I believe running PFSense on bare metal hardware is the way to go. I do have a Dell R720 server that I could run it virtually, but its that "everything in the same box" idea that I am not comfortable with for my network. I agree, a homelab to run it virtually is a great idea while the main network stays up.

@1edgararias Год назад

At home, bare metal, but for work, they run it on ESXi. The trickiest part is that the hyper visor uses the pfsense VM as a gateway so troubleshooting pfsense while being unable to remote into the box has always been a PITA, but we manage. Definitely lots of quirks you need to overcome, Totally doable nonetheless

@toumpanis 5 месяцев назад

I used to have in a VM in my intel nuc 10th gen i5 but as you said, proxmox had an update, I couldn't apply that update cause the internet would go down etc. So I bought a mini-pc from Aliexpress with intel N100 and 8gb ddr5 ram with 4x2.5gbps ports for like 184€ with customs, I made a clean install of pfsense there and now everything runs faster! Just one question, here in Greece the ISP give PPPoE login method which from what I read and not sure how accurate that is, is like single threaded and I got 1gbps internet connection with 2.5gbps ONT connecting the FTTH to my 1 port of that mini pc, the ISP is supposed to give like 1.1gbps internet to account for the TCP/IP Overhead, I am having some issues with reaching max speeds even from hosts that I know can serve that kind of speeds. Is there something that can be done to make the PPPoE MT instead of ST in pfSense? Also from the same source I've read that MikroTik handles PPPoE as MT and performs better but I can't stand MikroTik. I did their cert etc but it way too brutal/savage for 2024+

@auliogil Год назад

I run it virtualized in my in proxmox home lab and do nic passthru but I keep a netgate hardware as a backup ready to go. Not issues so far...

@Thracx Год назад

I'm looking into deciding right now... Leaning towards ProxMox VM with NIC passed through.

@davepusey Год назад

I went with a RouterBoard RB2011IL-RM. Silent, rack mounted, and very lower power (less than 28W).

@shambles3833 Год назад

I've been running pfsense virtualized in my home for a couple of years. I don't recommend it unless you have a cluster of hosts where you can live migrate pfsense to another host when you need to troubleshoot or do maintenance. Currently I have a 2 node proxmox cluster, not sure if I'm going to keep the second host. If I don't i'll be picking up a low power router box and not virtualize pfsense any more.

@RellyOhBoy Год назад

I have pfsense running as a VM in ESXi on an old maxed out HP Z220 SFF workstation I picked up on ebay a few years ago. Two dedicated NICS passed through to pfsense. One quad port RJ45 and one dual port SFP. Handles my 300M Spectrum circuit and a few VLANs without a hiccup. Only issue was migrating from a single dual port NIC to the two NICS I have now. The old card ran em drivers and the new cards run igb and ix drivers so the interfaces had to be re-mapped and all my VLANS got nuked. Other than that, no issues.

@ShiggitayMediaProductions 7 месяцев назад

I currently run custom built by me systems for TrueNAS Scale and OPNsense and it runs great, but I want to try and virtualize it all on my current TrueNAS Scale box's hardware (running Proxmox) to save on the amount of computers I have running in my bedroom here. I'm aware of the pros and cons that Tom mentioned here, but I still want to try it at some point. Suggestions?

@benoitcloutier6228 Год назад

I use an old Sophos SG210 rev2 , love the multiple ports. Actually looking into moving either towards Omada or Ubiquiti as this firewall is so much overkill for my home… not to mention the WAF is low because of the complexity… Anyway, I love it personally

@mikescott4008 Год назад

Have you tried XG Home on the Sophos hardware too? Works nicely.

@JeffHiggins Год назад

I run it virtualised on my ESXi cluster, the biggest reason for this is my cluster is highly available, I can loose multiple hosts and still have a router. It's worked great for many years, but there have been a few issues, biggest learning is make sure you have a way to access the hypervisors without any routing between vlans.

@Shoult55 Год назад

I run on raw hardware. As an ex-IT guy (recently retired) I've ended up with piles of old hardware. My home pfSense box is running on an old Dell Core i5 Haswell SFF box with an Intel X-540-T2 nic installed to serve up 400Mb cable internet. The medium sized company I used to work for uses the exact same hardware to serve up 1Gb symetric fiber internet. Both boxes have been in use for several years now and just keep chugging. Running one on a hypervisor just never seemed like the best idea since it runs so well on old hardware and putting it in a VM just adds complexity.

@t3keen0ob 3 месяца назад

I prefer hardware over virtual for the simple fact if the hypervisor goes down everything goes. I usually only use pfsense virtually if I’m running some labs/projects and know I will be destroying them later. Good stuff, thanks for sharing.

@gregzavertnik1204 Год назад

Mine is a dedicated VM on Proxmox with a 2 - dual port 10Gbe cards passed in with PCI passthrough. All my core systems run on that 1U server and sits on a dedicated UPS. So far, knock on wood, it has not failed me in many years. Regularly scheduled backups of VM and server to a TrueNAS server where the backup share is regularly replicated to second separate TrueNAS server. Considering looking at backing up the config files and a few datasets offsite to CloudFlare. I haven't looked yet but I bet Tom has a video on baking up offsite from TrueNAS.

@jamesking890 Год назад

Bare metal, my main bare metal's PSU took a hit, luckily I found a power saving x86 machine I threw a dual nic in. What I've learned about backups and restores... yes very easy to do... but... pFsense Plus is registered with the NIC mac address of your primary WAN. customer support was amazing on helping me figure out i had registered it twice because Installed that other NIC.

@StephenLuisi Год назад

I wouldn't go as far as to say it's my preferred method. But I guess it has to do with not having other hardware at the moment. So it boils down to financial and of course I enjoy the benefit of having it all in one machine. But I'm virtualizing PF sense on TrueNAS scale, with a 1 gig NiC pass through for wan and a 10gig nic for lan.

@redknightmajor8679 Год назад

I use hardware, but can't set boot enviroments with PFSense Plus.. May need to do a reinstall and restore.

@allhandsonberk Год назад

Honestly, the main draw behind virtualizing pf/opnsense is in a smaller environment when you've got an overprovisioned system. I don't want to waste 32/64GB of ram and several cores on the firewall. Yes, there's a lot of plugins that can add utility, but they're actually really annoying to set up compared to other systems. Containers and a Caddy install can make for a way better plugin experience. The centralized UI of pf/opn is great, but it never has full support for the software it works with, so you end up managing it directly anyway for more complex scenarios. If pfsense and opnsense had better virtualization support for running VMs and OCI containers inside, I'd do it that way. But that's all in the weeds, which makes it far simpler to virtualize the firewall instead. It doesn't need to be perfect, but it feels like the sense distributions are kind of resistant to modern networking and computing needs.

@projectspakistan Год назад

can we redirect a specific domain to specific url

@tobimai4843 Год назад

For me its mainly power saving. I run my Homeassistant also on my Router, so I can shut down my NAS when I am away. Also Snapshots are great. For WAN, I simply have the NIC passed through to the VM, works good for me.

@gh8447 Год назад

I had pfSense and two FreeNAS servers (and a bunch of other OSs) virtualised on a single ESXi host. The WAN NIC and HBAs were all passed-though and it all worked flawlessly.... _except_ when I needed to take down ESXi for some reason (updates or adding / removing hardware) and then it became a huge pain in the butt. Moved pfSense and FreeNAS (TrueNAS by that time) on bare metal and any OSs I want to virtualise I do in TrueNAS.

@Subbeh2 11 месяцев назад

Great stuff. Any chance of doing a video on setting up HA pfsense on proxmox (CARP)?

@LAWRENCESYSTEMS 11 месяцев назад

I don't use Proxmox

@Subbeh2 11 месяцев назад

@@LAWRENCESYSTEMS I should have said any hypervisor for that matter

@bfrd9k Год назад

I run a three host proxmox cluster, with virtual pfsense. My motherboards have 2x 1Gb ports, I use one for LAN and one for WAN, passthrough with hardware offloading. The hypervisors also have 1x 1Gb 4port NIC in LACP for VLAN bridges and 1x 2 port 10G NIC for ceph private network. Pretty slick, except if pfsense migrates I have to manually move cables.😅

@lesfilanto Год назад

I am running my firewall virtually. I was running opnsense but it really didn't play nicely with vlans and my zyxel AP. I reverted back to an installed Sophos XG. I never thought I would say Sophos was easier to configure. Also, it doesn't seem to use as many resources

@TheThrub Год назад

Hi, i run my pfsense on rocky linux 9 with kvm and nic passthrough, works pretty. hardware is some pcengines apu2 board.

@FranckEhret Год назад

I run OPNsense but I don't think it makes such a difference for the topic. So my own experience : I started full virtual and run it for 2 years or so in my home lab and I was very pleased (I'm a VMware admin). Then I got 1 GB/s symmetrical fiber connection and I could not max my line anymore with virtualized firewall (IPS active). I decided to migrate it to a physical server and I'm pleased with it since then. I still plan to make it virtual again when I'll replace one of my hosts with newer hardware/CPU, due mainly to power costs.