pfSense: Virtual vs physical

Right now I’ve got a “homelab” server that I re-purposed from an old gaming rig. It has pfSense running in a VM bridged to my physical LAN, and behind it is a “virtual subnet” with a few VMs and no connection to the outside aside from pfSense.

With this setup, I thought I’d experiment with pfSense as an OpenVPN endpoint. I installed the necessary packages and certificates, and then forwarded a non-standard port on my DD-WRT router to the pfSense VM. (OpenVPN on DD-WRT was a bust.) And it works. But it’s not consistent - I lose the connection sometimes (though reconnects are quick), and some open WiFi portals won’t pass the port I’ve chosen.

Which leads me to my question…would I be better off with a physical pfSense box? Cost is definitely a concern, and I want to keep down power consumption and minimize the amount of space such a device would take up. A micro PC would seem ideal, except the cost goes way up when you start adding extra NICs beyond the first.

Is a physical box a good idea? If so, any recommendations on hardware? I’m not averse to trawling eBay…

I don’t like pfsense (or IPfire in my case) in a VM.
AMD AM1 with an Intel quad gigabit card might be something for you.
Or look at the PC Engines machines, those are fine too.


Since it is a homelab, I see no reason as to not virtualize pfsense. Do it, get used to it, once you feel ready, move to dedicated hardware.


Copy-pasted from this thread

From a security standpoint, running a firewall in a VM can be dangerous, because it adds more complexity and potential security holes (such as ones that haven’t been publicly disclosed). However, at the same time, it’s so darn handy to have.

I run PFSense in a HyperV instance, and it’s amazing. I love that when I fuck something up badly, I can just revert to a previous snapshot, without needing to do a complete reinstall of the O.S.

A big part of networking is about decisions like these; choosing the right balance between security and convenience.


For a home lab, the more VMs and experimentation, the better.

For a perimeter security device, you want to minimize your attack vectors, by disabling/uninstalling any unneeded features. Virtualizing your main firewall not only adds the existing attack vectors of your hypervisor to the mix, but may also create new vulnerabilities due to the way pfSense interacts with the hypervisor. All these will be added to any already existing vulnerabilities in pfSense, itself. Security is one area to which the KISS principle should be adhered.


It’s difficult to say if it will run better on dedicated hardware as it depends on what the problem is.

I used to run pfsense as a vm and had all kinds of problems and have never had stability problems on dedicated hardware but there’s no guarantee. If you can test it before you commit to buying new hardware then I’d try that.

Not being able to connect to it on some hot spots is outside of your control, the best you can do is use a port which they’re unlikely to block. UDP 443 usually works but not always, UDP 53 is also a good option. Usually they will just be blocking UDP ports above the standard range as these are used for torrents; unless they’re really strict, they won’t block too much in the 1-1024 port range.

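As an added illustration of the port advice above (this is not a configuration posted by anyone in the thread), here is a client-side OpenVPN profile that lists several candidate endpoints so the client can fall back when a hotspot blocks one of them. OpenVPN 2.3+ accepts a port and protocol on each `remote` line and tries them in order, giving up on each after `server-poll-timeout` seconds. The hostname, certificate file names and the chosen ports are placeholders; the only real requirement is that each `remote` line matches a port the edge router actually forwards to the pfSense OpenVPN listener. The two UDP lines can both be forwarded to the same UDP server instance, but the TCP fallback needs a second pfSense OpenVPN server instance in TCP mode, because one OpenVPN instance speaks only one transport.

```conf
# client.ovpn  (added example; names and ports are assumptions)
client
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite

# Candidate endpoints, tried in this order. Captive portals usually
# leave 443 and 53 alone; the TCP line is the last resort for networks
# that drop all non-standard UDP.
remote vpn.example.net 443 udp
remote vpn.example.net 53 udp
remote vpn.example.net 443 tcp-client

# Move on to the next remote after 10 s without a server response
server-poll-timeout 10

# Only accept a server certificate that carries the server EKU,
# so a stolen client cert cannot be used to impersonate the endpoint
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-GCM
verb 3
```

If the UDP connections keep dropping while the TCP one is stable, that points at packet loss or a NAT timeout on the path rather than at the pfSense VM itself, which is a useful data point before spending money on hardware.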

Thanks for the feedback. Some great thoughts here.

I did want to clarify one point. pfSense is not acting as a firewall for my entire LAN…just the VMs behind it. When my efforts to get DD-WRT to act as an OpenVPN endpoint failed, I decided to see if I could manage it with pfSense…and it worked.

Right now DD-WRT is acting as my main firewall. Not ideal, but I’m not working with a corporate budget either.

And I may have figured out the dropping connections. I had trouble using virtio NICs on the pfSense VM so I had resorted to virtual Realtek NICs. After the latest update though, the VirtIO drivers seem to be working fine. Hopefully that’ll fix the disconnects.

If you install your physical firewall server OS on SAN storage (or similar) and your SAN supports snapshots… boom headshot

Most people running pfSense aren’t gonna be able to do that. Plus, it requires multiple pieces of equipment to do, and normally virtualization is done to reduce needed equipment.

Has anyone looked at something like a USB to Ethernet adapter for adding a nic in a microPC?

I’ve never attempted that with pfSense but I’d be surprised if it didn’t work.

I’ve got an Apple USB 2.0->100Mbps adapter. For one it’s probably too slow, for another it would probably put a heavy I/O load on the PC. USB comes with a heavy price…

They do indeed work but your mileage may vary depending on the support FreeBSD has for that particular Ethernet adapter. I have a 1Gbps RTL8150 based adapter and it works fine but can only get 750/90 Mbps on it with pfSense.

Here is a list of supported Ethernet adapters for FreeBSD if you want to do any further research on it

https://www.freebsd.org/releases/11.2R/hardware.html#ethernet


Am I the only one running compute separate from storage at home?

Seems so, at least in this thread. Actually I was originally intending this VM box to be a ZFS box, but it morphed into Proxmox on ZFS.


No, I have two ESXi boxes, 1 PFSense Box, and 2 NASs in my network.


Nope, all my vm disks are stored on a different machine and connected via iscsi, super handy if you need to switch to a different vm host machine when things break.

But I’d stick with local storage for pfsense as I’d rather have the router not depending on anything else to work, especially if it’s depending on network storage when it is a core network device.

Not to say it couldn’t work but, at least in a home environment, it’s much easier to keep the router up with local storage.

Current versions of pfsense can use zfs as the root file system, I don’t think there’s a gui option for this but it should be possible to create and revert to snapshots using zfs.

When I installed this instance of pfSense I don’t recall seeing a ZFS option, though I pretty much took the default options. Do you have a link with more info? That sounds intriguing. I’ve seen at least one pfSense upgrade crater.

It’s part of the disk options when installing as far as I remember.

I’ve run pfSense fine in a VM as my main home router and it definitely works well, just need to pass through an Intel 1000VT and off to the races (though don’t use ZFS on the virtual hard drive, bad things happen). I would recommend, if you have the option, to use emulated Intel NICs on the pfSense side, as virtio and vmxnet3 adapters (depending on your hypervisor) seem to cause odd issues I’ve found.