Server/Router combo with pfsense in a VM

Hi there,

I'm currently looking at building a decent server, in particular with a supermicro soc board, with 4xgigabit ethernet ports. I have experience with Linux servers, however I'm curious as to whether it would be possible, let alone recommended to run pfsense (or other similar router distro), in a virtual machine, and also something like Debian as a server on the same system.

As far as I am aware it would be possible, however I can find little documentation of doing so, and have no idea on performance, security etc. The system will be used within a LAN as a subnetwork with very few attached devices, so stuff like firewall and DNS servers are not a major issue.

I would appreciate if anyone a bit more experienced with this kind of stuff could give me an idea of how it could be done, and whether it would be even close to recommended. :P

I wouldn't run them on the same system, if for no other reason than to keep it secure. Not to mention that pfSense's NICs will be slow like molasses in a virtual machine compared to a real physical gigabit NIC.

I had thought about doing this, and had numerous problems getting pfSense installed in a VM. Best advice I can give you is to go buy a really cheap ITX board. I run my small home testing network that mostly only I (but 10-15 people have used it fine at a LAN party or two)) use off an OLD 1.24Ghz VIA ITX embedded board. I wouldn't go out and buy one of those now, because the new Intel Celerons are so cheap and well suited for this sort of thing. Just proves you don't need to have a supercomputer to run pfSense :P

As for running other OSes as virtual machines for servers, that's a fantastic way to do things. I would use Proxmox as a hypervisor (I have used it for years and LOVE it), but if you just want to be different you could try oVirt or PHPVirtualBox or something. Proxmox is just easy and most of us are lazy :P

The reason I say to use Proxmox is because of the different kinds of VMs it supports. If you watched Wendell's video you know it can do full virtualization (like Virtualbox or almost anything else) but it can also do container virtualization (watch his video on Proxmox if you haven't, hes better at explaining it than I am). Containers are so fantastic for Linux, saves time, hassle and processing resources.

So that's my two cents, lemme know if you have questions (I have a pfSense + couple of managed switches + Proxmox system at home and I love it. I can test just about any sort of thing I can dream up, especially with those managed switches' VLAN support.)

1 Like

Yeah, I was planning to build a server based on a hypervisor and then Virtual Machines for the different processes I would require, but just had a thought about combining the router in there too as I will be moving house shortly and will be either buying a nice router (had experience with the ubiquiti EdgeRouter, so may go for that) or building my own with some cheap and low-power kit.

I'm not particularly surprised that you wouldn't suggest running pfsense virtually with other systems, even just thinking about the system generally it seemed like it would be super janky and require a ton of finagling, but thought the question may as well be asked.

Had a brief look at proxmox, having not heard of it before now (unlike phpVirtualBox and oVirt), and it does look really compelling, I shall definitely have a better look at it, thanks for recommending it to me!

Yeah fire walls/routers should be on their own hardware. You can build a pretty nice pfsense box for about $200.

On the VKMside proxmox, ESXI and xenserver are all good routes

No problem. If you have questions shoot me a message, I've been running it since 2012 on an AMD FX-6300 machine with 24GB of RAM. Best. Cheap. Server. EVER.

I'm in favor of running pfsense in VM at the very least in a home network. I've been doing it for years and it has been solid. I'm running it on KVM by the way.

Is it slow? No. Virtualization is very good these days. I'm not even using a virtio NIC - just e1000 that is supported by pfsense out of the box. The OS for the most part I think would generally be faster because it would be using resources of a more powerful server.

Is it insecure? I can't imagine why it would be. I just bridge one of the NICs on WAN and share it with pfsense. You could do hardware passthrough if you were more concerned. Can anyone explain why these apporaches would be insecure? What actual exploits are possible? Also, if anything remotely advanced is required to break said security, how likely is it to be used against some random unimportant home network?

Security is not a major issue for me, as the system will be a subnetwork behind another firewall, and in another network. I shall definitely try running pfsense virtually on the server when I get it, as it will save me a little money and will be a fun experiment. Also, I'm not too familiar with hardware passthrough in regards to virtualisation, I presume that the motherboard* I'm looking at which has quad gigabit ports on the back panel under a single controller would not support just two of those ports being passed through to pfsense?

*If necessary the board is a Supermicro MBD-A1SRi-2758F-O

It is less about security than it is having a single point of failure for the system.

If you have this system behind another firewall, I wouldn't worry about it. I currently have a Windows Server 2012 running Hyper-V. It hosts pfsense as a guest OS and handles traffic and routing for about a dozen VMs. This is all in my test network, and I don't really care about security or stability.... However it has proven to be quite stable and fast.

Security is always a big question. NOTHING is 100% secure if it is attached to the internet. If someone want's to break in, and they have the motivation they can. Networks are breached every day, and the majority of this is due to flaws in hardware and software designs. If your just a dude sitting in your house playing games and storing media files on a home server, there's not much at risk as far a security goes. Back your stuff up, stay behind a decent hardware firewall and you are "safe enough".

There is one thing I would recommend that should filter out 99% of so called "hackers" and script kiddies. TURN PUBLIC ICMP RESPONSE OFF ON YOUR ROUTER. (Yes, I just yelled that.) Don't let your router respond to public ping requests. They will be on you like vultures.

One security concern that I can think of is if you're virtualising and aren't using dedicated NICs then if someone is able to gain control of your pfsense machine they would be able to see and probably manipulate the network traffic going to your server. But in a home environment I wouldn't worry too much about it.

I used to run of sense in a vm and switched to hardware latter, it's a good way to get started with it but I found it a little buggy, I think that was an amd thing though. With 4 NICs you could dedicate two to the offence vm and have the other two for your server or other VMs. If you have a switch which supports link aggregation you could bond your NICs and share the bond between your VMs, but I'd at least have a dedicated nic for WAN.