pfSense VM on Synology NAS
-
So is anyone running pfSense as a VM as their primary FW on their Synology NAS? I have a DS1621xs+ with a Xeon processor, 32GB of RAM, (1) 10 gig NIC, and (2) 1GB NICs that I am only using for basic file storage. I am considering using it to host pfSense, but I am slightly concerned about passing public Internet traffic to the Synology VMM hypervisor (which I think is Proxmox under the hood). That concerns me first and foremost.
I do understand and accept the general shortcomings of running a firewall on a VM and I don't think the Netgate 6100 is powerful enough to do what I need it to do (pfBlockerNG, ntopNG, Suricata, network-wide VPN to PIA, etc.) with a 1gig or 2 gig fiber connection. I have also outgrown the capabilities of my UDM (network-wide VPN, policy-based routing, etc.).
Just wanting to hear from others that are using their Synology NAS for this purpose. Thanks!
-
@cloudified I used my QNAP NAS for quite a while exactly as you describe. It works, and if you do the NIC/vSwitch setup correctly (isolate the Synology NAS on one NIC, and the vSwitch WAN on an unused adapter), there should be little risk of issues security-wise.
But to be honest I stopped doing it regardless of the power savings and horsepower the QNAP offered.
The trouble with WAN being unavailable every time I needed to do something with the NAS - and especially the trouble with the QNAP OS's boot phase without Internet and DNS - was just too annoying. So I got myself a 6100 and have never looked back. SWEET box :-)
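As an added illustration of the NIC/vSwitch isolation @keyser describes (this is not code from the thread, from Synology or from QNAP): a small Python audit that takes the JSON output of `ip -j addr show` from the hypervisor host and flags two exposures, the host holding an address on the WAN-facing NIC or its bridge, and the WAN NIC sharing a bridge with the NAS management NIC. It assumes a Linux host with iproute2 JSON output and Linux bridges backing the vSwitches; whether Synology VMM exposes its vSwitches this way is an assumption, and the two interface layouts are constructed samples.

```python
import json

# Constructed samples of `ip -j addr show` output, trimmed to the fields the audit uses.
# Exposed: NAS management NIC and WAN uplink hang off the same bridge, which holds the host IP.
EXPOSED_LAYOUT = json.dumps([
    {"ifname": "br0", "addr_info": [{"family": "inet", "local": "192.168.1.10", "scope": "global"}]},
    {"ifname": "eth0", "master": "br0", "addr_info": []},              # NAS management
    {"ifname": "eth1", "master": "br0", "addr_info": [                 # WAN uplink
        {"family": "inet6", "local": "fe80::1", "scope": "link"}]},
])
# Isolated: NAS keeps its own NIC; the WAN uplink sits alone on an address-less vSwitch bridge.
ISOLATED_LAYOUT = json.dumps([
    {"ifname": "eth0", "addr_info": [{"family": "inet", "local": "192.168.1.10", "scope": "global"}]},
    {"ifname": "br_wan", "addr_info": []},                             # vSwitch for the VM's WAN
    {"ifname": "eth1", "master": "br_wan", "addr_info": []},
])


def wan_isolation_findings(ip_json, wan_nic, nas_nic):
    """Return a list of findings; an empty list means the layout looks isolated.

    1. The NIC handed to the pfSense VM as WAN (and its bridge, if any) carries no
       host address, so the hypervisor itself is not reachable from the public side.
    2. The WAN NIC and the NAS management NIC are not enslaved to the same bridge,
       so WAN frames cannot be switched onto the NAS management path.
    """
    links = {link["ifname"]: link for link in json.loads(ip_json)}
    findings = [f"{nic}: interface not present on host"
                for nic in (wan_nic, nas_nic) if nic not in links]
    if findings:
        return findings
    wan = links[wan_nic]
    # Check 1: global-scope addresses on the WAN NIC or on the bridge it belongs to.
    # Link-local IPv6 on a bridged port is normal and is not flagged.
    for name in (wan_nic, wan.get("master")):
        if name is None:
            continue
        for addr in links.get(name, {}).get("addr_info", []):
            if addr.get("scope", "global") == "global":
                findings.append(
                    f"{name}: host holds {addr['family']} address {addr['local']} on the WAN path")
    # Check 2: shared bridge between the WAN uplink and the NAS management NIC.
    nas_master = links[nas_nic].get("master")
    if wan.get("master") is not None and wan.get("master") == nas_master:
        findings.append(f"{wan_nic} and {nas_nic} share bridge {nas_master}")
    return findings


if __name__ == "__main__":
    for label, layout in (("exposed", EXPOSED_LAYOUT), ("isolated", ISOLATED_LAYOUT)):
        print(label, wan_isolation_findings(layout, "eth1", "eth0") or ["ok"])
```

On a real host, feed it the live output (`ip -j addr show`) and the interface names you gave the VM; a passthrough NIC that appears on no bridge and holds no address also passes.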
-
@keyser Very valid points. Thank you for sharing your experience. My AT&T Fiber gateway has a 5GB ethernet handoff, so if I ever upgraded my service past a 1 gig I'd have to use a copper SFP+ module to the 6100 if I went that route. I think my other requirements are going to tax it though.
-
@cloudified said in pfSense VM on Synology NAS:
@keyser Very valid points. Thank you for sharing your experience. My AT&T Fiber gateway has a 5GB ethernet handoff, so if I ever upgraded my service past a 1 gig I'd have to use a copper SFP+ module to the 6100 if I went that route. I think my other requirements are going to tax it though.
True that.
One observation: The 6100 seems to perform more consistently and better than my VM did, even though the VM should be more powerful on paper. So perhaps the hypervisor scheduling impacts perceived latency a bit. Mind you, my NAS is not a Xeon but a desktop class processor. One thing to be aware of - I think I read somewhere that the 6100's SFP+ ports do not support copper modules or split rates (2.5 or 5Gbit)
-
@keyser Interesting, thanks again for sharing that! I just assumed that it would drop down to 5Gb or 2.5Gb or let you hard set it. I probably won't ever move to 5 gig service although I can get it. At least I could use a 2.5Gb port if I ever upgraded to the 2 gig plan. Thanks again, man!
-
@cloudified said in pfSense VM on Synology NAS:
@keyser Very valid points. Thank you for sharing your experience. My AT&T Fiber gateway has a 5GB ethernet handoff, so if I ever upgraded my service past a 1 gig I'd have to use a copper SFP+ module to the 6100 if I went that route. I think my other requirements are going to tax it though.
But it will solve all your requirements @ 1 Gbit, and if you do not enable all suricata rules it will handle 2Gbit as well - no issues. (Though not 2 Gbit VPN in single sessions)
-
@keyser So I just set up a VM running pfSense on my Synology NAS alongside my UniFi network.
I'm really glad I spun up an isolated VM this way (with one of my extra public IPs) without having to eff with my production network. I just configured a VLAN-only network on my UDM and assigned it to some switch ports to test with.
Man, I am absolutely loving pfSense so far! What a great product. I might end up having to buy a 6100 after all. Everything just works on the first try (DDNS, PIA, pfBlockerNG, Suricata, and ntopng).
Thanks again for sharing your experiences and opinions.