Do you have performance tips for Proxmox virtualized pfSense?
-
@NollipfSense said in Do you have performance tips for Proxmox virtualized pfSense?:
May I suggest this guide: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html
If you follow the above, you'll see that both WAN and LAN are required to pass-through. It's best to have a separate interface for Proxmox. So, in essence, the requirement is three Ethernet ports, two of which pass-through to the pfSense VM.
Thanks.
But it’s not the _number_ of interfaces connected to pfSense. (Yes, it’s a minimum of three.)
The question I am asking is about the hardware configuration in Proxmox of those three (minimum) interfaces.
-
@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:
The question I am asking is about the hardware configuration in Proxmox of those three (minimum) interfaces.
When you were installing Proxmox, didn't you select an interface for Proxmox...so, I can fully understand the question. Didn't you configure this via the installer? There is not much to configure, just assign an IP and gateway. How I do mine is make pfSense LAN, Proxmox's gateway. Then, connect a smart switch to pfSense LAN, then connect an Ethernet cable from Proxmox's Ethernet port to the switch...it should be obvious that Proxmox Ethernet is on the same exact network as pfSense LAN.
-
@NollipfSense said in Do you have performance tips for Proxmox virtualized pfSense?:
When you were installing Proxmox, didn't you select an interface for Proxmox...so, I can fully understand the question. Didn't you configure this via the installer? There is not much to configure, just assign an IP and gateway. How I do mine is make pfSense LAN, Proxmox's gateway. Then, connect a smart switch to pfSense LAN, then connect an Ethernet cable from Proxmox's Ethernet port to the switch...it should be obvious that Proxmox Ethernet is on the same exact network as pfSense LAN.
Maybe a picture will help.
In the composite screenshot below, you can see that in pfSense a PCI passthrough Ethernet adapter on the physical host is passed through as igc0. This connects to the ISP and could run at 2.5Gbps, if I had that service now, because the physical adapter on the appliance is 2.5Gbps capable. pfSense accesses this adapter directly, not through Proxmox. It is shown in the screenshot as hostpci0.
The LAN interface for CIDR 192.168.2.0/24 ('vtnet0') is on a Proxmox bridge. This is configured in Proxmox as a Virtual I/O (paravirtualized) device (enp2s0) to pfSense, which sees it as vtnet0. vtnet[x] is pfSense's device assignment to virtualized network hardware. IOW, it is not directly connected to pfSense; Proxmox is handling interrupts and data transfer into pfSense's memory.
Proxmox is accessible on this bridge as I added an address for it (10.69.0.2). The vmbr2 bridge on enp3s0 is solely for the case in which pfSense is down and therefore cannot be accessed. By adding a bridge on enp3s0 and assigning a management address of 10.68.0.2 to Proxmox, I can simply connect a laptop to that port on the appliance, manually configure an address in 10.68.0.0/16 and connect to Proxmox when pfSense is crashed or won't start. I prefer not to have the Proxmox management address on the same interface as the LAN interface; losing a physical port to access it isn't an issue for me.
So, the question -- or at least the networking portion of my question -- boils down to, "how much performance penalty might there be for running pfSense LAN/OPTx interfaces paravirtualized in Proxmox if the connection to the ISP runs faster than 1Gbps?"
I could dedicate additional PCI appliance Ethernet ports to pfSense LAN/OPTx interfaces, but there are two trade-offs (maybe more). First, you're locked to that device, making Proxmox node migrations harder. Second, if the FreeBSD kernel is handling I/O directly for a device on the PCI bus, what's the impact in pfSense's CPU and memory requirements vs. letting Proxmox handle that?
Finally, does anyone know if a paravirtualized FreeBSD interface (vtnet[x]) can even run at 2.5Gbps?
-
@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:
VM to the new Proxmox 8 x86-64-v2-AES type.
I use processor type "Host" as I don't anticipate needing to live migrate my pfsense VM to another Proxmox host,
@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:
It also has six Intel I225-V 2.5Gbs ports.
Nice, I recently bought a similar unit.
Given the generous physical NIC we have, I pass through all NIC pfsense VM uses. Proxmox (and other VM's) connect to the pfsense VM via an external switch.
@NollipfSense said in Do you have performance tips for Proxmox virtualized pfSense?:
If you follow the above, you'll see that both WAN and LAN are required to pass-through. It's best to have a separate interface for Proxmox.
Agree
@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:
The Netgear switch would will support two Ubiquiti POE+ APs, upstream connection to the ISP, a NAS running at 1Gbps and, possibly, two wired connections.
That's a bit weird. It is not clear why you are connecting the ISP to the Netgear switch.
Why are you not using a WAN connection:
ISP -> pfsense VM (optionally passed through) NIC
Lan connection
pfsense VM (optionally passed through) NIC -> Netgear switch
(if pfsense Lan NIC is passed through, Proxmox & other VM will use a different physical NIC to connect to the Netgear switch / LAN. That also means if your Proxmox install has a problem you can easily connect it to another lan to fix it)
-
@Patch said in Do you have performance tips for Proxmox virtualized pfSense?:
I use processor type "Host" as I don't anticipate needing to live migrate my pfsense VM to another Proxmox host,
Interesting. How do you get pfSense to then use hardware AES support, which is crucial for TLS performance?
That's a bit weird. It is not clear why you are connecting the ISP to the Netgear switch.
Why are you not using a WAN connection:
ISP -> pfsense VM (optionally passed through) NIC
I misstated it. I do plan to connect the ISP directly to the appliance. Not sure what I was thinking. :-)
Thanks.
-
@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:
How do you get pfSense to then use hardware AES support
My understanding is VM processor type "Host" means the VM is told it has the same processor as the Proxmox hypervisor is running on. So if the physical processor supports AES then the VM will be told that's the case.
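An added example, not part of any post in this thread and not Proxmox or Netgate code: a Python check of a Proxmox VM config for the two points discussed above, namely which guest devices are PCI passthrough versus bridged VirtIO, and whether the CPU setting is one the thread associates with AES being visible to pfSense. The sample config is constructed (the MAC and PCI address are made up) and the `key: value` layout of `/etc/pve/qemu-server/<vmid>.conf` is assumed; the function names are hypothetical.

```python
import re

# Constructed sample in the "key: value" layout of /etc/pve/qemu-server/<vmid>.conf.
# The MAC and PCI address are made up; the layout mirrors the thread's setup.
SAMPLE_CONF = """\
cores: 4
cpu: x86-64-v2-AES
hostpci0: 0000:02:00.0
memory: 4096
net0: virtio=BC:24:11:00:00:01,bridge=vmbr1
"""

def parse_conf(text):
    """Return {key: value} for the live config, stopping at a [snapshot] section."""
    conf = {}
    for line in text.splitlines():
        if line.startswith("["):
            break
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def device_summary(conf):
    """Classify hostpciN (passthrough, may be a non-NIC device) and netN entries."""
    devices = {}
    for key, value in conf.items():
        if re.fullmatch(r"hostpci\d+", key):
            devices[key] = ("pci-passthrough", value.split(",")[0])
        elif re.fullmatch(r"net\d+", key):
            opts = dict(p.split("=", 1) for p in value.split(",") if "=" in p)
            devices[key] = (value.split("=", 1)[0], opts.get("bridge", "?"))
    return devices

def aes_exposure(conf):
    """Say why (or whether) the guest should see the AES CPU flag."""
    cpu = conf.get("cpu")
    if cpu is None:
        return "unset"              # depends on the Proxmox default model
    model, *rest = cpu.split(",")
    flags = next((p[len("flags="):] for p in rest if p.startswith("flags=")), "")
    if "+aes" in flags.split(";"):
        return "explicit"           # flag forced on in the VM config
    if model == "host":
        return "inherits-host"      # only if the physical CPU has AES-NI
    if model == "x86-64-v2-AES":
        return "model"              # the model itself includes AES
    return "not-guaranteed"

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(device_summary(conf), aes_exposure(conf))
```

Inside the pfSense guest, the CPU feature list in the FreeBSD boot messages shows whether AESNI actually arrived.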
-
@Patch said in Do you have performance tips for Proxmox virtualized pfSense?:
@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:
How do you get pfSense to then use hardware AES support
My understanding is VM processor type "Host" means the VM is told it has the same processor as the Proxmox hypervisor is running on. So if the physical processor supports AES then the VM will be told that's the case.
Hmmm....until I changed to the AES-specific host, none of the crypto showed as active in the pfSense summary. Weird.
-
@yobyot
Proxmox hardware settings for pfsense VM
pfsense GUI System information
-
@Patch said in Do you have performance tips for Proxmox virtualized pfSense?:
@yobyot
Proxmox hardware settings for pfsense VM
pfsense GUI System information
Hmmm…I wonder what the difference is between your appliance and mine when it comes to the “Host” type.
-
@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:
Hmmm…I wonder what the difference is between your appliance and mine when it comes to the “Host” type.
Looking at this screenshot below, WAN should be vtnet0 and LAN should be vtnet1...
Also, I have only followed the pfSense recipe quoted in earlier post and that required to use BIOS > OVMF for UEFI boot with machine Q35...
-
Yes. Use ESXi.
-
@NollipfSense said in Do you have performance tips for Proxmox virtualized pfSense?:
Looking at this screenshot below, WAN should be vtnet0 and LAN should be vtnet1...
Actually, no.
pfSense was running on an external Vault. When I migrated it to Proxmox, I put it on vmbr1. I haven't found a way to renumber the bridges so that it "looks" right and now I kinda like it.
-
@yobyot said in Do you have performance tips for Proxmox virtualized pfSense?:
Actually, no.
pfSense was running on an external Vault. When I migrated it to Proxmox, I put it on vmbr1. I haven't found a way to renumber the bridges so that it "looks" right and now I kinda like it.
Well, if it works for you, hooray...I just shared what the pfSense document says...like I installed using UEFI for pfSense on Proxmox, as well as, install Proxmox on ZFS.