Netgate Discussion Forum
    pfSense+ licensing on Proxmox HA cluster

griffincash:

I'm at a crossroads and my options are buy two 6100s or use virtual pfSense+ on my Proxmox cluster.

If space was no concern, I'd just pick the 6100s, but I'm trying to build the smallest fully redundant rack for my test lab.

I have 3 nodes in my cluster and will run 2 pfSense instances. I know that the licensing "can't" be transferred between servers, so will I need to license pfSense+ for each node? 3 nodes x 2 instances = 6 licenses?

Gblenn (replying to griffincash):

@griffincash Hmm, what is the setup here in terms of incoming connection (fiber/cable) into what? Do you have two separate WAN IPs? Or was the plan perhaps to run an HA/failover setup with two instances of pfSense?

The license is anyway tied to the HW, and the ID used for licensing is calculated during setup. It will change if you change the HW. So in case of upgrading from e.g. 1G NICs to 10G NICs you would need to update your license. A simple thing really, and supported by Netgate.

So when you virtualize, you create the VM, configure it, and once it's up and running and you have everything as you want it, then you register the license. If you destroy that VM and create a new one, you would need a new license though... But you can create backups and, for example, have an active VM running and a copy (with that same license) on standby to spin up if something goes wrong with the other... Essentially no need for more licenses than you would need if you went with the 6100s...

griffincash (replying to Gblenn):

@Gblenn
Cable WAN has 5 IPs: 1 for each pfSense, 1 for CARP, 2 extras. LTE modem acts as a router, for failover internet only.

Cable modem <-> small switch <-LACP/MLAG-> 2 MikroTik switches. LTE modem <-> small switch <-LACP/MLAG-> same 2 MikroTik switches.

Proxmox servers connected with LACP to MLAG on the MikroTik switches.

Proxmox will be running two pfSense instances in HA mode. One instance on Proxmox1, another on Proxmox2. If either server dies, the pfSense VMs will automatically migrate to another host, thus changing the hardware.

Gblenn (replying to griffincash):

@griffincash Yes well, running pfSense on two or three different Proxmox machines does not necessarily mean different "hardware". At least as long as they are all copies of the same VM, running entirely virtualized (no passthrough of NICs).
If on the other hand you do in fact pass through the NICs, then yes, they are truly different.

So, it depends; virtualized you don't need more licenses than you do running 6100s...

griffincash (replying to Gblenn):

@Gblenn thanks for the help. Yes, it would be completely virtualized unless the performance wasn't there (which I can test with CE first). If performance with virtualized NICs isn't where I want it to be I'll be going with the 6100s anyway.

Gblenn (replying to griffincash):

@griffincash It will of course depend on what HW you have in your Proxmox machines.
And on top of that, what packages you run, like Ntop or Suricata/Snort. But I don't think you should have any trouble exceeding 1 Gig at least.

I run Ntop in a separate VM on the same machine, and Suricata in Legacy mode, and I have passthrough of my NICs (X520s). The best result I have seen from speedtest is 8.5G.

But I am also playing around with some other firewalls (Sophos XG) which I have running both with passthrough and virtualized NICs.

I just ran a quick test from behind one of my test FWs, which is NATed behind my pfSense+... So, speedtest through two firewalls, with Sophos XG having virtualized NICs (listed as VirtIO paravirtualized) I got this:

[speedtest result screenshot]

griffincash (replying to Gblenn):

@Gblenn I'm from Alabama; if you can find internet faster than 1 Gbps that isn't dedicated, I'd be willing to move and find a new job. Jk. But seriously, I'm looking at 200 Mbps down and 50 up on coax and 50/25 on LTE. Traffic between LANs shouldn't need to exceed a gig either, as all the servers with 10G NICs are physically connected to each other. Those are just for fast data syncing.

Gblenn (replying to griffincash):

@griffincash Well, then you should have no trouble whatsoever...

Actually the 6100s you were looking to match would be quite a bit of overkill, and even the 1100 could do the job. Even if you are running VPNs. But given your serious setup with cluster, failover and HA... I'm thinking your Proxmox machines definitely have the HW for it.

SteveITS (replying to griffincash):

@griffincash Note adding/removing NICs in the VM will result in a new hardware ID and invalidate the license.

Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
Upvote 👍 helpful posts!

Gblenn (replying to SteveITS):

@SteveITS said in pfSense+ licensing on Proxmox HA cluster:

    @griffincash Note adding/removing NICs in the VM will result in a new hardware ID and invalidate the license.

Ok, so adding a NIC to be used for a failover connection would mean the ID is different, even if the first two NICs are the same?
Best then to add the NICs you need from the start I suppose. No harm having them if they are virtualized...

SteveITS (replying to Gblenn):

@Gblenn Yes it calculates the NDI based on detected hardware.

I haven't tried but you might add a few extra NICs just in case for future use.

Also you'll need two Plus licenses for two routers.

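As an added check prompted by SteveITS's two notes above (this is not code from the thread or from Netgate), a small guard that compares the NIC definitions of a pfSense+ VM's Proxmox config against a saved baseline before a change is applied, so a NIC addition or a switch to passthrough is spotted before it costs a re-registration. The VM configs, MAC addresses and PCI address are constructed samples in the format printed by `qm config <vmid>`, and since the thread does not state which attributes feed the NDI, any difference in a net*/hostpci* line is treated as a risk.

```shell
# Added example: pre-change guard for a pfSense+ VM on Proxmox. The thread says
# adding/removing NICs yields a new NDI (hardware ID) and that PCI passthrough
# makes the NICs host-specific hardware, so the NIC lines of two configs are
# compared before applying them. Inputs below are constructed samples in the
# `qm config <vmid>` format; in real use, feed that command's output instead.

# Only the lines that define NICs: virtual (netN) and PCI passthrough (hostpciN).
nic_lines() {
    printf '%s\n' "$1" | grep -E '^(net|hostpci)[0-9]+:' | sort
}

# Number of virtual NICs in a config.
nic_count() {
    nic_lines "$1" | grep -c '^net'
}

# Succeeds when both configs define exactly the same NICs.
nic_sets_match() {
    [ "$(nic_lines "$1")" = "$(nic_lines "$2")" ]
}

# Succeeds when the config passes a PCI device through (host-specific hardware).
uses_passthrough() {
    nic_lines "$1" | grep -q '^hostpci'
}

# Constructed sample: fully virtualized pfSense+ VM with WAN and LAN NICs.
BASELINE='cores: 4
memory: 4096
name: pfsense-a
net0: virtio=BC:24:11:AA:BB:01,bridge=vmbr0
net1: virtio=BC:24:11:AA:BB:02,bridge=vmbr1
scsi0: local-lvm:vm-100-disk-0,size=32G'

# Constructed sample: the same VM after adding a NIC for the LTE failover WAN.
CHANGED="$BASELINE
net2: virtio=BC:24:11:AA:BB:03,bridge=vmbr2"

# Constructed sample: a VM that passes a physical NIC through instead.
PASSTHRU="$BASELINE
hostpci0: 0000:03:00.0"

if nic_sets_match "$BASELINE" "$CHANGED"; then
    echo "NIC set unchanged; NDI should remain stable"
else
    echo "NIC set changed ($(nic_count "$BASELINE") -> $(nic_count "$CHANGED")): expect a new NDI and re-registration"
fi
uses_passthrough "$PASSTHRU" && echo "passthrough in use: NICs are host-specific, so a copy migrated to another host will not match"
```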

Gblenn (replying to SteveITS):

@SteveITS said in pfSense+ licensing on Proxmox HA cluster:

    @Gblenn Yes it calculates the NDI based on detected hardware.

    I haven't tried but you might add a few extra NICs just in case for future use.

I guess the way @griffincash should do it is to wait with registration until he has decided on a good config.

    Also you'll need two Plus licenses for two routers.

Agree, since they are both active in an HA config. But I don't see that he should need more licenses when virtualizing vs the alternative of running two 6100s...?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.