Netgate Discussion Forum

    A virtual pfSense as ^config viewer^ and as ^back-up pfSense^

    • louis2

      A couple of weeks ago I encountered a situation in which I wanted to compare an older pfSense config with my actual setup.

      The only option for that turned out to be to:

      • run a pfSense instance in a VM and
      • modify the original config in such a way that:
        a) one of the interfaces is a full NIC (without VLANs) to be used as management port
        b) assign all other VLANs including the WAN to a second NIC
        After doing so I could start a (TrueNAS based) VM having only two VirtIO interfaces: one as management interface and one as trunk for all other pfSense VLANs.

      At the same time I felt the need to have a backup for my physical pfSense system. And when having the VM I felt it could serve both purposes.

      In the picture my actual setup.

      bd68062b-fe23-4854-9c1e-d9d2021217c3-image.png

      At this moment I have this setup running as ^pfSense-config viewer^, but not yet as real pfSense system.

      I hope I helped others with this idea, but I also have questions.

      As said, at this moment I have only used this setup as ^pfSense-config viewer^, so I wonder:

      • if my idea to assign a complete physical TrueNAS NIC as virtIO-1 works / if that interface is going to transport the set of VLANs the pfSense VM is trying to forward to the 10G switch above (I did not do any test in that regard yet)
      • of course I cannot expect the VM to be as powerful as my normal physical pfSense system, however would a setup like this allow a throughput of a couple of Gbit!?
      • Of course I am interested to hear the experience of others having more or less the same setup

      PS. The NAS is relatively powerful. The VM has an NVMe SSD, a couple of virtual CPUs and GB of RAM assigned. However, I had to do that to make the VM reasonably responsive.

      • Gblenn @louis2

        @louis2 I run my pfSense virtualized and have been able to get around 4 Gbit speed using Proxmox VirtIO.

        However, on the same HW I get over 7 Gbit running Speedtest if I do passthru of the NICs. And this is with fairly modest HW (i3 n305).
        I get similar or perhaps slightly better performance on an i5 11400 with passthru of the NICs. Have not tried VirtIO on this machine though, but would expect a bit better performance than on the i3.

        • louis2 @Gblenn

          @Gblenn

          Thanks! My system is completely different, but given your result I will probably have reasonable performance.

          As you can see in my post I am using two virtio channels:

          • Actually, effectively I am only using virtio-0, the one VLAN channel needed to access and, if needed, to change the virtual pfSense
          • The intention of the second channel (VirtIO-1) is to have quasi-direct ^physical^ access to the second (unused) 10G port of the NIC (Mellanox ConnectX-4 Lx).

          In TrueNAS I selected ^enp4s0f1np1^ as VirtIO port, as opposed to a VLAN-related bridge I used for virtio-0.

          Will that work in your opinion?

          • Gblenn @louis2

            @louis2 I do passthru of disks to TrueNAS and I pass thru the NICs (LAN and WAN) to pfSense, simply because I want the applications to be in total control of what they each do best. But I also have a second TrueNAS at our summer home where disks are virtualized and I have been running firewalls with virtualized NICs, no problem... In fact I do have my failover WAN assigned using VirtIO, and no issues whatsoever...

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.