Virtualized VM's on pfSense host?
-
I have a project that requires a new firewall at each site (~40), and a tiny VM (256MB RAM, ~100MB disk, runs at about 47Mhz avg). These sites have zero infrastructure beyond an ISP delivered gateway.
I would like to place a small mini-ITX system on site and deploy both pfSense and the other VM on the single host. I would normally deploy a hypervisor and then place the VM's on top of that, however, given that the physical system will be directly connected to the WAN, I either have to be comfortable opening management to the big bad web, or run it through the pfSense then to the LAN side. I'm comfortable doing that, but if I screw up a rule on pfSense I could lock out management access to the hypervisor.
Is it possible to install virtualbox or some other virtualization platform alongside pfSense? That way pfSense is a true demarcation point for the WAN, and I can still access the WAN even if I screw up some rules.
This is all very early stages, so if it's no, that's okay. If it's maybe, I'll start experimenting.
-
For a production firewall, you're going with a mini desktop-PC running Windows/Linux + Virtualbox, and pfSense under THAT? I'm getting shivers just thinking about it, and not the good kind.
I'm using pfSense under ESXi 5.5 with about 15 users. The VM consistently uses ~300 MHz of CPU and ~256Mb of the 2Gb allotted, but I have a few optional packages installed.
-
I get it, believe me. However I've been given a budget of $500/location to get this going. I've speced out a few Haswell configs that just sneak under that wire (by $0.88). The performance of pfSense in ESXi isn't a concern. It's more about management of the hypervisor environment in the event of an issue with pfSense.
I would obviously prefer to have pfSense as its own entity, I just can't make it work on my budget.
The upside is the VM for desktop imaging is tiny and really isn't that important. It doesn't even have to be terribly stable or on all the time. I just need to turn it on when we image.
-
I don't understand. You can buy pfSense appliances for less than $500.
With this proposed config, you've got a live Windows/Linux box directly connected to the Internet. Never a good idea. You're going to use something much less secure as the platform for something you need to be much more secure. ESXi is free and has a small footprint, along the order of 50MB or so, and has a much smaller attack surface than a full Linux or Windows install. A better solution might be to load these ITX's up with ESXi and then base your VMs on that, depending on the RAM these boxes have.
Instead, you want to keep Windows as the platform so that you can RDP into it if you manage to bork pfSense? Yuk.
-
Perhaps spend your money on the pfSense box and run (only) pfSense on it. Then dual purpose a local computer behind the firewall.
Or tell your budget planners that you'll do as many sites as you can for the amount of money you've been budgeted and you'll finish the remaining sites when the rest of the money comes available…perhaps in next year's budget.
-
@KOM:
I don't understand. You can buy pfSense appliances for less than $500.
With this proposed config, you've got a live Windows/Linux box directly connected to the Internet. Never a good idea. You're going to use something much less secure as the platform for something you need to be much more secure. ESXi is free and has a small footprint, along the order of 50MB or so, and has a much smaller attack surface than a full Linux or Windows install. A better solution might be to load these ITX's up with ESXi and then base your VMs on that, depending on the RAM these boxes have.
Instead, you want to keep Windows as the platform so that you can RDP into it if you manage to bork pfSense? Yuk.
I've done a poor job explaining my goals, because you're inferring things that I didn't intend. Sorry about that.
First, I don't want to expose anything externally other than the pfSense instance. That's it. The VM is not for RDP when I break pfSense. It is not externally accessible. It just serves up data it relays from a central server via the LAN port.
Second, my issue with ESXi is that I would have no direct and secure management method from the remote. I could do some NAT/tunnel trickery in pfSense if I had to, but that all depends on pfSense being up. If, for instance, a tech got into the ESXi console and accidentally shut down rather than rebooted the pfSense VM… we would be hosed. Two thousand miles away and nothing we can do. It's a rare thing to happen, certainly. The users then would have to power cycle the esxi host, which then takes 5-15 minutes for ESXi to get rolling again. The 15 minute delay means they miss their first appointment, or show up late, which causes a loss in revenue due to missed SLAs.
I'm not trying to put a VM out there for recovering a system that it's being hosted on. That makes zero sense. I'm trying to put in a pfSense device and run a tiny VM to do a few menial (but unfortunately proprietary) tasks.
Perhaps spend your money on the pfSense box and run (only) pfSense on it. Then dual purpose a local computer behind the firewall.
Or tell your budget planners that you'll do as many sites as you can for the amount of money you've been budgeted and you'll finish the remaining sites when the rest of the money comes available…perhaps in next year's budget.
Dual purposing a system might work if there's a desktop there. These offices are largely like rest stops for our employees unfortunately. They just stop by throughout the day, get their marching orders from our ERP, and leave with their laptops. It could work though, thanks for the suggestion.
I wish telling my budget planner that would work, but it's falling on deaf ears. I originally proposed a higher budget, but thinking he's been the whipping boy lately on a few issues, so he wanted to low ball it and come in as the hero when presenting the finalized IT budget to the CFO. I won't even start on the other things that were cut.
-
I always virtualize my VMs. (joke)
Stack a couple of fanless low power boxes on top of each other. You can do it on the cheap.
-
I'd second kejianshi's suggestion as the best option, if you can find two low power boxes under $250 each.
Barring that, I'd probably end up using a general-purpose OS and carefully configuring it to serve both purposes. It wouldn't be my first option and certainly isn't the best option, but given your seemingly short-sighted budget constraints, the emphasis seems to be more on "do it cheap" rather than "do it right". You get what you pay for.
-
If you're not going to go with a Type 1 hypervisor then you're stuck with a Windows or Linux host directly connected, which is bad unless you have experience hardening Windows/Linux servers for the Internet. You can go with the option kejianshi suggested and put two boxes in serial, WAN <-> pfSense <-> LAN <-> Custom Server. However, if you've only got the one router with no redundancy then no matter what someone does to it, you're hosed regardless of whether it's hosted on a Type 1 or physically installed. Going with small PCs also has the hassle of failing fans and hard disks to maintain which can bring the house down when they fail. It's going to be a challenge to get high availability on that budget.