2.2 on Hyper-V on Windows 8.1
-
I'm no expert on this and I agree things seem to have moved forward since I was last paying attention. Hyper-V server appears to be at least type 1-ish although it's built with Windows components. However the versions built into Windows OS appear less so.
@http://en.wikipedia.org/wiki/Hyper-V:A hypervisor instance has to have at least one parent partition, running a supported version of Windows Server (2008, 2008 R2, or 2012). The virtualization stack runs in the parent partition and has direct access to the hardware devices.
If the OS running in the parent partition has access to the hardware directly it still represents an attack surface no?
If I were doing this I'd choose another hypervisor or at least use the Hyper-V server variant.
Steve
-
@KOM:
..Client Hyper-V is Type 2 with a Windows base OS and then MS's Virtual PC layered on top of that, similar to VMware Workstation.
Unless OP is short on hardware, I would recommend that he install Windows Server 2012 R2 if he wants to run pfSense under Hyper-V.
I'm 99,9 % certain that Client Hyper-V is also type 1 (Win8+/Srv2012+)
As a side note, there is also a free windows hypervisor called "Hyper-V Server 2012 R2)
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor and are not the same as Vmware Workstation, which is similar to Virtualbox or the former MS-VirtualPC, all classic type 2 hypervisors. HyperV is similar to ESXi.
For sure if an application, which runs on my homeserver has a security hole, a bot can enter my network. But I see no difference, whether I run it on a different PC or on my homeserver, the bot is also able to enter and doing all the bad things he want to do.The advantage of the free Hyper-V Server 2012 R2 is, that it uses less resources and has more build in utilities for managing the VMs, but i am satisfied with the Win 8.1 Tools and resources I have more than enough.
-
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor…
This statement is a contradiction.
AFAIK the definition of a type 1 hypervisor is that it is the OS and runs on bare metal without any host OS. Therefore a type 1 hypervisor doesn't run ON Server 2012r2, Win 8.1 or any other host OS.
-
That same wiki link lists hyper-v as a type 1.
All systems have a host os (esxi kernel is linux) just nobody wants to call is an OS. :) -
@P3R:
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor…
This statement is a contradiction.
AFAIK the definition of a type 1 hypervisor is that it is the OS and runs on bare metal without any host OS. Therefore a type 1 hypervisor doesn't run ON Server 2012r2, Win 8.1 or any other host OS.
Wrong, ESXi is a Linux derivative, thats why you need ESXi drivers to run your diskcontroller, raid, etc…
-
Hyper-V IS type 1 hypervisor and it is exactly the same thing as ESXi as far as TYPE is concerned…
My Hyper-V is locked down completley and it is just secure as any other ESX box.
I used ESXi for many years bt now I`m on Hyper-v 3 years already.Stop bullshitting about ESXi being more secure than Hyper-V it is a matter of configuration and admin decisions...
I`ve seen ESX boxes with port 22 being available on the net, U/P root/toor, root/root combos etc...And yes, do not install pfsense on Win 8.1 hypervisor, use 2012 R2 for that.
And no, I`m not a MS fan I just try to combine best of the 3 worlds (MS, *nix and BSD).My 2 cents.
-
@P3R:
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor…
This statement is a contradiction.
AFAIK the definition of a type 1 hypervisor is that it is the OS and runs on bare metal without any host OS. Therefore a type 1 hypervisor doesn't run ON Server 2012r2, Win 8.1 or any other host OS.
All I`m gonna say to this statement is a big fat LOL.
ESXi uses vmkernel for it`s OS. ESXi vmkernel IS NOT LINUX BASED.
-
That same wiki link lists hyper-v as a type 1.
I have no problem with that and it wasn't what I argued. I'm neither a MS fanboy nor a basher.
What is problematic to me is when someone think it is important to make distinctions between type 1 and type 2 hypervisors, claiming that one product is of a certain type and at the same time saying things being in total opposition with the very definition (known to me) of how hypervisors are grouped into types. I just pointed at the contradiction and flawed logic in that statement.
-
I'm 99,9 % certain that Client Hyper-V is also type 1 (Win8+/Srv2012+)
Yes, you are right. I read some more incorrect information.
-
Regarding Type 1 or 2 hypervisor: I wrote how, why and when a hypervisor is type 1 or 2. but I'll post this link instead as I'd rather talk about the installation issue I have with pfsense on win8.1 hyper-v
Very simple but clear description: http://www.altaro.com/hyper-v/hyper-v-terminology-host-operating-system-or-parent-partition/My installation issue with Beta 2.2:
On win 8.1 it fails partitioning/formatting the disc (VHD drive) every time. I tried a LOT of different configuration and even tried the "use FreeBSD to setup drive before pfsense" All without luck.
FreeBSD install fines on Win8.1 Hyper-V though.I ended up installing pfsense2.2 beta on Server 2012r2 and just moved the files to my client afterwards.
Running on client to test the Beta without installing potential security hassard on my server.
Any ideas why this happens?
-
As a side note, there is also a free windows hypervisor called "Hyper-V Server 2012 R2)
which is Server 2012R2 core with only the hyper-v role and no ability to add another other roles
In 2012 and R2 core dramatically reduces the attack surface compared to a full install of server, in 2008(r2) the reality was there wasn't a huge difference -
I deployed the latest snapshot on Hyper-V 2012 R2 today, but the only way I could get it to boot the ISO at all was to do so in an old Generation 1 VM. Does pfSense still not support UEFI in 2.2 or was I being retarded. It's pretty easy to redeploy if I was just being dumb, I prefer to stay away from Gen1 VM if possible.
Other than that it is working extremely well, even if I had to use an old Gen 1 VM.
-
did you disabled "Secure Boot"?
This is required for ubuntu, I think it will also be required for pfsense. -
I also tried Gen 2 installation of pfSense and Debian and it did not work.
There is a table: http://technet.microsoft.com/en-us/library/dn848318.aspxBeside that i build a machine for pfSense, FreeSwitch (Debian) and Win8 and it was not easy to find
a motherboard with the right NICs that support i3, i5 and i7. I wish there would be a board with
3 NICs but the ones out there just support i3 or Xeons.Here is my build:
ASRock Rack Z97M WS
Core i5-4570S
8GB Crucial Ballistix Sport VLP
40GB Intel SSD 320
240GB Intel SSD 530
250Watt Delta Electronics DPS-250AB-53A from eBay for $10Power usage is around 19~21W surfing the web.
My Asus Dark Knight router was using 10W so i think for what this machine can to
in comparison to the Asus the 20W are ok.I'm still waiting for an answer from Intel on power consumption of PCIe NICs:
https://communities.intel.com/message/261778Oh and i run all that on the 2012R2 Hyper-V Core :)
-
did you disabled "Secure Boot"?
This is required for ubuntu, I think it will also be required for pfsense.Yes, the error is the same… no boot device found. I get the impression that FreeBSD does support GEN2 but the pfSense installation ISO does not have the required UEFI boot files. If this is the case, it should probably be updated to allow for UEFI installations this day in age. I have not tried a UEFI install outside of virtual machine though.
-
My experience after 6 month Pfsense 2.2 on my HyperV-Homeserver under Windows 8.1 (6 clients with Windows and 3 Androids):
It works flawless.
Every reboot because of Windows updates starts Pfsense regular. Every update of Pfsense (every 2 weeks) works as it should.
I only had to restart my Fritzbox LTE three times because it was getting slow, but Pfsense switched reliable to the DSL WAN.
On my Homeserver I feel no difference in speed with or without Pfsense (HyperV shows 0% CPU). -
My experience after 6 month Pfsense 2.2 on my HyperV-Homeserver under Windows 8.1 (6 clients with Windows and 3 Androids):
It works flawless.
Every reboot because of Windows updates starts Pfsense regular. Every update of Pfsense (every 2 weeks) works as it should.
I only had to restart my Fritzbox LTE three times because it was getting slow, but Pfsense switched reliable to the DSL WAN.
On my Homeserver I feel no difference in speed with or without Pfsense (HyperV shows 0% CPU).I agree, it is working flawlessly for me on Hyper-V Windows 2012 R2 for me, I just wish the install would support Gen2 VM but it doesn't seem to matter much. It also doesn't report the status of the virtual NICs properly and in Hyper-V Manager they show as degraded but this is probably a FreeBSD thing. It's nice that I was finally able to retire a much slower Atom based box I had dedicated to routing to my server running on an i5-4590.
I was planning on having to move my dual NIC card to the server but as it turns out pfSense works fine sharing the LAN Virtual Switch with everybody else and I only have the second integrated NIC assigned solely to the pfSense machine with no host access. I did just move off of the pfSense DHCP to the Windows Server DHCP because I plan on one day playing around with the idea of running a domain instead of the workgroup… then I can rule over the family's internet access with godlike power.
-
Has anybody else noticed a pretty high system interrupts amount running pfSense on hyper-v?
Even just doing large file copy over the LAN (110MB/s) causes the server to use up about 10% of CPU time just on system interrupts as reported by Windows Server 2012 R2 task manager. Is there something I'm doing wrong with NIC/Virtual Switch setup? All of the offload features are enabled on the LAN NIC, VMQ is enabled. LAN NIC is even an Intel NIC. Seems a bit much to me… on a client with a similar intel NIC copying a large file from the file server to the client results in a less than 1% CPU time for interrupts.
-
Has anybody else noticed a pretty high system interrupts amount running pfSense on hyper-v?
Even just doing large file copy over the LAN (110MB/s) causes the server to use up about 10% of CPU time just on system interrupts as reported by Windows Server 2012 R2 task manager. Is there something I'm doing wrong with NIC/Virtual Switch setup? All of the offload features are enabled on the LAN NIC, VMQ is enabled. LAN NIC is even an Intel NIC. Seems a bit much to me… on a client with a similar intel NIC copying a large file from the file server to the client results in a less than 1% CPU time for interrupts.
I use my HyperV-Win8.1-Homeserver with a cheap dual Realtek-Nic, which is only connected with the Pfsense-Client for the DSL and LTE Wans and not connected to Windows (which uses only the local Intel nic).
The Homeserver is also doing the DVB-S Satellite connection with a dual link dvb-s-nic and recording and streaming it in my homenet with the software dvbviewer. Copying large video files produces nearly no CPU time.
The board I use is a Asrock Z87pro3 . -
@P3R:
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor…
This statement is a contradiction.
AFAIK the definition of a type 1 hypervisor is that it is the OS and runs on bare metal without any host OS. Therefore a type 1 hypervisor doesn't run ON Server 2012r2, Win 8.1 or any other host OS.
All I`m gonna say to this statement is a big fat LOL.
ESXi uses vmkernel for it`s OS. ESXi vmkernel IS NOT LINUX BASED.
http://www.v-front.de/2013/08/a-myth-busted-and-faq-esxi-is-not-based.html
