Installing pfSense on same VM box as other "mission critical" servers?
-
So I've got a VM box (Intel Xeon E3-1245 3.4GHz, SuperMicro X9SCM-F-O, 24GB ECC RAM, 500GB SSD for VMs, 4 Intel NICs, etc.) that is running 2 VMs right now (Plex + Subsonic on 1, Win 7 Pro Torrent machine on the other). I want to replace my home router with either a pfSense box or Sophos UTM (since I use this at work). Since I started looking into it I've mostly been looking at a hardware solution so as to keep it separate from my VM box. However, in the interest of saving money I want to know what the viability is for me to run my firewall/router solution on the same VM box that I have running Plex.
My #1 priority with regard to running pfSense or UTM is for a 75Mbps site-to-site VPN (I do offsite backups to my second home) and intrusion protection. I'd also like to put a cap on the connection speed of those who remotely connect to my Plex server for video streaming.
So I guess my first question is, do I have the hardware necessary to achieve these goals?
Secondly, is it viable and/or recommended to run pfSense on the same VMware box as some "mission critical" servers are running? I put mission critical in quotes because obviously this isn't a production environment. It's just a home network but when that server goes down or is interrupted it's a headache for me.
-
I guess it is a philosophical one if you ask me so I will tell you my thoughts. While it is nice to have everything in one box I think about it from a maintenance point of view, if you have a hardware issue on your VM box then everything is down and people in your home might not like that. Remember too that when you are transcoding videos that takes a ton of cpu and you don't want that slowing down your vpn connections.
If you decide on the one box solution then you will more than likely need a switch that is capable of vlans as I don't see how this can be done without having a ton of NICs in your machine.
-
How would it be any different than using a dedicated pfSense box with 4 ethernet ports?
-
Me personally never saw the need for so many physical ports when you could just use vlans plus your switch. But I would say give it a shot and see how things go for you.
-
"Me personally never saw the need for so many physical ports"
Because when you go physical you have full bandwidth, every vlan on a nic is sharing the speed of that nic.
How fast you move a file between machine on vlan 1 to machine on vlan 2 when you have 1 physical nic with both vlans?
Hairpinning sucks!! When it comes to performance. Every vlan you put on a nic normally means another hairpin when vlans are talking to each other. Now if you're only talking to the internet from your vlans, and your internet is 100 and you have gig interface, then not a problem. But intervlan traffic is going to take a hit with more vlans on fewer physical.
I run pfsense on vm, N40L esxi 6, I don't have any problems streaming movies to my popcorn. I have multiple other vms running 24/7, my storage/nas box - this is what serves up video files to my popcorn hour.. It doesn't do any transcoding on the fly like plex does - it's just an SMB share. So this requires way less cpu overhead, etc.
If I were you fire it up - how does it perform, if it doesn't work then get hardware.. BTW I have 4 gig nics in mine as well, wan, lan, wlan, vmkern - I run 1 vlan on the wlan connection for the guest wireless connection.
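The hairpin point in the post above can be put into numbers. The following is an added illustration, not code from any poster, from pfSense or from ESXi: it models a virtual firewall whose VLAN interfaces ride on a physical NIC, and counts how many times each flow crosses that NIC. Traffic between two VLANs on the same NIC crosses it twice (in on the source tag, out on the destination tag), internet-bound traffic crosses it once before leaving on the WAN NIC, and traffic that stays inside one VLAN is switched locally and never reaches the firewall. The flow sizes, VLAN names and the 1 GbE line rate are constructed assumptions for the home setup discussed in the thread, not measurements.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    mbps: float      # offered load in Mbit/s (constructed figure)
    src_vlan: str    # VLAN the traffic comes from
    dst: str         # destination VLAN, or "internet" for WAN-bound traffic


def trunk_load(flows, nic_vlans):
    """Mbit/s that the given flows place on one physical NIC.

    nic_vlans is the set of VLANs tagged onto that NIC. A flow is counted
    once per crossing of the NIC: once when it enters from src_vlan (if that
    VLAN rides on this NIC) and again when the firewall sends it back out to
    dst (if dst is a VLAN on the same NIC). That second crossing is the
    hairpin. Internet-bound traffic leaves on the WAN NIC, so it is counted
    only once here. Traffic that stays inside one VLAN is switched locally
    and never reaches the firewall, so it adds nothing.
    """
    load = 0.0
    for f in flows:
        if f.dst == f.src_vlan:
            continue                      # intra-VLAN: never hits the firewall
        if f.src_vlan in nic_vlans:
            load += f.mbps                # inbound leg on this NIC
        if f.dst in nic_vlans:
            load += f.mbps                # hairpin: return leg on the same NIC
    return load


def utilisation(flows, nic_vlans, nic_mbps=1000.0):
    """Fraction of the NIC's line rate consumed (gigabit NIC by default)."""
    return trunk_load(flows, nic_vlans) / nic_mbps


# Constructed sample traffic: a file copy between two internal VLANs, the
# 75 Mbps site-to-site VPN from the first post, and a remote Plex stream.
FLOWS = [
    Flow("file copy LAN -> NAS", 400.0, "lan", "storage"),
    Flow("site-to-site VPN", 75.0, "lan", "internet"),
    Flow("Plex stream to remote viewer", 30.0, "lan", "internet"),
]

# Layout 1: both internal VLANs trunked over the one physical NIC.
ONE_NIC = {"lan", "storage"}
# Layout 2: each internal VLAN on its own physical NIC.
LAN_NIC = {"lan"}
STORAGE_NIC = {"storage"}

if __name__ == "__main__":
    layouts = [("single trunk", ONE_NIC), ("lan nic", LAN_NIC), ("storage nic", STORAGE_NIC)]
    for label, vlans in layouts:
        print(f"{label:13s} {trunk_load(FLOWS, vlans):6.0f} Mbit/s "
              f"{utilisation(FLOWS, vlans):.0%} of 1 GbE")
```

With these figures the single trunk carries 905 Mbit/s (the 400 Mbit/s copy counted twice plus 105 Mbit/s of WAN-bound traffic), while splitting the VLANs across two NICs leaves 505 Mbit/s on one and 400 Mbit/s on the other. The model deliberately ignores the firewall's CPU, which the earlier reply flags as the other shared resource once Plex starts transcoding on the same host.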
-
Thanks for the reply, helpful information for sure. What are the specs of your VM box? Most notably what CPU are you using?
-
It's a few years old, it's a HP Microserver N40L, it has AMD Turion II 1.5GHz dual core. I bumped it to 8GB of ram, using a SSD for datastore and added some nics. It runs really sweet, uses very little power, I have 5 disks in it not counting the SSD. I get 100MBps pulling files from the storage VM that I have raw mounted the other disks to.
-
Nice. I'm just hoping my Xeon X3 will perform well in conjunction with my Plex server. My site to site VPN should be the most taxing thing it has to handle.