Netgate Discussion Forum

    Virtualized pfSense on QNAP NAS

      Guest

      Anyone have any thoughts on this because from what I've read, this seems like a good fit for my storage needs etc.

      Normally you will only run a firewall in a VM if you are not able to realize it with any other hardware,
      or if the company and the number of employees are growing really fast, so that you are able to give it
      more CPU cores and RAM each month or half year to keep it running flawlessly, smoothly and fluidly without
      any kind of problems, or if you want to be able to offer an HA setup like 2 VMs working as a cluster. But then
      often or mostly the device holding the VMs is made or taken only for this purpose, to hold the firewall(s), and
      is not a NAS inside the LAN but rather, as rightly reported before, at the edge or border of your network.

      And there is then often nothing else on this device, only the one or both VMs holding the firewall(s).
      Also for a home setup I would much rather take a dedicated hardware device for the firewall.

        whosmatt

        @Jailer:

        Bad idea. You want a firewall at the edge of your connection, not running in a VM on your LAN.

        Not at all. We run pfsense in production in VMs all the time. There are two ways to segregate it from your LAN. One is to use VLANs and virtual networking, the other is to dedicate NICs to the pfsense instance(s). Nothing wrong or inappropriate about that.

          nappy_d

          Thanks everyone. Looks like it's pretty much 50/50 on which way to go.  I'll definitely give it a go and let you all know how it works out.

            murzik

            Did you ever get it working?

              jahonix

              QNAP now supports pfSense officially
              https://www.netgate.com/blog/qnap-to-add-pfsense-to-its-products.html

                killpilot

                hi all,

                that is good news… and if there is an expert here... I have a question...
                I have an ISP connection at 1Gb/s (optical fiber)
                I have a QNAP TVS-663 (AMD 64Bit quad core 2,4Ghz) - 2 gigabit NICs (aggregated with Trunk 4 VLAN)
                I installed into the VM one pfsense with 2 cores, 4 gigabit VNICs, 512Mo of RAM.
                I use Virtualization Station to tag my VLANs (my switch supports 802.1q)

                when I generate high traffic... my pfsense's CPU goes up to 100% and my bandwidth does not exceed 130Mb/s ... when I connect my laptop directly to my ISP modem (on the WAN side) my bandwidth is 600-700mb/s ....

                I think the default config of pfsense is not correct for this usage (QNAP virtualisation). Would someone have an idea of tuning/customization for this issue?

                thanks, and have a good day.

                  Guest

                  You are probably emulating a whole bunch of things in software. First, stop using VLANs for now, and don't do any special networking on the QNAP side. Also see if AES-NI works and if you have checksum offloading disabled. Also check if you are using PPPoE.

                    killpilot

                    @johnkeates:

                    You are probably emulating a whole bunch of things in software. First, stop using VLANs for now, and don't do any special networking on the QNAP side. Also see if AES-NI works and if you have checksum offloading disabled. Also check if you are using PPPoE.

                    thanks for your answer…

                    first, for AES-NI ... the crypto hardware is set to none.... but I do not use VPN for the moment... why can this feature help me with my issue... normally for normal traffic (routing and firewalling) it is not used? right?

                    for the VLAN config.... I am not sure I can set my virtual NIC to passthrough (so that my pfsense manages the VLANs instead of the QNAP).... in my NAS I have only 2 NICs... if I do not use VLANs.... it is difficult for me... my network topology does not allow me to do that (it is not for work, it is my home installation :P )... but for example, when my PC uses the iSCSI LUN on my NAS, my network uses my NAS physical NIC with VLAN ID, and my bandwidth is good (90Mo/s), so I suppose the issue is not the networking on the QNAP side...

                    and for the last point.. my ISP gave me an internet box (a router). My fiber is connected to the little box (converts optical to RJ45), this little box is connected to the WAN port of my ISP box, and my pfsense is connected to the LAN port of my ISP box (I set the DMZ to the IP address of pfsense (all requests on all TCP/UDP ports are automatically sent to pfsense)). Therefore I do not use PPPoE.

                    for example, currently my NAS is downloading many files from Amazon Drive...

                    last pid: 14113;  load averages:  9.83,  8.31,  8.00  up 2+00:08:27    21:30:30
                    134 processes: 7 running, 112 sleeping, 15 waiting

                    Mem: 12M Active, 129M Inact, 94M Wired, 67M Buf, 229M Free
                    Swap: 1024M Total, 1024M Free

                    PID USERNAME PRI NICE  SIZE    RES STATE  C  TIME    WCPU COMMAND
                        0 root    -92    -    0K  256K CPU0    0 441:25 100.00% [kernel{em0 taskq}]
                        0 root    -92    -    0K  256K -      1 300:08  71.39% [kernel{em1 taskq}]
                      12 root    -92    -    0K  256K RUN    1  90:49  17.38% [intr{irq11: em0 em1++}]
                    20828 root      38    0  247M 40468K piperd  1  0:39  9.77% php-fpm: pool nginx (php-fpm)
                      12 root    -60    -    0K  256K WAIT    1  8:17  0.20% [intr{swi4: clock}]
                    14056 root      20    0 16676K  2284K bpf    0  5:24  0.10% /usr/local/sbin/filterlog -i pflog0 -p /va
                      11 root    155 ki31    0K    32K RUN    1  35.2H  0.00% [idle{idle: cpu1}]
                      11 root    155 ki31    0K    32K RUN    0  34.4H  0.00% [idle{idle: cpu0}]
                        0 root    -92    -    0K  256K RUN    1  9:23  0.00% [kernel{dummynet}]
                    36938 root      20    0 21632K  6080K select  1  7:48  0.00% /usr/local/sbin/openvpn --config /var/etc/
                    21384 root      47    0  255M 52412K accept  1  5:28  0.00% php-fpm: pool nginx (php-fpm)
                    93326 root      52    0  255M 50572K accept  0  4:40  0.00% php-fpm: pool nginx (php-fpm)
                    55210 root      20    0 14512K  2312K vmpfw  0  1:53  0.00% /usr/sbin/syslogd -s -c -c -l /var/dhcpd/v
                      12 root    -72    -    0K  256K WAIT    1  1:38  0.00% [intr{swi1: netisr 1}]
                        4 root    -16    -    0K    32K -      1  1:27  0.00% [cam{doneq0}]
                        0 root    -92    -    0K  256K -      1  1:14  0.00% [kernel{em2 taskq}]
                      12 root    -88    -    0K  256K WAIT    1  0:55  0.00% [intr{irq14: ata0}]
                        0 root    -16    -    0K  256K swapin  1  0:41  0.00% [kernel{swapper}]

                    on my NAS the used bandwidth is 13Mo/s.

                    in my Virtualization Station, the CPU usage shows 46% … (in the pfsense the CPU is 100% ... )

                    PS: sorry for my English... it is difficult for me to explain my issue correctly.


                      Guest

                      Alright, it looks like the biggest problem is the fake intel emulated card:

                      0 root    -92    -    0K  256K CPU0    0 441:25 100.00% [kernel{em0 taskq}]

                      For starters, give the VM more memory, like, 2GB. Then, see if you can use a virtio/virtual network card instead of emulated Intel.

                        killpilot

                        Wow.. I hope this solves my issue,

                        Fine, tonight I will stop my VM, add the new interfaces with device type virtIO and force the same MAC address as the old NIC..

                        If everything works fine, my pfsense will assign the new interface to the right VLAN (MAC is the same), right?

                          Guest

                          @killpilot:

                          Wow.. I hope this solves my issue,

                          Fine, tonight I will stop my VM, add the new interfaces with device type virtIO and force the same MAC address as the old NIC..

                          If everything works fine, my pfsense will assign the new interface to the right VLAN (MAC is the same), right?

                          yes

                            killpilot

                            fine…

                            there are two pieces of news, one good, one bad :P

                            the good is, the CPU consumption is now normal.... when I launch a transfer the CPU goes up to 3 or 5% ....
                            the bad is, the bandwidth is worse than before..... (my ISP connection is up 250Mbps / down 1Gbps, the bandwidth test is down 15Mbps / up 1Mbps) .....

                            any ideas?


                              Guest

                              @killpilot:

                              fine…

                              there are two pieces of news, one good, one bad :P

                              the good is, the CPU consumption is now normal.... when I launch a transfer the CPU goes up to 3 or 5% ....
                              the bad is, the bandwidth is worse than before..... (my ISP connection is up 250Mbps / down 1Gbps, the bandwidth test is down 15Mbps / up 1Mbps) .....

                              any ideas?

                              That is because of this: https://forum.pfsense.org/index.php?topic=88467.0

                              Disable checksums! On both sides (host and vm)

                                killpilot

                                OK, I'll check this tonight, have a good day

                                  killpilot

                                  hi….

                                  good news, the network speed is good :D

                                  I installed pfsense from scratch with 2.3.5 (I don't know if Virtualization Station supports FreeBSD 11), I restored my conf, reassigned the interfaces, rebooted, disabled checksum offloading, rebooted, and after that... everything works fine, except the OpenVPN layer... the daemon doesn't start....

                                    killpilot

                                    so….

                                    after troubleshooting, the issue was the loss of the auth digest algo config and encryption algo.. I redid it, reloaded the conf and everything works fine...

                                    thank you very much for your precious help and time :D

                                      Guest

                                      Excellent work! good to know that you can use virtio and disable checksum offloading without any extra hacking. Should keep the CPU usage low, but the performance high.

                                        pmk3 @killpilot

                                        @killpilot , as I'm sure you know, Netgate just released pfSense as a Virtualization Station app for QNAP devices. I know your TVS-663 supports VS. I'm just curious if you have tried running this app, and if so, any issues? Also, if you don't mind me asking, are you running pfSense with any of the security packages (like Snort, pfBlocker, OpenVPN, LightSquid)? If so, are you able to maintain bandwidth with all of these running?

                                        I ask because I am in need of a new firewall/UTM (to replace an ageing Zyxel device) as well as a new NAS. So I'm thinking of buying a supported QNAP device and running pfSense (kill two birds with one stone). My main concern, aside from stability (which seems good from what I've read) is not throttling my bandwidth when running pfSense with the various packages. Any thoughts on this?

                                        Hopefully you're still following this thread.☺ Thanks!

                                          killpilot @pmk3

                                          @pmk3

                                          hi, I am so sorry for the long wait....
                                          so.... finally I moved the pfsense from the NAS to dedicated hardware. after this topic, I had an issue with the bandwidth performance.

                                          I have a Gigabit Fiber connection, and with my TVS-663 and CPU at 100%, I can exceed 250mbps. and when I installed ntopng, the performance was worse.......

                                          finally I moved the pfsense onto a mini PC with i5 and AES-NI support.

                                          I think that the QNAP solution is not yet mature enough to be effective

                                            pmk3 @killpilot

                                            @killpilot, thanks for the follow-up. After giving it a lot of thought, I also decided against virtualizing pfSense. I decided it would be better to run something this critical on dedicated hardware. I ended up going with a different solution (Fortigate) as I wanted something pretty robust with good support. So far it's working well.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.