Netgate Discussion Forum

    [Real world case, Sharing] Seems it's ok to run pfSense on VMware Workstation

    Virtualization
      PFbest

      Just want to share some points here regarding running pfSense within VMware Workstation.

      The pfSense + VMware Workstation combination has been running for 2 or 3 years.

      The OS is Windows Server 2012 R2.

      The Server has 1 built-in 1Gbps NIC (not used with pfSense), I put 2 extra USB 3.0 1Gbps NICs for pfSense to use.

      At the very first, I was using VMware Workstation 10 + pfSense, then Workstation 11, now 12. (pfSense is always up to date)

      It seems it's quite stable.

      Currently my home network flow looks like this: ISP <--> ADSL <--> USB NIC <--> pfSense (used for login to ADSL, and Firewall) <--> another USB NIC <--> Switch <--> original wireless router currently used as Wireless Access Point

      To me, it seems it's fine to run pfSense with VMware Workstation, no big problems.

      Hope this post can give some ideas to those who want to go with the same solution.

      Also please tell me if there are any disadvantages or potential security issues, as I'm not a pro.

      Thanks :)

        chris4916

        To me, such a design should be adopted only when there is definitely no other choice.
        The main reason is that pfSense acts as a key component in terms of security and, because of this and because one very important part of the security aspect is stability and robustness, I don't see any reason why one would put in this extra layer (VM) that brings obvious weakness as far as the above criteria are concerned.

        If you compare benefits vs. risks, what are the main benefits of having pfSense running on a VM?

        • power consumption?
        • backup easiness?
        • high availability?

        My motto here is to say:

        • to make it robust and safe, make it as simple as possible with as few human operations as possible

        If I had, for whatever reason, to go for a VM, I would at least ensure that I have 2 different hosts in order to support high availability (using CARP or not), because the risk that you break or stop your VM is much higher in your design than the risk with standalone pfSense.

        IMHO only, of course ;)

        Jah Olela Wembo: Words turn into woes when they upset, attack or wound.

          PFbest

          @chris4916:

          To me, such a design should be adopted only when there is definitely no other choice.
          The main reason is that pfSense acts as a key component in terms of security and, because of this and because one very important part of the security aspect is stability and robustness, I don't see any reason why one would put in this extra layer (VM) that brings obvious weakness as far as the above criteria are concerned.

          If you compare benefits vs. risks, what are the main benefits of having pfSense running on a VM?

          • power consumption?
          • backup easiness?
          • high availability?

          My motto here is to say:

          • to make it robust and safe, make it as simple as possible with as few human operations as possible

          If I had, for whatever reason, to go for a VM, I would at least ensure that I have 2 different hosts in order to support high availability (using CARP or not), because the risk that you break or stop your VM is much higher in your design than the risk with standalone pfSense.

          IMHO only, of course ;)

          Thanks for sharing your ideas!

          I totally agree with your points, without any doubt.

          Yep, it is much better to install it on bare metal instead of adding a middleware there, from a security and stability perspective, even a CPU resource perspective (a VM can split CPU resources, but it also has some footprint itself).

          The reason I'm doing it this way is that the Windows Server is doing other stuff at the same time, but that won't consume 100% of CPU resources, so I guess I can put pfSense just on top of that, to utilize some of the CPU resources, and give me more control over the gateway (consumer routers won't have that much control; I began to like pfSense as soon as I tried it in a VM the first time).

          Also yes, since I go for a VM for the previous reason, it also makes backup/upgrading of pfSense easier; I don't need to worry about breaking pfSense when I'm exploring it or upgrading it.

          For high availability, that's definitely what I want to have and want to explore as well, but currently that's like a luxury to me :) Don't have enough machines to play with haha, actually currently the Windows Server is running on top of a laptop, which generally uses less power than desktops (not compared to the ATOM platform)

          During the 2 or 3 years it has been running, there was one time the VM just turned off, don't know what went wrong, and as you'd guess, the internet went down. But most of the time, this combination is quite stable I'd say.

          If I have those resources/equipment, I will definitely go with the luxurious plan, a dedicated physical machine for robustness and CARP for high availability etc. ;)

            adamsuail

            @PFbest:

            Just want to share some points here regarding running pfSense within VMware Workstation.

            I think this is the ultimate solution for home users like me. I started using it two weeks ago on a similar setup and I have no plans to dedicate a PC for a router/firewall even if it's so handy like pfSense.
            My HTPC is already running 24/7 because I have FreeNAS mapped to two physical WD Red hard drives for backup/Plex/Torrent.

            The HTPC is very old but it's sporting an i7 920 with 18GB RAM. I have dedicated 10GB RAM to FreeNAS and only 1GB to the pfSense firewall. It seems like it's very stable no matter what I did to abuse it, and the performance is far better than my costly Asus AC66U router.

            The new setup is ISP fiber box >> HTPC Win8.1 WAN NIC >> pfSense on VMware Workstation 12 >> HTPC LAN NIC >> Asus AC66U router now acting as access point.

            So all my machines are connected over WiFi or the router's Gigabit switchports and getting the IP address from the pfSense VM… I can't be happier, as the router has a 600MHz single-core processor with 256 MB RAM and my pfSense VM is rocking an i7 2.6GHz quad core with 1GB RAM, plus I now have squid3 in transparent mode caching to a RAMDISK, not to mention the ad blocker and all the other PXE goodies that come with pfSense... just started exploring ;D

              PFbest

              @adamsuail:

              @PFbest:

              Just want to share some points here regarding running pfSense within VMware Workstation.

              I think this is the ultimate solution for home users like me. I started using it two weeks ago on a similar setup and I have no plans to dedicate a PC for a router/firewall even if it's so handy like pfSense.
              My HTPC is already running 24/7 because I have FreeNAS mapped to two physical WD Red hard drives for backup/Plex/Torrent.

              The HTPC is very old but it's sporting an i7 920 with 18GB RAM. I have dedicated 10GB RAM to FreeNAS and only 1GB to the pfSense firewall. It seems like it's very stable no matter what I did to abuse it, and the performance is far better than my costly Asus AC66U router.

              The new setup is ISP fiber box >> HTPC Win8.1 WAN NIC >> pfSense on VMware Workstation 12 >> HTPC LAN NIC >> Asus AC66U router now acting as access point.

              So all my machines are connected over WiFi or the router's Gigabit switchports and getting the IP address from the pfSense VM… I can't be happier, as the router has a 600MHz single-core processor with 256 MB RAM and my pfSense VM is rocking an i7 2.6GHz quad core with 1GB RAM, plus I now have squid3 in transparent mode caching to a RAMDISK, not to mention the ad blocker and all the other PXE goodies that come with pfSense... just started exploring ;D

              Nice to see that I'm not the only one doing this haha.

              Your solution looks great to me ;D

              Just thinking, since you are exploring and adding more packages, I would suggest you give pfSense a bit more RAM ;) especially for squid, a bit more RAM, the better the performance generally. Also if you are thinking of making use of Snort in pfSense, add much more RAM for that. It is RAM hungry. But for home use, an i7 is definitely more than enough I think ;)

                johnpoz LAYER 8 Global Moderator

                I have been running pfSense on a VM for quite some time. As a home/lab solution it really does rock. If you want to use a type 2 hypervisor, OK, but it's better with 1 if you ask me. Take your box and use your fav hypervisor, be it Hyper-V, ESXi, Xen, whatever.

                Advantages I see: the biggest one is the ability to take snapshots for when you want to play with a package or update or run snapshot versions. Also, since my router is in a VM, I can switch that out with another VM whenever I want to, really easily. No wires to move, my public IP doesn't even change since I just use the same MAC on the new VM. Shut down the old VM, boot the new VM, and there you go, playing with a new router distro, be it a beta snapshot of pfSense latest and greatest or some distro.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  PFbest

                  @johnpoz:

                  I have been running pfSense on a VM for quite some time. As a home/lab solution it really does rock. If you want to use a type 2 hypervisor, OK, but it's better with 1 if you ask me. Take your box and use your fav hypervisor, be it Hyper-V, ESXi, Xen, whatever.

                  Advantages I see: the biggest one is the ability to take snapshots for when you want to play with a package or update or run snapshot versions. Also, since my router is in a VM, I can switch that out with another VM whenever I want to, really easily. No wires to move, my public IP doesn't even change since I just use the same MAC on the new VM. Shut down the old VM, boot the new VM, and there you go, playing with a new router distro, be it a beta snapshot of pfSense latest and greatest or some distro.

                  These are definitely nice advantages :D
                  The only problem that stops me from using ESXi instead of VM Workstation is that I won't be able to control/use the laptop directly, since with ESXi the screen will only display the configuration interface :-\

                  But type 1 would be better for a firewall, I agree with that, especially from a performance perspective I guess.

                    tax4p

                    @PFbest:

                    @johnpoz:

                    I have been running pfSense on a VM for quite some time. As a home/lab solution it really does rock. If you want to use a type 2 hypervisor, OK, but it's better with 1 if you ask me. Take your box and use your fav hypervisor, be it Hyper-V, ESXi, Xen, whatever.

                    Advantages I see: the biggest one is the ability to take snapshots for when you want to play with a package or update or run snapshot versions. Also, since my router is in a VM, I can switch that out with another VM whenever I want to, really easily. No wires to move, my public IP doesn't even change since I just use the same MAC on the new VM. Shut down the old VM, boot the new VM, and there you go, playing with a new router distro, be it a beta snapshot of pfSense latest and greatest or some distro.

                    These are definitely nice advantages :D
                    The only problem that stops me from using ESXi instead of VM Workstation is that I won't be able to control/use the laptop directly, since with ESXi the screen will only display the configuration interface :-\

                    But type 1 would be better for a firewall, I agree with that, especially from a performance perspective I guess.

                    Well, in ESXi (and Xen, and KVM…) you can use a GPU in passthrough mode (and a USB port at least, for keyboard & mouse), and use a virtual machine as your main workstation. That's what I do (and many other people). From that same virtual machine you can control all VMware tools & apps.

                    Apart from that, I was wondering about running pfSense in VirtualBox, is that possible? If it runs OK in VMware Workstation, there's no reason why not in VirtualBox.

                    One question: which USB3/gigabit Ethernet adapters are you using?

                      KOM

                      is that possible?

                      Yes.  Lots of people run pfSense inside VirtualBox.

                        PFbest

                        @tax4p:

                        Well, in ESXi (and Xen, and KVM…) you can use a GPU in passthrough mode (and a USB port at least, for keyboard & mouse), and use a virtual machine as your main workstation. That's what I do (and many other people). From that same virtual machine you can control all VMware tools & apps.

                        Apart from that, I was wondering about running pfSense in VirtualBox, is that possible? If it runs OK in VMware Workstation, there's no reason why not in VirtualBox.

                        One question: which USB3/gigabit Ethernet adapters are you using?

                        Thanks for sharing! That's cool!
                        Do you have any tutorial/guide links? It's the first time I've heard of it :) The power of sharing haha :D
                        Yes, as KOM said, it is possible; I've also run pfSense in VirtualBox before, and it was working fine.

                        Edit: Sorry, forgot to say which USB adapter. It's UGreen, the chip is ASIX AX88179 USB 3.0 Gigabit Ethernet Adapter.

                          adamsuail

                          @tax4p:

                          Well, in ESXi (and Xen, and KVM…) you can use a GPU in passthrough mode (and a USB port at least, for keyboard & mouse), and use a virtual machine as your main workstation. That's what I do (and many other people). From that same virtual machine you can control all VMware tools & apps.

                          Apart from that, I was wondering about running pfSense in VirtualBox, is that possible? If it runs OK in VMware Workstation, there's no reason why not in VirtualBox.

                          One question: which USB3/gigabit Ethernet adapters are you using?

                          Thanks for this tip… now I know I am very rusty.
                          I hope you or anyone can answer a few of my questions, pleaaaase:

                          1- Does the passthrough option require special processor support like VT-d?
                          2- Can I also pass through digital audio via the SPDIF port?
                          3- If the GPU is built into the processor, will that be a problem, or can I still use it in passthrough mode?
                          4- Where do you install the ESXi hypervisor, on a USB or directly to the SSD where the other VMs reside? Got the answer to this: I installed ESXi 6 on a VM and I can see that it allows me to add the same SSD as storage to install my other VMs.
                          I tried ESXi 5 when my rig was new and I ran into compatibility issues with my Realtek 8168 NIC card; it did not detect it easily. I hope I will have better luck with ESXi 6.

                            PFbest

                            @adamsuail:

                            @tax4p:

                            Well, in ESXi (and Xen, and KVM…) you can use a GPU in passthrough mode (and a USB port at least, for keyboard & mouse), and use a virtual machine as your main workstation. That's what I do (and many other people). From that same virtual machine you can control all VMware tools & apps.

                            Apart from that, I was wondering about running pfSense in VirtualBox, is that possible? If it runs OK in VMware Workstation, there's no reason why not in VirtualBox.

                            One question: which USB3/gigabit Ethernet adapters are you using?

                            Thanks for this tip… now I know I am very rusty.
                            I hope you or anyone can answer a few of my questions, pleaaaase:

                            1- Does the passthrough option require special processor support like VT-d?
                            2- Can I also pass through digital audio via the SPDIF port?
                            3- If the GPU is built into the processor, will that be a problem, or can I still use it in passthrough mode?
                            4- Where do you install the ESXi hypervisor, on a USB or directly to the SSD where the other VMs reside? Got the answer to this: I installed ESXi 6 on a VM and I can see that it allows me to add the same SSD as storage to install my other VMs.
                            I tried ESXi 5 when my rig was new and I ran into compatibility issues with my Realtek 8168 NIC card; it did not detect it easily. I hope I will have better luck with ESXi 6.

                            Nice questions, I would like to know the answer for that as well :)

                              adamsuail

                              @PFbest:

                              Nice questions, I would like to know the answer for that as well :)

                              Unfortunately, the advanced configuration options are not supported if you install the hypervisor on VMware Workstation 12; I have to do a bare-metal installation on compatible hardware, which I don't have ATM.
                              I still have a few months to research it until I upgrade to a Skylake setup.

                              Initial thoughts:
                              The hypervisor consumes about 1.3 GB RAM and it will hold my HTPC, FreeNAS and pfSense as VMs, which makes me wonder if the performance and manageability boost is really worth it.
                              Looks like my setup requires 32GB of RAM!!

                                PFbest

                                @adamsuail:

                                @PFbest:

                                Nice questions, I would like to know the answer for that as well :)

                                Unfortunately, the advanced configuration options are not supported if you install the hypervisor on VMware Workstation 12; I have to do a bare-metal installation on compatible hardware, which I don't have ATM.
                                I still have a few months to research it until I upgrade to a Skylake setup.

                                Initial thoughts:
                                The hypervisor consumes about 1.3 GB RAM and it will hold my HTPC, FreeNAS and pfSense as VMs, which makes me wonder if the performance and manageability boost is really worth it.
                                Looks like my setup requires 32GB of RAM!!

                                Yeah, I know. I was just thinking that if I can use the machine directly with a hypervisor installed, then I might give it a try.

                                A hypervisor like ESXi itself will only require several hundred MB of RAM, if I remember right :)

                                  adamsuail

                                  This looks very promising. When I get my new rig, I will try this first, then ESXi, and my last option is the same Windows 10 host with guest VMs.

                                  https://youtu.be/LuJYMCbIbPk

                                    PFbest

                                    @adamsuail:

                                    This looks very promising. When I get my new rig, I will try this first, then ESXi, and my last option is the same Windows 10 host with guest VMs.

                                    https://youtu.be/LuJYMCbIbPk

                                    Ummm, looks interesting, that's something new to me :)

                                    Thanks! ;D

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.