Why is pfsense in VMware supposedly such a bad idea?



  • Hey,

    I already have a powerful 24/7 server running bittorrent and other servers, and I'd like to get some traffic shaping to control it. I found pfSense for this purpose. Now I'd like to install pfSense on a virtual machine on this WinXP server and then add an extra (third) NIC to it so that I have:

    • one for pfSense WAN (connected straight to my ADSL router)
    • one for pfSense LAN (connected to a switch for my network to access it)
    • one for the host WinXP OS that is connected to the switch.

    That way, even the bittorrent traffic on the server machine would get traffic shaped by pfSense.

    Now, the thing is… I hear all over the place that this kind of setup is a bad idea, but I don't understand why! Apart from some problems with network speed when not using the right drivers, I can't find any concrete problems with the little research I did on the forums. Security would of course be an issue if you only used 2 adapters and bridged them, but not if you use 3 so that nothing reaches the host OS before going through pfSense anyway. Besides, I'm only really interested in the traffic shaping, not the security for the most part. It's just a regular home network after all.

    The whole setup would only require an investment of $20 for a cheap extra NIC, but before I give it a try I want to ask if anyone can clarify for me exactly why this would be a bad idea. Perhaps I've just misunderstood the other posts I've been reading, where the situation isn't exactly like mine... I hope someone can enlighten me. It's not like I will miss $20, but it would be a shame to waste hours of work on setting it up if there is some reason I don't know about that it just won't work...

    -Stigma



  • This has been discussed in a number of threads - search and you'll get more.

    The short answer is - if there are security vulnerabilities in VMWare or the drivers VMWare is using then it could be possible to bypass pfSense completely.  If you don't care about that (and it sounds like you don't) then there's nothing wrong with using VMWare that way.



  • Ah, right I see. This is basically what I thought also.

    Well, since I am behind a NAT and thus have basic security covered anyway (I never felt a need for more firewall security anyway, I just need the traffic shaping), doing it this way at least won't reduce my security from what it already is.

    I can fully appreciate that it is not a good idea if you're gonna use this for a business or other application where security is a top priority, but for my own home network that really isn't a big issue.

    Thanks for clearing this up for me :)

    -Stigma



  • pfSense in VMware is absolutely unsuitable for simple traffic shaping, by the way. The VMware optimized drivers are broken in that they don't support ALTQ, which pfSense uses for shaping. So you'd have to use an emulated driver, which is much slower and clunkier, and basically ends up defeating the purpose anyway.

    I got tired of the lack of pfSense support on these forums, and the broken state of the FreeBSD community, so I'm currently playing around with DD-WRT in VMware. So far I'm quite impressed, it runs very smoothly with a 24 MB hard disk image and 32 MB virtual RAM, as opposed to 2 GB HDD and 192 MB RAM for pfSense to "just run". It also has traffic shaping as well as a plethora of other features. Might be worth trying out ;)



  • Falcon4 - while you're entitled to your opinion, you might want to try to avoid coming across like a troll ;)

    FreeBSD has a massively smaller developer base than Linux, and companies like VMWare put less effort into supporting it.  As with any open source project, only the things the developers care about have work put into it.  With few developers the rate of change can't be the same as with Linux.  The support it gets from commercial vendors tends to be focused on the server space (Intel, 3Ware and others produce and support drivers for their products).

    That said, if you enable the e1000 network driver instead of the default, then you can use the em driver for FreeBSD, which is supported by ALTQ.
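The e1000 advice above boils down to one setting per virtual NIC in the guest's .vmx file. The following is an added example, not posted by anyone in this thread and not pfSense or VMware code: a small POSIX sh linter that reads a .vmx, reports every `ethernetN` adapter whose `virtualDev` is not `e1000` (or is unset, so VMware picks its default adapter), and can rewrite the file so all three NICs of the WAN/LAN/host layout use e1000, which FreeBSD drives with em(4). The sample .vmx fragment is constructed for the demo; the key names `ethernetN.present` and `ethernetN.virtualDev` are the real .vmx keys, but the file path and adapter count are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lint a VMware .vmx so that every NIC
# is e1000, the adapter the reply above says gives an ALTQ-capable em(4)
# interface in the pfSense guest. Constructed sample; values are illustrative.

write_sample_vmx() {
    # Constructed three-NIC layout: WAN ok, LAN on vmxnet, host NIC left on default
    cat > "$1" <<'EOF'
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet"
ethernet1.connectionType = "bridged"
ethernet2.present = "TRUE"
ethernet2.connectionType = "bridged"
EOF
}

# Print "ethernetN <virtualDev|default>" for every adapter marked present.
# A missing virtualDev key means VMware's default adapter, reported as "default".
list_nics() {
    vmx="$1"
    grep -iE '^ethernet[0-9]+\.present *= *"TRUE"' "$vmx" |
    sed -E 's/^(ethernet[0-9]+)\..*/\1/' |
    while read -r nic; do
        dev=$(grep -E "^${nic}\.virtualDev *= *\"" "$vmx" |
              sed -E 's/.*= *"([^"]*)".*/\1/' || true)
        printf '%s %s\n' "$nic" "${dev:-default}"
    done
}

# Return 0 if every present NIC is e1000; otherwise list the offenders and return 1.
check_altq_nics() {
    vmx="$1"
    bad=$(list_nics "$vmx" | awk '$2 != "e1000"')
    if [ -n "$bad" ]; then
        echo "NICs not set to e1000 (no em(4), so no ALTQ shaping on them):"
        echo "$bad"
        return 1
    fi
    echo "all NICs are e1000"
    return 0
}

# Write a copy of the .vmx with virtualDev = "e1000" on every present NIC,
# replacing other values and appending the key where it was missing.
fix_vmx() {
    in="$1"; out="$2"
    sed -E 's/^(ethernet[0-9]+\.virtualDev *= *)"[^"]*"/\1"e1000"/' "$in" > "$out"
    missing=$(list_nics "$out" | awk '$2 == "default" {print $1}')
    for nic in $missing; do
        printf '%s.virtualDev = "e1000"\n' "$nic" >> "$out"
    done
}

# Usage: sh vmx-altq-check.sh /path/to/pfsense.vmx
# With no argument, lint the constructed sample (which intentionally has offenders).
if [ "$#" -gt 0 ]; then
    check_altq_nics "$1"
else
    sample=$(mktemp)
    write_sample_vmx "$sample"
    check_altq_nics "$sample" || true
    rm -f "$sample"
fi
```

Run the check against the guest's .vmx while the VM is powered off, then `fix_vmx old.vmx new.vmx` and swap the files in; after boot, the pfSense interfaces should show up as em0, em1 and em2 rather than the names of the vmxnet or default adapter drivers.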

