Hyper-V or bare metal: performance, stability and security
-
Dear forum,
I want to use pfSense as a firewall, for load balancing (DSL + LTE), connecting distant LANs via VPN tunneling, allowing people to connect in via VPN, and split networks into a public WiFi and a shielded network part.
I am not sure yet which route to go. I can either extend an existing Hyper-V server by buying a 2-4 port NIC or buy a dedicated, small box, based on a Celeron with 4 ports. The Hyper-V hardware (CPU) is a lot faster.
I am wondering:
- Is this stable at all? I read some posts about issues, like connection loss, packet drop and the like.
- With the NICs, since I don't have access to the real ones from a VM (I guess), does that matter at all, or do I just need to be a little more careful who connects to whom, since I want all the other VMs and the host to be behind the firewall already?
- How secure is it? Do I get security holes only of pfSense, or of pfSense + Hyper-V, since some part of Hyper-V would be directly exposed to the WAN? Is that correct?
- Do I lose a lot of performance? The Hyper-V CPU should be ~4x faster than the CPU of the dedicated box, but I don't know how much I would lose.
- Failover. I would not buy redundant parts now but still would rely on the hardware working correctly. I think I can way easier replace NICs if broken, or the VM, since I would replicate it anyway. For the dedicated box that is not an option (I think).
The small box I am thinking about buying would be similar to the one mentioned here https://forum.pfsense.org/index.php?topic=114202.0 something like https://www.aliexpress.com/item/Topton-Fanless-Mini-PC-J1900-Quad-Core-4-Intel-WG82583-Gigabit-Lan-Firewall-Multi-function-Router/32723123803.html .
Thanks for any pointers!
-
I've been running it on a SuperMicro server with 2x CPUs at 2.26 GHz on an X8DA3 motherboard. It's been running like a champ for almost a year now.
But to go about answering your questions.
1) Is this stable at all? I read some posts about issues, like connection loss, packet drop and the like.
It's just as stable as running it on a stand-alone box. Connection losses, packet drops etc. are normally not due to running it in a VM. It is due to the equipment, and with pfSense the NICs are the most important part. Get good, compatible NICs and you won't have those problems.
2) With the NICs, since I don't have access to the real ones from a VM (I guess), does that matter at all, or do I just need to be a little more careful who connects to who, since I want all the other VMs and the host to be behind the firewall already.
I'm not quite sure what you mean by this question, but I'll take a shot at what I think you are asking. All the VM does is emulate a virtual adapter to a physical NIC. So in a sense you do have access to the physical NIC; it is just done via the emulated adapter. With my setup I have 4 VMs running on the same server: a mix between application servers, a game server, a web server/mail server and then finally my pfSense box. What I ended up doing was creating a general LAN for household PCs and devices (192.168.1.x), then used the OPT network in pfSense to make a 10.0.0.x subnet that I place all my servers on. Then I created rules to block traffic from OPT to my LAN for security reasons. To do this on a VM you don't even need a switch for the OPT network. If you have enough NICs you can just dedicate a port for OPT in traffic and OPT out traffic and actually piggyback those NICs together with a cable and then adjust the VMs' virtual adapters accordingly. It surprisingly works great and saves me from buying a dedicated switch that can handle VLANing.
3) How secure is it? Do I get security holes only of pfSense or of pfSense + Hyper-V, since some part of Hyper-V would be directly exposed to the WAN, is that correct?
This really depends on your setup. Will you be exposing the host server to the internet? (I personally wouldn't; I only expose my VMs on selected ports, but I can understand why some people would.) I don't believe Hyper-V has any real connections to the outside world other than adapters like I mentioned earlier. The biggest loophole would be if your host server was exposed to the internet and then hacked. As for adapters, you have the same issue you would with any server, VM or not. If the adapter is open to the outside world and the support for firmware of that adapter is trash, then you could get a leak through. However, vendors like Intel and Microsoft tend to know what they are doing, and in this day and age, good luck getting a leak through via adapter firmware. Just keep your devices up-to-date and you will be better off.
4) Do I lose a lot of performance? The Hyper-V CPU should be ~4x faster than the CPU of the dedicated box, but I don't know how much I would lose.
Again this depends on what you plan on doing with the pfSense box. For general usage it would be fine with that standalone box you picked; however, because you are talking about load-balancing and VPN etc., that will require more CPU usage. Especially if you plan on running any packages like SNORT, you may want to consider the faster, more expandable option of the VM server for the pfSense box instead.
5) Failover. I would not buy redundant parts now but still would rely on the hardware working correctly. I think I can way easier replace NICs if broken, or the VM, since I would replicate it anyway. For the dedicated box that is not an option (I think).
True failover is not having to power down anything and keeping the internet connection alive. If you are not going to buy a secondary server to clone pfSense on and set up in failover mode, then it doesn't matter what option you go with, because either option won't be a true failover. If you stick with a VM-server-based pfSense, parts are easily replaceable and easier to troubleshoot etc.; however there are more points of failure (more hardware etc.). For that small standalone box, normally a lot of those units are parts that are not replaceable or upgradable. Because of this, if something in that unit fails (such as the PSU) then you are pretty much SOL and have to replace the whole unit.
If I were you, just to save money, you could perform a real failover with a spare PC or something if you have one just standing around. Even an old decently spec'd PC can easily handle the functions it looks like you are going for, especially if it is just a standby failover and not the active host 100% of the time. But that's just an idea.
-
Many thanks for your in-depth answer!
As for 3), security, and exposing the host server: do I have to expose the host if I am running pfSense in a VM? The host (hypervisor) has to at least forward the traffic to some virtual NIC/the VM?
I can only choose not to expose e.g. the Windows Server installation originally behind the Hyper-V, but that already is not the host, but just a privileged guest that has direct access to the host.
So I could have 2 NICs, have all VMs but the pfSense VM listen on the internal NIC, and have pfSense additionally talk to the WAN NIC?
Since the server is rather potent for just a firewall (also, the WAN is <50 MBit/s), I plan on running additional production VMs on it.
-
If you configure it correctly then no, you would not be exposing the Windows system to the Internet.
The connection chain looks like this:
Internet -> physical WAN NIC -> Hyper-V virtual switch -> pfSense WAN NIC.
The only things that are exposed are the NIC and vSwitch drivers.
Since you do NOT have a protocol like TCP/IP bound to this adapter, there is no way to talk to the host system on it.
-
Thank you, Mats.
I just checked and TCP/IP is indeed disabled on all adapters that have a vSwitch on them. I tried disabling the adapters in the host before, but that did not work at all (loss of connectivity on the vSwitch as well). With TCP/IP missing I am a little more relieved.
-
Good.
One way to see it is that the binding for the vSwitch is the virtual cable between the NIC and the vSwitch. If you unbind it, you unplug the switch. As long as the only binding for the external card is the vSwitch, and the only thing using that vSwitch is the external interface on the pfSense box, then you're safe. I haven't heard of any security issues with the vSwitch in all the years with Hyper-V.
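The chain Mats describes (Internet -> physical WAN NIC -> Hyper-V virtual switch -> pfSense WAN NIC) and the check the original poster did by hand (no TCP/IP bound to the NIC behind the vSwitch) can be audited from the host in one go. The script below is an added example, not something posted in this thread or shipped by pfSense or Microsoft; the switch name `WAN-vSwitch` and the VM name `pfSense` are assumed and should be changed to match the host. It uses the standard Hyper-V and NetAdapter cmdlets and reports three things: whether the management OS shares the WAN switch, whether anything other than the Hyper-V switch protocol (component `vms_pp`) is still bound to the physical WAN NIC, and whether any VM other than the firewall has an adapter on that switch. With `-Fix` it only applies the two changes the thread itself calls for (unbind TCP/IPv4 and TCP/IPv6 from the WAN NIC, stop sharing the switch with the host); anything else is left for manual review.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added audit script (not from this thread): verifies on the Hyper-V host that the
# WAN-facing external vSwitch is wired only to the pfSense VM.
# ASSUMED names: change $WanSwitchName / $FirewallVmName to match your host.
param(
    [string]$WanSwitchName  = 'WAN-vSwitch',   # assumed name of the external switch on the WAN NIC
    [string]$FirewallVmName = 'pfSense',       # assumed name of the firewall VM
    [switch]$Fix                               # apply the safe remediations instead of only reporting
)

$findings = [System.Collections.Generic.List[string]]::new()

$wanSwitch = Get-VMSwitch -Name $WanSwitchName -ErrorAction Stop
if ($wanSwitch.SwitchType -ne 'External') {
    $findings.Add("'$WanSwitchName' is a $($wanSwitch.SwitchType) switch; the WAN switch must be External.")
}

# Check 1: the host (management OS) must not own a virtual NIC on the WAN switch.
# That is the "share this adapter with the management OS" option in Hyper-V Manager.
if ($wanSwitch.AllowManagementOS) {
    $findings.Add("Host shares '$WanSwitchName' (AllowManagementOS=True): the host has its own interface on the WAN.")
    if ($Fix) { Set-VMSwitch -Name $WanSwitchName -AllowManagementOS $false }
}
Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq $WanSwitchName | ForEach-Object {
    $findings.Add("Management-OS vNIC '$($_.Name)' is attached to '$WanSwitchName'.")
}

# Check 2: the physical WAN NIC must have nothing bound but the Hyper-V switch protocol (vms_pp).
# TCP/IPv4 (ms_tcpip) or TCP/IPv6 (ms_tcpip6) on this NIC would give the host an address on the WAN.
$wanNic = Get-NetAdapter -InterfaceDescription $wanSwitch.NetAdapterInterfaceDescription -ErrorAction Stop
Get-NetAdapterBinding -Name $wanNic.Name |
    Where-Object { $_.Enabled -and $_.ComponentID -ne 'vms_pp' } |
    ForEach-Object {
        $findings.Add("Binding '$($_.DisplayName)' ($($_.ComponentID)) is enabled on WAN NIC '$($wanNic.Name)'.")
        # Only the IP stacks are unbound automatically; other bindings are reported for manual review.
        if ($Fix -and ($_.ComponentID -in @('ms_tcpip', 'ms_tcpip6'))) {
            Disable-NetAdapterBinding -Name $wanNic.Name -ComponentID $_.ComponentID
        }
    }

# Check 3: only the firewall VM may have an adapter on the WAN switch, and it needs a second
# adapter on some other (internal/private) switch to reach the protected VMs.
$wanAdapters = Get-VM | Get-VMNetworkAdapter | Where-Object SwitchName -eq $WanSwitchName
foreach ($adapter in $wanAdapters) {
    if ($adapter.VMName -ne $FirewallVmName) {
        $findings.Add("VM '$($adapter.VMName)' has adapter '$($adapter.Name)' on the WAN switch, bypassing the firewall.")
    }
}
if (-not ($wanAdapters | Where-Object VMName -eq $FirewallVmName)) {
    $findings.Add("Firewall VM '$FirewallVmName' has no adapter on '$WanSwitchName'.")
}
$lanSide = Get-VMNetworkAdapter -VMName $FirewallVmName | Where-Object SwitchName -ne $WanSwitchName
if (-not $lanSide) {
    $findings.Add("Firewall VM '$FirewallVmName' has no adapter on a LAN-side switch.")
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$WanSwitchName' -> '$($wanNic.Name)' is reachable only from '$FirewallVmName'."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it as `.\Audit-WanSwitch.ps1 -WanSwitchName <your switch> -FirewallVmName <your VM>` from an elevated PowerShell on the host; a non-zero exit code means at least one finding, which makes it usable from a scheduled task after host or switch changes. The `vms_pp` component is the Hyper-V Extensible Virtual Switch binding that Mats calls the "virtual cable"; it is the one binding that must stay enabled, which is why disabling the whole adapter (as the original poster tried) also cuts the vSwitch off.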