Upgrade and virtualize under ESXi 6.5



  • Ok, I'll cut and paste (and slightly modify!) a message that I posted on the unRAID forum because it concerns virtualizing both products (unRAID and pfSense).

    Let's start from the beginning. I built a pfSense server 3 or 4 years ago and I'm now in the process of upgrading it because it still runs on version 2.1. I can really see your reaction, I know… I'm a bad guy but hey, if it ain't broke, don't fix it. So, I have a couple of questions for the community before diving head first into the upgrade process. First, since I'll probably upgrade the pfSense host machine, I would really like to virtualize it under ESXi 6.5. Is that possible and secure? Then, will I have to pass through a couple of dedicated NICs to pfSense, or will virtual ones do the trick? Since I'll run unRAID from the same box and probably a couple of Windows and/or Linux VMs, what kind of hardware can support this setup? pfSense doesn't need much so I don't think that I need a really powerful machine for them (unRAID and pfSense) but I would like to have some feedback from others. I have on hand an AMD Phenom II X4 945 or 965 Black Edition (can't remember exactly, but I can confirm upon request) on an Asus M4A89GTD Pro/USB3 or an Intel Q6600 on a P5K. From what I have read on the web, both of these boards don't support passthrough so, I'm looking at the Asus M5A99FX PRO R2.0. I would really like to find a board compatible with passthrough that I can use with one of the processors I have on hand so I can cut down the cost a little bit. I'll probably throw in 16 or 32 GB of RAM, depending on the feedback I'll receive on this post. And, am I forced to use ECC RAM for ESXi or will non-ECC do just fine?

    For now, that's about it. I would like to thank everyone who took the time to read and answer my post.

    Have a nice day.



  • @Draven666:


    pfSense is commonly virtualized, the security is good and the performance is good. It works on KVM, ESXi and Hyper-V, but is easiest to set up (GUI-wise) on the last two. (well… it probably runs on Xen too, but it's not nearly as popular as the other 3 hypervisors mentioned)

    You can choose to pass through dedicated NICs, which would theoretically increase security, as the NICs are not shared with any other VMs, nor does the hypervisor do any packet routing for you via vSwitches, but you lose some flexibility in configuration, as well as the ability to build a 2nd server and seamlessly vMotion/migrate the pfSense instance to the other host if the original host requires maintenance. That, and you get simple backups, snapshot capability, etc. Still, the option is yours.

    My setup is as follows:

    WAN connection VLAN2 on physical switch, trunked to ESXi.
    ESXi host with 1 NIC (in reality there are more, but you only NEED one for this particular config)
    vSwitch with portgroup WAN on VLAN 2 & regular LAN portgroup on native VLAN (0)/None
    pfSense receives WAN signal on the VLAN 2 port, routes it through the LAN connection (OPT1, etc)

    This is commonly known as a router-on-a-stick configuration, using a single NIC.

    If you don't want to mess with VLANs or don't have a managed switch, then two NICs will be required on the host. Create 1 vSwitch with a dedicated NIC for WAN, to be used exclusively for pfSense, and plug the WAN connection into that.
    Create one or more vSwitches for the LAN/OPT1/OPT2 connections, with the desired VMs also plugged into that switch for internet access. The LAN vSwitch NIC will provide internet access for the rest. You can create a vSwitch without a physical NIC attached to it if you only want to provide Internet access to the VMs connected to it, and not the network at large.
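    An added example, not from this thread nor from the pfSense or VMware projects, that scripts both layouts described above (the single-NIC router-on-a-stick with WAN on VLAN 2, and the two-NIC layout with a dedicated WAN vSwitch, a LAN vSwitch and an uplink-less internal vSwitch) using esxcli from the ESXi shell. The uplink names vmnic0 (LAN) and vmnic1 (WAN) and the vSwitch/portgroup names are assumptions; the security-policy step is hardening not mentioned in the post, so that no guest on the WAN side can sniff or spoof frames. With DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): builds the vSwitch layouts described
# above with esxcli, run from the ESXi shell over SSH.
# Assumptions: vmnic0 is the LAN uplink, vmnic1 the WAN uplink, and the
# vSwitch/portgroup names are ours. DRY_RUN=1 prints instead of executing.

WAN_NIC="${WAN_NIC:-vmnic1}"
LAN_NIC="${LAN_NIC:-vmnic0}"
DRY_RUN="${DRY_RUN:-0}"

# Execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject promiscuous mode, MAC changes and forged transmits on the WAN
# portgroup. A standard vSwitch rejects promiscuous mode by default but
# accepts the other two, so this closes the guest-side sniffing/spoofing gap.
harden_wan_portgroup() {
    run esxcli network vswitch standard portgroup policy security set \
        --portgroup-name=WAN --allow-promiscuous=false \
        --allow-mac-change=false --allow-forged-transmits=false
}

# Layout 1: router-on-a-stick. One uplink on a trunk port; the WAN portgroup
# is tagged VLAN 2, the LAN portgroup stays untagged (VLAN 0, the default).
build_single_nic_switch() {
    run esxcli network vswitch standard add --vswitch-name=vSwitch-Trunk
    run esxcli network vswitch standard uplink add --vswitch-name=vSwitch-Trunk --uplink-name="$LAN_NIC"
    run esxcli network vswitch standard portgroup add --vswitch-name=vSwitch-Trunk --portgroup-name=WAN
    run esxcli network vswitch standard portgroup set --portgroup-name=WAN --vlan-id=2
    run esxcli network vswitch standard portgroup add --vswitch-name=vSwitch-Trunk --portgroup-name=LAN
    harden_wan_portgroup
}

# Layout 2a: dedicated WAN vSwitch with its own uplink. Only pfSense's WAN
# vNIC should ever be attached to this portgroup.
build_wan_switch() {
    run esxcli network vswitch standard add --vswitch-name=vSwitch-WAN
    run esxcli network vswitch standard uplink add --vswitch-name=vSwitch-WAN --uplink-name="$WAN_NIC"
    run esxcli network vswitch standard portgroup add --vswitch-name=vSwitch-WAN --portgroup-name=WAN
    harden_wan_portgroup
}

# Layout 2b: LAN vSwitch with an uplink to the physical LAN.
build_lan_switch() {
    run esxcli network vswitch standard add --vswitch-name=vSwitch-LAN
    run esxcli network vswitch standard uplink add --vswitch-name=vSwitch-LAN --uplink-name="$LAN_NIC"
    run esxcli network vswitch standard portgroup add --vswitch-name=vSwitch-LAN --portgroup-name=LAN
}

# Layout 2c: internal-only vSwitch with no uplink. VMs placed here can leave
# the host only through pfSense's OPT1 interface.
build_isolated_switch() {
    run esxcli network vswitch standard add --vswitch-name=vSwitch-Internal
    run esxcli network vswitch standard portgroup add --vswitch-name=vSwitch-Internal --portgroup-name=OPT1
}

# Print the effective policy on the WAN portgroup for a post-apply check.
show_wan_policy() {
    run esxcli network vswitch standard portgroup policy security get --portgroup-name=WAN
}

case "${1:-}" in
    single) build_single_nic_switch; show_wan_policy ;;
    dual)   build_wan_switch; build_lan_switch; build_isolated_switch; show_wan_policy ;;
    *)      ;;   # no argument: only define the functions so the file can be sourced
esac
```

    Run it as `DRY_RUN=1 sh vswitches.sh dual` first to review the plan, then without DRY_RUN on the host (SSH and the ESXi shell must be enabled). Attaching each VM's vNICs to the right portgroup is still done per VM; the point of the script is that the only path between the WAN portgroup and anything else is the pfSense VM, and the internal vSwitch has no uplink at all, so a VM on it cannot bypass the firewall.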

    Those CPUs are fine for pfSense, though running hot and power-hungry for 24/7 use, but if you are going to run other VMs on it, it's probably OK :)

    Now, the coolest thing you can do with this setup if you have another ESXi host with proper licensing (or a VMUG learning license, $200 a year):

    1. Have 2 hosts running in vCenter (the enterprise mgmt server for ESXi), with identical vSwitch configurations, and be able to do a live migration of your router from one physical host to another without dropping a single packet.

    2. Implement HA (high availability) monitoring so if one host or your pfSense VM goes down, it is restarted automatically on the other host.

    Anyway, I'm a fan of virtualizing it, but be sure to know what you are doing, and understand the caveats of hosting your router on a VM sharing resources with other VMs, on a physical host that MAY need maintenance at times.

