Netgate Discussion Forum

    Virtualize PfSense or old Laptop for Basic Home

    General pfSense Questions
    • skalyx

      Hello,

      I currently have a Synology DS916+ with an Intel Pentium N3710, 8GB RAM, SSD cache, SHR (RAID), and two LACP gigabit Ethernet ports to my central switch. I also have an "old" laptop as my current central PfSense router, which is an HP 840 G1 i5-4300U with 8GB RAM and 20GB SSD SATA 3 (only one Ethernet port with VLANs and a USB NIC for failover). I have a Dual WAN (4G, LTE) configuration. The first WAN connection gives about 70-130 Mbps download and 30 Mbps upload. The second one gives about 50-110 Mbps download and 25 Mbps upload.

      My family and I are heavy users but with basic needs. I only set some firewall rules, dual WAN, and maybe in the future Snort as an IDS. Thus, I just need a « basic » and stable PfSense gateway that can give us the best speed.

      I am, hence, thinking about what the best option might be. We hardly ever use the 2000 Mbps LACP with the NAS but very often the full 1 Gbps bandwidth. The main questions I have are: "Should I configure a virtualized PfSense central router on my NAS or keep my laptop?" "How much speed and performance should I expect to lose with PfSense on a VM?" One argument that must be considered is that the laptop takes up space and power, and can be used for something else. Moreover, I heard a laptop is not meant to run 24/7. However, as said, I really need the best performance and speed with the network traffic, especially for my strict family. :p

      I thank you in advance for your help and wish all of you all my wishes for the new year!

      Happy new year,
      ☺

      • tsmalmbe

        Buy a fanless Netgate appliance for performance, speed and, most importantly, 24/7 reliability. You mention that only best performance and speed matter - sure, if you want to have maintenance added as a permanent hobby (and most usually you need to attend to that hobby when you are away and your family wants Netflix) then playing around with laptops is good fun. Also, running a firewall on a NAS can work, but then make sure you are not using the NAS for anything else (you are saying again basic stable gateway, but no mention of it having to be secure). In this case the NAS would be like an appliance for your firewall.

        If you really don't care about reliability - go with the laptop. If you really don't care about security, share resources between the NAS and pfSense.

        Not sure if the ":p" at the end indicates this question was not really serious?

        Security Consultant at Mint Security Ltd - www.mintsecurity.fi

        • skalyx @tsmalmbe

          @tsmalmbe

          Thanks for the answer.

          Could you please explain the security issues I may have if I share my NAS resources with the PfSense VM?
          I thought of sharing one CPU core along with 3 GB RAM and 64Gb. My NAS is often transcoding videos and photos. Thus, it hits 100% CPU usage and only 20% of RAM maximum. However, if I allocate one CPU core, then the NAS won't use it, right? I am not sure.
          We, in addition, use Plex a lot and access the NAS 24/7 for file storing, transferring, copying, and so on.

          I, obviously, want to have reliability and the best speed possible along with security. I nevertheless don't want to pay a lot of money. Will my laptop with its single Ethernet port with VLANs and a USB NIC with VLANs for failover be enough for reliability?

          Overall, what is the best for me as a home user?

          PS: The two WAN connections come from two 4G Huawei routers with built-in firewalls (even though they can be considered meaningless).

          Thanks,

          • tsmalmbe

            The best option for a home user is to use appliances that are physically small, silent, use just a little power, are built for purpose and are maintained by pressing a single "update" button every now and then.

            As far as security goes, this is not a platform one would like to run a security device on:
            https://www.cvedetails.com/vulnerability-list/vendor_id-11138/Synology.html

            Once the device is pwned, you're screwed. All users that can access the device are potential threats. For how long and how quickly is Synology dedicated to maintaining and patching that device? A NAS is purpose built for ... surprise, easy storage. Not for security.

            Security Consultant at Mint Security Ltd - www.mintsecurity.fi

            • skalyx @tsmalmbe

              @tsmalmbe

              Thanks,

              I see. I think I will stick with the laptop with its single Ethernet port coupled with VLANs and add two USB NICs for failover. I will, moreover, restart my laptop every 3 days.
              The TDP of the laptop is about 15 watts, which isn't a lot.

              If you have any recommendations on how to add functionality on pfSense, use my hardware better, add stability, add speed, add security, or anything else, please suggest and advise me. Thanks again.

              • tsmalmbe

                If you would like to both have a hobby and add some seriousness to this: install Proxmox on the laptop and virtualize pfSense on top of that. Why? You can then easily back up the firewall to a USB stick, and in the case when (not if) the laptop fails, or there are any other issues, you can easily install Proxmox on any other laptop (or similar hardware) and just continue with your latest (daily) backup of your firewall.

                Also a lifesaver when the occasional update decides to fail.

                Security Consultant at Mint Security Ltd - www.mintsecurity.fi

                • skalyx @tsmalmbe

                  @tsmalmbe I actually have the same laptop with the same hardware as a spare (with the display broken). I made a sector-by-sector backup of my SSD and, in case of any failure, can just install the old SSD or a new SSD with a 1:1 copy. Isn't it great? It will work, right?

                  Do you have any other great suggestions?

                  Thanks,

                  • tsmalmbe

                    It will work. Just remember to do that often enough (enough = the number of days of configuration changes you are willing to lose - and whenever you update).

                    Security Consultant at Mint Security Ltd - www.mintsecurity.fi

                    • skalyx @tsmalmbe

                      @tsmalmbe Great thanks. Just let me know if you have any other security tips or any other advice. I love to learn.

                      Thanks,

                      • stephenw10 Netgate Administrator

                        Enable auto config backup and you will always have access to a recent config. As long as you have noted the key somewhere!

                        Keep a USB stick with the install image on it handy and you can restore pretty quickly if you ever need to. In 2.4.4p1 you can even put a recent config file onto the install stick to restore it directly, making it even quicker.

                        Steve

                        • Grimson Banned @skalyx

                          @skalyx said in Virtualize PfSense or old Laptop for Basic Home:

                          and add two usb NICs for failover.

                          Those will likely be the first things that fail under load. Unless the on-board NIC is Realtek, then all of them will fail sooner or later. Just don't come crying when this crappy setup causes problems.

                          • bcruze

                            https://store.netgate.com/MBT-2220-system.aspx

                            This will do everything you need. I have one and want to order another one just to have a spare OR install Linux on it for a remote box.

                            • skalyx @stephenw10

                              @stephenw10 thanks for your suggestions. I will activate that. I have a second laptop with the exact same hardware. I will in case of any problem easily switch.

                              • skalyx @Grimson

                                @grimson Hi,
                                Please do not be aggressive. Stability is not a major issue and we do not have massive traffic like a production network. I, in case of any problem, can easily fail over to my second, identical laptop. Moreover, the USB NIC is only there for failover and not load balancing. If the single Ethernet port fails, it will switch and I will easily notice it. Thus, it just gives me an option without spending a buck.

                                It just is temporary. I will in the next house (soon) buy a real router.

                                Thanks,

                                • stephenw10 Netgate Administrator

                                  Really what you have to consider here is what are the consequences of a failure? How quickly can you get back up and running?

                                  This is a home setup so it's not like you would be losing thousands of dollars an hour if it goes down. More likely you will just get grief from your family which is probably manageable.

                                  If you have a second laptop as a cold spare and install media and config available, you will always be able to recover; it's just the downtime that varies.

                                  In all probability you won't have any trouble but if you do I'd put money on it being with those USB NICs.

                                  Steve

                                  • skalyx @stephenw10

                                    @stephenw10
                                    Happy new year!

                                    Yes, the risks are negligible. I won't lose a penny if the network fails and I can easily get it up and running. I don't expect it to fail often nor fail for a long time thanks to the USB failover, backup, hardware failover (cold backup with exact same laptop and same configuration), etc.

                                    In any case, I just easily can shut down my PFsense router or DHCP server and switch the VLANs to switch the DHCP server to the WAN1 or WAN2. It isn't difficult.
                                    Furthermore, my family all have 4G and can use it as a hotspot... Android smartphones, moreover, switch to 4G automatically when the connection isn't stable. Thus that is not at all a big deal.

                                    Thanks,
