Netgate Discussion Forum

Can I run server applications and pfSense on the same computer? How is pfSense different from FreeBSD?

17 Posts 6 Posters 3.7k Views
  • I
    inf3rno
    last edited by May 8, 2020, 7:42 AM

    I have a home server (x64 multi core Xeon) with FreeBSD on it and I don't like the router my ISP gave. My server runs 24/7, so I thought maybe I could use it for routing too instead of buying a dedicated router. I am not sure if this is a good idea, or how your custom kernel is different from what I get with FreeBSD. Has anybody tried something similar, is there a best practice?

    • J
      JKnott @inf3rno
      last edited by May 8, 2020, 10:50 AM

      @inf3rno

      It's a bad idea. You don't want anything running on the firewall that's not firewall related. The more stuff you have running, the more you open up vulnerabilities.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • I
        inf3rno
        last edited by inf3rno May 8, 2020, 12:01 PM May 8, 2020, 11:59 AM

        I don't think this makes much sense. A running application does not increase the attack surface. Open ports on the firewall increase it as far as I understand the topic.

        I worry a lot more about software compatibility, performance issues, etc. that's why I asked the question.

        • H
          heper
          last edited by May 8, 2020, 12:09 PM

          Use a hypervisor (esxi or hyperv or whatever)
          Run virtual machines

          • D
            DaddyGo
            last edited by May 8, 2020, 12:56 PM

            I totally agree with JKnott, this is a particularly bad idea.
            Even a virtual machine solution is not the best, but many people use this opportunity; I do not recommend it for serious environments.
            Where is the redundancy, if you have a hardware failure ???
            Everything will stop ...

            A firewall is a firewall, not to be confused with servers for other purposes....
            (Of course, if you are using your server (Xeon multi-core) for serious purposes and it is not a homelab config)

            Cats bury it so they can't see it!
            (You know what I mean if you have a cat)

            • I
              inf3rno @DaddyGo
              last edited by inf3rno May 8, 2020, 1:17 PM May 8, 2020, 1:15 PM

              @DaddyGo Well I can use the ISPs router in the case the home server fails. I don't think I need too much redundancy beyond that. I don't sell hosting with this server or anything like that, I just use it for development, testing and for storing the files we want to share on my home network between our personal computers. Using virtual machines is a good idea, so a failing application won't kill the pfSense too, just my server OS. Another robust solution would be using a microkernel, for example seL4 https://github.com/seL4/seL4 . Partially that's why I asked about the custom kernel pfSense uses. With a good microkernel a failing application or sometimes even a failing driver cannot bring down the system.

              • D
                DaddyGo
                last edited by May 8, 2020, 1:43 PM

                Yeeeppp as I wrote, if this is a homelab you can experiment with it, but in case of a hardware failure only one ISP router remains :-).
                You lose your goal described above to eliminate your ISP router.

                Keep in mind that there are significant vulnerabilities in intra-virtual machine transfers as well, since we simulate that they are separate units, they are identical as one hardware.

                The promise of seL4 can be nice too, but it also runs everything on one hardware (Oh yes ultra safe), lately it has become a trend to save on iron. :-).
                I'll tell you we experiment on virtual machines before we put anything into the system.
                I think you can also set up a simple / separate (for example APU board base or Supermicro M11SDV series base) NGFW with pfSense for home (lab) use and separate virtual machines to serve the family (PC, MAC, etc.)

                • S
                  stephenw10 Netgate Administrator
                  last edited by May 8, 2020, 1:54 PM

                  Yes, if you need to do this you should run pfSense and some other OS virtualised.

                  Steve

                  • N
                    NollipfSense @inf3rno
                    last edited by NollipfSense May 9, 2020, 2:38 PM May 8, 2020, 6:16 PM

                    @inf3rno You could use a great computer with 32GB RAM, install CentOS and OpenStack which need 16GB RAM. You can run pfSense instance with numerous servers. Bear in mind that virtualization is getting there; however, it's not there yet.

                    So that's why others had emphasised that running pfSense on a separate box at this stage is the best ... like most of us here with home/office/lab.

                    pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                    pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                    • N
                      NollipfSense @inf3rno
                      last edited by May 9, 2020, 2:55 PM

                      @inf3rno OP just to check it out, I could install CentOS 7 minimal and OpenStack on VirtualBox and get it to run with six 6GB RAM; however, I had not added anything (other instances such as pfSense and other servers) because the device maxed out at 16GB RAM. So, I would say get busy as the possibility you're seeking can be achieved with your multi-core Xeon server with at least 32GB RAM ... more RAM would be even better.

                      • D
                        DaddyGo @NollipfSense
                        last edited by May 9, 2020, 4:06 PM

                        @NollipfSense
                        That's why we have the good friends to prevent us from realizing our own "stupid" or inadequate ideas or correct the misunderstandings and steer us in the right direction.
                        It’s just a monologue to my own ideas, every person is different, if there is no curiosity, the world will not move forward.

                        (but I pretty much agree with what you do....) / (somewhere, that’s how it works with someone)
                        OP is no longer interested in the topic, hihihi

                        • N
                          NollipfSense @DaddyGo
                          last edited by May 9, 2020, 9:57 PM

                          @DaddyGo said in Can I run server applications and pfSense on the same computer? How is pfSense different from FreeBSD?:

                          @NollipfSense
                          That's why we have the good friends to prevent us from realizing our own "stupid" or inadequate ideas or correct the misunderstandings and steer us in the right direction.
                          It’s just a monologue to my own ideas, every person is different, if there is no curiosity, the world will not move forward.

                          (but I pretty much agree with what you do....) / (somewhere, that’s how it works with someone)
                          OP is no longer interested in the topic, hihihi

                          If OP is no longer interested that would be sad; however, others may benefit. I am finding the network function virtualization and software designed networking fascinating; however, it's highly sophisticated as well as complex. I have played with virtual Security Onion and now OpenStack ... very grateful to those that made the learning possible by sharing.

                          • I
                            inf3rno @DaddyGo
                            last edited by inf3rno May 9, 2020, 10:29 PM May 9, 2020, 10:17 PM

                            @DaddyGo I am, but I turned to read mode. :P I checked other threads. I found that most of the applications from ports should run fine with pfSense, there is just no support for them. I have no idea why the developers needed a separate "distro" instead of using FreeBSD with a few applications. So in theory I don't need virtualization, because I don't need very high availability. I am not entirely sure, but I expect less than one system collapse in 3 months, which is acceptable. My ISP fails me more. In theory my computer is enough for 5 Gbps, maybe even 10. I plan to use link aggregation to have 4 Gbps to my primary PC. In theory it is cheaper than a card that supports it on one port and I don't need more to copy between Sata3 SSD-s. So the minimum I'd need is a managed switch I think. I'll check what other options I have. Thanks for the input!

                            • S
                              stephenw10 Netgate Administrator
                              last edited by stephenw10 May 10, 2020, 10:31 AM May 9, 2020, 10:28 PM

                              Most relatively simple ports will run fine. They will not survive a firmware update etc.

                              More complex things might pull in other dependencies and if that overwrites something in pfSense which is not standard it could break pfSense entirely. There is a lot of non-standard FreeBSD stuff in pfSense. Installing FreeBSD ports is a good way to break it! 😉

                              Running virtual eliminates all those problems.

                              Steve

                              • N
                                NollipfSense @inf3rno
                                last edited by May 9, 2020, 10:28 PM

                                @inf3rno said in Can I run server applications and pfSense on the same computer? How is pfSense different from FreeBSD?:

                                I have no idea why the developers needed a separate "distro" instead of using FreeBSD with a few applications.

                                Why try to build a better mouse trap when you can use an existing great one and put a fine cage around it to lure, trap, and exterminate bad actors!

                                • I
                                  inf3rno @stephenw10
                                  last edited by May 9, 2020, 10:38 PM

                                  @stephenw10 Ohh ok, good to know.

                                  • D
                                    DaddyGo
                                    last edited by May 10, 2020, 10:11 AM

                                    My opinion is that FreeBSD is one of the best choices for NGFWs, due to the distinctive behavior of the OP system itself.
                                    However, you can't run it cleanly on FreeBSD, so like pfSense, sticking to the parent basics (FreeBSD), you need to implement a different philosophy = pfSense.

                                    NollipfSense /
                                    I agree with you that the future belongs to the VM, but we still have a lot to learn in this area.
                                    What is currently worrying is that only mirror solutions can create large stability systems.
                                    I currently work for a world-wide insurance company, in the current unfortunate situation (COVID), more than 8,000 employees work from home on a VM basis.
                                    It works, but 25 extra mirror servers have been set up in 15 countries to eliminate any possible problems.
                                    Virtualization is a wonderful part of the IT world, flexible and I hope there will be more and more serious availability.
                                    (I started with Windows NT servers and Win 3.1 has changed a lot since then :-))

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.