Netgate Discussion Forum

    SOLVED: pfsense vm or physical?

    General pfSense Questions
    12 Posts 4 Posters 1.7k Views
    • L Offline
      lewis
      last edited by lewis

      I have an eight blade chassis and I need a firewall for all of the blades. The transfer speeds will be in the area of 500Mbps sustained up to around 5Gbps at times.

      Initially, my thought was to put another server in the rack to act as the firewall but I decided to use one of the blades. The blade has 2x E5-2660 CPU's and 32GB of memory.

      All of the other blades will be running ESX and this is the only blade that would be running pfsense alone.

      I'm having second thoughts, wondering if I should build this blade into an ESX host as well and have the firewall as a vm.

      I've done it before, it works perfectly fine but not at these data rates.
      Each blade has dual 1GB ports and dual 10GBe ports. I was planning on using the 10GBe ports for the WAN, LAN of pfsense but if I went with an ESX host, then those ports would be shared with low traffic vms on the same ESX host.

      I'm not sure what else to include. I just hate to waste a blade if using it all for pfsense is overkill.

      What would you do?

      • johnpozJ Online
        johnpoz LAYER 8 Global Moderator @lewis
        last edited by

        @lewis said in pfsense vm or physical?:

        What would you do?

        If you need/want the resources of the blade to do other things, and the VM can handle your needs/traffic, why would you not run it as a VM? There are for sure advantages to having it as a VM; upgrades are less likely to be an issue because it's easy to roll back.

        The drawbacks are complexity, and the ability to reboot the blade without loss of the access pfSense would control/allow for. Unless you can move your pfSense VM to a different host, or run multiple in an HA setup, which does increase complexity as well.

        Running the firewall/router on its own hardware reduces complexity. The only one who can make the call on whether the loss of CPU cycles from using a blade just for a firewall is worth it would be you.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • L Offline
          lewis @johnpoz
          last edited by

          @johnpoz said in pfsense vm or physical?:

          > Running the firewall router on its own hardware reduces complexity. The only one that can make the call if loss of cpu cycles by using a blade just for firewall is worth it would be you..

          For sure. I just have reservations either way and thought maybe some other thoughts would come up but really, it's all as you said.

          The blade should never need rebooting or at least, very rarely and it's all in a data center so no power issues. I guess it really boils down to using up a 1U space for a dedicated firewall or one of the blade slots.

          Thanks for your input. It helped me to confirm there are no other things I'm not thinking about.

          • GertjanG Offline
            Gertjan @lewis
            last edited by

            @lewis said in SOLVED: pfsense vm or physical?:

            Thanks for your input. It helped me to confirm there are no other things I'm not thinking about.

            Euuuuh, there are always things you didn't think about ..... You can't enumerate them, as you didn't think about them. Not knowing doesn't prove something doesn't exist ;)
            Just my 2 cents before Zzzzz.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • L Offline
              lewis
              last edited by

              Yup, and that's why you post in forums sometimes, to see if others might have some thoughts that you've not reached. Worth doing.

              • johnpozJ Online
                johnpoz LAYER 8 Global Moderator @lewis
                last edited by

                @lewis I concur with @Gertjan, there is probably always something you didn't take into consideration, and I agree with you as to posting such questions on the forum of others using the product, etc.

                You could be deep into the weeds setting it up and say ahhh F! I didn't think about that - now shit what do I do ;)

                I ran pfSense as a VM for many years on ESXi, and was very happy with it. I just ran into a point where the new ISP speed and my VM host couldn't handle it. So I either got a new VM host that could, or went with hardware. There are times I miss the ability to play with pfSense as a VM, and just easily switch to a snapshot, etc. etc.

                But then again - I love my SG-4860, and can play with my NAS (new VM host) and not worry about losing internet. Not sure I would ever go back to running it on a VM.

                Maybe, vs using a blade, just get something else suited to being your router/firewall, and not something better suited as a VM host like your blade with 32GB of RAM - seems a bit overkill for a firewall ;)

                • L Offline
                  lewis
                  last edited by

                  The blade just happens to have that hardware config. It's not worth pulling anything out of it, just slap a couple of small SSD's into it for the firewall.

                  I could throw 128GB into it and use it for low traffic vms along with the firewall instead of using the entire blade but I think I'll stick with using the entire blade for now. If I need it, I'll add another 1U server into the rack.

                  You know how it is, sometimes you know the answer but it's worth asking someone else just in case you're missing something obvious.

                  • johnpozJ Online
                    johnpoz LAYER 8 Global Moderator @lewis
                    last edited by johnpoz

                    @lewis agree, and to be honest I wish there were more topics like this here. This forum seems always pfSense pfSense pfSense ;) and not just general IT questions. There is a lot of knowledge and experience that frequents these boards. And yeah, sure, this is about pfSense at its core.

                    But hey, nothing wrong with exchanging thoughts on stuff with like-minded people that have lots of know-how and experience in the field.

                    And this is "pfSense" related ;) so there is that.

                    But at the core of this question is: do you run something on bare hardware or run it as a VM? This could relate to lots of stuff, not just where you run pfSense.

                    I don't think you could go wrong running it in either place, but what people don't always understand, especially if they are VM guys anyway, is that running it on a VM is more complex, unless you're a VM guy ;) But if you have run pfSense as a VM before, and are in general good with VMs, then yeah, it would allow you to leverage more of the CPU cycles on that blade vs letting them sit idle. And face it, most pfSense boxes sit idle most of the time. There are even instructions for running a hypervisor on Netgate hardware, so you could leverage some of those spare cycles.

                    example:
                    https://docs.netgate.com/platforms/rcc-ve-4860/esxi.html

                    • bingo600B Offline
                      bingo600
                      last edited by bingo600

                      Based on the VMware patch/update frequency vs the pfSense patch/update frequency:

                      Unless seriously $$ or space constrained, there is nowhere I would run a NON-VM pfSense in a data center environment where it would affect multiple hosts if taken down for maintenance.

                      The sheer "noise" of such a change request would make me run screaming away.
                      You get 10 min of "fame" for saving some $$, and a life filled with agony.

                      Edit:
                      Not 100% related but ...
                      I remember a large setup, where all of a sudden they requested me to "emergency" prepare the network for some physical MS Domain Controllers, as all of their current DCs were virtual, and apparently it created a serious Catch-22 if the whole system was taken down. Maybe as "simple" as vCenter using the DC for access control, and the DC was not started or the like...

                      Sometimes (often) simple is better,

                      /Bingo

                      If you find my answer useful - Please give the post a 👍 - "thumbs up"

                      pfSense+ 23.05.1 (ZFS)

                      QOTOM-Q355G4 Quad Lan.
                      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

                      • L Offline
                        lewis
                        last edited by

                        An ESX host going down is about as rare as a dedicated appliance in the DC, but it does happen on both. I'm not sure that having the firewall as a VM would have any worse effect going down than a dedicated device would.

                        I've never done the HA thing but the setup could be interesting if it could be done. Maybe I should play with that next time I have a little time to do so.

                        • bingo600B Offline
                          bingo600 @lewis
                          last edited by bingo600

                          @lewis
                          I'm not talking about a VM going down unexpectedly.

                          I'm talking about the times, i.e. my ESXi servers have been down this year due to critical patches that had to be applied to ESXi or vCenter (well, servers don't need to be taken down to patch vCenter).

                          /Bingo

                          • L Offline
                            lewis @bingo600
                            last edited by

                            @bingo600 said in SOLVED: pfsense vm or physical?:

                            > @lewis
                            > I'm not talking about a VM going down unexpectedly.
                            >
                            > I'm talking about the times, i.e. my ESXi servers have been down this year due to critical patches that had to be applied to ESXi or vCenter (well, servers don't need to be taken down to patch vCenter).
                            >
                            > /Bingo

                            Oh yes, very good point. In that respect, pfSense running on its own hardware is never an issue. I've never had an update cause downtime. That alone seems to seal the deal.

                            I've also run pfSense as a VM using two of the blade NICs. It works as expected, just a bit tricky to set up, but you're right about the host.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.