SOLVED: pfsense vm or physical?

lewis

I have an eight blade chassis and I need a firewall for all of the blades. The transfer speeds will be in the area of 500Mbps sustained up to around 5Gbps at times.

Initially, my thought was to put another server in the rack to act as the firewall but I decided to use one of the blades. The blade has 2x E5-2660 CPU's and 32GB of memory.

All of the other blades will be running ESX and this is the only blade that would be running pfsense alone.

I'm having second thoughts, wondering if I should build this blade into an ESX host as well and have the firewall as a vm.

I've done it before, it works perfectly fine but not at these data rates.
Each blade has dual 1GB ports and dual 10GBe ports. I was planning on using the 10GBe ports for the WAN, LAN of pfsense but if I went with an ESX host, then those ports would be shared with low traffic vms on the same ESX host.

I'm not sure what else to include. I just hate to waste a blade if using it all for pfsense is overkill.

What would you do?

johnpoz

@lewis said in pfsense vm or physical?:

What would you do?

If you need/want the resources of the blade to do other things. And the VM can handle your needs/traffic - why would you not run it as VM? There for sure advantages to having its a VM, upgrades are less likely to be an issue because its easy to rollback..

The drawbacks are complexity, and ability to reboot the blade without loss of access pfsense would control/allow for. Unless you can move your pfsense VM to a different host, or run multiple in a HA setup - which does increase complexity as well.

Running the firewall router on its own hardware reduces complexity. The only one that can make the call if loss of cpu cycles by using a blade just for firewall is worth it would be you..

lewis

@johnpoz said in pfsense vm or physical?:

Running the firewall router on its own hardware reduces complexity. The >only one that can make the call if loss of cpu cycles by using a blade just for >firewall is worth it would be you..

For sure. I just have reservations either way and thought maybe some other thoughts would come up but really, it's all as you said.

The blade should never need rebooting or at least, very rarely and it's all in a data center so no power issues. I guess it really boils down to using up a 1U space for a dedicated firewall or one of the blade slots.

Thanks for your input. It helped me to confirm there are no other things I'm not thinking about.

Gertjan

@lewis said in SOLVED: pfsense vm or physical?:

Thanks for your input. It helped me to confirm there are no other things I'm not thinking about.

Euuuuh, there are always things you didn't thought about ..... You can't enumerate them, as you didn't thought about them. Not knowing doesn't proof something doesn't exist ;)
Just my 2 cents before Zzzzz.

lewis

Yup, and that's why you post in forums sometimes, to see if others might have some thoughts that you've not reached. Worth doing.

johnpoz

@lewis I concur with @Gertjan there is prob always something you didn't take into consideration, and agree with you as to posting such questions on others using the product forum, etc.

You could be deep into the weeds setting it up and say ahhh F! I didn't think about that - now shit what do I do ;)

I ran pfsense as VM for many years on esxi, and was very happy with it. I just ran into a point where the new isp speed and my vm host couldn't handle it. So I either got a new vm host that could, or go with hardware. There are times I miss the ability to play with pfsense as VM, and just easy switch to a snapshot, etc. etc..

But then again - I love my sg4860, and can play with my nas (new vm host) and not worry about looking internet. Not sure I would ever go back to running it on VM..

Maybe vs using a blade just get something else suited to being your router/firewall and not better suited as vm host like your blade with 32GB of ram - seems a bit overkill for a firewall ;)

lewis

The blade just happens to have that hardware config. It's not worth pulling anything out of it, just slap a couple of small SSD's into it for the firewall.

I could throw 128GB into it and use it for low traffic vms along with the firewall instead of using the entire blade but I think I'll stick with using the entire blade for now. If I need it, I'll add another 1U server into the rack.

You know how it is, sometimes you know the answer but it's worth asking someone else just in case you're missing something obvious.

johnpoz

@lewis agree, and to be honest wish there were more topics like this here.. This forums seems always pfsense pfsense pfsense ;) And not just general IT questions.. There is a lot of knowledge and experience that frequent these boards.. And yeah sure this is about pfsense at its core.

But hey nothing wrong with exchanging thoughts on on stuff with like minded people that have lots of know how and experience in the field.

And this is "pfsense" related ;) so there is that..

But at the core of this question is do you run something on bare hardware or run it as vm.. This could relate to lots of stuff just not where you run pfsense.

I don't think you could go wrong running it either place, but what people don't always understand - especially if they are vm guys anyway. Is running it on vm is more complex, unless your a VM guy ;) But if you have run pfsense as vm before, and are in general good with vms - then yeah it would allow you to leverage more of the cpu cycles on that blade vs letting them sit idle.. And face it - most pfsense boxes sit idle most of the time. There are even instructions for running hypervisor on netgate hardware, so you could leverage some of those spare cycles.

example:
https://docs.netgate.com/platforms/rcc-ve-4860/esxi.html

bingo600

Based on the VMware patch/update frequency vs pfSense patch/update frequency.

Then unless serious $$ or space constrained.
There is nowhere I would run a NON VM pfSense in a DataCenter environment, where it would affect multiple hosts, if taken down for maintenance.

The sheer "noise" of such a Change-request would make me run screaming away.
You get 10 min of "fame" for saving some $$ , and a life filled with agony.

Edit:
Not 100% related but ...
I remember a large setup , where all of a sudden they requested me to "emergency" prepare network for some physical MS Domain controllers, as all of their current DC's were Virtual , and apparently it created a serious Catch22 , if the whole system was taken down. Maybe as "simple" as vCenter using the DC for access control , and the DC was not started or the like...

Sometimes (often) simple is better,

/Bingo

lewis

An ESX going down is about as rare as a dedicated appliance in the DC but it does happen on both. I'm not sure that having the firewall as a vm would have any worse affect going down as a dedicated device would.

I've never done the HA thing but the setup could be interesting if it could be done. Maybe I should play with that next time I have a little time to do so.

bingo600

@lewis
I'm not talking about a VM going down unexpected.

I'm talking about the times. ie. my ESXi servers has been down this year due to critical patches, that had to be applied to ESXi or vCenter (well servers doesn't need to be taken down to patch vCenter).

/Bingo

lewis

@bingo600 said in SOLVED: pfsense vm or physical?:

@lewis
I'm not talking about a VM going down unexpected.

I'm talking about the times. ie. my ESXi servers has been down this year due to critical patches, that had to be applied to ESXi or vCenter (well servers doesn't need to be taken down to patch vCenter).

/Bingo

Oh yes, very good point. In that respect, pfsense running on its own hardware is never an issue. I've never had an update cause down time. That alone seems to seal the deal.

I've also run pfsense as a vm using two of the blade nics. It works as expected, just a bit tricky to set up but you're right about the host.