VM firewall safe for a home network? Help me understand.

  • I've just switched most of my home servers over to VMs… My NAS, VM server and pfSense box are the only servers left.

    I've read threads that say it's OK to run pfSense in a VM, but the idea of plugging the raw WAN line into my VM box scares me... should it?  The box is running Ubuntu Server 8.10 w/ VMware.

    I would love to get rid of that pfSense server... I just need somebody to tell me it's OK (or not  ;D)

  • I am running a complete virtual environment.  Instead of VMware, I am running XenServer 5.5.0.  I have pfSense 1.2.3 RC2 running, OpenFiler 2.3, SBS 2003, and I have converted VMware images to XenServer with their latest tool.

    I have had no security issues or break-ins.  I have dedicated 2 of the 6 adapters that I have to the firewall.  I don't use them for anything else; that protects the inside from the outside.

    If you have any questions please drop me a line.

  • With pfSense in a virtual environment, do you have to sacrifice throughput bandwidth?

    I have a beefy pfSense router made with Supermicro hardware; can a VM replace or compete with this power?

  • My VM firewall gets solid performance and I very rarely see the processor above 2 to 5%.  I have a beefy box running my XenServer with 4 other VMs running, and the processor on it never goes above 25%.

    It depends on hardware, internet connection, and what services that you plan to run on your box.  I find that I keep adding services with little to no additional load on the machine.

    Best thing I can recommend is try it.  Everybody's network is different.


  • The short answer I have is an example of the way I set mine up.

    I have a Windows XP box with VMware Server running on it. It has 3 network interfaces on it.
    1 interface is set up as the XP network interface for the LAN.
    The other 2 interfaces have all protocols and features turned off in Windows except for VMware bonding.

    Inside a VM image I have pfSense installed utilizing the 2 VMnet interfaces, one for WAN and the other for LAN.

    The 3 interfaces are a bit overkill; I could merge the host NIC and the virtual LAN onto the same device.
    I am not sure how to set up a network interface in Linux that is enabled with no protocols attached.
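    The Linux equivalent of a NIC "with no protocols attached" is an interface that is up and bridged to the guest but carries no host IP address, so the raw WAN side can reach the pfSense VM and nothing else on the host. The script below is an added example, not from this thread or any poster: it shows an ifupdown stanza of that shape and a small audit that reads `ip -o addr show` output and flags any listed interface the host still has an address on. The interface names `eth1` and `br-wan`, and the Debian/Ubuntu `bridge-utils` style config, are assumptions.

```shell
#!/bin/sh
# Added example for a Linux VM host running pfSense as a guest.
# Assumptions: ifupdown with bridge-utils (Debian/Ubuntu), WAN NIC eth1,
# bridge br-wan; both names are hypothetical.

# Bridge stanza: "inet manual" with no address keeps the host's own IP
# stack off the WAN-facing NIC; only the guest attached to br-wan sees it.
wan_bridge_stanza() {
    cat <<'EOF'
auto eth1
iface eth1 inet manual

auto br-wan
iface br-wan inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0
EOF
}

# Audit: $1 is the text of `ip -o addr show`; remaining args are the
# interfaces that must carry no host address. Global IPv4/IPv6 addresses
# count; IPv6 link-local (fe80::/10) is ignored because the kernel adds it
# to every up interface. Returns 0 if all named interfaces are bare.
check_no_host_ip() {
    ipout=$1; shift
    bad=0
    for ifname in "$@"; do
        if printf '%s\n' "$ipout" | awk -v n="$ifname" '
            $2 == n && ($3 == "inet" || ($3 == "inet6" && $4 !~ /^fe80:/)) { found = 1 }
            END { exit (found ? 0 : 1) }'; then
            echo "host still has an address on $ifname"
            bad=1
        fi
    done
    return $bad
}

# Typical use on the host (the real command, not the constructed sample):
#   check_no_host_ip "$(ip -o addr show)" eth1 br-wan
```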

  • With Citrix XenServer (Essentials) you get a lot of increased performance; of course that depends on your hardware, and on when you assign a separate interface or dedicate an interface to an individual device.  That's why I use a dual Intel 10/100 adapter strictly for the firewall.

    With snapshots and the other items that virtualization brings to the table, it's great.  The reduction in utilities is also helpful.  I went from 9 servers and workstations to 1 machine, and I consolidated everything down to 4 VMs.  That's a huge reduction.

    I really think that virtualization is the way to go and it will only get better.

  • I'm running pfSense 1.2.3RC1 in my Proxmox machine.. CPU usage 1%, memory usage 18% (I allocated 1052 MB), swap usage 0%, disk usage is 7% (of 10 GB). I'm using the proxy in transparent mode with SquidGuard with 30 users.

    Mine has 3 NICs. One is the WAN for the other VMs, 1 is the WAN port for pfSense, while the other one is the LAN port for pfSense. BTW, I set it up this way so that pfSense traffic won't be congested if it is placed on the same NIC as the WAN of the other VMs (I'm not sure if this is correct  ::).

  • I am running my pfSense with 2 processors and 768 MB of RAM.  I have 1 connection for the WAN and 2 for the internal networks.  My processors rarely spike to 25% when I am doing uploads from remote sites.  Normal processor utilization is 1 to 2, maybe 3%.

    My VMs and my normal network share the same WAN port; I see no issues.

    Memory utilization is 20%
    Disk utilization is 4%
    Swap file is 0%

    Having a separate interface for VM versus normal traffic is overkill.  There should be no issues sharing one interface.

    I manage 35 VMs in XenCenter over two XenServers, getting ready to open up to 4 different servers expanding to 100 VMs.
