Netgate Discussion Forum

    pfSense+ licensing on Proxmox HA cluster

      griffincash @Gblenn

      @Gblenn
      Cable WAN has 5 IPs, 1 for each pfSense, 1 for CARP, 2 extras. LTE modem acts as a router, for failover internet only.

      Cable modem<->small switch<-lacp/mlag-> 2 MikroTik switches. LTE modem <->small switch<-lacp/mlag-> same 2 MikroTik switches.

      Proxmox servers connected with LACP to MLAG on the MikroTik switches.

      Proxmox will be running two pfSense instances in HA mode. One instance on Proxmox1, another on Proxmox2. If either server dies, the pfSense VMs will automatically migrate to another host, thus changing the hardware.

        Gblenn @griffincash

        @griffincash Yes well, running pfSense on two or three different Proxmox machines does not necessarily mean different "hardware". At least as long as they are all copies of the same VM, running entirely virtualized (no pass thru of NICs).
        If, on the other hand, you do in fact pass thru the NICs, then yes, they are truly different.

        So, it depends; virtualized, you don't need more licenses than you do running 6100s...

          griffincash @Gblenn

          @Gblenn Thanks for the help. Yes, it would be completely virtualized unless the performance wasn't there (which I can test with CE first). If performance with virtualized NICs isn't where I want it to be, I'll be going with the 6100s anyway.

            Gblenn @griffincash

            @griffincash It will of course depend on what HW you have in your Proxmox machines.
            And on top of that, what packages you run, like Ntop or Suricata/Snort. But I don't think you should have any trouble exceeding 1Gig at least.

            I run Ntop in a separate VM on the same machine, and Suricata in Legacy mode, and I have pass thru of my NICs (x520s). The best result I have seen from speedtest is 8.5G.

            But I am also playing around with some other firewalls (Sophos XG) which I have running both with passthru and virtualized NICs.

            I just ran a quick test from behind one of my test FWs, which is NATed behind my pfSense+... So, speedtest through two firewalls, with Sophos XG having virtualized NICs (listed as VirtIO paravirtualized), I got this:

            [Image: speedtest result screenshot]

              griffincash @Gblenn

              @Gblenn I'm from Alabama, if you can find internet faster than 1 Gbps that isn't dedicated, I'd be willing to move and find a new job. Jk. But seriously, I'm looking at 200 Mbps down and 50 up on coax and 50/25 on LTE. Traffic between LANs shouldn't need to exceed a gig either, as all the servers with 10G NICs are physically connected to each other. Those are just for fast data syncing.

                Gblenn @griffincash

                @griffincash Well, then you should have no trouble whatsoever...

                Actually, the 6100s you were looking to match would be quite a bit of overkill and even the 1100 could do the job. Even if you are running VPNs. But given your serious setup with cluster, failover and HA... I'm thinking your Proxmox machines definitely have the HW for it.

                  SteveITS Galactic Empire @griffincash

                  @griffincash Note adding/removing NICs in the VM will result in a new hardware ID and invalidate the license.

                  Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                  Upvote 👍 helpful posts!

                    Gblenn @SteveITS

                    @SteveITS said in pfSense+ licensing on Proxmox HA cluster:

                    > @griffincash Note adding/removing NICs in the VM will result in a new hardware ID and invalidate the license.

                    Ok, so adding a NIC to be used for a failover connection would mean the ID is different. Even if the first two NICs are the same?
                    Best then to add the NICs you need from the start, I suppose. No harm having them if they are virtualized...

                      SteveITS Galactic Empire @Gblenn

                      @Gblenn Yes, it calculates the NDI based on detected hardware.

                      I haven’t tried but you might add a few extra NICs just in case for future use.

                      Also you’ll need two Plus licenses for two routers.

                        Gblenn @SteveITS

                        @SteveITS said in pfSense+ licensing on Proxmox HA cluster:

                        > @Gblenn Yes, it calculates the NDI based on detected hardware.
                        >
                        > I haven’t tried but you might add a few extra NICs just in case for future use.

                        I guess the way @griffincash should do it is to wait with registration until decided on a good config.

                        > Also you’ll need two Plus licenses for two routers.

                        Agree, since they are both active in an HA config. But I don't see that he should need more licenses when virtualizing vs the alternative of running two 6100s...?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.