pfSense+ licensing on Proxmox HA cluster
-
I'm at a crossroads and my options are buy two 6100s or use virtual pfSense+ on my Proxmox cluster.
If space was no concern, I'd just pick the 6100s, but I'm trying to build the smallest fully redundant rack for my test lab.
I have 3 nodes in my cluster and will run 2 pfSense instances. I know that the licensing "can't" be transferred between servers, so will I need to license pfSense+ for each node? 3 nodes x 2 instances = 6 licenses?
-
@griffincash Hmm, what is the setup here in terms of incoming connection (fiber/cable) into what? Do you have two separate WAN IPs? Or was the plan perhaps to run an HA/failover setup with two instances of pfSense?
The license is anyway tied to the HW, and the ID used for licensing is calculated during setup. It will change if you change the HW. So in case of upgrading from e.g. 1G NICs to 10G NICs you would need to update your license. A simple thing really, and supported by Netgate.
So when you virtualize, you create the VM, configure it, and once it's up and running and you have everything as you want it, then you register the license. If you destroy that VM and create a new one, you would need a new license though... But you can create backups and, for example, have an active VM running and a copy (with that same license) on standby to spin up if something goes wrong with the other... Essentially no need for more licenses than you would need if you went with the 6100s...
-
@Gblenn
Cable WAN has 5 IPs, 1 for each pfSense, 1 for CARP, 2 extras. LTE modem acts as a router, for failover internet only.
Cable modem <-> small switch <-lacp/mlag-> 2 Mikrotik switches. LTE modem <-> small switch <-lacp/mlag-> same 2 Mikrotik switches.
Proxmox servers connected with LACP to MLAG on the Mikrotik switches.
Proxmox will be running two pfSense instances in HA mode. One instance on Proxmox1, another on Proxmox2. If either server dies, the pfSense VMs will automatically migrate to another host, thus changing the hardware.
-
@griffincash Yes well, running pfSense on two or three different Proxmox machines does not necessarily mean different "hardware". At least as long as they are all copies of the same VM, running entirely virtualized (no pass-thru of NICs).
IF on the other hand, you do in fact pass thru the NICs, then yes, they are truly different. So, it depends; virtualized, you don't need more licenses than you do running 6100s...
-
@Gblenn thanks for the help. Yes, it would be completely virtualized unless the performance wasn't there (which I can test with CE first). If performance with virtualized NICs isn't where I want it to be, I'll be going with the 6100s anyway.
-
@griffincash It will of course depend on what HW you have in your Proxmox machines.
And on top of that, what packages you run, like Ntop or Suricata/Snort. But I don't think you should have any trouble exceeding 1 Gig at least.
I run Ntop in a separate VM on the same machine, and Suricata in Legacy mode, and I have pass-thru of my NICs (x520s). The best result I have seen from speedtest is 8.5G.
But I am also playing around with some other firewalls (Sophos XG) which I have running both with pass-thru and virtualized NICs.
I just ran a quick test from behind one of my test FWs, which is NATed behind my pfSense+... So, speedtest through two firewalls, with Sophos XG having virtualized NICs (listed as VirtIO paravirtualized), I got this:
-
@Gblenn I'm from Alabama; if you can find internet faster than 1 Gbps that isn't dedicated, I'd be willing to move and find a new job. Jk. But seriously, I'm looking at 200 Mbps down and 50 up on coax and 50/25 on LTE. Traffic between LANs shouldn't need to exceed a gig either, as all the servers with 10G NICs are physically connected to each other. Those are just for fast data syncing.
-
@griffincash Well, then you should have no trouble whatsoever...
Actually the 6100s you were looking to match would be quite a bit of overkill, and even the 1100 could do the job. Even if you are running VPNs. But given your serious setup with cluster, failover and HA... I'm thinking your Proxmox machines definitely have the HW for it.
-
@griffincash Note adding/removing NICs in the VM will result in a new hardware ID and invalidate the license.
-
@SteveITS said in pfSense+ licensing on Proxmox HA cluster:
@griffincash Note adding/removing NICs in the VM will result in a new hardware ID and invalidate the license.
Ok, so adding a NIC to be used for a failover connection would mean the ID is different. Even if the first two NICs are the same?
Best then to add the NICs you need from the start I suppose. No harm having them if they are virtualized...
-
@Gblenn Yes it calculates the NDI based on detected hardware.
I haven’t tried but you might add a few extra NICs just in case for future use.
Also you’ll need two Plus licenses for two routers.
-
@SteveITS said in pfSense+ licensing on Proxmox HA cluster:
@Gblenn Yes it calculates the NDI based on detected hardware.
I haven’t tried but you might add a few extra NICs just in case for future use.
I guess the way @griffincash should do it is to wait with registration until he has decided on a good config.
Also you’ll need two Plus licenses for two routers.
Agree, since they are both active in an HA config. But I don't see that he should need more licenses when virtualizing vs the alternative of running two 6100s...?
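The thread's point that the pfSense+ hardware ID (NDI) is derived from detected hardware, and that adding or removing a virtual NIC changes it, suggests a pre-flight check before spinning up a standby copy or restoring a backup on another node. The following is an added example, not code from the thread or from Netgate/Proxmox: it parses two constructed Proxmox VM config files (the `/etc/pve/qemu-server/<vmid>.conf` format, `netN: model=MAC,...` lines) and reports any NIC slot, model or MAC that differs between the active VM and its copy. Treating a changed MAC as a difference is an assumption for review, not a statement about what the NDI includes.

```python
import re

# Constructed sample configs (not from the thread). The standby copy has an
# extra NIC added "for future use", which the thread says changes the NDI.
PRIMARY_CONF = """\
name: pfsense-a
cores: 4
memory: 4096
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0
net1: virtio=BC:24:11:00:00:02,bridge=vmbr1
"""

STANDBY_CONF = """\
name: pfsense-a
cores: 4
memory: 4096
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0
net1: virtio=BC:24:11:00:00:02,bridge=vmbr1
net2: virtio=BC:24:11:00:00:03,bridge=vmbr2
"""

# Matches the common "netN: <model>=<MAC>[,options]" form of a Proxmox NIC line.
NET_LINE = re.compile(r"^(net\d+):\s*(\w+)=([0-9A-Fa-f:]{17})(?:,(.*))?$")


def parse_nics(conf):
    """Return {"net0": (model, MAC), ...} for every netN line in a config."""
    nics = {}
    for line in conf.splitlines():
        m = NET_LINE.match(line.strip())
        if m:
            nics[m.group(1)] = (m.group(2), m.group(3).upper())
    return nics


def nic_differences(conf_a, conf_b):
    """List NIC slots that are missing from one side or differ in model/MAC."""
    a, b = parse_nics(conf_a), parse_nics(conf_b)
    diffs = []
    for slot in sorted(set(a) | set(b), key=lambda s: int(s[3:])):
        if slot not in b:
            diffs.append(f"{slot} only in first config: {a[slot]}")
        elif slot not in a:
            diffs.append(f"{slot} only in second config: {b[slot]}")
        elif a[slot] != b[slot]:
            diffs.append(f"{slot} differs: {a[slot]} vs {b[slot]}")
    return diffs


if __name__ == "__main__":
    for d in nic_differences(PRIMARY_CONF, STANDBY_CONF):
        print("WARNING:", d)
```

An empty result means the virtual NIC layout matches; any warning is a reason to fix the copy before relying on it, or to expect re-registration.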