Netgate Discussion Forum
    Virtualizing pfSense on a production server

Category: Virtualization
    19 Posts 10 Posters 16.4k Views
TLP:

Hello, I have some questions about virtualizing pfSense.

1. Is it really viable to virtualize a firewall on a production server???

2. Is there any security flaw in doing this???

3. What is the best (free) virtualization solution for this?? ESXi, as this is a bare-metal hypervisor (which sounds more secure to me)???

4. Is it possible to dynamically share the physical server hardware across the various virtual machines??? Something like whoever needs more gets more (automatically).

edit: I have been reading, Citrix XenServer sounds a lot better, or am I wrong???

TLP:

Hello?? Can any professional help me?

marcelloc:

I prefer using a firewall on dedicated hardware, but you can use it in a VM too.

The virtualization engine is up to you. VMware will be easier, but both will work.

Just keep in mind that the WAN interface must be securely visible only to the firewall.

Elite Training: http://sys-squad.com

          Help a community developer! ;D

TLP:

OK, thanks for your reply, but is it secure to use a virtual machine??? (Yes, I will use an exclusive NIC port for the firewall, just for the firewall.)

And is there any virtual appliance that uses dynamic hardware allocation???

marcelloc:

Same security level if you secure the WAN cable and the VM console.

I don't know if pfSense supports dynamic allocation.

cougarmaster:

What do you mean by dynamic hardware allocation? If you need a front-end GUI you can choose VMware or Citrix XenServer. I mainly use Xen 4.0.1 from the CLI and have a dedicated NIC for WAN. Security-wise, if any part of the Xen server is exposed outside it will be vulnerable, so you'll need to access it through VPN or internally from a specific IP with keys.

TLP:

What do you mean by Xen exposed???
I need to plug a WAN into the Xen server; it will be connected directly, but only the pfSense will use the WAN interface.
That's right… right????

cougarmaster:

Yes, but do not configure the NIC to be active on the Xen server; PCI pass it through to pfSense.

photonman:

I would say VMware ESX would be more secure than XenServer for the simple reason that XenServer relies on a Linux operating system whereas ESX is a hypervisor.

dave99:

XenServer is also a bare-metal hypervisor like ESXi; the service console is Linux based.

cougarmaster:

I think all hypervisors are secure only if you make them secure. I chose Xen (with Debian Squeeze AMD64) mainly because of PCI pass-through (which VMware also has, but limited to NICs and some SCSI adapters). It only takes me about 30 minutes to get a brand new server up and running with pfSense as well, after which I have PPTP VPN running so I can remotely do other configurations.

mervincm:

I use ESXi Hypervisor 5.0 Free in a similar way. The ESXi host has three physical NICs. The first is for raw Internet, which I call the Red network, and I plug this NIC into the cable modem. This Red network is set up as a virtual switch in ESXi that has ONLY 2 connections: the physical NIC I already mentioned, plus a vNIC on my pfSense virtual machine. Within the pfSense VM, this vNIC is the WAN port from pfSense's perspective. The second physical NIC in my ESXi host is what I call the Green network, and it is my internal secure network. This Green NIC is also a virtual ESXi switch, plus it connects to a 16-port physical Gbit switch, into which I plug my PCs, internal WAP, DVD, TV, Xbox, etc. There are many vNICs on the Green network, including the LAN NIC on my pfSense virtual machine as well as several other virtual machines running on my ESXi host. The third physical NIC in my ESXi host is designated as the VM management network within ESXi.

This setup provides reasonable security for my internal Green network. There is a disadvantage in that I do not have physical separation, and I would not do it if I had highly secure data to protect, but as a small-scale solution I find it to be a good compromise.

joako:
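The three-NIC layout above, marcelloc's rule that the WAN interface must be visible only to the firewall, and cougarmaster's advice not to give the hypervisor itself an address on the WAN NIC are all invariants that can be checked mechanically against a description of the host's virtual switches. The following is an added example, not code from this thread or from ESXi/Xen: it models uplinks, vNICs and switches as plain data (the "red"/"green"/"mgmt" names, the "vmnic0" style NIC names, the VM names and the two sample topologies are constructed for illustration, not taken from any real host) and reports every violation it finds.

```python
"""Topology invariant checks for a virtualized pfSense host.

Constructed model, not the ESXi or Xen API: each physical NIC is an uplink of
exactly one virtual switch, each VM vNIC attaches to one virtual switch, and
the hypervisor may or may not hold its own IP address on a physical NIC.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PhysNic:
    name: str                     # e.g. "vmnic0" (constructed name)
    vswitch: str                  # virtual switch this NIC uplinks
    host_addressed: bool = False  # True if the hypervisor itself has an IP here


@dataclass(frozen=True)
class VNic:
    vm: str                       # VM name
    vswitch: str                  # virtual switch the vNIC is attached to


@dataclass(frozen=True)
class Topology:
    phys: List[PhysNic]
    vnics: List[VNic]
    firewall_vm: str              # VM name of the pfSense guest
    wan_vswitch: str              # "red" segment: the raw Internet uplink
    mgmt_vswitch: str             # hypervisor management segment


def check_topology(t: Topology) -> List[str]:
    """Return a list of findings; an empty list means every invariant holds."""
    findings = []
    wan_phys = [p for p in t.phys if p.vswitch == t.wan_vswitch]
    wan_vnics = [v for v in t.vnics if v.vswitch == t.wan_vswitch]

    # 1. Exactly one physical uplink on the WAN switch (the modem cable).
    if len(wan_phys) != 1:
        findings.append(f"WAN switch {t.wan_vswitch!r} has {len(wan_phys)} "
                        f"physical uplinks, expected 1")

    # 2. The hypervisor must not hold an address on the WAN NIC; it stays a raw uplink.
    for p in wan_phys:
        if p.host_addressed:
            findings.append(f"hypervisor has an IP on WAN NIC {p.name!r}")

    # 3. Only the firewall VM may attach a vNIC to the WAN switch.
    for v in wan_vnics:
        if v.vm != t.firewall_vm:
            findings.append(f"VM {v.vm!r} has a vNIC on the WAN switch")

    # 4. The firewall must have exactly one WAN vNIC (the switch's second connection).
    fw_wan = [v for v in wan_vnics if v.vm == t.firewall_vm]
    if len(fw_wan) != 1:
        findings.append(f"firewall {t.firewall_vm!r} has {len(fw_wan)} WAN vNICs, expected 1")

    # 5. Management traffic never shares the WAN segment.
    if t.mgmt_vswitch == t.wan_vswitch:
        findings.append("management switch is the WAN switch")
    return findings


# Constructed sample mirroring the three-NIC layout described in the thread.
GOOD = Topology(
    phys=[PhysNic("vmnic0", "red"), PhysNic("vmnic1", "green"),
          PhysNic("vmnic2", "mgmt", host_addressed=True)],
    vnics=[VNic("pfsense", "red"), VNic("pfsense", "green"),
           VNic("fileserver", "green"), VNic("webapp", "green")],
    firewall_vm="pfsense", wan_vswitch="red", mgmt_vswitch="mgmt",
)

# Same host after two mistakes: a second VM plugged into the red switch and a
# hypervisor address configured on the WAN NIC.
BAD = Topology(
    phys=[PhysNic("vmnic0", "red", host_addressed=True), PhysNic("vmnic1", "green"),
          PhysNic("vmnic2", "mgmt", host_addressed=True)],
    vnics=[VNic("pfsense", "red"), VNic("pfsense", "green"),
           VNic("fileserver", "red"), VNic("webapp", "green")],
    firewall_vm="pfsense", wan_vswitch="red", mgmt_vswitch="mgmt",
)

if __name__ == "__main__":
    for label, topo in (("good", GOOD), ("bad", BAD)):
        print(label, check_topology(topo) or "OK")
```

The model is deliberately hypervisor-neutral: the same checks apply to a Xen host where the WAN NIC is passed through to the pfSense guest, in which case "host_addressed" on that NIC is exactly the misconfiguration cougarmaster warns against.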

Whenever you use software-based things there is a slightly higher chance of security issues: VLANs, virtualization, etc. Assuming you understand all the concepts at play, it's rather simple to configure a "secure" environment. However, there could be an exploit that compromises the system itself or the networking components. I think this risk is very targeted and rather low. Of course there are cases where the potential costs of the "what if" scenario greatly outweigh any possible savings (be it money, manageability, etc.) in any area.

jms703:

                                @TLP:

OK, thanks for your reply, but is it secure to use a virtual machine???

Virtualization is essentially placing a buggy but tried-and-tested kernel (*BSD, Linux, etc.) on top of a new kernel (ESX, Xen, KVM) with its own set of new bugs. Since "new" doesn't mean bug-free, you have two very different kernels to worry about instead of just one. So my answer to your question is that it would be "less secure" to use a virtual machine, simply because you've added complexity and increased the number of things you want to be secure. How much security you need/want is the question you should consider. For some it is an acceptable risk; for others it is not.

For me, running pfSense in a virtual machine is an acceptable risk. The systems behind it are mine.

Zeon:

I'm using pfSense 2.0 on many virtualized instances, including a core router in our datacenter rack where it routes upwards of 4 TB per month and requires literally 99.995% uptime. I use ESXi 4.1/5.0 and it works a treat. Yes, there could be security issues, but little different from any others you would otherwise face. Those virtualization platforms have massive teams working on making sure they are secure.

Just be careful with Hyper-V: it has no good FreeBSD network drivers, so you won't get good throughput. I'd stick with ESXi.

tritron:

It seems that all virtualization software is based on Linux except for Hyper-V. Xen and XenServer will be faster than ESXi. ESXi shares memory, so more memory can be assigned to each server. ESXi has a great firewall, but on Xen you can add your own. I am using ESXi for Server 2008s and Arch Linux. I just built an Arch Linux based Xen and it is much faster than ESXi.

marcelloc:

                                      @tritron:

It seems that all virtualization software is based on Linux except for Hyper-V. Xen and XenServer will be faster than ESXi. ESXi shares memory, so more memory can be assigned to each server. ESXi has a great firewall, but on Xen you can add your own. I am using ESXi for Server 2008s and Arch Linux. I just built an Arch Linux based Xen and it is much faster than ESXi.

This is not quite true; both can reach the same performance. It all depends on configuration.

Default ESXi VMs use only shared resources, but you can reserve memory and/or processor to improve performance.

Without VMware Tools it will have poor performance too.

tritron:

I have a six-core AMD server (the AMD implementation is better). I had installed Xen on Arch Linux on a Dell 860 and assigned 1 GB to Server 2008 R2 as a domain controller with web server etc., and the same system on the AMD with 4 GB of memory assigned, and Xen works much faster than ESXi. Network performance seems much faster. ESXi performance costs money. I would say that the 0-dollar XenServer will be much faster.

marcelloc:

                                          @tritron:

ESXi performance costs money. I would say that the 0-dollar XenServer will be much faster.

Are we talking about money or performance?

I've tested both with Red Hat support and VMware support.
Both had the same performance.

VMware has good points and Xen has others.

VMware is much more compatible than Xen with those specific client kernel version requirements.

BTW, I do not like flames.

Congratulations on your Xen virtual server.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.