Virtualizing pfSense on a production server



  • Hello, I have some questions about virtualizing pfSense

    1. Is this really viable to virtualize a firewall on a production server???

    2. Is there any security flaw on doing this???

    3. What is the best (free) virtualization solution for this?? ESXi as this is a bare-metal hypervisor (which sounds more secure to me)???

    4. Is it possible to dynamically share the physical server hardware among the various virtual machines??? Something like whoever needs more gets more (automatically)

    edit: I have been reading, Citrix XenServer sounds a lot better, or am I wrong???



  • Hello?? Can any professional help me?



  • I prefer using a firewall on dedicated hardware, but you can use it on a VM too.

    The virtualization engine is up to you. VMware will be easier, but both will work.

    Just keep in mind that the WAN interface must be securely visible only to the firewall.



  • OK, thanks for your reply, but is it secure to use a virtual machine??? (Yes, I will use an exclusive NIC port for the firewall, just for the firewall.)

    And is there any virtual appliance that uses dynamic hardware allocation???



  • Same security level if you secure the WAN cable and the VM console.

    I don't know if pfSense supports dynamic allocation.



  • What do you mean by dynamic hardware allocation? If you need a front-end GUI you can choose VMware or Citrix XenServer. I mainly use Xen 4.0.1 from the CLI and have a dedicated NIC for WAN. Security-wise, if any part of the Xen server is exposed outside, it will be vulnerable, so you'll need to access it through a VPN or internally from a specific IP with keys.



  • What do you mean by Xen exposed???
    I need to plug a WAN into the Xen server; it will be connected directly, but only pfSense will use the WAN interface.
    It's right… right????



  • Yes, but do not configure the NIC to be active on the Xen server, and PCI pass it through to pfSense.



  • I would say VMware ESX would be more secure than XenServer for the simple reason that XenServer relies on a Linux operating system whereas ESX is a hypervisor.



  • XenServer is also a bare-metal hypervisor like ESXi; the service console is Linux-based.



  • I think all hypervisors are secure only if you make them secure. I chose Xen (with Debian Squeeze AMD64) mainly because of PCI passthrough (which VMware also has, but limited to NICs and some SCSI adapters). It only takes me about 30 minutes to get a brand-new server up and running with pfSense too, after which I have a PPTP VPN running so I can remotely do other configurations.



  • I use ESXi Hypervisor 5.0 Free in a similar way. The ESXi host has three physical NICs. The first is for raw Internet, which I call the Red network, and I plug this NIC into the cable modem. This Red network is set up as a virtual switch in ESXi that has ONLY 2 connections: the physical NIC I already mentioned, plus a vNIC on my pfSense virtual machine. Within the pfSense VM, this vNIC is the WAN port from pfSense's perspective. The second physical NIC in my ESXi host is what I call the Green network, and it is my internal secure network. This Green NIC is also a virtual ESXi switch, plus it connects to a 16-port physical Gbit switch, and I plug in my PCs, internal WAP, DVD, TV, Xbox etc. There are many vNICs on the Green network, including the LAN NIC on my pfSense virtual machine as well as several other virtual machines running on my ESXi host. The third physical NIC in my ESXi host is designated as the VM management network within ESXi.

    This setup provides reasonable security to my internal Green network. There is a disadvantage in that I do not have physical separation, and I would not do it if I had highly secure data to protect, but as a small-scale solution, I find it to be a good compromise.
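    The Red/Green/management layout in the post above, together with the earlier advice that the WAN interface must be visible only to the firewall, can be checked mechanically. The following is an added example, not code from this thread, pfSense or VMware: it takes a constructed, hand-transcribed inventory of virtual switches and reports every attachment (a hypervisor management port, a second VM, a shared uplink) that would expose the WAN segment beyond the firewall VM's single WAN vNIC. Switch, VM and NIC names are invented for the sample.

```python
from dataclasses import dataclass, field


@dataclass
class VSwitch:
    """A virtual switch: physical uplinks, attached VMs (vm -> vNIC labels), hypervisor ports."""
    name: str
    uplinks: list
    vm_nics: dict = field(default_factory=dict)
    vmkernel_ports: list = field(default_factory=list)


def check_wan_isolation(switches, wan_switch, firewall_vm):
    """Return findings; empty means only the firewall's single WAN vNIC can reach the WAN uplink."""
    wan = next((s for s in switches if s.name == wan_switch), None)
    if wan is None:
        return [f"WAN switch {wan_switch!r} not found"]
    findings = []
    if len(wan.uplinks) != 1:
        findings.append(f"{wan.name}: expected exactly one physical uplink, found {wan.uplinks}")
    # The hypervisor itself must never have a management/kernel port facing the WAN.
    for port in wan.vmkernel_ports:
        findings.append(f"{wan.name}: hypervisor port {port} is attached to the WAN switch")
    # Only the firewall VM may be attached, and only through one vNIC.
    for vm, nics in wan.vm_nics.items():
        if vm != firewall_vm:
            findings.append(f"{wan.name}: VM {vm!r} has vNIC(s) {nics} on the WAN switch")
    fw_nics = wan.vm_nics.get(firewall_vm, [])
    if len(fw_nics) != 1:
        findings.append(f"{wan.name}: firewall {firewall_vm!r} should have one WAN vNIC, has {fw_nics}")
    # The WAN uplink must be dedicated: not teamed into or reused by any other switch.
    for other in switches:
        if other.name != wan.name:
            for shared in sorted(set(other.uplinks) & set(wan.uplinks)):
                findings.append(f"uplink {shared} is shared between {wan.name} and {other.name}")
    return findings


# Constructed sample inventory mirroring the three-NIC Red/Green/management layout.
GOOD_LAYOUT = [
    VSwitch("Red", ["vmnic0"], {"pfSense": ["WAN"]}),
    VSwitch("Green", ["vmnic1"], {"pfSense": ["LAN"], "fileserver": ["eth0"]}),
    VSwitch("Mgmt", ["vmnic2"], vmkernel_ports=["vmk0"]),
]

# Constructed misconfiguration: a management port and a second VM sit on the WAN switch,
# and the WAN NIC is also teamed into the Green switch.
BAD_LAYOUT = [
    VSwitch("Red", ["vmnic0"], {"pfSense": ["WAN"], "webserver": ["eth0"]}, ["vmk0"]),
    VSwitch("Green", ["vmnic1", "vmnic0"], {"pfSense": ["LAN"]}),
]
```

    Running `check_wan_isolation(BAD_LAYOUT, "Red", "pfSense")` yields three findings (the vmk0 port, the extra VM, and the shared vmnic0 uplink), while the good layout yields none.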



  • Whenever you use software-based things there's a slightly higher chance of security issues: VLANs, virtualization, etc. Assuming you understand all the concepts at play, it's rather simple to configure a "secure" environment. However, there could be an exploit that compromises the system itself or the networking components. I think this risk is very targeted and rather low. Of course there are cases where the potential costs of the "what if" scenario greatly outweigh any possible savings (be it money, manageability, etc.) in any area.



  • @TLP:

    OK, thanks for your reply, but is it secure to use a virtual machine???

    Virtualization is essentially placing a buggy, but tried and tested kernel (*BSD, Linux, etc.) on top of a new kernel (ESX, Xen, KVM), with its own set of new bugs. Since "new" doesn't mean bug-free, you have two very different kernels to worry about, instead of just one. So my answer to your question is that it would be 'less secure' to use a virtual machine, simply because you've added complexity and increased the number of things you want to be secure. How much security you need/want is the question you should consider. For some, it is an acceptable risk; for others, it is not.

    For me, running pfSense in a virtual machine is an acceptable risk. The systems behind it are mine.



  • I'm using pfSense 2.0 on many virtualized instances, including a core router in our datacenter rack where it routes upwards of 4 TB per month and requires literally 99.995% uptime. I use ESXi 4.1/5.0 and it works a treat. Yes, there could be security issues, but little different to any others you would otherwise face. Those virtualization platforms have massive teams working on making sure they are secure.

    Just be careful with Hyper-V - it has no good FreeBSD network drivers, so you won't get good throughput. I'd stick with ESXi.



  • It seems that all virtualization software is based on Linux except for Hyper-V. Xen and XenServer will be faster than ESXi. ESXi shares memory so more memory can be assigned to each server. ESXi has a great firewall, but on Xen you can add your own. I am using ESXi for Server 2008s and Arch Linux. I just built an Arch Linux based Xen and it is much faster than ESXi.



  • @tritron:

    It seems that all virtualization software is based on Linux except for Hyper-V. Xen and XenServer will be faster than ESXi. ESXi shares memory so more memory can be assigned to each server. ESXi has a great firewall, but on Xen you can add your own. I am using ESXi for Server 2008s and Arch Linux. I just built an Arch Linux based Xen and it is much faster than ESXi.

    This is not that true; both can reach the same performance. It will all depend on configuration.

    Default ESXi VMs use only shared resources, but you can reserve memory and/or processor to improve performance.

    Without VMware Tools it will have poor performance too.



  • I have a six-core AMD server (the AMD implementation is better). I had installed Xen on Arch Linux on a Dell 860 and assigned 1 GB to Server 2008 R2 as a domain controller with a web server etc., and the same system on AMD with 4 GB memory assigned, and Xen works much faster than ESXi. Network performance seems much faster. ESXi performance costs money. I would say that the 0-dollar XenServer will be much faster.



  • @tritron:

    ESXi performance costs money. I would say that the 0-dollar XenServer will be much faster.

    Are we talking about money or performance?

    I've tested both with Red Hat support and VMware support.
    Both had the same performance.

    VMware has good points and Xen others.

    VMware is much more compatible than Xen with those specific clients' kernel version requirements.

    Btw, I do not like flames.

    Congratulations on your Xen virtual server.

