Difference between Virtual pfSense on VMWare and Hacom Appliance

  • Hello,

    I have a simple question, is there any difference between virtual pfSense running on VMWare and pfSense running on Hacom Appliance:


    Same web GUI configuration or ??

    Thank You

  • Netgate Administrator

    Well… um... yes.  ::)

    pfSense runs natively on the Hacom appliances so you don't have the virtualisation layer.
    The setup and webgui are the same, different interfaces obviously.


  • Hello Steve,

    thank you for the reply, so pfSense as a firewall, either running virtual on VMWare or on an appliance from, for example, Hacom, is the same, and the only difference is the interfaces … ?


  • Banned

    The only difference is that one runs virtual and the other one runs bare metal…

    Both can run virtual and bare metal!

  • Netgate Administrator

    Hard to answer this. Why are you asking?

    There are advantages and disadvantages to running bare metal or virtualised.
    From a configuration point of view bare metal presents 'real' interfaces which are then assigned by their FreeBSD driver name. Virtualised installs present only virtual interfaces (usually Intel Gigabit).
    If, for example, you have been testing pfSense virtualised and are now transferring that to real hardware you will have to reassign the interfaces after importing the config file (or edit the file manually).
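
The interface reassignment described in the post above, sketched as an added example that is not part of the original thread: it rewrites driver names in a config export, including VLAN parents, and reports any name left pointing at a NIC the new machine would not have. The sample XML is constructed, its element layout is assumed to match a pfSense `config.xml`, and `remap_interfaces` and the `ix0`/`ix1` target names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the interface sections of a pfSense
# config.xml export (element layout is an assumption for this example).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr></wan>
    <lan><if>em1</if><descr>LAN</descr></lan>
    <opt1><if>em1_vlan10</if><descr>SERVERS</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><vlanif>em1_vlan10</vlanif></vlan>
  </vlans>
</pfsense>"""


def remap_interfaces(xml_text, mapping):
    """Rewrite driver names in <if>/<vlanif> elements.

    Returns (new_xml, unmapped): unmapped lists driver names that are still
    referenced but have no entry in mapping, i.e. assignments that would
    point at a NIC the new machine does not have.
    """
    root = ET.fromstring(xml_text)
    unmapped = set()
    for el in root.iter():
        if el.tag not in ("if", "vlanif") or not el.text:
            continue
        # "em1_vlan10" -> parent "em1", suffix "_vlan10"; plain "em0" has no suffix.
        parent, sep, rest = el.text.strip().partition("_vlan")
        if parent in mapping:
            el.text = mapping[parent] + sep + rest
        else:
            unmapped.add(parent)
    return ET.tostring(root, encoding="unicode"), sorted(unmapped)


if __name__ == "__main__":
    # Hypothetical move from virtual em NICs to ix0/ix1 on real hardware.
    new_xml, unmapped = remap_interfaces(SAMPLE_CONFIG, {"em0": "ix0", "em1": "ix1"})
    print(new_xml)
    print("still unmapped:", unmapped)
```

On a firewall the unmapped list is the part to check before importing: a WAN or LAN assignment that still names the old driver no longer describes the interface the rules were written for.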


  • Hi again Steve,

    well, there are 2 main reasons I am asking about it.

    1. Performance: is there a huge difference between running pfSense on VMWare as a Virtual Machine and running it on an Appliance such as Hacom? I think that I can have a lot more power running pfSense as a Virtual Machine than running it on the Appliance, which is limited when we are talking about RAM and CPU… as we have a server with 32 CPUs and each CPU is 8 cores, and 4 x 10 GIG NIC (optical fiber for LC connector)

    2. When we are talking about interface differences, then we do not have any issues with this because we need only 2 interfaces, em0 WAN and em1 LAN, as we are running everything on VLANS on our network, so there is just trunking between Switches and pfSense, so interfaces are not the problem in our case...

    And perhaps third explanation,

    personally I think the BEST performance would be to install pfSense on the Server bare metal with no virtualization, and use a dual 10 GB NIC which is connected to an external Switch (managed) and run a trunk on the link between the server and pfSense ....

    In this case we will have a very robust Firewall platform which has a lot more power than Hacom or other Appliances can provide...

    PS: the reason I was thinking of running pfSense on VMWare is that we have 2 very rich options, SNAPSHOT and V-MOTION .... For example, if we upgrade the pfSense firmware then You never know what can happen, so we can take a SNAPSHOT of the pfSense Virtual Machine and just run the upgrade, so if anything goes wrong, just restore the SNAPSHOT and You're up and running in no time ...

    In the end, my point was also to know if there are "configuration" differences in the WebGui when running pfSense on VMWARE as a virtual machine and running it on an Appliance such as Hacom... except the Interfaces which You already mentioned... as this makes sense...


  • Netgate Administrator

    Well if you already have a very powerful VMWare server then why not use that?
    There are some advantages to running bare metal in terms of absolute performance (no virtualisation overhead) but you are unlikely to see better performance from an appliance when your server is that spec.

    Running pfSense natively on that machine would likely be a massive waste of hardware! The limited hardware support in FreeBSD, especially in current pfSense, may not support your 10G cards at all and the pf process does not span CPUs well. You would likely have 31 cpus doing nothing and one cpu with half its cores idle!  ;)

    Though I should say I've never tried doing anything like that so I welcome other thoughts.


  • thanks for supporting my minds :)

    the only issue here is that FreeBSD does not support 10 GiG NICs, otherwise this would not be a waste of hardware as this server will run 15 other Virtual Servers too, so pfSense would not be the only Virtual Machine here…

    I will do anything I can to not use Cisco, because I am sick of their license terms. They are selling VLANS as if they were a cup of milk, and everything is limited, so therefore I will try to make a more robust firewall out of pfSense....


  • @Tom.C:

    FreeBSD does not support 10 GiG NIC`s,

    The FreeBSD hardware support list for FreeBSD 8.1 (version used in pfSense 2.0 and 2.0.1) at http://www.freebsd.org/releases/8.1R/hardware.html lists a number of supported drivers for 10Gigabit Ethernet adapters including cxgb, ixgb, ixgbe, mxge and nxge.

  • wallabybob, what a surprise !!!!!!!!!!!!! :):) You just did my day BETTER !!!!!

    Thank You for the information !! I just read through the post on the link You sent us…
    just going to set up a monster firewall out of pfSense !

    Best regards

  • Netgate Administrator

    I'll be interested in your results.
    I can't find it now but there was a post somewhere detailing the maximum theoretical throughput for a pfSense system being somewhere around 4Gbps. The limitation being the single giant locked process running on the fastest single core you can get.


    well, when I chatted with Chris, he told me that the throughput limit depends in most cases on the hardware in use.
    But of course we need to run some tests and see the results …


  • Netgate Administrator

    Clearly you have access to some pretty high end hardware. I await your results.  :)


    Edit: Here's the thread I referenced earlier out of interest:

  • With that kind of spec of hardware, you're going to be better off virtualized on that than with most any appliance by sheer power of that system. You'd have to get somewhere near the same spec of hardware running on bare metal to be comparable.

  • we will run the tests soon, the reason we are doing this is to get rid of the Cisco and their licensing terms.

    Cisco is in most cases a waste of money when we are talking about a Firewall; it's cheaper to invest in a "monster" server for a one-time fee and run a monster firewall with no such limitations on VLANS, VPNs etc… as Cisco is selling VLANS as if they were "milk", for example the IPSEC plus license for the Cisco ASA 5505 with a 20 vlans limit ? what a f***** the VLAN is nothing new and there is absolutely no reason to put licenses on vlans, which are the primary factor in networking. This is just an example, but there are other "license" features that should be included in the firewall when we purchase it, but no, they sell the hardware, the features, just everything is limited, so not any more...

