PfSense on VirtualBox: Networking Best Practice?



  • Hello all!
    What would be a "Best Practice" deployment of pfSense using VBox, for "a home network"?

    It's understood that bare metal is the optimal way to run pfSense, closely followed by a Type 1 hypervisor like ESXi. But let's just assume pfSense in VirtualBox on a Host with 2 physical NICs is all we have to use. Furthermore, our network infrastructure consists of a cable modem and a dumb switch. Also, the VBox Host has 2 more Guest OSs I'd like to run, and I'd like to connect a couple of laptops to the network too.

    I think the plumbing goals should be:
    1. Run pfSense as the primary network firewall/router/dhcp for the host, other VMs, and other hosts on the LAN
    2. Expose as little of the VBox host OS as possible to the ravages of the wide-open internet
    3. Inasmuch as possible, allow the VBox Guest OSs to network as physical machines

    Is there a way to accomplish all these goals? What combination of VBox adapters would be best? How would you do it?

    Thanks!!



  • If VirtualBox supports the VT-d feature, and your physical machine has more than 1 NIC, and your physical machine has proper VT-d support (CPU, mobo, BIOS), you can dedicate (using VT-d) a single NIC to the pfSense virtual machine. Then the host has no exposure to the outside internet at all.

    N.B. VT-d is an Intel-specific technology; there is an AMD analogue, the name of which I am unfamiliar with, but the principle is exactly the same.


  • Rebel Alliance Global Moderator

    I used to run pfSense on VBox and VMware Server running on top of a host OS before I moved to ESXi.

    All I used to do is just bridge the interface on the host that you're connecting to the pfSense VM WAN. And on the host, remove all TCP/IP configuration, i.e. in Windows uncheck Windows file sharing, Client for Windows Networks, and TCP/IP, so the only thing checked in the Windows bindings for that interface was the bridge to VirtualBox. This physical NIC was connected to the cable modem.

    Then the LAN interface for pfSense is bridged to the physical interface that is connected to your normal LAN network. And the host OS had a normal configuration on this, i.e. TCP/IP, Client for Windows Networks, File and Print Sharing all bound to the interface on the host OS. This is the VM network you would connect the rest of your VMs' interfaces to, so they would all get IPs that are on your physical network.



  • Hi,

    I do this.

    Host has a LAN and WAN interface.
    WAN interface on host is not accessible via IP protocols.
    LAN interface on host has a static IP address and can be accessed from there.

    Bridge LAN and WAN to pfSense.

    All other VMs bridge to LAN.

    Works exactly like with separate physical machines then.

    I am using Linux for the host. You can bring up an interface with a 0.0.0.0 IP address so it is active, but not accessible on the host.
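The two-NIC bridged layout described in this post and the one before it (WAN NIC bridged to the pfSense VM with no host address on it, LAN NIC bridged and shared with the other VMs), as an added example that is not from the thread: a POSIX shell script for a Linux host using VBoxManage. The VM name and the interface names are assumptions; `show` prints the commands, `apply` runs them.

```shell
#!/bin/sh
# Added example, not from the thread: wire a pfSense VM to two physical host
# NICs as bridged adapters and leave the host with no address on the WAN NIC.
# VM name and interface names below are assumptions; override via environment.
VM="${VM:-pfSense}"         # assumed VirtualBox VM name
WAN_IF="${WAN_IF:-enp0s3}"  # assumed host NIC cabled to the cable modem
LAN_IF="${LAN_IF:-enp0s8}"  # assumed host NIC cabled to the LAN switch

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# VM side: adapter 1 (pfSense WAN) bridged to the modem NIC, adapter 2
# (pfSense LAN) bridged to the LAN NIC. Other VMs get only a bridge to LAN_IF.
configure_vm_nics() {
    run VBoxManage modifyvm "$VM" --nic1 bridged --bridgeadapter1 "$WAN_IF" --cableconnected1 on
    run VBoxManage modifyvm "$VM" --nic2 bridged --bridgeadapter2 "$LAN_IF" --cableconnected2 on
}

# Host side: the WAN NIC must be up so the bridge forwards frames, but the host
# itself gets no IPv4 address on it (the 0.0.0.0 trick above) and no IPv6
# either; without the sysctl the kernel still assigns a link-local fe80::
# address on the interface, which is reachable from the modem side.
isolate_host_wan_nic() {
    run ip addr flush dev "$WAN_IF"
    run sysctl -w "net.ipv6.conf.$WAN_IF.disable_ipv6=1"
    run ip link set dev "$WAN_IF" up
}

# Check: succeeds only when the host holds no IPv4 or IPv6 address on the WAN NIC.
host_wan_has_no_address() {
    [ -z "$(ip -4 -o addr show dev "$WAN_IF" 2>/dev/null)" ] &&
    [ -z "$(ip -6 -o addr show dev "$WAN_IF" 2>/dev/null)" ]
}

case "${1:-}" in
    show)  DRY_RUN=1; configure_vm_nics; isolate_host_wan_nic ;;
    apply) configure_vm_nics; isolate_host_wan_nic
           host_wan_has_no_address && echo "host has no address on $WAN_IF" ;;
esac
```

The `apply` branch needs root for the `ip` and `sysctl` calls; the check at the end is what you want to see pass before plugging the modem into that NIC.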



  • Note:

    When using virtualbox I get issues if pausing the guest VM too long. Basically it crashes with filesystem errors when you resume it. Then it requires rebooting.

    Maybe installing guest additions would help, but they are so far out of date for the BSD port :)



  • What I did notice with pfSense running inside VirtualBox is that if you keep the host cache enabled for the virtual IDE/SATA interface it will crash pfSense quite often, and even more often if you have some caching Squid package installed like Lusca or Squid.

    It looks like there is a write/read and I/O error that crashes everything when the box is very busy (lots of users connected at the same time) and Squid is writing and reading many web cached files at the same time.

    Just disable the host cache in the hardware settings of the pfSense box and everything becomes much more stable. ;D

    That issue was there for sure until the pfSense 2.0.1 release. I don't know if they fixed it in newer snapshots. I hope they did.

    Also, if you assign more than 4 cores to the pfSense box, weird things start happening ???

    I also used to assign 25 GB to pfSense, of which about 15 GB were assigned for Squid caching. It always worked great, but these days I'm seeing some problems with HTTPS not working with Squid, which is insane and really bad :'(

    If you want to provide the fastest speed you should have no less than 16 gigabytes of RAM and assign at least 10 GB for pfSense and 5 GB for the Squid RAM cache within pfSense.

    Also make sure that you have at least 2 hard drives: one for the host OS and a secondary one dedicated to the pfSense box's virtual hard drive file.

    That way the Squid cache will not slow down if the main hard drive is busy with some other tasks.



  • I think that running a caching proxy like Squid for many users inside a VirtualBox pfSense VM isn't a good idea.

    At least until there's full and optimized virtio support in FreeBSD (which seems to be coming for FreeBSD 9.x and 10.x only).



  • For sure it is not the best way to go with virtualization, but there are some advantages.

    Flexibility of virtual machines, and backups to help you restore virtual machines and back up VMs very quickly.

    You can do parallel testing and deploy new virtual machines while the production VM is working.

    And all this with the same server, without having to spend more money on a secondary backup server.

    I have to say that pfSense works really well as an ISP in a virtual machine, and the only performance and stability limits appear when you push limits with too many cores or lots of RAM, but that kind of incompatibility probably happens even on a non-virtualized host.

    Also the new pfSense 2.1 is getting very stable even in virtual machines. In fact the 2.0.1 release had some small bugs when virtualized that I don't see anymore with 2.1 snapshots.

    So if pfSense gets even more compatible and stable with newer FreeBSD OS editions, it will become something serious.

    I have a small ISP and I virtualize pfSense to allow me to use my pfSense server as a massive Squid caching server with 20 gigabytes of dedicated RAM for Squid only, and at the same time it works as an internal web server and file server, and all those 3 features are possible with the same computer thanks to virtualization.



  • Just to clarify my previous comment, I agree that it's very convenient (I do most of my pfSense testing in a VM also).

    I wrote "running a caching proxy like Squid for many users inside a VirtualBox pfSense VM isn't a good idea". One could run Squid as a non-caching proxy (e.g. for web filtering) in a VM.

    Btw, could you please elaborate on your previous comment?

    It looks like there is a write/read and i/o error that crashes everything when the box is very busy (lots of users connected at the same time) and squid writing and reading many web cached files at the same time.

    Just disable the host cache from the hardware settings of the pfsense box and everything becomes much more stable.



  • dhatz.

    I tested pfSense in VirtualBox for over a year and I always got the same kind of crashes.
    Since the main reason I use pfSense is for Squid, I always used Squid and I believed those crashes every couple of hours were happening because of Squid.
    Then I installed pfSense without the Squid package and pfSense was not crashing any more... until it crashed, but 2 days later.
    For a couple of days I believed that Squid was the reason, but I was wrong.

    Having Squid installed just makes more frequent reads and writes than not having Squid at all.

    Since I also believed that it was VirtualBox, I tested pfSense with VMware, but the very same crashes happened every couple of hours, forcing me to reset the VM.

    So to fix this:
    Open your VM VirtualBox Manager
    Click on your pfSense VM
    Click on Settings
    Click on Storage
    Click on your IDE or SATA controller
    Uncheck "Use Host I/O Cache"

    Also I don't think there is any difference between IDE or SATA controller.

    I noticed that some snapshots didn't work with SATA controllers but now they do.

    But as long as you have that host I/O cache in your virtual storage controller, pfSense works just fine.

    There is a little overhead and waste because of virtualization, so if you virtualize, make sure you get a powerful computer.

    Anyway, the more power the better it is, with or without virtualization.
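The GUI steps above have a scriptable equivalent. As an added example that is not from the thread, this POSIX shell snippet lists a VM's storage controllers from VBoxManage's machine-readable output and switches the host I/O cache off on each one; the VM name is an assumption, and storage controller settings can only be changed while the VM is powered off.

```shell
#!/bin/sh
# Added example, not from the thread: disable the host I/O cache on every
# storage controller of a VirtualBox VM (the CLI equivalent of the GUI steps).
# VM name is an assumption; run with the VM powered off.
VM="${VM:-pfSense}"

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Read "VBoxManage showvminfo --machinereadable" output on stdin and print one
# storage controller name per line (lines look like storagecontrollername0="SATA").
controller_names() {
    sed -n 's/^storagecontrollername[0-9]*="\(.*\)"$/\1/p'
}

# Read controller names on stdin and switch the host I/O cache off on each;
# IFS= keeps names with spaces such as "IDE Controller" intact.
cache_off_for_controllers() {
    while IFS= read -r name; do
        run VBoxManage storagectl "$VM" --name "$name" --hostiocache off
    done
}

# Whole procedure for one VM.
disable_host_io_cache() {
    VBoxManage showvminfo "$VM" --machinereadable | controller_names | cache_off_for_controllers
}

case "${1:-}" in
    apply) disable_host_io_cache ;;
esac
```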

