PfSense: Virtualized or Dedicated hardware??
-
So…I am looking to upgrade my current firewall configuration (since it is starting to run extremely slow). I am running a soekris 5501-70 with a 500GB hard drive with a full install. I am running squid, snort, lightsquid, havp, and nmap.
What I am wondering is if I should stay the dedicated hardware route (possibly a configuration like http://forum.pfsense.org/index.php/topic,49109.0/topicseen.html) or virtualize it on my VM server? -
If you already have a VM server running then why not try it first?
Starting to run slow is something I usually associate with old windows machines. Has the performance actually dropped?Steve
-
I'd say it's pretty common to say something is running slow when your needs actually simply outgrow what it's capable of.
If that's the case, just about anything you're likely to run virtual machines on is likely to be faster than the 500Mhz "586" class hardware in your Soekris, as long as you're not shorting it on the RAM allocation. Of course, all virtual machines share the hardware, so if you're hammering the CPU with other VMs, it'll slow down your pfSense throughput. In most virtualization platforms you can assign resource limits, shares, reservations, etc, so that can help.
I don't know what you have access to, such as old/unused machines you might have laying around, but I'd say to give it a try and see what happens. Anything P4 and up with a few GB of ram is enough to test with, assuming you're comfortable with trying VMware ESXi or similar lightweight hypervisor (remember, HyperV still needs a full Windows OS running underneath it.) A couple standard PCI Gigabit network cards can saturate a PCI bus, remember, so keep that in mind with your testing.
But, if your device seems to actually be slowing down, maybe something else is wrong that can be fixed?
-
Matguy, you're correct in the fact that I have outgrown my hardware.
I currently have esxi 5.0 u1 running on a server (about 5 vm's running on dual proc/48GB ram). I would need to add a dual network card to the server though to work with the two internet connections I currently have. If I were though to eventually go with a dedicated machine for it, I would have to pick up a VLAN capable 5 or 8 port switch to work with the two connections (since I would be going with one of the intel boards described in the above post). I am mainly worried about having slow points with my internet when I bog down one of the VM's with compiling/backup.
I guess I have only one other question. If I want to just see how well it would run on a VM, has anyone ever ran their direct internet connection to their internal lan switch, vlan'd the traffic and then just ran like that. I am kinda paranoid and have always been told a dedicated nic to the VM is better for security.
-
Matguy, you're correct in the fact that I have outgrown my hardware.
I currently have esxi 5.0 u1 running on a server (about 5 vm's running on dual proc/48GB ram). I would need to add a dual network card to the server though to work with the two internet connections I currently have. If I were though to eventually go with a dedicated machine for it, I would have to pick up a VLAN capable 5 or 8 port switch to work with the two connections (since I would be going with one of the intel boards described in the above post). I am mainly worried about having slow points with my internet when I bog down one of the VM's with compiling/backup.
I guess I have only one other question. If I want to just see how well it would run on a VM, has anyone ever ran their direct internet connection to their internal lan switch, vlan'd the traffic and then just ran like that. I am kinda paranoid and have always been told a dedicated nic to the VM is better for security.
Yes, "people" have and are running exactly like that in the real world. VLAN security is actually pretty good. There have been some vulnerabilities and DOS issues with early implementations, but you shouldn't see that these days (maybe on some super cheap no-name switch, but even then, I doubt it.)
I once heard some guy at an old job going on and on about how we can't have outside internet or even the DMZ on a VLAN because of a vulnerability that never got corrected, although it turned out that the vulnerability he was talking about required physical access to the switch and only a couple particular models of switches that we didn't even have.
Security is in the eye of the beholder under his tin-foil hat. Lots of people will hold on to fairly non-exploitive security principles, but ignore things that should actually be a concern. So, sure, having it on a dedicated port is theoretically "better" security, but so is having a man-trap on each entrance to your building with armed guards aiming at the people inside while they're strip searched. To each their own.
Like I was mentioning earlier, even on your big ESXi host, you can still reserve a certain amount of guaranteed processor resources for a particular VM, such as your pfSense environment. You can also give higher disk priority, but not so much a guarantee like CPU, but that might be less of a concern anyway. You could also do the VLAN capable switch(es) with your ESXi install, both pfSense and ESXi support VLANs, personally I'd probably specify them in ESXi, but mostly because I know it better / experience.
-
Oh, also, for the dedicated hardware, if you went with a different case and you only need 100Mb for your WAN you could put in a dual (or quad) port 10/100 PCI card. Many 1U cases will come equipped with an angled riser and mounting point for a card. I wouldn't put multiple port Gb cards on a PCI slot if you think you're actually going to saturate either or both connections, as that can saturate the PCI bus (especially if something else on the motherboard "lives" on the PCI bus; I didn't look at those boards specifically, although I would expect most data intensive on-board devices to be on a PCI-Express bus on modern motherboards/chipsets even if there's no exposed PCI-Express slots.)
-
In ESX you create Virtual switches and assign NIC's to this you can then connect your Internet connection to this NIC connection straight from the internet router. Pref if you have another connection on your router you would connect it to another ESX server for resilence or you have another router in HSRP even better if not pretty much any small switch will create additional connections
You can then create a Virtual Port Group (Give it a label) to which you can assign the Firewall (RED) Internet side. If you use any sort of VLAN tagging you can also assign it at this stage (Not usual on small internet setups).
When you create your virtual machine you will add an extra (Virtual) Network adapter then pick the lable you used earlier. No other virtual machines should be using this label otherwise you are bypassing your Firewall
One thing to consider that I suggested above is having more than one ESX Server as if one goes everything goes with more you can just run up your virtual machine on the other use HA. Everything stays the same down to the MAC Address of the virtual cards
I will not go into reasons for security harding but simply give the VMWare ESX PDF details on the subject such as disabling promis mode
http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
In our servers we have two Quad card nics plus the onboards most of the servers bundle together 6 x 1Gb connection with little problems. Mostly problems are due to ESX not supporting LACP Dynamic that allows for multiple connections if one goes down (Other than unplugging) ESX dosn't tell the switch or rather its not saying I'm still here sort of thing
-
Thank you everyone for your responses. I am more informed, but it looks like I have some reading to do on the ESXi practices. I am looking at virtualizing it, and if I don't like it, then physical.
-
I prefer virtual! Best setup in my opinion!
