Hardware vs Virtual: best choice?
-
Honestly I don't think my Xen server has crashed once in the last year and a half.
Quick one for you guys… I'm seriously considering getting rid of my current hardware platform for pfSense and virtualizing it with XenServer (better choice for free home usage out there?) on my new server (Supermicro with Opteron CPUs and hardware RAID1)...
I however read on thread http://forum.pfsense.org/index.php?topic=62034.0 that:
pfsense runs on FreeBSD… XenServer does not support FreeBSD at this time, therefore XenTools will not work.
I highly recommend against virtualizing pfsense in a XenServer environment as you will encounter performance degradation from the kernel running in an emulated state.
Is virtualizing pfsense with Xenserver going to cause me troubles or severe drawbacks? What's the current state of support between pfsense and xenserver?
Please bear with me… I'm totally new to virtualization and I am trying to grasp the concepts. As a matter of fact, I haven't even decided which virtualization platform I will use (must be free and significantly feature rich, and have free management tools) but I am leaning toward xenserver as of now.
Thanks!
-
I am working through the same issue – whether to virtualize pfSense, or run it on dedicated hardware -- and I agree with the concern b0rman raised:
I plan to perform remote support through the internet connection. If pfSense is down, I can't connect. And if there is any kind of problem with the virtualization host - hardware, hypervisor, the pfSense VM -- or with pfSense itself, I will not be able to connect to resolve problems.
If I move pfSense to a dedicated computer some (roughly half) of those problems disappear.
The hardware becomes simpler, too, and for that reason, perhaps less likely to fail. (OTOH a lot of effort is put into the virtualization platform to ensure it is reliable.)
My current thinking is, I don't want to virtualize pfSense until I have more confidence in my virtualization setup. After it runs trouble-free for six months I will consider virtualizing pfSense.
Unless I learn something new here.
-
It all depends, IMO, on what you are doing with pfsense. I do not run a business with it, so if it goes down, it's a bummer but not catastrophic.
The way I see it, if I virtualize it, it should run smoothly since I have a server grade machine with server grade components. Also, if it ceases to work properly, I can always get an old used machine (P4 or so) and get back in business pretty quickly.
To me, the benefit of electricity savings and less heat output is primordial over "reliability". If reliability was VERY critical, I'd virtualize 2 machines and set up a failover between them.
Another thing to consider: if you don't run a server 100% of the time, why let a big hungry computer run 24/7 if you can build/buy a small machine to run pfsense? After all, you don't need a dual socket Xeon or Opteron server with 128GB RAM to run pfsense…
I recommend you factor in all of your expectations and requirements and take a decision based on that.
-
@lpallard:
Personally, I use ESXi (the free edition). Make sure to download 5.1 and not 5.5 since 5.5 requires vCenter for a lot of stuff and vCenter isn't free. I've been running a virtualized pfSense instance for a long time with no issues.
Here's my setup:
[Internet]<===>[pfSense VM]<===>[LAN]
                    ||
                    ====>[DMZ]
I have two NICs in the physical machine, one connects to the WAN port and the other is the LAN port (which connects to my wireless router). pfSense is in charge of DHCP, DNS, IPS/IDS, OpenVPN, etc. The installation is the same as you would do on physical hardware, you just need to remember to install the vm-tools package and to give your ESXi host a static IP (if you set the host for DHCP, it might not get an IP when you reboot it since the pfSense VM will come up after the ESXi networking).
There are a lot of pros and cons to running a virtualized pfSense system (the same way that there are a lot of pros and cons to running a hardware system). Personally, after a LOT of research and personal experience, I found that the pros of virtualization outweigh the cons. ESXi makes VM management a breeze and the ability to create snapshots means that if you mess something up, you can quickly revert everything to a previous known state.
-
This is pretty much what I want to do! I now need to purchase a second-hand PCIE quad port adapter on fleabay. I suppose an Intel PRO/1000 PT is ok? What are you using? You said you only had 2 NICs on that machine so I suppose you are not using additional NICs?
Regarding ESXi, have you tried the other big ones? Proxmox, Xenserver?
Some say ESXi is "gimped" to the maximum possible extent. Again, if true, I don't like that. I want a full featured virtualization platform. That's why after ESXi I was going toward Proxmox or Xenserver.
I know ESXi is very popular and must (or maybe not?) get the most driver development, etc… If it's locked somehow or limited in any way, I may opt for another platform.
Please share your thoughts!
Thanks a lot my friend!
-
I would highly recommend an Intel card. They are considered the most stable ones for virtualization. People that use other cards are usually the ones that you see in the forums asking for help due to network issues.
The machine that I'm using is a re-purposed desktop that I had. I use the built-in NIC for the WAN port and I installed an additional NIC for the LAN port (which connects to my switch/wireless router). The computer came with only one NIC. You probably won't need a quad-card. Since everything is virtualized, you can just add virtual switches and bind them to the virtual NICs on your pfSense VM. That's what I did with my DMZ. I've added a vSwitch that's not connected to any NIC and added another virtual NIC to the pfSense machine. I let pfSense do all the routing.
Here's a good guide that will get you started: https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5
I used ESXi because that's the thing I was familiar with. There are a lot of other alternatives, but I found more people familiar with VMware products so it's much easier to find help. I would recommend getting ESXi 5.1 instead of 5.5 since 5.5 has a lot of features that require vCenter (which isn't a free product). From my experience, ESXi gives you everything you need, but it will also give you a lot of stuff that you don't, so don't get carried away before you have a basic system up and running. Get the basics running and go from there.
When in doubt, ask for help! People on this forum are very helpful and if you can't find the answer here, from my experience, after some Googling, you'll find a web/blog post with the answer.
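A way to check the layout described in the post above, where the DMZ vSwitch is not connected to any NIC (an added example, not part of the original post or the linked guide): the script reads `esxcli network vswitch standard list` output and confirms that the vSwitch carrying a given port group has no physical uplink. The vSwitch, vmnic and port group names and the sample listing are constructed.

```shell
# Added example: audit vSwitch uplinks from `esxcli network vswitch standard list`.
# All names and the listing below are constructed, not taken from a real host.
sample_vswitch_list() {
cat <<'EOF'
vSwitch0
   Name: vSwitch0
   Num Ports: 128
   Uplinks: vmnic0
   Portgroups: WAN
vSwitch1
   Name: vSwitch1
   Num Ports: 128
   Uplinks: vmnic1
   Portgroups: LAN, Management Network
vSwitch2
   Name: vSwitch2
   Num Ports: 128
   Uplinks:
   Portgroups: DMZ
EOF
}

# Print "name<TAB>uplinks<TAB>portgroups" per vSwitch read from stdin.
# Assumes each stanza lists Name, then Uplinks, then Portgroups.
vswitch_table() {
  awk '
    /^ +Name:/       { name = $2 }
    /^ +Uplinks:/    { sub(/^ +Uplinks: */, ""); up = ($0 == "" ? "none" : $0) }
    /^ +Portgroups:/ { sub(/^ +Portgroups: */, "")
                       printf "%s\t%s\t%s\n", name, up, $0 }'
}

# Succeed only if port group $1 exists and its vSwitch has no physical uplink.
portgroup_is_isolated() {
  vswitch_table | awk -F'\t' -v pg="$1" '
    { n = split($3, g, /, */)
      for (i = 1; i <= n; i++)
        if (g[i] == pg) { found = 1; if ($2 != "none") bad = 1 } }
    END { exit !(found && !bad) }'
}

# On a host: esxcli network vswitch standard list | portgroup_is_isolated DMZ
for pg in WAN LAN DMZ; do
  if sample_vswitch_list | portgroup_is_isolated "$pg"; then
    echo "$pg: internal only (no physical uplink)"
  else
    echo "$pg: reachable from a physical NIC"
  fi
done
```

Run after any network change on the host; a DMZ port group that reports a physical uplink is bridged straight to that NIC's network instead of being reachable only through the pfSense VM.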
-
With the free version of ESXi, if you lose power, when power is restored and your hypervisor is rebooted, your VMs won't start automatically. This could potentially be a problem (what if you are not home?) unless someone has figured something out here. I am running Cisco Call Manager in a VM and this is a problem that I have. My fix was to put my ESXi server on a UPS to tolerate temporary power outages.
-
I'm running the free version of ESXi 5.1 and the VMs start automatically. See the attached image for auto start up…
-
With the router, virtual is better for reliability, but physical is better for security.
There are no known security issues in the VLAN implementation in either the Linux kernel or the openvswitch add-on (which I use for my virtual routers); however, despite the fact that there are no known security issues, there are inarguably more devices connected to the same physical ports. This is a moot point most of the time, but if a compromise is ever found and the VLAN and bridging stack you're using is ever compromised, you may have problems.
Conversely, with a virtual router, you can easily migrate your router away from faulty hardware, or add an additional node to compensate for growth. You can easily add an additional failover peer for each physical host you have hosting VMs and connected to your core switches. Migration and management are much easier when nearly everything is virtual. Virtual pfsense allows you to run multiple identical systems for failover, load balancing, etc. on heterogeneous underlying hardware.
-
Thanks for the tip Priller! I don't know how I missed that one. It's my understanding that if you wanted to import/export a copy of your virtual machine you need the paid version of ESXi. Is this correct? With Hyper-V this is included, albeit Hyper-V is not free. When I was using Citrix Xen Server all the features were free; I would have stuck with it if I didn't have stability issues. I haven't played with Xen Server for a minute now.
-
With the free version (using 5.1) you can import/export the OVA or OVF of any virtual machine … from the "File" drop-down menu in the vSphere client. No restrictions that I'm aware of.
I periodically export my VMs to have a backup. Likewise, I have created new VMs from an OVA.
-
Excellent thread. I was debating about how much better and more reliable a hardware pfsense solution is over VMware; however, listening to the pros… why not make full use of the hardware? It's more green and easier and saves leccy.
I have a question since I have not tried ESXi 5 before; I'll get 5.1 as per the advice before. I have managed to get my pfsense on my hardware configured and working 100% and it took 2 months to get it done!
Is it possible to make a snapshot or image of it and then simply import the image once ESXi is installed?
I do not want to install pfsense and go through the settings all over again, or can I just restore the hardware pfsense settings onto the ESXi>pfsense virtual instance ?
-
You can use the VMware Converter tool. It can clone a physical machine to a virtual one, or clone from ESXi to VMware Workstation or vice versa.
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_converter_standalone/5_5 or
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_converter_standalone/5_1