What is the best virtualization hypervisor for virtualizing pfSense?

  • Hello,
    I need to virtualize pfSense. Which hypervisor is best for virtualizing pfSense, considering compatibility and stability?
    It will be a big firewall with 4 WAN links, PPTP VPN, IPsec site-to-site, high availability using CARP (with the other pfSense on another machine) and link load balancing.

    The answers can be based on your experience…


    Alan Nikitiuk Milani

  • Hyper-V might be out of the running because CARP is non-functional at the moment. To achieve the same level of fault tolerance, you'd have to configure it as a Windows cluster and have the pfSense VM move from one server to the other (the cluster would either need to have shared storage, or use something like StarWind Native SAN for Hyper-V; the free edition might be enough if you only plan to run pfSense in this way, but the cluster replication restrictions might be an issue if you plan to use Hyper-V replication to a second site and if you're low on resources).

    It depends on your environment and your requirements for other VMs. I'm partial to Hyper-V (especially when using the synthetic drivers) because my environment works better with Hyper-V, since most of my VMs are Windows (or have enlightened drivers). In my experience, Hyper-V takes fewer resources when most of the VMs are Windows, thanks to the paravirtualized drivers. I haven't tested with VMware Workstation or ESX in a while, but for the site sizes I'm working with, Hyper-V is more than enough. Xen is also very popular.

    If you have such a big setup, you should really consider other characteristics. For example, will there be a separate DR site at some point? With Hyper-V, you can use replication so VMs are copied over to the secondary site. Assuming you have the resources, you'd be setting up replicas between 2 clusters. I imagine other hypervisors might have similar solutions.

    Also, for large deployments, ESX has been around longer and it has extensive third party support. I don't like the free edition because it has too many restrictions that you can quickly outgrow.

  • VMware is the only officially supported solution today.
    There is a VMware certified pfSense solution here: http://store.netgate.com/mobile/pfSense-Certifiedreg-Virtual-Firewall-Appliance-for-vmWare-P1955.aspx

    You don't have to use it, but it is supported.

  • You can use a Hyper-V cluster without shared storage (Server 2012 R2).
    And for failover you can use replication with a 5 sec heartbeat.

    You don't need cluster in Hyper-V with replication! Very simple and easy to implement!

    And it's FREE

  • The answer should depend on the virtualization method you are familiar with.

    If you have experience in Linux, Xen or KVM would be a good choice.

    I think CARP has some advantages over a hypervisor cluster. I have described it here: https://forum.pfsense.org/index.php?topic=74123.0

    I have run a pfSense installation on KVM for some days to provide an OpenVPN service. This worked without trouble.
    However, today I made a CARP cluster of 2 pfSense VMs on KVM. That worked basically, though once one VM ran into a kernel panic after I had temporarily interrupted the VM. I didn't investigate. Maybe some adaptations are necessary, or it was caused by a time offset.

  • viragomann,

    Indeed, it depends on what you're comfortable using and your environment. It is the old question of dedicated HW vs virtualizing, just applied to the firewall.

    While it is nice to have dedicated routers, it can get expensive to deploy server-class HW for them. While using CARP might forgo the need to implement some redundant HW (maybe no HW RAID, no teams), setup and ongoing maintenance might be simpler when virtualizing them.

    If you have HA requirements for your other VMs (i.e., you likely implement a cluster with a SAN), moving the firewall into the cluster is a way to better allocate your resources. Instead of having to purchase separate and dedicated HW for the firewall that might be underutilized (or become obsolete over time while the rest of your network is being upgraded), you can just virtualize it and use the same HA infrastructure you are using for the rest of your network (with the same procedures for monitoring and maintenance, rather than an exception that might break or require tweaks when there are HW changes).

    If using a cluster (especially with a HW SAN), IMO a hypervisor solution is far simpler and as powerful as CARP. For planned failovers, live migration solutions don't miss a beat (CARP might), and in the case of an unexpected failover, the underlying OS logic should be sufficient. While it might take longer to spin up the replacement VM, it also has to start your other VMs (i.e., the cost of a nearly instant firewall failover might be too high considering the rest of the environment is down anyway).
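The CARP points raised across the thread (CARP not working under Hyper-V, the CARP pair on KVM, and CARP versus hypervisor failover) all come down to whether the virtual switch delivers the master's advertisements unmodified to the backup. The following is an added example, not code from the thread or from the pfSense/FreeBSD projects: it decodes a CARP advertisement (IP protocol 112, multicast 224.0.0.18, TTL 255) from a raw Ethernet frame and reports the things a vSwitch commonly breaks, in particular frames sourced from the CARP virtual MAC 00:00:5e:00:01:<vhid>, which is what ESXi's "Promiscuous mode / MAC address changes / Forged transmits = Accept" and Hyper-V's "Enable MAC address spoofing" settings exist to allow. The sample frames are constructed by `build_carp_frame`, the HMAC field is left zero because the shared CARP password is not modelled, and 192.0.2.2 is an assumed documentation address.

```python
"""Decode a CARP advertisement (IP protocol 112) from a raw Ethernet frame and
report the things a hypervisor vSwitch commonly breaks: frames sourced from the
CARP virtual MAC, multicast delivery, and untouched TTL/checksums.
Added example, not pfSense or FreeBSD code; the sample frames are constructed."""
import socket
import struct
from dataclasses import dataclass

CARP_PROTO = 112                           # IP protocol number shared by CARP and VRRP
CARP_GROUP = "224.0.0.18"                  # CARP advertisement multicast group
CARP_TTL = 255                             # receivers discard advertisements with any other TTL
CARP_HDR_LEN = 36                          # fixed header, including the 20-byte HMAC-SHA1 field
VMAC_PREFIX = bytes.fromhex("00005e0001")  # virtual MAC for a VHID is 00:00:5e:00:01:<vhid>


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def carp_vmac(vhid: int) -> str:
    return mac_str(VMAC_PREFIX + bytes([vhid]))


@dataclass
class CarpAdvert:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    ip_checksum_ok: bool
    version: int
    type: int
    vhid: int
    advskew: int
    advbase: int
    counter: int
    checksum_ok: bool

    @property
    def interval_s(self) -> float:
        # Advertisement interval: advbase + advskew/256 seconds. The node advertising with the
        # lowest values wins the election; a backup declares the master dead after roughly
        # three missed advertisements, which bounds the unplanned CARP failover time.
        return self.advbase + self.advskew / 256.0

    @property
    def vmac_ok(self) -> bool:
        return self.src_mac == carp_vmac(self.vhid)


def parse_carp_frame(frame: bytes) -> CarpAdvert:
    """Parse Ethernet + IPv4 + CARP. Raises ValueError for anything that is not CARP."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != CARP_PROTO:
        raise ValueError("IP protocol %d is not CARP" % ip[9])
    carp = ip[ihl:ihl + CARP_HDR_LEN]
    if len(carp) < CARP_HDR_LEN:
        raise ValueError("truncated CARP header")
    vt, vhid, advskew, _authlen, _pad, advbase, _cksum, counter = struct.unpack("!BBBBBBHQ", carp[:16])
    return CarpAdvert(
        src_mac=mac_str(src_mac), dst_mac=mac_str(dst_mac),
        src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]),
        ttl=ip[8], ip_checksum_ok=ip_checksum(ip[:ihl]) == 0,
        version=vt >> 4, type=vt & 0x0F, vhid=vhid, advskew=advskew, advbase=advbase,
        counter=counter, checksum_ok=ip_checksum(carp) == 0,
    )


def check_advert(adv: CarpAdvert, expected_vhid=None) -> list:
    """Return a list of problems; an empty list means the advertisement looks healthy."""
    problems = []
    if adv.version != 2 or adv.type != 1:
        problems.append("not a CARP version 2 advertisement")
    if not adv.ip_checksum_ok or not adv.checksum_ok:
        problems.append("checksum mismatch: frame corrupted or modified in transit")
    if adv.dst_ip != CARP_GROUP:
        problems.append("destination %s is not %s" % (adv.dst_ip, CARP_GROUP))
    if adv.ttl != CARP_TTL:
        problems.append("TTL %d != 255: the peer will silently drop this advertisement" % adv.ttl)
    if not adv.vmac_ok:
        problems.append("source MAC %s is not the virtual MAC %s for VHID %d: the vSwitch rewrote it "
                        "or the host may not send from it (forged transmits / MAC spoofing)"
                        % (adv.src_mac, carp_vmac(adv.vhid), adv.vhid))
    if expected_vhid is not None and adv.vhid != expected_vhid:
        problems.append("VHID %d does not match the expected %d" % (adv.vhid, expected_vhid))
    return problems


def build_carp_frame(vhid, advbase=1, advskew=0, counter=1, src_ip="192.0.2.2", src_mac=None) -> bytes:
    """Constructed test frame: what a healthy master puts on the wire for one VHID.
    The HMAC field is zero because the shared CARP password is not modelled here."""
    src = bytes.fromhex(src_mac.replace(":", "")) if src_mac else VMAC_PREFIX + bytes([vhid])
    dst = bytes.fromhex("01005e000012")  # Ethernet multicast MAC for 224.0.0.18
    hdr = struct.pack("!BBBBBBHQ", (2 << 4) | 1, vhid, advskew, 7, 0, advbase, 0, counter)
    md = bytes(20)
    carp = hdr[:6] + struct.pack("!H", ip_checksum(hdr + md)) + hdr[8:] + md
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, CARP_TTL, CARP_PROTO, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(CARP_GROUP))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return dst + src + struct.pack("!H", 0x0800) + ip_hdr + carp


if __name__ == "__main__":
    good = parse_carp_frame(build_carp_frame(vhid=1))
    print(good.vhid, good.interval_s, check_advert(good, expected_vhid=1))
    # A vSwitch that replaces the source MAC with the vNIC's own (52:54:00 is the KVM default OUI):
    rewritten = parse_carp_frame(build_carp_frame(vhid=1, src_mac="52:54:00:12:34:56"))
    print(check_advert(rewritten, expected_vhid=1))
```

To use this against a real pair, capture on the backup node's CARP-facing interface (for example with tcpdump, filtered on `proto 112`) and feed each frame to `parse_carp_frame` via whatever pcap reader you have; that part is assumed and not shown. Advertisements that never arrive point at multicast or promiscuous-mode filtering on the vSwitch, advertisements with a rewritten source MAC point at forged-transmit / MAC-spoofing protection, and a pair that flaps or ends up MASTER/MASTER after a pause or live migration is consistent with the advertisement interval the block prints being exceeded, which is the "time offset" symptom mentioned above.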
