New to pfSense, I have a few questions
-
I've been looking around for a good, free router OS that I can use on a VM, and a coworker turned me on to this. However, I don't see much of a description of features of this. Could you guys please answer a few questions for me?
1. I've been using CentOS 7 and OpenSUSE 13.1 so far, and they've worked fairly well, but neither supports routing IPv6. Does pfSense support IPv6 with DHCPv6-PD, or is some other method used?
2. I want to use it as a VM under ESXi 5.5 (the free Hypervisor version) on a system based on a Xeon E3-1220v2 with 16GB of memory. Is this capable of working from a VM? What virtual NIC is supported? What resources (CPU cores, memory, disk space) should I allocate?
3. How's the latency with this? Is it the same or better than a commercial small business router?
-
-
Yes, pfSense supports IPv6, in many different configurations.
-
I currently run it under ESXi 5.5 without any issues. Using the native tools from VMware gives support for vmxnet3; the new beta 2.2 has native support for vmxnet3. As for the resources you need to give it, that would depend on what you're going to do with it; running packages like Squid or Snort, ntopng, etc. would require more resources.
-
I have not seen any sort of added latency with running it in a VM.
-
-
Thanks. I'll give it a try when I get home.
As far as the latency, I was asking if pfsense is any better or worse than a commercial router, not comparing running pfsense on a VM to running on bare hardware. Right now, I get 45-60ms latency in World of Warcraft over an OpenSUSE router, whereas a consumer level router was giving me 100-110ms latency. (I use a WD consumer router as a wireless AP, and will switch it to router mode while I'm rebuilding my routing server to try something different.) I'm hoping it doesn't add much to that latency because my games take a performance hit from latency.
-
Then it really depends on your NIC, CPU and installed packages. For example, if you have a packet analyzer like Snort installed in conjunction with a weak CPU and a budget NIC, you can probably expect higher latency. I use pfSense 2.1.5 in production on ESXi 5.5, and it works well for us.
You would be better off trying one of the 2.2 snapshots. A release candidate will be out very shortly, and you will benefit from the virtualization support in FreeBSD 10.1.
-
I don't think you understand what causes latency, to be honest. Your router is not going to add 50ms of latency. You had something really wrong if it was. And to where? There is a big difference between your ISP gateway and some server on the other side of the planet ;) Your router is not going to be, or at least shouldn't be, even a measurable part of that number.
So I normally show 8 to 11ms to my ISP gateway, and even my IPv6 tunnel is low.
So you can see what the time is as reported by pfSense, which is directly connected, and then my client behind pfSense. Notice the number is the same.
-
Well, I've tried it, and the latency is nice, as low or lower than OpenSUSE or CentOS. It's easier to set up IPv4.
However, I am not exactly getting the IPv6 service I wanted. It's only going through Teredo tunneling, which increases latency, doesn't work with certain apps (World of Warcraft, for instance), and doesn't give the added security of basic IPv6 encryption. I can't find anything to configure DHCPv6-PD. Oddly, it does show the LAN interface of the router as using a PD (2001: address on the WAN side and 2601: on the LAN side) address, but is not relaying any of the PD info to the client systems. Any advice?
-
Why would you even have Teredo enabled on your clients if you want to use native IPv6? What does your ISP provide you for IPv6? Normally you would just DHCP on your WAN, track on your LAN, and then set up your DHCPv6 if you want, use auto configuration on your clients, etc.
IPv6 encryption?
PD stands for prefix delegation – so your ISP would hand you a /64 to use on your LAN. Your router, pfSense, would get this, and then, either through RA and your client looking for it, etc., you would get an IPv6 address on your client. I would suggest you turn off all the IPv4-to-IPv6 stuff like Teredo, ISATAP, 6to4, etc.
If you're getting your delegated prefix on your LAN, then what are your settings for DHCPv6 on pfSense, which is where you would find the RA tab as well?
I personally just use a HE tunnel, since I have an issue maintaining the same prefixes from Comcast; they keep changing, which I don't want. A tunnel from HE makes it much easier to use the prefixes I want on my different LAN segments. And my latency to them is very good.
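-
Added example, not part of any post in this thread: a short Python check that tells Teredo, 6to4 and ISATAP addresses apart from native addresses inside a delegated prefix, which is the distinction the replies above turn on (a `2001:` address is only Teredo when it falls in `2001::/32`). The sample addresses and the delegated prefix `2001:db8:1234:5600::/64` are constructed, and the function names are hypothetical.

```python
import ipaddress

# Well-known ranges: Teredo (RFC 4380), 6to4 (RFC 3056), ULA (RFC 4193).
TEREDO = ipaddress.ip_network("2001::/32")
SIXTOFOUR = ipaddress.ip_network("2002::/16")
ULA = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
TUNNEL_KINDS = {"teredo", "6to4", "isatap"}

# Constructed sample: addresses as they might be listed on one client.
PREFIX = "2001:db8:1234:5600::/64"
SAMPLE = [
    "fe80::1c2d:3eff:fe4f:5a6b%em1",           # ordinary link-local
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",    # Teredo
    "2002:c000:204::1",                        # 6to4 (embeds 192.0.2.4)
    "fe80::5efe:c000:204",                     # ISATAP (embeds 192.0.2.4)
    "2001:db8:1234:5600:a1b2:c3ff:fed4:e5f6",  # inside the delegated /64
    "2001:db8:ffff:1::10",                     # global, but not our prefix
]


def classify(addr, delegated_prefix=None):
    """Return the kind of IPv6 address a client interface is holding."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop zone id, e.g. %em1
    # ISATAP is marked by the interface ID (0000:5efe or 0200:5efe + IPv4),
    # so test it before the prefix checks: it usually sits under fe80::/10.
    iid_high = (int(ip) >> 32) & 0xFFFFFFFF
    if iid_high in (0x00005EFE, 0x02005EFE):
        return "isatap"
    if ip in TEREDO:
        return "teredo"
    if ip in SIXTOFOUR:
        return "6to4"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if delegated_prefix and ip in ipaddress.ip_network(delegated_prefix):
        return "native-delegated"
    return "native-other" if ip in GLOBAL_UNICAST else "other"


def tunnelled(addresses, delegated_prefix=None):
    """Addresses that come from an IPv4-to-IPv6 transition mechanism."""
    return [a for a in addresses if classify(a, delegated_prefix) in TUNNEL_KINDS]
```

Any address returned by `tunnelled()` reaches IPv6 through an IPv4-encapsulated path on the client rather than through the prefix the router advertises on the LAN.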
-
Some time between last night and this morning, IPv6 started working. I have a 2601: IPv6 address as of this morning. It's working well. I don't know why it took so long for IPv6 to begin working. It must be something with Comcast's config.
So, I'm good now. Thanks for everything you contributed.
-
My experience with Comcast IPv6 and pfSense has been less than perfect, that is for sure, but my tunnel with HE is stable, never any issues, and I never have to worry about it changing, etc.
You can get a /48 from them if you need more than one /64 on your local stuff. You can even set up PTR for the IPv6 you get from HE; Comcast doesn't provide that, etc. ;)