Physical or ESXI/vSphere?

  • Just wondering which is better: pfSense on ESXi/a virtual machine, or on a physical machine. I'm using pfSense now that is installed on vSphere.

  • I have been using pfSense under ESXi for the last 4 years and I have been very happy with it.
    I am using vmxnet3 (10GB) adapters within my install, so the interrupt load is low.

    Let's wait for the crowd that will tell you otherwise. Those have neither tried it nor have the brains or perseverance to get it to work flawlessly.

  • For a single pfSense I would use VMware, but for CARP I use physical servers.

    CARP with VMware is a big problem, but as far as I know this depends on the ESX version.

    Not sure why CARP would be a big problem with ESXi? As long as you had multiple hosts to put the VMs on; not sure what the point would be of a CARP setup if on 1 ESXi host. But if you wanted them on 1 host, not sure what the version would matter, or for that matter if you had 2 hosts why the version would matter?

    I have been running pfSense on ESXi for quite some time, and it has worked flawlessly the whole time. The new vmx3 net native drivers in FreeBSD 10.1 have made deployment even easier since you don't have to install the tools to use vmx3, etc.

    Unless you had need to pump huge amounts of traffic that your ESXi host could not handle or didn't want it to handle, I see no issues with running it in ESXi at all. There are clearly lots of advantages to this. Snapshots before any sort of upgrade or play make for easy rollback. It makes it easy to play with other versions of pfSense or even other distros like Sophos UTM, IPCop, etc. really easy, with very little downtime on the switch. I set up the other VMs when I want to play with them with the same MAC on the interface connected to my cable modem, and get to keep the same public IP this way and don't have to reboot the modem, etc.

    Having pfSense on a VM with an SSD datastore makes for very quick reboot time as well, etc.

    To me running virtual is a win-win.

  • Virtual is a win-win in my case. A vSwitch can be configured as a span port/tap to run Snort in a distributed environment rather than using the inline pfSense package.

  • Last time I tried CARP with VMware we had a lot of packet loss and the VIPs did not work.

    I will try it another time, let's see.

  • @hec:

    Last time I tried CARP with VMware we had a lot of packet loss and the VIPs did not work.

    You have a config issue at the ESX level somewhere in that case. Those possibilities are all outlined here:

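The "config issue at the ESX level" that breaks CARP on a standard vSwitch is almost always the port security policy: CARP needs the vSwitch (or at least the pfSense port group) to accept promiscuous mode, MAC address changes and forged transmits, and the promiscuous setting is also what turns a port group into the span port/tap mentioned earlier for Snort. The script below is an added example, not part of this thread or of pfSense or VMware. It audits a captured `esxcli network vswitch standard policy security get` dump for those three settings and prints the `esxcli ... set` command that enables them. The policy text is a constructed sample that assumes the `Allow ...: true/false` line format esxcli prints; check it against your own host's output.

```shell
#!/bin/sh
# Added example: audit an ESXi standard vSwitch security policy for the
# three settings pfSense CARP (and a promiscuous tap port group) depend on.

# Constructed sample of
#   esxcli network vswitch standard policy security get -v vSwitch0
# as seen on a host where CARP VIPs would not come up.
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: true'

# carp_policy_gaps: read a policy dump on stdin, print the name of every
# CARP-relevant setting that is not "true" (one per line).
carp_policy_gaps() {
  awk -F': *' '
    /Allow Promiscuous|Allow MAC Address Change|Allow Forged Transmits/ {
      gsub(/^[ \t]+/, "", $1)        # strip esxcli indentation
      if ($2 != "true") print $1
    }'
}

# carp_fix_command: print the esxcli command that enables all three
# settings on the named vSwitch (run it on the ESXi host, not here).
carp_fix_command() {
  printf 'esxcli network vswitch standard policy security set --vswitch-name %s --allow-promiscuous true --allow-mac-change true --allow-forged-transmits true\n' "$1"
}

# On a live host you would pipe the real dump instead of the sample:
#   esxcli network vswitch standard policy security get -v vSwitch0 | carp_policy_gaps
printf '%s\n' "$SAMPLE_POLICY" | carp_policy_gaps
carp_fix_command vSwitch0
```

All three settings relax the vSwitch's isolation, so rather than opening the whole vSwitch, scope them to the pfSense (or tap) port group with `esxcli network vswitch standard portgroup policy security set -p <portgroup> ...`, which takes the same three `--allow-*` switches; a port group override also survives a vSwitch-level policy reset.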
