Here is why NAS functionality on pfsense can make a hell of a lot of sense.



  • I think I've got some very good arguments for why it would actually make a lot of sense to have a router/firewall and a NAS on the same machine.

    Let me make some things clear before I start:
    Who would actually benefit from this?
    Big companies with a lot of sensitive data? NO. They could EASILY afford running separate devices.
    It's private home users that would benefit from this. I would legitimately save more than 100 bucks and don't get me started on how much I would reduce power consumption and the related costs.
    As a private user I don't store extremely sensitive data at all. More importantly my data is of almost no interest to a random hacker.

    And now let me eliminate the common arguments against merging NAS with firewalls/routers:

    It's a security risk to store your files on the same machine as the firewall. If your firewall machine gets hacked the hacker could gain access to your data.

    • Let's be honest, how likely do you think it is that someone actually finds a vulnerability that serious in time before it gets fixed?

    • If someone actually manages to take over your router/firewall machine, then how likely would it be that he couldn't just access your NAS through your LAN, to which he should have full access by then?

    • So honestly, if you personally think that there is a realistic risk that your pfsense machine is going to be hacked in such a serious way, then why are you even using it at all? It's not like an optional package per se would change anything.

    As soon as this gets implemented everyone will use it. But everyone is stupid and we know better. So to protect them, this feature won't get implemented.

    When I read posts like that I was shocked. I personally live in a thing called democracy. If I want to buy and eat something that makes me fat, then I can do so. Imagine that wasn't possible anymore. If I don't care about security or informing myself about it, then this is my own business. Instead of forcing everyone to do the thing that one person thinks is right, it would be way smarter to simply warn everyone and then let them decide for themselves what they want.

    And honestly, it's not like we don't have encryption in 2015.

    Now let me give you some good arguments for implementing that feature:

    • We can save a whole computer worth of a cpu, mobo, psu, ram, case and cabling. That is a significant amount of money for a private person.

    • Power consumption: Only having to power one kernel/OS and only having to run one set of hardware components is a significant power saver. (In a lot of countries power is getting so crazy expensive atm. This would allow saving a lot of money over time.)

    • Speed! You could easily serve all clients with full gigabit speeds at the same time. That is straight up not possible with a normal perfectly configured NAS that has a gigabit Ethernet port.

    And here are some more (minor ones):

    • Noise. One big machine usually makes less noise than two small machines. (It's the fan size.)

    • Portability. Say you want to take your router and NAS with you to a LAN party. Carrying 3 machines (router, NAS and PC) is a lot of stuff.

    • Cable clutter. You can save at least 2 cables.

    • Space. One machine will take less physical room.

    And before I forget: Running either pfsense or FreeNAS in a vm isn't really an option because it would increase CPU usage and thus power consumption significantly and don't get me started on the limitations…

    This is obviously not really a question. It's more of a discussion. And I'd like to find out if there is any way we could make this happen.


  • LAYER 8 Netgate

    You concentrate on the "if someone compromises your firewall, they can get your data." Which is likely true whether they are one node or separate nodes.

    How about "if someone compromises one of the 1001 things running on your NAS, they can make changes to your firewall." ???

    FreeNAS and pfSense are both available to fork.  Have at it.



  • Virtualization is the answer to this, not trying to jam a billion services onto a single OS. Beyond the security considerations, there are tons of potential functionality complications as you increase the number of services you're trying to run.



  • @cmb
    I already mentioned it in the first post. Virtualization is not the solution. Virtualization would waste a huge amount of resources, way more than a few extra services. It is also problematic because you have to statically assign the computer resources such as CPU cores and RAM. Now if multiple clients would move files through the network with full speed, the router may not have enough resources to do it. So you basically have to buy a much more expensive CPU.

    I really don't see how the services for NAS functionality would be problematic. 
    Almost every consumer grade router has built-in NAS functionality nowadays and it works just fine (besides the fact that it always runs over usb and is terribly slow).
    But if you really think that there are realistic problems, please be more specific, I'd like to hear it.

    @Derelict
    I'm not exactly sure what you are implying. Sounds like you are on my side?
    But anyway, if someone has access to my NAS he is in my LAN and thus a trusted person. But I would encrypt the files on my NAS anyway, so there is that…

    I would love to do this on my own, but I don't have the time. I'm also unsure if I could still get the official security updates if I did that.
    So I'd like to convince an official pfsense developer of this being not a bad idea and then find some people who also wanted this feature and pay the developer to do it.



  • @NopIt:

    Almost every consumer grade router has built-in NAS functionality nowadays

    Examples please.

    I did a cursory check on SonicWall, Cisco, NetGear, Linksys, and I could find none that offered NAS as part of a total package.  These were of their consumer grade or SOHO grade offerings.  If I stand corrected my apologies in advance.

    @NopIt:

    I would love to do this on my own, but I don't have the time.

    Ahh yes, but everyone else does have the time to accomplish something for my needs (for free).  Sorry if a bit harsh but… to me you're wanting to eat your cake too.  It's my belief your requirements are too tight.  I believe CMB to be correct in offering virtualization.  Granted the more you request of a VM, the more you make demands of it, the more power will be needed etc.  You show/offer me where that's not the case.  A VM definitely uses less resources than two (or more) separate boxes, so I believe your request is doomed from the onset as nothing fits any of the criteria you outlined.  That's just my opinion, but I'm open to you providing suggestions which fit your criteria, power demands, equipment, etc.  Remember any additional workload put on the system CPU, memory, etc. (even on one box) raises power demands, lessens idle time, etc., costs more in power, costs more in equipment (going to need a better CPU, more memory, etc.) to make it able to handle ALL requests.

    Just my opinion.



  • Just search for routers with usb ports. Every router that I owned that had USB allowed me to share usb storage and usb printers through it. "Almost every consumer grade router" may not be true, I honestly don't really know, but there are definitely a lot of routers that already do it and this is my point.

    And about your second comment. Are you kidding me? I legitimately do not have the time to do it! Just like you don't have the time to build a car and your house. And you know what? That is completely normal and there is a simple solution: You pay someone who does it for you. And that is exactly what I meant, when I said "I don't have the time to do it […] So I would like to […] pay the developer to do it.". I NEVER said I would want it for free!

    And sure let's say a vm uses less power than a complete additional computer; it definitely still consumes way more power and resources than running both in the same "environment". And thus you would need more expensive hardware. Seriously, read my whole last post again please!


  • Banned

    @NopIt:

    Virtualization would waste a huge amount of resources, way more than a few extra services. It is also problematic because you have to statically assign the computer resources such as CPU cores and RAM.

    Not with any decent virtualization solution.

    Overall summary = this thread is a waste of DB space.


  • LAYER 8 Global Moderator

    This horse has been beat to freaking death already..

    VM is the best answer if you ask me.. I have 1 box, it provides lots of different services and OSes for my home.  One of them is NAS/File server functionality.  It was NOT expensive at all, $400 total and that was with extra ram, extra nic and extra disk..  HP N40L microserver.

    If you want to run it on your firewall OS, and you don't have time - where is your bounty post, all the people that agree with wanting this feature I am sure will chime in.. Once it gets high enough someone will do it I am sure..

    As to the soho routers having the ability to share a usb stick/disk. Yeah many of them do - let's keep in mind who these are geared for.. People that have graduated to running something like pfsense vs some linksys/netgear/asus $20-$200 all in one soho router more than likely understand that it's not really a good idea to run services other than network requirements, dhcp, dns, auth on your firewall/router device.

    To be honest I sure as hell wouldn't call those a power user level NAS..  The performance on them all pretty much sucks, they have very limited auth methods and/or feature sets in general.  If that is the sort of sharing you want - pick up a pogoplug or raspberry pi and connect your usb disk/stick and there you go, NAS in the $25 price range.  Which is going to give you way more power than the sharing of a usb port on a soho router.  Shoot, to my $25 pogoplug I can connect a 2.5" sata disk if I want.

    People that want a real nas are going to buy the appropriate hardware..  People that want nas on pfsense don't seem to understand the goal of pfsense if you ask me..  But since pfsense is opensource, if you want it - do it, if you don't have time pay someone to do it for you if you want it so bad..  Your points have all been gone over, and over and over multiple times before..



  • @NopIt:

    Just search for routers with usb ports. Every router that I owned that had USB allowed me to share usb storage and usb printers through it.

    Just because it has a USB doesn't make it a NAS.  Plus you're limited to the speed of the USB port, vs. a true NAS limited to speed of the network.

    @NopIt:

    And about your second comment. Are you kidding me? I legitimately do not have the time to do it! Just like you don't have the time to build a car and your house. And you know what? That is completely normal and there is a simple solution: You pay someone who does it for you. And that is exactly what I meant, when I said "I don't have the time to do it […] So I would like to […] pay the developer to do it.". I NEVER said I would want it for free!

    Yeah, I'm serious.  If you want it so bad, you'll make the time.  We're not talking about making a car or building a house.  You're talking about a router with NAS.  There are open source projects that accomplish this individually and with ALL the time that has gone by, surely someone would have combined the two.  As such I believe your expectations are unrealistic; if they weren't, it would have been done by now.  Sometimes it's best to keep things apart (or just go VM).

    @NopIt:

    I NEVER said I would want it for free!

    Never said you wanted to pay for it either!

    @NopIt:

    And sure let's say a vm uses less power than a complete additional computer; it definitely still consumes way more power and resources than running both in the same "environment". And thus you would need more expensive hardware. Seriously, read my whole last post again please!

    And this is where you and I disagree.  It's my belief you will need more powerful CPU, memory, bigger power supply, redundancy etc. on this wonder box you speak of and that in and of itself defeats your premise.  Because overall costs are going up it's just better to go VM or get lesser separate units so overall efficiency vs. cost are held at minimums.

    Look, I don't want a flame war.  You indicated you wanted a discussion, I'm discussing.


  • LAYER 8 Netgate

    @Derelict
    I'm not exactly sure what you are implying. Sounds like you are on my side?

    Not in the slightest. I think the "pfSense should do everything on one node" perspective is a mental disorder.

    But anyway, if someone has access to my NAS he is in my LAN and thus a trusted person.

    Or someone who shouldn't be there.

    But I would encrypt the files on my NAS anyway, so there is that…

    Usually mounted with the key when the NAS is running and doesn't do a damn bit of good when someone is in your network.


  • LAYER 8 Global Moderator

    @Derelict:

    I think the "pfSense should do everything on one node" perspective is a mental disorder.

    hehehe - oh that is fantastic…  Completely agree, prob in the same family of disorders as WRS (Windows Reinstall Syndrome)



  • @johnpoz
    I can only repeat myself, if you run a vm, you have to physically assign CPU cores and RAM to it, even if the vm doesn't utilize it at all times, meaning that you potentially lose multiple CPU cores and gigs of RAM on your host machine. That is significant! You lose a lot of potential computing power on both the host and the guest OS. And to compensate for that you would have to buy additional or more expensive parts.

    I don't think starting a bounty would be smart before I have convinced some people that it is a good idea. So I will wait with that.

    And I'm not looking for this standard consumer stuff. I actually want a really fast router/switch and a really fast NAS and want to save as much money and power as possible.

    It is really not nice of you to say that "This horse has been beat to freaking death already". I brought up some really good points that haven't been discussed yet.

    @pfSense4ME
    Calm down already! What the hell is wrong with you?
    NAS = Network attached storage
    There is no such thing as "True NAS". You are just arguing because you want to argue. My point was that the implementation of NAS capability is ubiquitous in consumer grade stuff.
    And just so you know: Affordable consumer grade NAS does not reach full gigabit speeds.

    How is building your car and house any different from writing/merging such an OS?
    Have you ever thought about the fact that it would take me years to even learn the programming languages and understand the projects? I have a full time job, a family and a whole lot of other things to do.
    Your argument is basically "If you want something, do it yourself and don't pay others to do it.". This is insane, ridiculous and pathetic.

    Never said you wanted to pay for it either!

    Wow, are you THAT blind? Really? Sorry, but I'm not gonna quote myself again here.

    And this is where you and I disagree.

    And this is where I tell you, that you straight up don't know enough about all this.

    Sorry pfSense4ME, don't take this personally, but I would really like to just end the discussion with you now. If you really insist on wasting more of our time, at least be more calm, please.

    @Derelict
    If someone is in my LAN that shouldn't be there he would have hacked me. So it's back to square one. (He took over my router, so he has access to my LAN and thus my NAS.)
    Btw I'm encrypting my files in a way that they can only be decrypted and encrypted on a client PC that has the required keys.

    And here is one more thing:
    Not every CPU supports virtualization. Especially on levels that would allow direct access to the hdd etc.


  • LAYER 8 Global Moderator

    you have to physically assign CPU cores and RAM to it, even if the vm doesn't utilize it at all times, meaning that you potentially lose multiple CPU cores and gigs of RAM on your host machine

    Clearly you don't have a clue how VM hypervisors work…

    "Not every CPU supports virtualization"

    WTF does that have to do with anything??  Why would you buy a rig for your vm host that does not support virtualization techs.. And what, you're using a CPU from 10 years ago?  I would highly suggest you read up on current VM tech..  Esxi, which is FREE, runs on pretty much any old PC, there are also multiple other type 1 and type 2 hypervisors for FREE

    Yeah as you can see my file server (nas vm) is just sucking up all kinds of resources on my esxi host...  122MB of the box's 8GB, I don't know, maybe my pfsense vm won't have enough left over to function correctly  ;)  Before you go saying VM is not a valid option you might want to actually understand how it works..

    Here is the power consumption..  This is the ups my esxi host is on, it also has 1 of my POE access points connected to it, my raspberry pi, my pogoplug, esxi host monitor (currently off) and a laptop currently charging.  The esxi host draws about 50-55w on its own total.  And that is with 4 hdd in it... So don't go saying running a vm host has to suck a lot of juice either..


  • Well, maybe I'm gonna use older hardware that I already have lying around? I don't know, maybe I won't have to buy anything.

    I'd be interested in seeing how much power the vm will draw when 3 clients copy files from it at the same time with full gbit speeds each. And I'd also like to see how much CPU power that would require.


  • LAYER 8 Global Moderator

    why would the power draw go up???  Because the cpu works a bit more???  Not going to do anything significant..  I would have to put my killawatt meter on it if you want to see if it changed by a watt or so..

    Here I just moved 10GB..  You can see the cpu of the vm spike up a bit.. still not sucking up what it's been given even..  Here is my power graph from yesterday…  Was watching quite a few videos in the evening.. Don't see any spike in the power draw..


  • The other way to look at this "problem" is that it has been already solved by others.

    Look at other open source alternatives, DD-WRT, OpenWRT, etc.
    They have Samba built-in for those who desire to go down that path.

    pfSense has built itself on a different philosophy and IMHO has been very successful because of it.

    As mentioned, in this and many other threads on this site, the consensus of opinion is:

    The potential risks don't justify the possible rewards.

    As also said, (I paraphrase)  "The horse is dead Jim…."



  • @johnpoz
    I find it very hard to believe that there wouldn't be a significant difference in CPU usage and power consumption when transferring data to clients with a total of 3Gbit/s.
    After all 10GbE requires "i7 or Xeon CPUs", according to the forums.

    I mean I don't know what kind of a CPU would be required for 3Gbit/s, but let's stay at 10GbE for a second.
    Say I'd like to put a 10GbE card in that router. Now wouldn't both, the host machine and the vm need an "i7 or Xeon CPU"? (That's a serious question because I really don't know.)
    I mean I would guess that the data would have to be moved from the vm to the host and then from the host to the client. And that first transfer from the vm to the host would waste a lot of resources. (As I said correct me if I'm wrong.)

    But okay sure I won't need 10GbE. So let's say the router would need at least the power of an "i3 CPU" for my 3Gbit/s. According to my theory the NAS would need roughly two times the power then. So an i3 wouldn't be enough anymore and i5s or i7s are significantly more expensive.

    @divsys
    Well, I was told by multiple people that pfsense is basically by far the "best" router OS.
    And about the potential risks, I already made my comments in the first post. 
    Besides the fact that there would be no changes in security for people not using the feature, I doubt that there is a realistic chance of something like this creating new vulnerabilities; unless you were to implement it very poorly.
    And as a consumer, with no valuable data, I wouldn't even really care if my data got into the hands of a random hacker.



  • @johnpoz
    I find it very hard to believe that there wouldn't be a significant difference in CPU usage and power consumption when transferring data to clients with a total of 3Gbit/s.
    After all 10GbE requires "i7 or Xeon CPUs", according to the forums.

    I grabbed this piece of your answer because I believe it underlies a little bit of spec's "cherry-picking" to prove your case (it was probably unintentional on your part).

    When you/I/others 'see' a comment like "you need i7 for 10GbE" in a pfSense thread, remember what pfSense is about - routing packets (or more precisely "filtering" them, the pf in pfSense).
    That implies that pfSense is going to examine, analyze, and direct ALL the traffic it sees on any of its interfaces.  Every one of those operations takes CPU horsepower; the faster the packets, the more horsepower you need, that's the way pfSense was designed.

    When you talk about a Samba/NAS/File share device, its job is much simpler from a "packets" POV - respond to the packets that have already been cleared for it (by pfSense and others).
    There's all sorts of stuff it may do about rights/permissions/etc, but as far as CPU power required to move data across a NIC, it's pretty minimal compared to what you're asking pfSense to do.  The actual transfer of data is a matter of making sure (broadly speaking) the NIC buffers don't get empty. That takes some more HP as speeds increase, but nowhere near as much as for examining every packet you see.

    The net result is that I'm not surprised at all by johnpoz's results, they match every VM setup I've worked with.  They also explain why VM installations are becoming the norm more than less so.  Most modern hardware has tons of excess capacity and VM makes it easy to leverage that into more capabilities.

    …Well, I was told by multiple people that pfsense is basically by far the "best" router OS.
    And about the potential risks, I already made my comments in the first post.

    I would argue that the very reason it's by far the "best" router OS (I do agree largely BTW) is that they recognized very early on that being the "best" doesn't mean being "everything"

    Sorry, it's still dead Jim  :)



  • @NopIt
    I'm at a loss as to your responses.  I don't want a flame war but I won't run away from one as well.

    The way I see it you want it both ways and will jump to either side when it's convenient for you.  You want a system that gives the ability to run multiple OS but want to save on equipment cost and power cost.  What modern day equipment offers a single core CPU or SCO?  None come to my mind.  Even today's current Raspberry Pi 2 has multiple cores.  You want a system that has decent response time AND while answering ALL the demands of a router and a NAS.  Yes I know what a NAS is as well as a SAN, DASD, etc. further, I dare say most commercial NAS systems don't reach true gigabit speeds.  So shut off that smoke and mirrors.

    You then jump to the fact you'll just use one of your older equipment.  Great!  Exactly how is that going to save $?  I mean let's talk about energy efficiency. Today's equipment is way better than something of 5-10 years ago.  Also, don't forget to get that 486 or single core Pentium fully stocked on RAM so it can do all that you ask of it with decent response times.  And, don't forget to code tightly for CPU optimization, you don't want ANY memory leaks that will shut down/crash the ENTIRE system!

    Prior to me bringing up the software for free you NEVER mentioned paying for it.  Show where you did prior to my mention.  Again, both ways.

    You make mention you have a family, work, and a life and you don't have time to learn, etc.  Oh please get over yourself.  How does that make you any different from someone else with their lives?  You think someone else does? Rhetorical questions.  If you want it you'll invest the BST (Blood, Sweat, Trauma) to coding what you desire and you can offer it for free or charge for your efforts.  But remember, as of this post date no one has done it, and if they did you wouldn't be asking for it!

    CMB responded with VM is best so that all the services of each OS really doesn't work well when combined together, doktornotor is right this is a complete waste of DB space, johnpoz gave great examples of why this horse has been beaten to death along with you really not knowing about VM and how his VM is doing all that it does with modest power usage (IMO). (BTW your cheap shot of "that you straight up don't know enough about all this." Opinions vary, but run on with your bad self to johnpoz - Good luck.), and Jailer great pic of advice.

    Bottom line - there are some REALLY REALLY smart people here giving their true opinion(s) and the reasons why, but you just keep your head in the sand.

    Stay there, but for me I'm moving on to things that make more sense than your flip flopping, or ignoring solid advice.



  • @pfSense4ME
    I said I might use some older hardware that I already have.
    There are a few calculations to do before I can say what would be the smartest move for me.
    I mean let's say my older hardware would cost me 150€/year and the newer hardware would only cost me 100€/year, but 400€ to buy it.
    Now if I would wait a year and the hardware would then only cost 300€, I could upgrade my system then and save 50 bucks within the first year.
    I'm just saying it's not that easy.

    Yes, I DO think that someone else will have the time. It would cost me months, if not years of work to do something like this.
    I will definitely try to find a developer who actually knows what he is doing and pay him to get it done.

    @divsys
    Thanks for shining some light on all this.
    That may change everything for me.

    Okay, I've got an Intel Pentium G3258 lying around that I bought from a friend for very cheap a while ago. I just looked it up and it lacks VT-d (Intel Virtualization Technology for Directed I/O). And that even though it is from 2013 or so..

    That's kind of what I meant earlier. Now how would that affect my FreeNAS-in-a-vm-experience? What are my disadvantages of not having VT-d?
    And in general what happens if I want to swap a hard drive in my NAS? Would I have to reconfigure the whole vm for that? Or could it just handle it automatically?

    And would such a CPU be enough? After all it's just a dual core part and I'm not sure if I'd want to overclock it (fan noise).



  • It's a security risk to store your files on the same machine as the firewall. If your firewall machine gets hacked the hacker could gain access to your data.

    When I read posts like that I was shocked. I personally live in a thing called democracy. If I want to buy and eat something that makes me fat, then I can do so.

    You're free to make your own crappy Firewall+NAS, but most people here won't help you harm yourself.

    I've wanted a NAS for over 15 years, but I refuse to make one until I can make it correctly. I'd rather do without than half-ass it. Do it correctly or don't do it at all.



  • I've wanted a NAS for over 15 years, but I refuse to make one until I can make it correctly. I'd rather do without than half-ass it. Do it correctly or don't do it at all.

    For some of the current definitions of "correct" you can look at http://www.freenas.org/ or http://www.nas4free.org/.


  • LAYER 8 Global Moderator

    It clearly supports vt-x, why do you need directed i/o vt-d? Unless you need to give 1 vm specific access to some hardware, it is not needed.. Sure as hell not needed to run a nas and your router on the same host, that is for sure..

    Talk about cherry picking info..  Vt-d is going to be included in their HIGH END cpus.. Not some msrp $72 cheap budget cpu..  It supports almost none of the advanced features
    http://ark.intel.com/products/82723/Intel-Pentium-Processor-G3258-3M-Cache-3_20-GHz

    That chip released Q2 2014, not 2013 btw..

    Vt-d didn't even come on the table until end of 2008..  Pick any HIGH END cpu after that period and it will most likely support Vt-d..  My ford focus doesn't have a turbo charger either, so what I can not drive it?

    VT-x has been around at least 10 years.. And is included in almost all current cpus, yes even that budget chip you pointed out..

    My system doesn't support aes-ni either, but guess what it still does openvpn just fine..  You don't always need a freaking Ferrari to drive to and from work..



  • @divsys:

    I've wanted a NAS for over 15 years, but I refuse to make one until I can make it correctly. I'd rather do without than half-ass it. Do it correctly or don't do it at all.

    For some of the current definitions of "correct" you can look at http://www.freenas.org/ or http://www.nas4free.org/.

    My definition of "correct" is the physical hardware. I figure I need at least $2k to get started. I won't go for anything less than 1TiB of logical, backed by all SSDs of several different brands, Xeon, 10Gb NIC+switch, and 64GiB of DDR4. The bigger issue is finding some good hot-swap hardware (bays). Most stuff that I can find on NewEgg has people complaining about cheap parts and the plugs not aligning, plugs breaking, general connection issues resulting in a drive suddenly disconnecting.

    My alternative is to just get something from iXSystems.


  • LAYER 8 Global Moderator

    "10Gb NIC+switch"

    There you just blew your 2k$ budget ;)  10Gb switches are not really home/lab budgeted yet.. At least not that I have seen.

    I was looking at the new supermicro http://www.wiredzone.com/supermicro-servers-compact-embedded-processor-sys-5028d-tn4t-10024470 that you can get for $1200 without anything, but it does have dual 10G nic via soc and 2 more gig nics..  The problem is the switch to connect it at 10Gb ;)  Will do up to 128GB ddr4, would be a screaming vm host..  Once you put some memory in it and some disks you're pushing the 2k budget..  But those 10G nics would be nice future proofing for when the 10Ge switches get to be more reasonable.



  • @Harvy66
    "You're free to make your own crappy Firewall+NAS, but most people here won't help you harm yourself."
    Can you even read? HOW WOULD I POSSIBLY HARM MYSELF?
    I said it a million times now. I'm a private user, no one would benefit from explicitly hacking me. The data on the NAS will be stored encrypted just because I can. I wouldn't even really care if a hacker would get my data. 
    But all that doesn't even matter because running a NAS (in a vm) on pfsense does not create vulnerabilities in pfsense, unless pfsense by itself is a poorly written piece of crap, which I highly doubt. 
    But if you are so certain that security would be affected that drastically, prove it.

    @johnpoz
    Calm down, please.
    I'm well aware that it supports vt-x and I never said I need vt-d. I was just asking nicely what the disadvantages of not having it would be in my case.
    "Q2 2014" - I don't want to impute nitpicking to you, but that's really not relevant. Besides I said "2013 or so"; I was just estimating.
    "Unless you need to give 1 vm specific access to some hardware"
    Well yeah, how about the hard drives that go into the NAS? Will I have access to S.M.A.R.T and could I create a file system on the drives from the NAS OS without vt-d? And what about pcie raid controllers?


  • LAYER 8 Global Moderator

    "I was just asking nicely what the disadvantages of not having it would be in my case."

    None - unless you wanted to directly connect some hardware to a vm..

    Well it would depend on how you connect them, I don't have vt-d and I have access to the smart info because I raw map them to the vm.. It would also depend on your hypervisor, I would also assume, on whether it allows such raw mapping.

    Are you talking to the vm OS itself, like esxi?  Or the VM?  Both can do it - esxi added function in like 5.1 I think, and the disks I raw map to my nas os vm, can see it as well.

    In my nas vm (2k12r2) I run some software from stablebit that does my pooling for me, not really a fan of drive spaces for simple home use pooling of disks, and also use their scanner software that watches smart, keeps an eye on the filesystem and disk and sends me an alert if something seems odd, out of whack, etc..




  • Personal opinion, but I really like my firewall to do one thing, one thing only.  Much easier to verify correctness, less to lose if something goes bad.



  • My definition of "correct" is the physical hardware. I figure I need at least $2k to get started. I won't go for anything less than 1TiB of logical, backed by all SSDs of several different brands, Xeon, 10Gb NIC+switch, and 64GiB of DDR4. The bigger issue is finding some good hot-swap hardware (bays)

    From my POV you've stepped from the "Build my own NAS" to the "Build my own Server" maybe a change of perspective is in order…



  • Many consumer routers come with a USB port to simulate a NAS type of storage, but many consumer routers also have security problems related to this sort of technology. I believe the developers of PFSense could do it correctly, but it really feels like the wrong type of feature to implement on the PFSense platform.

    PFSense is designed to be an expandable/modular driven firewall solution for protecting 1 or many networks. Developing "frills" isn't a way forward for a product with a strong focus on security and stability.

    If an "All in one" solution is something you would prefer, then I would suggest a typical off the shelf product and flash it with dd-wrt/tomato or a variant if you feel the need.

    I think it's noteworthy that you hold PFSense in such high regard and wish to use it as your "All in one" platform, but demanding that a product team implement a feature that hasn't gained traction for obvious reasons is the wrong way to solve your problem.



  • I don't know who or what to believe anymore. 
    I just read this forum post on the FreeNAS forums:

    FreeNAS is awesome. FreeNAS can and will run as a VM. That does not make it a good idea.

    • FreeNAS is designed to run on bare metal, without any clever storage systems (UNIX/VMFS filesystem layers, RAID card caches, etc!) getting in the way. Think about this: ZFS is designed to implement the functionality of a RAID controller. However, its cache is your system's RAM, and its processor is your system's CPU, both of which are probably a lot larger and faster than your hardware RAID controller's cache!

    • Without direct access to the hard drives, FreeNAS lacks the ability to read SMART data and identify other developing problems or storage failures.

    • A lot of the power of FreeNAS comes from ZFS. Passing a single virtual disk to ZFS to be shared out via FreeNAS is relatively safe, except that ZFS will only be able to detect and not actually correct any errors that are found, even if there is redundancy in the underlying storage.

    • There is a great temptation to create multiple virtual disks on top of nonredundant datastores in order to gain "MOAR SPACE!!!". This is dangerous. Some specific issues to concern yourself with: The data is unretrievable without the hypervisor software, the hypervisor might be reordering data on the way out (which makes the pool at least temporarily inconsistent), and the hypervisor almost certainly handles device failures non-gracefully, resulting in problems from locked up VM to unbootable VM, plus interesting challenges once you've replaced the failed device.

    • Passing your hard disks to ZFS as RDM to gain the benefits of ZFS and virtualization seems like it would make sense, except that the actual experiences of FreeNAS users are that this works great, right up until something bad happens, at which point usually more wrong things happen, and it becomes a nightmare scenario to work out what has happened with RDM, and in many instances, users have lost their pool. VMware does not support using RDM in this manner, and relying on hacking up your VM config file to force it to happen is dangerous and risky.

    • FreeNAS with hardware PCI passthrough of the storage controller (Intel VT-d) is a smart idea, as it actually addresses the three points above. However, PCI passthrough on most consumer and prosumer grade motherboards is unlikely to work reliably. VT-d for your storage controller is dangerous and risky to your pool. A few server manufacturers seem to have a handle on making this work correctly, but do NOT assume that your non-server-grade board will reliably support this (even if it appears to).

    • Virtualization tempts people to under-resource a FreeNAS instance. FreeNAS can, and will, use as much RAM as you throw at it, for example. Making a 4GB FreeNAS VM may leave you 12GB for other VM's, but is placing your FreeNAS at a dangerously low amount of RAM. 8GB is the floor, the minimum.

    • The vast majority of wannabe-virtualizers seem to want to run FreeNAS in order to provide additional reliable VM storage. Great idea, except that virtualization software typically wants its datastores to all be available prior to powering on VM's, which creates a bootstrap paradox. Put simply, this doesn't work, at least not without lots of manual intervention, timeouts during rebooting, and other headaches. (2013 note, ESXi 5.5 may offer a way around this.)

      I'm pretty sure I'm forgetting a few. But the conclusion is this: it's perfectly fine to experiment with FreeNAS in a VM. However, if you run it in production, put your valuable data on it, and then something bad happens, and you absolutely positively must get your data back, there probably won't be a lot of help available from the forum. We've seen it happen again, and again, and again. Sigh.

      So is it a bad idea or not? I mean that post does clearly imply that it is. Now the question is how biased each party is..
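    One point in the quoted FreeNAS list is easy to check on a running system: when a pool's only top-level vdev is a single (virtual) disk, ZFS can detect a bad block via its checksum but has no second copy to repair it from, so the error becomes a permanent data error. The script below is an added example, not code from this thread, from pfSense or from FreeNAS. It parses constructed `zpool status` output (embedded inline, not captured from a real host) and flags pools that lack vdev-level redundancy (no mirror/raidz/draid top-level vdev) as well as any checksum or data errors already recorded. On a real machine the same parser could be fed `zpool status` via `subprocess`.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output in the layout zpool status uses: two pools, one
# on a single disk (what you get when a hypervisor hands ZFS one virtual
# disk), one on a mirror.  The numbers are made up for the example.
SAMPLE_ZPOOL_STATUS = """\
  pool: tank
 state: ONLINE
status: One or more devices has experienced an error resulting in data
        corruption.  Applications may be affected.
action: Restore the file in question if possible.  Otherwise restore the
        entire pool from backup.
config:

\tNAME        STATE     READ WRITE CKSUM
\ttank        ONLINE       0     0     0
\t  da1       ONLINE       0     0     3

errors: 1 data errors, use '-v' for a list

  pool: safe
 state: ONLINE
config:

\tNAME        STATE     READ WRITE CKSUM
\tsafe        ONLINE       0     0     0
\t  mirror-0  ONLINE       0     0     0
\t    da2     ONLINE       0     0     0
\t    da3     ONLINE       0     0     2

errors: No known data errors
"""

# Top-level vdev types that carry redundancy and therefore allow self-healing.
REDUNDANT_PREFIXES = ("mirror", "raidz", "draid")

# One device row of the config table: indentation, name, state, then the
# READ / WRITE / CKSUM error counters.
DEVICE_ROW = re.compile(
    r"^(?P<indent>\s*)(?P<name>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<read>\d+)\s+(?P<write>\d+)\s+(?P<cksum>\d+)"
)


@dataclass
class PoolReport:
    name: str
    state: str
    top_level_vdevs: list = field(default_factory=list)
    cksum_errors: int = 0
    data_errors: bool = False

    @property
    def self_healing(self) -> bool:
        # ZFS can only repair a corrupted block if every top-level vdev has
        # a redundant copy to read it from.
        return bool(self.top_level_vdevs) and all(
            v.startswith(REDUNDANT_PREFIXES) for v in self.top_level_vdevs
        )


def parse_zpool_status(text: str) -> list:
    """Split zpool status output into one PoolReport per pool."""
    reports = []
    current = None
    in_config = False
    for line in text.splitlines():
        m = re.match(r"^\s*pool:\s+(\S+)", line)
        if m:
            current = PoolReport(name=m.group(1), state="UNKNOWN")
            reports.append(current)
            in_config = False
            continue
        if current is None:
            continue
        m = re.match(r"^\s*state:\s+(\S+)", line)
        if m:
            current.state = m.group(1)
            continue
        if line.startswith("config:"):
            in_config = True
            continue
        if line.startswith("errors:"):
            in_config = False
            current.data_errors = "No known data errors" not in line
            continue
        if in_config and line.startswith("\t"):
            row = DEVICE_ROW.match(line[1:])   # drop the leading tab
            if not row:                        # header row has no counters
                continue
            # Pool row sits at indent 0, top-level vdevs at 2, leaf disks at 4.
            if len(row.group("indent")) == 2:
                current.top_level_vdevs.append(row.group("name"))
            current.cksum_errors += int(row.group("cksum"))
    return reports


def assess(report: PoolReport) -> list:
    """Return human-readable findings for one pool (empty list = nothing to flag)."""
    findings = []
    if not report.self_healing:
        findings.append("no redundancy at the vdev level: ZFS can detect "
                        "but not repair corrupted blocks")
    if report.cksum_errors:
        findings.append(f"{report.cksum_errors} checksum error(s) recorded")
    if report.data_errors:
        findings.append("pool reports permanent data errors")
    return findings


if __name__ == "__main__":
    for pool in parse_zpool_status(SAMPLE_ZPOOL_STATUS):
        print(f"{pool.name} ({pool.state}):")
        for finding in assess(pool) or ["ok"]:
            print(f"  - {finding}")
```

    In the sample, `tank` is flagged on all three counts (single-disk vdev, checksum errors, permanent data errors) while `safe` only reports the two checksum errors its mirror was able to correct. The parser keys off the indentation zpool status uses for the config table, so a pool with several top-level vdevs is handled the same way; it is considered self-healing only if every top-level vdev is redundant.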


  • LAYER 8 Netgate

    More a subject to be hashed out on the freenas forums. Why are you here looking for FreeNAS expertise?

    In case you haven't figured it out, it doesn't appear that anybody here is interested.

    If you want pfSense and FreeNAS on the same hardware, virtualize (at your own risk.)

    Your aforementioned old hardware will almost certainly lack VT-d support.



  • I've not delved too deeply into the current state of the art of FreeNAS so you may take my next comments with a grain of salt.

    That said, I have noted there seems to be a current "battle" between FreeNAS and Nas4Free (a recent fork of FreeNAS) on a whole range of issues, some of which you've touched upon.

    As far as the include a "NAS in pfSense" debate, everything you've touched on is evidence in my mind NOT to include a NAS in pfSense.
    Perhaps VM is the way to go, perhaps not, but it's pretty obvious to me from your quote that a NAS has really different issues of concern than a firewall.
    No point in trying to shoehorn them together.

    As Derelict mentioned, I think you've moved off of this being a pfSense issue.
    I'd suggest a little research into the current NAS distro issues and where you want to go from here.



  • @NopIt:

    I don't know who or what to believe anymore. 
    I just read this forum post on the FreeNAS forums:

    ~snip~

    So is it a bad idea or not? I mean that post does clearly imply that it is. Now the question is how biased each party is..

    Keep it in context. That post is directed, as clearly stated if you would read it further, to individuals who don't know what they are doing with virtualization. That post was authored to clearly state that if you virtualize FreeNAS and bad things happen you are on your own and will get no support from the forums fixing it. It does not say that you can't or shouldn't, it says you shouldn't unless you know what you are doing. And if you have to ask then you don't know what you are doing.

    But don't take my word for it, go over there and pitch your proposed idea of a combined router/firewall and NAS and see the type of response you get.



  • @Jailer
    Well, as far as I understood the post, it pretty much says, "if something goes bad, you lose your data, unless you had vt-d".

    @divsys
    I think the argument that the "solution" would be to run FreeNAS in a vm on pfsense is pretty much eliminated now. (please correct me if I'm wrong)
    And I had a gazillion points for why it would make a lot of sense in certain cases to not run the firewall/router and the NAS on separate devices. (see first post if you don't remember) 
    This whole discussion until this point was all about people telling me that virtualization is the solution.
    So as far as I see it, the discussion I was looking for in the first place may start now ("NAS service on pfsense" vs "separate devices").

    And I can only repeat myself over and over again. An optional service that you don't choose to use doesn't bear any risks for you.
    And users like me (who don't even have sensitive data) who would want to use such a service (to save a significant amount of money) wouldn't even care about the risks (if they even existed).


  • LAYER 8 Global Moderator

    "unless you had vt-d"

    You do NOT need vt-d to pass your hdd to your VM natively…  At least not in esxi; it's a simple raw map..
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1017530



  • So correct me if I'm wrong (I'm very much a noob here), but pfsense already combines two very different but common sense functions - routing and firewalls. Why is it such a stretch to think that NAS is so far removed from these two worlds? We're talking about network management, which includes storage.

    Also, why doesn't anyone seem to recognize that the Apple Time Capsule is basically exactly what the user is describing? Sure, the target demographic for Apple is set-it-and-forget-it consumers who aren't as security savvy, but Apple is pretty invested in building a secure product. A pfsense router/firewall seems like a much better partner for an NAS backup solution than an out of the box Apple product. I for one would love a single solution for all my network related needs.



  • Why is it such a stretch to think that NAS is so far removed from these two worlds?

    ???  One involves handling of network traffic, the other concerns itself with data on hard disks.  Same reason your basic fridge doesn't have a wine chiller, a Frappuccino maker and a toaster oven all built-in, even though it sounds amazing.

    We're talking about network management, which includes storage.

    Well, not really, other than your NAS is just another device on the network.  My TV is on my network at home, but I wouldn't consider television to be a part of network management.

    I've been in IT for almost 30 years now, and I've learned the hard way that one service per device is usually best.  Building a monolithic server stack is great until it falls over and takes everything out.



  • @laynerd:

    So correct me if I'm wrong (I'm very much a noob here), but pfsense already combines two very different but common sense functions - routing and firewalls.

    There is no firewall that separates routing functions, they're inherently required in combination and aren't very different at all. Where you leap from firewall to file server, that's a very different function.

    Those who think this is a good idea aren't really our target market. Do you get a NAS built into your Cisco ASA or Sonicwall or Checkpoint or Watchguard or any other similar class product? No.

    All the solutions that try to be everything to everyone end up doing everything poorly.

    Moot point, as we now have bhyve. Run your NAS in bhyve.

    @NopIt:

    So is it a bad idea or not? I mean that post does clearly imply that it is. Now the question is how biased each party is..

    Some of those points are valid, some are FUD, but it's largely just that people get themselves into a situation that's more complex than they know how to handle. Granted, if you want to run ZFS, you're either going to want to run on bare metal or with a controller you can passthrough to the NAS VM.

