Virtualized pfSense on QNAP NAS



  • Hi everyone,

    I am currently running pfSense on an old Core 2 Duo box and it's working great but it's showing its age.

    I recently bought a QNAP TS-563 NAS with 8GB of RAM. In any event, this QNAP can run virtual machines. I am really considering running pfSense from this QNAP and I would also install a second dual PCI-E NIC just for pfSense.

    Anyone have any thoughts on this because from what I've read, this seems like a good fit for my storage needs etc.

    -Virtualization Specs
    https://www.qnap.com/event/station/en/virtualization.php

    T.I.A.



  • Can't offer any guidance, but that's really interesting that it supports VMs and FreeBSD in particular.  I assume it's an x86 based system?  Curious to hear how it turns out.  Can't hurt to try!

    Matt



  • Bad idea. You want a firewall at the edge of your connection, not running in a VM on your LAN.



  • Anyone have any thoughts on this because from what I've read, this seems like a good fit for my storage needs etc.

    Normally you would only run a firewall in a VM if you are not able to realize it with any other hardware,
    or if the company and the number of employees are growing really fast, so that you can give it
    more CPU cores and RAM each month or half year to keep it running flawlessly and smoothly without
    any kind of problems, or if you want to offer an HA setup, like 2 VMs working as a cluster. But then
    the device holding the VMs is often or mostly dedicated to holding the firewall(s), and it is
    not a NAS inside the LAN but, as rightly reported before, at the edge or border of your network.

    And there is then often nothing else on this device, only the one or both VMs holding the firewall(s).
    Also, for a home setup I would prefer to use a dedicated hardware device for the firewall.



  • @Jailer:

    Bad idea. You want a firewall at the edge of your connection, not running in a VM on your LAN.

    Not at all.  We run pfsense in production in VMs all the time.  There's two ways to segregate it from your LAN.  One is to use VLANs and virtual networking, the other is to dedicate NICs to the pfsense instance(s).  Nothing wrong or inappropriate about that.



  • Thanks everyone. Looks like it's pretty much 50/50 on which way to go.  I'll definitely give it a go and let you all know how it works out.



  • Did you ever get it working?





  • Hi all,

    This is good news… and if there is an expert here... I have a question...
    I have an ISP connection at 1Gb/s (optical fiber).
    I have a QNAP TVS-663 (AMD 64-bit quad core 2,4GHz) - 2 gigabit NICs (aggregated, with a trunk of 4 VLANs).
    I installed one pfSense in a VM with 2 cores, 4 gigabit vNICs, 512MB of RAM.
    I use Virtualization Station to tag my VLANs (my switch supports 802.1q).

    When I generate high traffic... my pfSense's CPU maxes out at 100% and my bandwidth does not exceed 130Mb/s... when I connect my laptop directly to my ISP modem (on the WAN side) my bandwidth is 600-700Mb/s....

    I think the default config of pfSense is not correct for this usage (QNAP virtualisation). Would someone have an idea for tuning/customization for this issue?

    Thanks, and have a good day.



  • You are probably emulating a whole bunch of things in software. First, stop using VLANs for now, and don't do any special networking on the QNAP side. Also see if AES-NI works and if you have checksum offloading disabled. Also check if you are using PPPoE.



  • @johnkeates:

    You are probably emulating a whole bunch of things in software. First, stop using VLANs for now, and don't do any special networking on the QNAP side. Also see if AES-NI works and if you have checksum offloading disabled. Also check if you are using PPPoE.

    Thanks for your answer…

    First, for AES-NI... the crypto hardware is set to none.... but I am not using VPN for the moment... why would this feature help with my issue... normally for normal traffic (routing and firewalling) it is not used, right?

    For the VLAN config.... I'm not sure I can set my virtual NIC to passthrough (so that pfSense manages the VLANs instead of the QNAP).... my NAS has only 2 NICs... if I don't use VLANs.... it is difficult for me... my network topology does not allow that (it is not for work, it is my home installation :P )... but for example, when my PC uses the iSCSI LUN on my NAS, my network uses my NAS's physical NIC with a VLAN ID, and my bandwidth is good (90MB/s), so I suppose the issue is not the networking on the QNAP side...

    And for the last point.. my ISP gave me an internet box (a router). My fiber is connected to a little box (it converts optical to RJ45), this little box is connected to the WAN port of my ISP box, and my pfSense is connected to a LAN port of my ISP box (I set the DMZ to the IP address of pfSense, so all requests on all TCP/UDP ports are automatically sent to pfSense). Therefore I am not using PPPoE.

    For example, currently my NAS is downloading many files from Amazon Drive...

    last pid: 14113;  load averages:  9.83,  8.31,  8.00  up 2+00:08:27    21:30:30
    134 processes: 7 running, 112 sleeping, 15 waiting

    Mem: 12M Active, 129M Inact, 94M Wired, 67M Buf, 229M Free
    Swap: 1024M Total, 1024M Free

    PID USERNAME PRI NICE  SIZE    RES STATE  C  TIME    WCPU COMMAND
        0 root    -92    -    0K  256K CPU0    0 441:25 100.00% [kernel{em0 taskq}]
        0 root    -92    -    0K  256K -      1 300:08  71.39% [kernel{em1 taskq}]
      12 root    -92    -    0K  256K RUN    1  90:49  17.38% [intr{irq11: em0 em1++}]
    20828 root      38    0  247M 40468K piperd  1  0:39  9.77% php-fpm: pool nginx (php-fpm)
      12 root    -60    -    0K  256K WAIT    1  8:17  0.20% [intr{swi4: clock}]
    14056 root      20    0 16676K  2284K bpf    0  5:24  0.10% /usr/local/sbin/filterlog -i pflog0 -p /va
      11 root    155 ki31    0K    32K RUN    1  35.2H  0.00% [idle{idle: cpu1}]
      11 root    155 ki31    0K    32K RUN    0  34.4H  0.00% [idle{idle: cpu0}]
        0 root    -92    -    0K  256K RUN    1  9:23  0.00% [kernel{dummynet}]
    36938 root      20    0 21632K  6080K select  1  7:48  0.00% /usr/local/sbin/openvpn --config /var/etc/
    21384 root      47    0  255M 52412K accept  1  5:28  0.00% php-fpm: pool nginx (php-fpm)
    93326 root      52    0  255M 50572K accept  0  4:40  0.00% php-fpm: pool nginx (php-fpm)
    55210 root      20    0 14512K  2312K vmpfw  0  1:53  0.00% /usr/sbin/syslogd -s -c -c -l /var/dhcpd/v
      12 root    -72    -    0K  256K WAIT    1  1:38  0.00% [intr{swi1: netisr 1}]
        4 root    -16    -    0K    32K -      1  1:27  0.00% [cam{doneq0}]
        0 root    -92    -    0K  256K -      1  1:14  0.00% [kernel{em2 taskq}]
      12 root    -88    -    0K  256K WAIT    1  0:55  0.00% [intr{irq14: ata0}]
        0 root    -16    -    0K  256K swapin  1  0:41  0.00% [kernel{swapper}]

    On my NAS the bandwidth used is 13MB/s.

    In my Virtualization Station, the CPU usage shows 46%… (in pfSense the CPU is 100%...)

    PS: sorry for my English... it is difficult for me to explain my issue correctly.








  • Alright, it looks like the biggest problem is the fake intel emulated card:

    0 root    -92    -    0K  256K CPU0    0 441:25 100.00% [kernel{em0 taskq}]

    For starters, give the VM more memory, like, 2GB. Then, see if you can use a virtio/virtual network card instead of emulated Intel.



  • Wow.. I hope this solves my issue.

    Fine, tonight I will stop my VM, add the new interfaces with device type VirtIO and force the same MAC address as the old NIC..

    If everything works fine, pfSense will assign the new interface to the right VLAN (the MAC is the same), right?



  • @killpilot:

    Wow.. I hope this solves my issue.

    Fine, tonight I will stop my VM, add the new interfaces with device type VirtIO and force the same MAC address as the old NIC..

    If everything works fine, pfSense will assign the new interface to the right VLAN (the MAC is the same), right?

    yes



  • Fine…

    There are two pieces of news, one good, one bad :P

    The good is, the CPU consumption is now normal.... when I launch a transfer the CPU goes up to 3 or 5%....
    The bad is the bandwidth is worse than before..... (my ISP connection is up 250Mbps / down 1Gbps; the bandwidth test gives down 15Mbps / up 1Mbps).....

    Any ideas?






  • @killpilot:

    Fine…

    There are two pieces of news, one good, one bad :P

    The good is, the CPU consumption is now normal.... when I launch a transfer the CPU goes up to 3 or 5%....
    The bad is the bandwidth is worse than before..... (my ISP connection is up 250Mbps / down 1Gbps; the bandwidth test gives down 15Mbps / up 1Mbps).....

    Any ideas?

    That is because of this: https://forum.pfsense.org/index.php?topic=88467.0

    Disable checksums! On both sides (host and vm)
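
An added example, not part of the thread: a POSIX sh helper that parses FreeBSD `ifconfig` output and lists the virtio (`vtnet`) interfaces that still have checksum offload enabled, the setting the reply above says to disable. It also reports TSO and LRO flags, which goes beyond what the reply names. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report interfaces whose offload features are still enabled,
# based on the options=<...> line printed by FreeBSD's ifconfig.

# Constructed sample output (not from the thread); hex values are illustrative.
sample_ifconfig() {
cat <<'EOF'
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 52:54:00:00:00:01
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
	ether 52:54:00:00:00:02
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
EOF
}

# Reads ifconfig output on stdin.
# $1: interface name prefix to check (default: vtnet, the virtio NIC driver).
# Prints "iface: FLAG,FLAG,..." for each matching interface that still has
# checksum, TSO or LRO offload enabled; prints nothing when all are off.
offload_report() {
    awk -v prefix="${1:-vtnet}" '
        # Interface header line, e.g. "vtnet0: flags=..."
        /^[a-z][a-z0-9_.]*: flags=/ { iface = $1; sub(/:$/, "", iface); next }
        # Enabled-options line of an interface we care about
        /^[ \t]+options=/ && index(iface, prefix) == 1 {
            line = $0
            sub(/^[^<]*</, "", line)   # drop everything up to "<"
            sub(/>.*$/, "", line)      # drop ">" and anything after it
            n = split(line, opt, ",")
            hit = ""
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^(RXCSUM|TXCSUM|TSO4|TSO6|LRO)/)
                    hit = hit (hit == "" ? "" : ",") opt[i]
            if (hit != "") print iface ": " hit
        }'
}

# Demo on the constructed sample: only vtnet0 is reported.
sample_ifconfig | offload_report
```

On the firewall itself, run `ifconfig | offload_report`; no output means none of the matched interfaces has these features enabled.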



  • OK, I'll check this tonight, have a good day.



  • Hi….

    Good news, the network speed is good :D

    I installed pfSense from scratch with 2.3.5 (I don't know if Virtualization Station supports FreeBSD 11), restored my conf, reassigned the interface, rebooted, disabled checksum offloading, rebooted, and after that... everything works fine, except the OpenVPN layer... the daemon doesn't start....



  • So….

    After troubleshooting, the issue was the loss of the auth digest algo config and encryption algo.. I redid it, reloaded the conf and everything works fine...

    Thank you very much for your precious help and time :D



  • Excellent work! Good to know that you can use virtio and disable checksum offloading without any extra hacking. Should keep the CPU usage low, but the performance high.



  • @killpilot , as I'm sure you know, Netgate just released pfSense as a Virtualization Station app for QNAP devices. I know your TVS-663 supports VS. I'm just curious if you have tried running this app, and if so, any issues? Also, if you don't mind me asking, are you running pfSense with any of the security packages (like Snort, pfBlocker, OpenVPN, LightSquid)? If so, are you able to maintain bandwidth with all of these running?

    I ask because I am in need of a new firewall/UTM (to replace an ageing Zyxel device) as well as a new NAS. So I'm thinking of buying a supported QNAP device and running pfSense (kill two birds with one stone). My main concern, aside from stability (which seems good from what I've read) is not throttling my bandwidth when running pfSense with the various packages. Any thoughts on this?

    Hopefully you're still following this thread.☺ Thanks!
