Netgate Discussion Forum

    Virtualized pfSense on QNAP NAS

      nappy_d

      Hi everyone,
      I am currently running pfSense on an old Core 2 Duo box and it's working great but it's showing its age.

      I recently bought a QNAP TS-563 NAS with 8GB of RAM.  In any event, this QNAP can run virtual machines. I am really considering running pfSense from this QNAP and I would also install a second dual PCI-E NIC just for pfSense.

      Anyone have any thoughts on this because from what I've read, this seems like a good fit for my storage needs etc.

      • Hardware Specs
        https://www.qnap.com/i/en/product/model.php?II=194&event=2

      • Virtualization Specs
        https://www.qnap.com/event/station/en/virtualization.php

      T.I.A.

        whosmatt

        Can't offer any guidance, but that's really interesting that it supports VMs and FreeBSD in particular.  I assume it's an x86 based system?  Curious to hear how it turns out.  Can't hurt to try!

        Matt

          Jailer

          Bad idea. You want a firewall at the edge of your connection, not running in a VM on your LAN.

            Guest

            Anyone have any thoughts on this because from what I've read, this seems like a good fit for my storage needs etc.

            Normally you will only run a firewall in a VM if you are not able to realize it with any other hardware,
            or if the company and the number of employees are growing really fast, so that you are able to give
            it more CPU cores and RAM each month or half year to keep it running flawlessly and smoothly without
            any kind of problems, or if you are able to offer an HA setup like 2 VMs working as a cluster. But then
            the device holding the VMs is often or mostly dedicated to holding the firewall(s), and it is
            not a NAS inside the LAN but rather, as rightly reported before, at the edge or border of your network.

            And there is then often nothing else on this device, only the one or both VMs holding the firewall(s).
            Also, for a home setup I would rather take a dedicated hardware device for the firewall.

              whosmatt

              @Jailer:

              Bad idea. You want a firewall at the edge of your connection, not running in a VM on your LAN.

              Not at all.  We run pfsense in production in VMs all the time.  There's two ways to segregate it from your LAN.  One is to use VLANs and virtual networking, the other is to dedicate NICs to the pfsense instance(s).  Nothing wrong or inappropriate about that.

                nappy_d

                Thanks everyone. Looks like it's pretty much 50/50 on which way to go.  I'll definitely give it a go and let you all know how it works out.

                  murzik

                  Did you ever get it working?

                    jahonix

                    QNAP now supports pfSense officially
                    https://www.netgate.com/blog/qnap-to-add-pfsense-to-its-products.html

                      killpilot

                      hi all,

                      this is good news… and if there is an expert here... I have a question...
                      I have an ISP connection at 1Gb/s (optical fiber)
                      I have a QNAP TVS-663 (AMD 64-bit quad core 2,4GHz) - 2 gigabit NICs (aggregated with trunk, 4 VLANs)
                      I installed one pfSense in a VM with 2 cores, 4 gigabit vNICs, 512Mo of RAM.
                      I use Virtualization Station to tag my VLANs (my switch supports 802.1q)

                      when I generate high traffic... my pfSense's CPU goes up to 100% and my bandwidth does not exceed 130Mb/s ... when I connect my laptop directly to my ISP modem (on the WAN side) my bandwidth is 600-700mb/s ....

                      I think the default config of pfSense is not correct for this usage (QNAP virtualisation). would someone have an idea of tuning/customization for this issue?

                      thanks, and have a good day.

                        Guest

                        You are probably emulating a whole bunch of things in software. First, stop using VLANs for now, and don't do any special networking on the QNAP side. Also see if AES-NI works and if you have checksum offloading disabled. Also check if you are using PPPoE.

                          killpilot

                          @johnkeates:

                          You are probably emulating a whole bunch of things in software. First, stop using VLANs for now, and don't do any special networking on the QNAP side. Also see if AES-NI works and if you have checksum offloading disabled. Also check if you are using PPPoE.

                          thanks for your answer…

                          first for AES-NI ... the crypto hardware is set to none.... but I am not using VPN for the moment... why would this feature help with my issue... for normal traffic (routing and firewalling) it is not used? right?

                          for the VLAN config.... I'm not sure I can set my virtual NIC to passthrough (so that my pfSense manages the VLANs instead of the QNAP).... in my NAS I have only 2 NICs... not using VLANs.... is difficult for me... my network topology does not allow that (it is not for work, it is my home installation :P )... but for example, when my PC uses the iSCSI LUN on my NAS, my network uses my NAS physical NIC with VLAN ID, and my bandwidth is good (90Mo/s), so I suppose the issue is not the networking on the QNAP side...

                          and for the last point.. my ISP gives me an internet box (a router); my fiber is connected to the little box (converts optical to RJ45), this little box is connected to the WAN port of my ISP box, and my pfSense is connected to the LAN port of my ISP box (I set the DMZ to the IP address of pfSense (all requests on all TCP/UDP ports are automatically sent to pfSense)), therefore I am not using PPPoE.

                          for example, currently my NAS is downloading many files from Amazon Drive...

                          last pid: 14113;  load averages:  9.83,  8.31,  8.00  up 2+00:08:27    21:30:30
                          134 processes: 7 running, 112 sleeping, 15 waiting

                          Mem: 12M Active, 129M Inact, 94M Wired, 67M Buf, 229M Free
                          Swap: 1024M Total, 1024M Free

                          PID USERNAME PRI NICE  SIZE    RES STATE  C  TIME    WCPU COMMAND
                              0 root    -92    -    0K  256K CPU0    0 441:25 100.00% [kernel{em0 taskq}]
                              0 root    -92    -    0K  256K -      1 300:08  71.39% [kernel{em1 taskq}]
                            12 root    -92    -    0K  256K RUN    1  90:49  17.38% [intr{irq11: em0 em1++}]
                          20828 root      38    0  247M 40468K piperd  1  0:39  9.77% php-fpm: pool nginx (php-fpm)
                            12 root    -60    -    0K  256K WAIT    1  8:17  0.20% [intr{swi4: clock}]
                          14056 root      20    0 16676K  2284K bpf    0  5:24  0.10% /usr/local/sbin/filterlog -i pflog0 -p /va
                            11 root    155 ki31    0K    32K RUN    1  35.2H  0.00% [idle{idle: cpu1}]
                            11 root    155 ki31    0K    32K RUN    0  34.4H  0.00% [idle{idle: cpu0}]
                              0 root    -92    -    0K  256K RUN    1  9:23  0.00% [kernel{dummynet}]
                          36938 root      20    0 21632K  6080K select  1  7:48  0.00% /usr/local/sbin/openvpn --config /var/etc/
                          21384 root      47    0  255M 52412K accept  1  5:28  0.00% php-fpm: pool nginx (php-fpm)
                          93326 root      52    0  255M 50572K accept  0  4:40  0.00% php-fpm: pool nginx (php-fpm)
                          55210 root      20    0 14512K  2312K vmpfw  0  1:53  0.00% /usr/sbin/syslogd -s -c -c -l /var/dhcpd/v
                            12 root    -72    -    0K  256K WAIT    1  1:38  0.00% [intr{swi1: netisr 1}]
                              4 root    -16    -    0K    32K -      1  1:27  0.00% [cam{doneq0}]
                              0 root    -92    -    0K  256K -      1  1:14  0.00% [kernel{em2 taskq}]
                            12 root    -88    -    0K  256K WAIT    1  0:55  0.00% [intr{irq14: ata0}]
                              0 root    -16    -    0K  256K swapin  1  0:41  0.00% [kernel{swapper}]

                          in my NAS the used bandwidth is 13Mo/s.

                          in my Virtualization Station, the CPU usage shows 46% … (in pfSense the CPU is 100% ... )

                          PS: sorry for my English... it is difficult for me to explain my issue correctly.

                            Guest

                            Alright, it looks like the biggest problem is the fake intel emulated card:

                            0 root    -92    -    0K  256K CPU0    0 441:25 100.00% [kernel{em0 taskq}]

                            For starters, give the VM more memory, like, 2GB. Then, see if you can use a virtio/virtual network card instead of emulated Intel.

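The diagnosis above rests on the `em0 taskq` line of the posted top output. As an added example (not part of any post in this thread), this Python script parses such output and lists emulated NICs whose kernel taskq thread is saturating a core. The mapping of `em` to "emulated" and `vtnet` to "virtio" assumes a VM without PCI passthrough, and the function names are hypothetical.

```python
import re

# Input: lines copied from the top output posted earlier in this thread.
SAMPLE_TOP = """\
    0 root    -92    -    0K  256K CPU0    0 441:25 100.00% [kernel{em0 taskq}]
    0 root    -92    -    0K  256K -      1 300:08  71.39% [kernel{em1 taskq}]
   12 root    -92    -    0K  256K RUN    1  90:49  17.38% [intr{irq11: em0 em1++}]
20828 root      38    0  247M 40468K piperd  1  0:39  9.77% php-fpm: pool nginx (php-fpm)
   11 root    155 ki31    0K    32K RUN    1  35.2H  0.00% [idle{idle: cpu1}]
    0 root    -92    -    0K  256K -      1  1:14  0.00% [kernel{em2 taskq}]
"""

# Assumption of this example: inside a VM without PCI passthrough, em(4) is the
# hypervisor's emulated Intel NIC and vtnet(4) is the paravirtual VirtIO NIC.
DRIVER_KIND = {"em": "emulated", "vtnet": "virtio"}

# WCPU column followed by a per-interface kernel taskqueue thread name.
TASKQ = re.compile(r"(\d+(?:\.\d+)?)%\s+\[kernel\{([a-z]+)(\d+) taskq\}\]")


def nic_taskq_load(top_text):
    """Return {interface: WCPU percent} for per-NIC kernel taskq threads."""
    load = {}
    for line in top_text.splitlines():
        m = TASKQ.search(line)
        if m:
            iface = m.group(2) + m.group(3)
            load[iface] = load.get(iface, 0.0) + float(m.group(1))
    return load


def saturated_emulated_nics(top_text, threshold=50.0):
    """List (interface, WCPU) for emulated NICs whose taskq meets threshold."""
    hits = []
    for iface, wcpu in sorted(nic_taskq_load(top_text).items()):
        driver = iface.rstrip("0123456789")
        if DRIVER_KIND.get(driver) == "emulated" and wcpu >= threshold:
            hits.append((iface, wcpu))
    return hits


if __name__ == "__main__":
    for iface, wcpu in saturated_emulated_nics(SAMPLE_TOP):
        print(f"{iface}: taskq at {wcpu:.2f}% WCPU on an emulated NIC; "
              "packet I/O is being handled in software")
```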
                              killpilot

                              Wow.. I hope this solves my issue.

                              Fine, tonight I will stop my VM, add the new interfaces with device type VirtIO and force the same MAC address as the old NIC..

                              If everything works fine, my pfSense will assign the new interface to the right VLAN (MAC is the same), right?

                                Guest

                                @killpilot:

                                Wow.. I hope this solves my issue.

                                Fine, tonight I will stop my VM, add the new interfaces with device type VirtIO and force the same MAC address as the old NIC..

                                If everything works fine, my pfSense will assign the new interface to the right VLAN (MAC is the same), right?

                                yes

                                  killpilot

                                  fine…

                                  there are two pieces of news, one good, one bad :P

                                  the good is, the CPU consumption is now normal.... when I launch a transfer the CPU goes up to 3 or 5% ....
                                  the bad is the bandwidth is worse than before..... (my ISP connection is up 250Mbps / down 1Gbps; the bandwidth test gives down 15Mbps / up 1Mbps) .....

                                  any ideas?

                                    Guest

                                    @killpilot:

                                    fine…

                                    there are two pieces of news, one good, one bad :P

                                    the good is, the CPU consumption is now normal.... when I launch a transfer the CPU goes up to 3 or 5% ....
                                    the bad is the bandwidth is worse than before..... (my ISP connection is up 250Mbps / down 1Gbps; the bandwidth test gives down 15Mbps / up 1Mbps) .....

                                    any ideas?

                                    That is because of this: https://forum.pfsense.org/index.php?topic=88467.0

                                    Disable checksums! On both sides (host and vm)

                                      killpilot

                                      OK, I'll check this tonight, have a good day

                                        killpilot

                                        hi….

                                        good news, the network speed is good :D

                                        I installed pfSense from scratch with 2.3.5 (I don't know if Virtualization Station supports FreeBSD 11), I restored my conf, reassigned the interfaces, rebooted, disabled checksum offloading, rebooted, and after that... everything works fine, except the OpenVPN layer... the daemon doesn't start....

                                          killpilot

                                          so….

                                          after troubleshooting, the issue was the loss of the auth digest algo config and encryption algo.. I redid it, reloaded the conf and everything works fine...

                                          thank you very much for your precious help, and time :D

                                            Guest

                                            Excellent work! good to know that you can use virtio and disable checksum offloading without any extra hacking. Should keep the CPU usage low, but the performance high.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.