Looking for a free 10 Gb/s firewall on a Proxmox VM.

dvb91

Apr 29, 2023
Hi,

Currently running Proxmox V9 and pfSense in a VM, with no issues on a 2000 Mbps down / 800 Mbps up fiber connection.

After migrating to symmetrical 8 Gbps, the speeds are capped, regardless of the setup:
- pfSense : approximately 5.5 Gbps down and 2 Gbps up
- OPNsense: 8 Gbps down perfect, but 2.3 Gbps up

Both firewalls are running on FreeBSD, which is known for poor communication with Proxmox's VirtIO network driver. (pfSense is even worse because it doesn't support network multiqueue.)

I tried OpenWrt (Linux): even worse speeds; I'm not convinced by the product in a virtualization environment.

I still need to test VyOS.

Have you managed to reach 10 Gbps with a VM firewall under Proxmox?
Do you know a free firewall that handles 10 Gb/s in a VM that you would recommend?

I'd appreciate your advice and experiences.
Regards.
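The first post mentions VirtIO multiqueue as one factor in the throughput gap. The following is an added example, not something posted in the thread: a POSIX shell helper that reads a VM's configuration with Proxmox's `qm config`, derives a queue count equal to the VM's `cores` value (the figure the Proxmox documentation recommends), and rewrites the chosen `netN` line with `qm set` so that `queues=` is set. The parsing functions are pure text processing and can be exercised on a pasted `qm config` dump; the VM id, NIC index and the sample config lines used for checking are assumptions for illustration. The guest still has to enable the extra queues itself (on a Linux guest, `ethtool -L <iface> combined <N>`), which the script does not do.

```shell
#!/bin/sh
# Added example: enable VirtIO multiqueue on a Proxmox VM NIC.
# Assumes the Proxmox `qm` CLI is present when apply_multiqueue is called.
# Usage: ./multiqueue.sh <vmid> [net-index]   (net index defaults to 0)

# Print the VM's "cores:" value from `qm config` output on stdin (default 1).
vm_cores() {
  awk '/^cores:/ { print $2; f = 1 } END { if (!f) print 1 }'
}

# Print the queues= value of "net$1:" from `qm config` output on stdin (0 if unset).
net_queues() {
  awk -v n="net$1:" '
    $1 == n {
      if (match($0, /queues=[0-9]+/)) print substr($0, RSTART + 7, RLENGTH - 7)
      else print 0
      f = 1
    }
    END { if (!f) print 0 }'
}

# Given an existing net option string (e.g. "virtio=...,bridge=vmbr0") and a
# queue count, print the string with queues= added or replaced.
set_queues_opt() {
  printf '%s\n' "$1" | sed -E "s/,?queues=[0-9]+//; s/\$/,queues=$2/"
}

# Read the live config of VM $1, set queues on net$2 to the VM's core count.
apply_multiqueue() {
  vmid=$1
  idx=${2:-0}
  cfg=$(qm config "$vmid") || return 1
  cores=$(printf '%s\n' "$cfg" | vm_cores)
  cur=$(printf '%s\n' "$cfg" | awk -v n="net$idx:" '$1 == n { sub(/^[^ ]+ /, ""); print }')
  if [ -z "$cur" ]; then
    echo "VM $vmid has no net$idx device" >&2
    return 1
  fi
  new=$(set_queues_opt "$cur" "$cores")
  echo "net$idx: $cur -> $new"
  qm set "$vmid" "-net$idx" "$new"
}

# Only touch a VM when a vmid is given on the command line.
if [ -n "${1:-}" ]; then
  apply_multiqueue "$1" "${2:-0}"
fi
```

The change takes effect on the next VM start or after unplugging and re-adding the NIC, and the queue count is meaningful only if the guest driver actually uses it, which is exactly the point raised about the FreeBSD guests in this thread.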
 
VyOS is a Debian-based router, so you don't have the VirtIO driver limitations, but I haven't tested the performance of VyOS for any use case other than routing, and routing performance is not the same as using it as a firewall.
 
Thanks for your feedback. To clarify my rather limited needs:
  • Create interfaces -> VLANs + DHCP
  • Configure the firewall
  • All configurations via GUI (convenient)
  • Services like RADIUS, OpenVPN, IPS, etc., are planned for separate VMs.

VyOS
Yes, Debian-based is +++
But I'm hesitant because the free version is a rolling release (not stable).
The stable version is too expensive!

IPFire
I've heard of it but never seen it.
I'll try it out and provide feedback on the throughput.
 
For your information, the latest tests:

  • IPFire
    I was able to achieve an excellent 8000 Mbps download speed. Unfortunately, upload speed is stuck at 4000 Mbps, even with a fine-tuned setup. The main reason I can't continue with IPFire is the limited number of zones/VLANs (4).

  • Sophos firewall v21
    I couldn't get more than 5500 Mbps download and 3300 Mbps upload.

  • VyOS
    I am going to test it.

I'm still interested in your feedback or other products.
 
poor communication with Proxmox's VirtIO network driver.

Well..., this is one rare opportunity where I would try to use PCI pass-through of the physical NIC. This eliminates the virtualization part and should get you the maximum possible (nearly native) performance.

Disclaimer: not tested!
 
Well..., this is one rare opportunity where I would try to use PCI pass-through of the physical NIC. This eliminates the virtualization part and should get you the maximum possible (nearly native) performance.
Yes, this should resolve the bandwidth issues, but unfortunately, it prevents live migration, so I can't implement it.

Currently, my PVE servers have two SFP+ NICs:
- One dedicated to Ceph
- One for LAN/WAN

Do you think adding a WAN-specific NIC could improve bandwidth?
 
Do you think adding a WAN-specific NIC could improve bandwidth?
I can not prove/verify this, but I would expect it.

While Ethernet can operate bidirectionally at full speed by definition, some operations may influence each other: received data must get pushed from the circuit board through PCIe into system RAM, and data to be sent travels the same physical path at the same time in the other direction. There may be differences between cheap and expensive cards in this regard...

Again: not tested!
 