use case evaluation for pfSense on Proxmox setup

Discussion in 'Proxmox VE: Installation and configuration' started by skyheaven46, Nov 9, 2018.

  1. skyheaven46

    skyheaven46 New Member

    Nov 9, 2018
    Likes Received:
    Hello everyone,
    as the subj. says I am trying to get opinions and maybe some help setting up a router replacement box.

    I have a Lenovo ThinkCentre M58p Desktop - Intel Core 2 Duo E8400 3GHz
    which I got specifically to build a router/firewall for my home.
    have 3 1Gb NIC ports. on builtin and 2 on PCI-e card
    all ports are Intel.
    6GB RAM
    currently it has a 250GB HDD in it with a Sphos install. never used.
    depending on what my decision will be I might replace the HDD with SSD.
    biggest issue with this machine is that it only has 2 SATA ports. so I can either have 2 SSD/HHD or 1 drive and DVD. for most part I do not need DVD so I can put 2 drives in and use raid-1 for system setup.

    I have 2 options in front of me.
    option #1 : setup pfSense right on the hardware. and this is simplest as it can be

    option #2 : load Proxmox on the box and run firewall/router in VM.

    cons, pros please voice your opinion.

    if decided to go with option #2 will ask more specific questions on best posible config.

  2. WhiteStarEOF

    WhiteStarEOF Member

    Mar 6, 2012
    Likes Received:
    You may be out of luck entirely. IIRC, current versions of pfSense require AES-NI on the CPU. The E8400 doesn't have it. Virtual or physical, you may just want to junk that box.
  3. janssensm

    janssensm Member
    Proxmox VE Subscriber

    Dec 18, 2016
    Likes Received:
    Current pfSense version does not have this requirement, but future version 2.5 will. Not much news from Netgate since the announcement, so time will tell.
    OPNSense is an alternative without the aes-ni requirement. Sophos UTM is not bad either.
  4. tburger

    tburger Member

    Oct 13, 2017
    Likes Received:
    @WhiteStartEOF: Oh thanks for this headsup. I discovered that the announcement is quite old, but I did not know. However that means that PFsense kicks my back the second time in a row.
    I was replacing all 32bit systems with newer 64bit ones to move from the 2.3 to 2.4 version. Now I discover: AES-NI is the next HW-Requirement... That was it for me I guess - sad, used this since the 2.0 version.

    @skyheaven46: I am using the virtualized approach. Simply because I need (want) other services running and I moved everything to a virtualization host in my home infrastructure. I felt this is a reasonable trade-off between attack risk and one box less. Or the other way around: Flexibility to run more VMs / services.
    On my setup all runs through VLANs (including WAN), a VLAN capable physical switch, an Open-vSwitch on the PVE instance and mentioned PFsense virtual machine.
    Runs smooth, only had problems once when the NIC teaming decided to mess with me.

    Regarding your question for an opinion:
    - On your machine I dont see much benefit though in a virtualized setup. Reasons?
    - You dont have much ressources to spare. The Proxmox instance itself wants a few MB of RAM, so depending on what you are doing with the PFsense you wont be running additional services anyways
    - If you dont run additional services, why adding this layer of complexity?
    - An installation of PFsense on the physical hardware should just work fine (if the NICs are supported) and I can speak from my experience: the config backup and restore works very well! Even if you need to switch HW you can relatively easy get back your working setup.
    - Unsupported NICs on PFsense are however a potential reason to virtualize it - and run on top of the hypervisor to overcome this issue.

    Hope this helps
    With best regards
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice