use case evaluation for pfSense on Proxmox setup

skyheaven46

Nov 9, 2018
Hello everyone,
As the subject says, I am trying to get opinions and maybe some help setting up a router replacement box.

I have a Lenovo ThinkCentre M58p Desktop - Intel Core 2 Duo E8400 3GHz
which I got specifically to build a router/firewall for my home.
It has 3 1Gb NIC ports: one built-in and 2 on a PCI-e card.
All ports are Intel.
6GB RAM.
Currently it has a 250GB HDD in it with a Sophos install, never used.
Depending on what my decision will be, I might replace the HDD with an SSD.
The biggest issue with this machine is that it only has 2 SATA ports, so I can either have 2 SSDs/HDDs or 1 drive and a DVD. For the most part I do not need the DVD, so I can put 2 drives in and use RAID-1 for the system setup.


I have 2 options in front of me.
Option #1: set up pfSense right on the hardware. This is as simple as it can be.

Option #2: load Proxmox on the box and run the firewall/router in a VM.

Cons, pros: please voice your opinion.

If I decide to go with option #2, I will ask more specific questions on the best possible config.

Thanks...
 
You may be out of luck entirely. IIRC, current versions of pfSense require AES-NI on the CPU. The E8400 doesn't have it. Virtual or physical, you may just want to junk that box.
 
Current pfSense version does not have this requirement, but future version 2.5 will. Not much news from Netgate since the announcement, so time will tell.
OPNsense is an alternative without the AES-NI requirement. Sophos UTM is not bad either.
 
@WhiteStartEOF: Oh, thanks for the heads-up. I discovered that the announcement is quite old, but I did not know. However, that means that pfSense kicks my back the second time in a row.
I was replacing all 32-bit systems with newer 64-bit ones to move from the 2.3 to the 2.4 version. Now I discover: AES-NI is the next HW requirement... That was it for me, I guess. Sad; I have used this since the 2.0 version.

@skyheaven46: I am using the virtualized approach, simply because I need (want) other services running and I moved everything to a virtualization host in my home infrastructure. I felt this is a reasonable trade-off between attack risk and one box less. Or the other way around: flexibility to run more VMs / services.
In my setup everything runs through VLANs (including WAN), a VLAN-capable physical switch, an Open vSwitch on the PVE instance and the mentioned pfSense virtual machine.
It runs smoothly; I only had problems once, when the NIC teaming decided to mess with me.

Regarding your question for an opinion:
- On your machine I don't see much benefit in a virtualized setup, though. Reasons?
- You don't have many resources to spare. The Proxmox instance itself wants a few MB of RAM, so depending on what you are doing with pfSense you won't be running additional services anyway.
- If you don't run additional services, why add this layer of complexity?
- An installation of pfSense on the physical hardware should just work fine (if the NICs are supported), and I can speak from my experience: the config backup and restore works very well! Even if you need to switch HW you can relatively easily get back your working setup.
- Unsupported NICs on pfSense are, however, a potential reason to virtualize it and run it on top of the hypervisor to overcome this issue.

Hope this helps
With best regards
Thomas
 
About the AES-NI issue on Proxmox: the Westmere CPU type on Proxmox supports it... I just tested in 5.2 and it seems to work.
Does anyone have any info about performance issues or other problems using guest CPU type Westmere (or any other)?
 
Interesting, I run the exact same setup right now: Proxmox 5.1 and pfSense 2.4.1.xxx
I am not 100% sure of the versions, but I have been running it for the last year.
I have an M58p machine running with a 2-SSD ZFS mirror.
6GB RAM, that is all it supports.
Runs great.
 
