Pfsense Home Router VM in ESXi

K

Killerxp100

Gawd
Joined
May 20, 2011
Messages
1,007
Over the last year I've been slowly condensing all my individual PC's into my ESXi box. Pretty much the last one I have left to do is my pfsense router. Setup seems straight forward, plenty of guides to follow but I do have one question. Originally I was planning to passthrough one NIC directly to the Pfsense VM to use as the WAN, then using a vswitch to do the LAN on a separate NIC. Seems to me this would be the most secure way to set it up, and less overhead, however all the material online I've seen says to set both the WAN & LAN on different vswitches using different physical adapters.

Is there any reason to do it one way over the other? I'm pretty new to all this so any knowledge you can share is greatly appreciated.

*Currently running ESXi 6.5 U1 Free Licence on a Haswell-EP 10 core.
 
I'm differently going to be using 2 separate NICs for wan & lan, basically I'm asking is it better to passthrough the wan NIC to the pfsense VM or to set it up as a vswitch only going to the pfsense vm for wan.
 
Killerxp100 said:
I'm differently going to be using 2 separate NICs for wan & lan, basically I'm asking is it better to passthrough the wan NIC to the pfsense VM or to set it up as a vswitch only going to the pfsense vm for wan.
Click to expand...
I think you can do it either way. I personally wouldn't do a passthrough though. Why do you think it would be more secure?

I currently am using 1 vswitch for LAN and 1 vswitch for WAN with separate adapters.
 
Separate WAN and LAN vSwitches are easier and better - if you are using NICs that support paravirtualization eg. Intel the performance is fairly close to bare-metal.

I'd only do passthrough if the WAN NIC was funky and ESXi didn't recognize it correctly eg. a USB NIC (which I wouldn't recommend for long-term use anyway, they tend to burn out quickly).

What NICs will you be using?
 
Yeah, I just do two vSwitches, each one bound to a different pNIC, and leave it at that. No need to make it more complicated by passing through hardware. There's no benefit to doing that.
 
|-Goku-| said:
I think you can do it either way. I personally wouldn't do a passthrough though. Why do you think it would be more secure?

I currently am using 1 vswitch for LAN and 1 vswitch for WAN with separate adapters.
Click to expand...

I have no reason to believe it is more secure to do passthrough, just my simple logic that passing the wan nic is somehow more secure in that it goes directly to the pfsense vm rather then going through esxi's network management. I'm probably incorrect in thinking this way.

rtangwai said:
Separate WAN and LAN vSwitches are easier and better - if you are using NICs that support paravirtualization eg. Intel the performance is fairly close to bare-metal.

I'd only do passthrough if the WAN NIC was funky and ESXi didn't recognize it correctly eg. a USB NIC (which I wouldn't recommend for long-term use anyway, they tend to burn out quickly).

What NICs will you be using?
Click to expand...

I was planning on using the nics that are on the board I'm using, a Asrock x99 ws. The two nics are intel I217LM & I210AT, which I'm assuming both support paravirtualization. I also have several single and dual port intel PT gigabit pci-e nics I can use as well, also assuming these support paravirtualization.



General consensus here and else where seem to be let ESXI do what it is designed to do and use its network management to set up your vswitches over passthrough of nics and such. I'm going to be testing both solutions but will most likely be using a vswitch to setup my wan port. Thanks for the help!
 
Killerxp100 said:
let ESXI do what it is designed to do and use its network management to set up your vswitches
Click to expand...

Throwing my weight behind this one.

Bonus point in favor of this option - if you ever want to test a new version of pfSense or some alternative router build or what have you, it's considerably easier to be able to build a secondary box with a NIC connected to the vSwitch and then just enable the adapter when the time is right than it is to move the passthrough from one VM to another. Plus, hardware passthrough can be buggy, though I doubt a NIC would have an issue.
 
One thing to take into consideration is that you can't take snapshots of active VMs if they are configured for PCI passthrough... if I remember correctly. You also can't vmotion of course, but with a single host that isn't an issue.
 
Killerxp100 said:
I have no reason to believe it is more secure to do passthrough, just my simple logic that passing the wan nic is somehow more secure in that it goes directly to the pfsense vm rather then going through esxi's network management. I'm probably incorrect in thinking this way.
Click to expand...

I would kind of think that pass through could be slightly more secure in some ways, and less in others. The firewall is one of the boxes that I've always just kept as a physical machine. I understand not wanting to have to power another server, but any time you do maintenance on your VM server you are killing your internet connection. If that doesn't come back up or something gets broken in the update process, you no longer have access to the internet to try to troubleshoot what's broken. But if you use pass through that would mean that ESXi isn't handling the traffic on that interface, so in that case it would be more secure. On the other hand, if something happens on your firewall, there would be physical access to the network interface in the system. The 2nd one I think would be harder to exploit, so I would have to agree that passthrough of the NIC does make sense. Otherwise your ESXi server is technically connected to the internet directly, and it's very possible to try to exploit a bug in the network driver of that system. (It IS connected directly to the internet in both cases, but the virtual is at the software level, the passthrough is at the hardware level)
 
Between the two choices, I would not use passthrough.

But given the choice, I would agree with bman and simply keep pfSense as a separate device. Personally, I use one of these for my pfSense router.
 
As an Amazon Associate, HardForum may earn from qualifying purchases.
sinisterDei said:
Throwing my weight behind this one.

Bonus point in favor of this option - if you ever want to test a new version of pfSense or some alternative router build or what have you, it's considerably easier to be able to build a secondary box with a NIC connected to the vSwitch and then just enable the adapter when the time is right than it is to move the passthrough from one VM to another. Plus, hardware passthrough can be buggy, though I doubt a NIC would have an issue.
Click to expand...

Not to mention that passthrough prevents you from taking snapshots. I've rescued a pfsense VM that got fucked up during an upgrade by being paranoid enough to snapshot it before the upgrade. The 'fix' was as simple as a revert snapshot command. Also being able to back up the VM....
 
You must log in or register to reply here.
Back
Top