Pfsense Home Router VM in ESXi

Joined
May 20, 2011
Messages
898
Over the last year I've been slowly condensing all my individual PC's into my ESXi box. Pretty much the last one I have left to do is my pfsense router. Setup seems straight forward, plenty of guides to follow but I do have one question. Originally I was planning to passthrough one NIC directly to the Pfsense VM to use as the WAN, then using a vswitch to do the LAN on a separate NIC. Seems to me this would be the most secure way to set it up, and less overhead, however all the material online I've seen says to set both the WAN & LAN on different vswitches using different physical adapters.

Is there any reason to do it one way over the other? I'm pretty new to all this so any knowledge you can share is greatly appreciated.

*Currently running ESXi 6.5 U1 Free Licence on a Haswell-EP 10 core.
 
Joined
May 20, 2011
Messages
898
I'm differently going to be using 2 separate NICs for wan & lan, basically I'm asking is it better to passthrough the wan NIC to the pfsense VM or to set it up as a vswitch only going to the pfsense vm for wan.
 

|-Goku-|

[H]ard|Gawd
Joined
Aug 24, 2003
Messages
1,755
I'm differently going to be using 2 separate NICs for wan & lan, basically I'm asking is it better to passthrough the wan NIC to the pfsense VM or to set it up as a vswitch only going to the pfsense vm for wan.
I think you can do it either way. I personally wouldn't do a passthrough though. Why do you think it would be more secure?

I currently am using 1 vswitch for LAN and 1 vswitch for WAN with separate adapters.
 

rtangwai

[H]ard|Gawd
Joined
Jul 26, 2007
Messages
1,369
Separate WAN and LAN vSwitches are easier and better - if you are using NICs that support paravirtualization eg. Intel the performance is fairly close to bare-metal.

I'd only do passthrough if the WAN NIC was funky and ESXi didn't recognize it correctly eg. a USB NIC (which I wouldn't recommend for long-term use anyway, they tend to burn out quickly).

What NICs will you be using?
 

Eulogy

2[H]4U
Joined
Nov 9, 2005
Messages
2,375
Yeah, I just do two vSwitches, each one bound to a different pNIC, and leave it at that. No need to make it more complicated by passing through hardware. There's no benefit to doing that.
 
Joined
May 20, 2011
Messages
898
I think you can do it either way. I personally wouldn't do a passthrough though. Why do you think it would be more secure?

I currently am using 1 vswitch for LAN and 1 vswitch for WAN with separate adapters.

I have no reason to believe it is more secure to do passthrough, just my simple logic that passing the wan nic is somehow more secure in that it goes directly to the pfsense vm rather then going through esxi's network management. I'm probably incorrect in thinking this way.

Separate WAN and LAN vSwitches are easier and better - if you are using NICs that support paravirtualization eg. Intel the performance is fairly close to bare-metal.

I'd only do passthrough if the WAN NIC was funky and ESXi didn't recognize it correctly eg. a USB NIC (which I wouldn't recommend for long-term use anyway, they tend to burn out quickly).

What NICs will you be using?

I was planning on using the nics that are on the board I'm using, a Asrock x99 ws. The two nics are intel I217LM & I210AT, which I'm assuming both support paravirtualization. I also have several single and dual port intel PT gigabit pci-e nics I can use as well, also assuming these support paravirtualization.



General consensus here and else where seem to be let ESXI do what it is designed to do and use its network management to set up your vswitches over passthrough of nics and such. I'm going to be testing both solutions but will most likely be using a vswitch to setup my wan port. Thanks for the help!
 

sinisterDei

[H]ard|Gawd
Joined
Dec 1, 2004
Messages
1,488
let ESXI do what it is designed to do and use its network management to set up your vswitches

Throwing my weight behind this one.

Bonus point in favor of this option - if you ever want to test a new version of pfSense or some alternative router build or what have you, it's considerably easier to be able to build a secondary box with a NIC connected to the vSwitch and then just enable the adapter when the time is right than it is to move the passthrough from one VM to another. Plus, hardware passthrough can be buggy, though I doubt a NIC would have an issue.
 

farscapesg1

2[H]4U
Joined
Aug 4, 2004
Messages
2,623
One thing to take into consideration is that you can't take snapshots of active VMs if they are configured for PCI passthrough... if I remember correctly. You also can't vmotion of course, but with a single host that isn't an issue.
 

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,815
I have no reason to believe it is more secure to do passthrough, just my simple logic that passing the wan nic is somehow more secure in that it goes directly to the pfsense vm rather then going through esxi's network management. I'm probably incorrect in thinking this way.

I would kind of think that pass through could be slightly more secure in some ways, and less in others. The firewall is one of the boxes that I've always just kept as a physical machine. I understand not wanting to have to power another server, but any time you do maintenance on your VM server you are killing your internet connection. If that doesn't come back up or something gets broken in the update process, you no longer have access to the internet to try to troubleshoot what's broken. But if you use pass through that would mean that ESXi isn't handling the traffic on that interface, so in that case it would be more secure. On the other hand, if something happens on your firewall, there would be physical access to the network interface in the system. The 2nd one I think would be harder to exploit, so I would have to agree that passthrough of the NIC does make sense. Otherwise your ESXi server is technically connected to the internet directly, and it's very possible to try to exploit a bug in the network driver of that system. (It IS connected directly to the internet in both cases, but the virtual is at the software level, the passthrough is at the hardware level)
 

sinisterDei

[H]ard|Gawd
Joined
Dec 1, 2004
Messages
1,488
Between the two choices, I would not use passthrough.

But given the choice, I would agree with bman and simply keep pfSense as a separate device. Personally, I use one of these for my pfSense router.
 

danswartz

2[H]4U
Joined
Feb 25, 2011
Messages
3,702
Throwing my weight behind this one.

Bonus point in favor of this option - if you ever want to test a new version of pfSense or some alternative router build or what have you, it's considerably easier to be able to build a secondary box with a NIC connected to the vSwitch and then just enable the adapter when the time is right than it is to move the passthrough from one VM to another. Plus, hardware passthrough can be buggy, though I doubt a NIC would have an issue.

Not to mention that passthrough prevents you from taking snapshots. I've rescued a pfsense VM that got fucked up during an upgrade by being paranoid enough to snapshot it before the upgrade. The 'fix' was as simple as a revert snapshot command. Also being able to back up the VM....
 
Top