Pfsense Home Router VM in ESXi

Discussion in 'Virtualized Computing' started by Killerxp100, Dec 5, 2017 at 6:31 PM.

  1. Killerxp100

    Killerxp100 Gawd

    Over the last year I've been slowly condensing all my individual PCs into my ESXi box. Pretty much the last one I have left to do is my pfSense router. Setup seems straightforward, and there are plenty of guides to follow, but I do have one question. Originally I was planning to pass through one NIC directly to the pfSense VM to use as the WAN, then use a vSwitch on a separate NIC for the LAN. It seems to me this would be the most secure way to set it up, with less overhead; however, all the material I've seen online says to put both the WAN and LAN on different vSwitches using different physical adapters.

    Is there any reason to do it one way over the other? I'm pretty new to all this so any knowledge you can share is greatly appreciated.

    *Currently running ESXi 6.5 U1 Free Licence on a Haswell-EP 10 core.
     
  2. Master_shake_

    Master_shake_ 2[H]4U

    I used 2 different NICs when I VMed my pfSense box.
     
  3. Killerxp100

    Killerxp100 Gawd

    I'm definitely going to be using 2 separate NICs for WAN & LAN; basically I'm asking whether it is better to pass through the WAN NIC to the pfSense VM or to set it up as a vSwitch going only to the pfSense VM for WAN.
     
  4. |-Goku-|

    |-Goku-| [H]ard|Gawd

    I think you can do it either way. I personally wouldn't do a passthrough though. Why do you think it would be more secure?

    I'm currently using 1 vSwitch for LAN and 1 vSwitch for WAN with separate adapters.
     
  5. rtangwai

    rtangwai [H]ard|Gawd

    Separate WAN and LAN vSwitches are easier and better - if you are using NICs that support paravirtualization, e.g. Intel, the performance is fairly close to bare metal.

    I'd only do passthrough if the WAN NIC was funky and ESXi didn't recognize it correctly, e.g. a USB NIC (which I wouldn't recommend for long-term use anyway; they tend to burn out quickly).

    What NICs will you be using?
     
  6. Eulogy

    Eulogy 2[H]4U

    Yeah, I just do two vSwitches, each one bound to a different pNIC, and leave it at that. No need to make it more complicated by passing through hardware. There's no benefit to doing that.
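The two-vSwitch layout rtangwai and Eulogy describe, as an added PowerCLI example that is not from the thread. It assumes a host named esxi01, uplinks vmnic0 (WAN) and vmnic1 (LAN), a pfSense VM named 'pfsense' that has no network adapters yet, and an existing Connect-VIServer session.

```powershell
# Added example (not from the thread): two isolated standard vSwitches for a pfSense VM.
# Assumed names: host 'esxi01', uplinks vmnic0 (WAN) / vmnic1 (LAN), VM 'pfsense'.
# Requires VMware PowerCLI and an active Connect-VIServer session.
$hostName = 'esxi01'
$wanNic   = 'vmnic0'
$lanNic   = 'vmnic1'
$vmName   = 'pfsense'

$esx = Get-VMHost -Name $hostName

# One vSwitch per physical NIC, so WAN and LAN traffic never share an uplink.
$wanSwitch = New-VirtualSwitch -VMHost $esx -Name 'vSwitch-WAN' -Nic $wanNic
$lanSwitch = New-VirtualSwitch -VMHost $esx -Name 'vSwitch-LAN' -Nic $lanNic

# Port groups the VM's adapters attach to.
$wanPg = New-VirtualPortGroup -VirtualSwitch $wanSwitch -Name 'WAN'
$lanPg = New-VirtualPortGroup -VirtualSwitch $lanSwitch -Name 'LAN'

# Harden the WAN switch: the guest may not sniff the uplink or spoof source MACs.
# Note: ForgedTransmits/MacChanges must stay Accept if you later run CARP on pfSense.
$wanSwitch | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
# Let the WAN port group inherit those settings instead of overriding them.
$wanPg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuousInherited $true -ForgedTransmitsInherited $true -MacChangesInherited $true | Out-Null

# Attach the pfSense VM: first adapter on WAN, second on LAN, both paravirtual (vmxnet3).
$vm = Get-VM -Name $vmName
New-NetworkAdapter -VM $vm -NetworkName 'WAN' -Type Vmxnet3 -StartConnected | Out-Null
New-NetworkAdapter -VM $vm -NetworkName 'LAN' -Type Vmxnet3 -StartConnected | Out-Null

# Sanity checks: no ESXi VMkernel (management) port and no other VM on the WAN port group,
# so the only thing ESXi exposes on the internet-facing uplink is the pfSense VM.
$vmk = Get-VMHostNetworkAdapter -VMHost $esx -VMKernel | Where-Object { $_.PortGroupName -eq 'WAN' }
if ($vmk) { Write-Warning "ESXi VMkernel port found on WAN port group: $($vmk.Name -join ', ')" }

$others = Get-VM | Where-Object { $_.Name -ne $vmName } |
    Get-NetworkAdapter | Where-Object { $_.NetworkName -eq 'WAN' }
if ($others) { Write-Warning "Other VMs attached to WAN: $($others.Parent.Name -join ', ')" }
```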
     
  7. Killerxp100

    Killerxp100 Gawd

    I have no reason to believe it is more secure to do passthrough, just my simple logic that passing the WAN NIC through is somehow more secure in that it goes directly to the pfSense VM rather than going through ESXi's network management. I'm probably incorrect in thinking this way.

    I was planning on using the NICs that are on the board I'm using, an ASRock X99 WS. The two NICs are Intel I217LM & I210AT, which I'm assuming both support paravirtualization. I also have several single- and dual-port Intel PT gigabit PCI-e NICs I can use as well, also assuming these support paravirtualization.

    The general consensus here and elsewhere seems to be: let ESXi do what it is designed to do and use its network management to set up your vSwitches rather than passthrough of NICs and such. I'm going to be testing both solutions but will most likely be using a vSwitch to set up my WAN port. Thanks for the help!
     
  8. sinisterDei

    sinisterDei Gawd

    Throwing my weight behind this one.

    Bonus point in favor of this option - if you ever want to test a new version of pfSense or some alternative router build or what have you, it's considerably easier to be able to build a secondary box with a NIC connected to the vSwitch and then just enable the adapter when the time is right than it is to move the passthrough from one VM to another. Plus, hardware passthrough can be buggy, though I doubt a NIC would have an issue.
     
  9. farscapesg1

    farscapesg1 2[H]4U

    One thing to take into consideration is that you can't take snapshots of active VMs if they are configured for PCI passthrough... if I remember correctly. You also can't vmotion of course, but with a single host that isn't an issue.
     
  10. bman212121

    bman212121 [H]ard|Gawd

    I would kind of think that pass through could be slightly more secure in some ways, and less in others. The firewall is one of the boxes that I've always just kept as a physical machine. I understand not wanting to have to power another server, but any time you do maintenance on your VM server you are killing your internet connection. If that doesn't come back up or something gets broken in the update process, you no longer have access to the internet to try to troubleshoot what's broken. But if you use pass through that would mean that ESXi isn't handling the traffic on that interface, so in that case it would be more secure. On the other hand, if something happens on your firewall, there would be physical access to the network interface in the system. The 2nd one I think would be harder to exploit, so I would have to agree that passthrough of the NIC does make sense. Otherwise your ESXi server is technically connected to the internet directly, and it's very possible to try to exploit a bug in the network driver of that system. (It IS connected directly to the internet in both cases, but the virtual is at the software level, the passthrough is at the hardware level)
     
  11. sinisterDei

    sinisterDei Gawd

    Between the two choices, I would not use passthrough.

    But given the choice, I would agree with bman and simply keep pfSense as a separate device. Personally, I use one of these for my pfSense router.
     
  12. danswartz

    danswartz 2[H]4U

    Not to mention that passthrough prevents you from taking snapshots. I've rescued a pfsense VM that got fucked up during an upgrade by being paranoid enough to snapshot it before the upgrade. The 'fix' was as simple as a revert snapshot command. Also being able to back up the VM....
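The snapshot-before-upgrade habit danswartz describes, together with farscapesg1's point that a VM with PCI passthrough cannot be snapshotted, as an added PowerCLI example that is not from the thread. It assumes a VM named 'pfsense' and an existing Connect-VIServer session.

```powershell
# Added example (not from the thread): take a pre-upgrade snapshot of the pfSense VM,
# refusing up front when a passed-through PCI device makes snapshots impossible.
# Assumed names: VM 'pfsense'. Requires VMware PowerCLI and an active Connect-VIServer session.
param([string]$VmName = 'pfsense')

$vm = Get-VM -Name $VmName

# A VM with a passthrough PCI device (such as a NIC) cannot be snapshotted or vMotioned.
$pt = Get-PassthroughDevice -VM $vm
if ($pt) {
    $msg = "{0} has passthrough devices ({1}); a snapshot is not possible. Export pfSense's config.xml from the web UI instead." -f $VmName, ($pt.Name -join ', ')
    Write-Warning $msg
    exit 1
}

# Disk-only snapshot (no memory state); the name carries a timestamp so several can coexist.
$snapName = 'pre-upgrade-' + (Get-Date -Format 'yyyyMMdd-HHmm')
$snap = New-Snapshot -VM $vm -Name $snapName -Description 'Taken before pfSense upgrade' -Memory:$false -Quiesce:$false

# After a good upgrade: Remove-Snapshot -Snapshot $snap
# After a broken upgrade: Set-VM -VM $vm -Snapshot $snap (reverts), then Start-VM -VM $vm
Write-Host "Snapshot '$($snap.Name)' created for $VmName."
```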