Virtualized Router


Apr 13, 2006
I'm curious if anyone has or does run a virtualized router. What's your opinion on the idea? Security issues? Performance hit? Anything else to mention/take note of?

I currently have pfSense running on ESXi (it's free now for those that care) for my home network as a test/for fun thing right now but it's still behind my FIOS issued router. I am also aiming to have one-less-computer running 24/7 meaning not having a computer dedicated just for my router.
I don't really see much use for a virtualised router, except for lab environments.

Most linux/BSD firewall/routing distros will work in vmware without too much pain. I don't know about how good the performance would be; in theory it should be similar to that of an equivalent physical system.
There is another use for virtualized routers, and that is in high end environments, especially where many divisions/branch offices are concerned. Cisco offers it using the VRF protocols.

For example our organization has 27 divisions and we are consolidating all our data centers into two. On the routers that come out of the data center, there will be (at least) 27 VRFs all pointing traffic to the proper locations.
I still think hardware routers are going to be more reliable, especially in multi-site networks, but that's just my opinion.

I think virtualisation is a great idea (we use it at work for some services) but I think that virtualised routing is a bad idea no matter how many specialised protocols people develop.
I don't know if you were responding to me, but in our example, it would not be practical to piggyback 27 routers on top of each other just to send traffic from the consolidated data center back to the sites.

27 is the bare minimum really, as many of those 27 have multiple sites, so it could be 100 sites really. We would have to stack up 100 routers to do that. Not practical. With VRF we'll use 2 in a failover configuration. This configuration is fully supported by Cisco. We're not reinventing the wheel here.
i'm not that familiar with virtualisation in a production's used within the organisation that i work for but i do not believe the implementation is as optimised as it could be and as a result of which it's left a bit of a sour taste in my mouth. on the other side of the fence, in one of our 'partner' organisations, their implementation of virtualisation is i can also definitely see the benefits! i should perhaps say that neither organisation is using virtualised routers...yet...

at a personal level i use the freely available virtualisation tools at home extensively and think it is the best thing since sliced bread. at this precise moment i have running (all inside a single black box workstation) an advanced linux router/utm vm, a basic linux nat router vm, 2003sbs vm, 2003std vm, and approx six 'client' workstation vms. this is the basis of a proof of concept environment that i use to demonstrate software to customers. it bogs down a tad if i have all the client vm's running together, but other than that it hums along without any issues whatsoever. it's quite possibly *the* most flexible learning environment / hack lab i've ever had my hands on - in terms of bang to space/power consumption ratio.

looking at virtualisation in another context...i manage a ha pair of netscreen isg2000 firewalls at my place of work. these support virtualisation of firewall systems. i haven't used the functionality myself but believe it is very popular with isp's and managed service providers. i think for firewalls/routers etc there is always going to be a need to do things 'in hardware' or on 'asic based' kit or at 'wire speed' whatever you want to call perhaps virtualisation of these types of systems is going to take off more in this direction rather than using virtualisation in the other sense?

certainly an interesting topic for discussion! :)
not for the edge but for one step back sure.
I do a lot of filtering VM based but would not put a VM based router directly on the net.

i.e.: similar to what you have, hardware router connected to the line doing nat only allowing connections from the VM router with a VM based router doing transparent proxy/filtering, dns filtering, email scanning, qos, and whatever before that set as the gateway for the network.
My first try of Untangle was in VMware..they have a special download for it, along with a Wiki on how to configure it.

Really have no interest in running a router within a VMware session. To me..I want that box totally separate. Dunno how realistic exploits are at the moment towards VMware..but I'm sure due to the rise in its popularity...the exploits will come. So I want nothing..nothing at all..except my firewall's pure clean WAN NIC on the wild side.
I've been running a Smoothwall box virtualized inside of a Virtual Iron setup for the last 7 months or so, no issues or performance problems that I've run into. I had the same idea as you, wanted to start combining machines and dropping the wattage/heat footprint, it's worked well so far.