PFsense + Snort virtualisation

Is it possible to virtualise pfSense + Snort together?
I have an old PE2850 I'd like to put them on and use for a project. I've never really done much virtualisation to this level, only normal VMs for normal OSes.

If so how would you go about it?
 
Virtualising pfSense is no different to any other OS.
Install, configure, add the Snort package, configure.
There are one or two performance issues with NICs, but nothing problematic provided you are not expecting massive throughput.

Snort can stress a VM box out if pushed too hard, so either take it easy on the rules or throw as much RAM and CPU at the VM as you can get away with.
 
Yup, running it here. At ~105Mbps WAN-to-LAN I use ~40% of 4x 2.33GHz cores. It has 2GB of RAM and generally uses around 30%.

And if you can connect your modem to a port on your switch with its own VLAN then you don't even need to use an extra NIC on your ESX host, provided your ports for VM traffic have enough bandwidth.
 
It was mainly the NIC side of it that I have never had much involvement in virtualising, but it sounds fairly simple looking into it.

Excellent, I shall give this a go then, thanks.
 
So I've given this a quick go now, but I'm struggling with the NIC virtualisation as I'm only using 1 NIC.
Is there a guide somewhere I can use for reference?
 
You can run pfSense on 1 NIC with VLANs, but I can't get my head around the VLANs and virtualisation this late on a Friday.

It would be much easier to pop a second NIC in, and then in whatever your hypervisor is associate a virtual NIC to a real NIC, but someone else may have a better idea.
 
Yeah, that's what I'm trying to do. I've had a look over at the pfSense forums and taken some pointers, but I'm still struggling to get my head around how it's working.

If the worst comes to the worst I'll whack another NIC in, but for now I'd like to try it this way!
 
You can set up Snort in a virtual OS just the same as you can on a physical box. Snort in pfSense is very easy to set up, but the blocking functionality can be problematic if you don't know how to define the correct suppress and whitelist rules.

I do not think it is possible to run pfSense with 1 NIC for use with Snort or some other packages; they all require two interfaces to operate correctly, and I don't think you can get a VLAN interface to work as different interfaces in that regard very well. You can use VLANs on pfSense to work with managed switch VLANs, but they don't work as an interface like a physical port. I think you even assign the VLANs to physical interfaces, so I am not sure how you could get Snort to work with 1 NIC?
 
If your host has a NIC which supports VLANs (.1Q) then you can set up the VLANs inside of ESXi.

You then present multiple NICs to the VM and bind each NIC to the appropriate VLAN inside of the hypervisor (ESXi in my case). Then inside pfSense you will see 4 interfaces, and all the VLAN work is being done where it should be: at the hypervisor level.

That is what I have done anyway, and it worked first time without issue. Oh, I also got the OVF file from pfSense and just pushed that into ESXi; it was the easiest build I ever did.
 
If your host has a NIC which supports VLANs (.1Q) then you can set up the VLANs inside of ESXi.

You then present multiple NICs to the VM and bind each NIC to the appropriate VLAN inside of the hypervisor (ESXi in my case). Then inside pfSense you will see 4 interfaces, and all the VLAN work is being done where it should be: at the hypervisor level.
Exactly this, works a treat and makes moving the VM between hosts very straightforward.
 
But the Snort interface does not support VLANs, it just supports interfaces; will it still work?
Yes, because as far as pfSense is concerned there aren't any VLANs. As soisix says, the VLANs are configured at the hypervisor level as different port groups, and you're just presenting normal NICs/interfaces to pfSense.

I'm running snort on my pfSense install and can confirm this works properly with VLANs set up on ESXi and my switches :)

ETA, we're talking about having essentially one vSwitch for ESXi and the VM traffic, using one physical NIC port connected to a VLAN-tagged port on your switch. That is then split down into port groups for each VLAN you're using, and then your pfSense VM has a number of virtual NICs, each bound to a port group (i.e. VLAN) as required. ESXi uses one physical NIC, but pfSense sees 1, 2, 3 or however many virtual NICs (i.e. VLANs) you need.

I'm not sure if that's clearer or more confusing, sorry :p
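The single-uplink layout described in that post, written out as ESXi host-shell (esxcli) commands. This is an added example, not something posted in the thread; the vSwitch name, the uplink vmnic and the port-group/VLAN list are assumed placeholders, and the pfSense VM's virtual NICs are attached to these port groups afterwards in the VM settings. The layout check refuses two port groups on the same VLAN ID, because pfSense would see two separate NICs while the hypervisor had actually joined them into one segment.

```shell
#!/bin/sh
# One vSwitch, one physical uplink on a tagged (trunk) switch port, and one
# port group per VLAN. pfSense gets one vNIC per port group and never sees
# a tag. All names and IDs below are constructed placeholders.
VSWITCH="vSwitch-pfSense"
UPLINK="vmnic1"
PORTGROUPS="WAN:10 LAN:20 DMZ:30"   # entries are "portgroup:vlan-id"

# ESXCLI defaults to the real binary; set ESXCLI="echo esxcli" to preview.
: "${ESXCLI:=esxcli}"

# Sanity-check the layout before touching the host: numeric IDs in the
# 802.1Q range 1-4094 (4095 is VGT, not wanted here) and no VLAN reused.
check_layout() {
    seen=""
    for entry in $PORTGROUPS; do
        case "$entry" in *:*) ;; *) echo "bad entry: $entry" >&2; return 1 ;; esac
        pg=${entry%%:*}
        vid=${entry##*:}
        case "$vid" in
            ''|*[!0-9]*) echo "$pg: VLAN id '$vid' is not numeric" >&2; return 1 ;;
        esac
        if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
            echo "$pg: VLAN id $vid outside 1-4094" >&2; return 1
        fi
        case " $seen " in
            *" $vid "*) echo "$pg: VLAN $vid already used by another port group" >&2; return 1 ;;
        esac
        seen="$seen $vid"
    done
}

# Create the vSwitch, attach the single uplink, then add one port group per
# VLAN and tag it with its VLAN ID (ESXi strips/adds the tag for the VM).
build_vswitch() {
    $ESXCLI network vswitch standard add --vswitch-name="$VSWITCH" || return 1
    $ESXCLI network vswitch standard uplink add --uplink-name="$UPLINK" \
        --vswitch-name="$VSWITCH" || return 1
    for entry in $PORTGROUPS; do
        pg=${entry%%:*}
        vid=${entry##*:}
        $ESXCLI network vswitch standard portgroup add --portgroup-name="$pg" \
            --vswitch-name="$VSWITCH" || return 1
        $ESXCLI network vswitch standard portgroup set --portgroup-name="$pg" \
            --vlan-id="$vid" || return 1
    done
}

# Only act when explicitly asked: ./build.sh apply
case "${1:-}" in
    apply) check_layout && build_vswitch ;;
esac
```

Preview the commands with `ESXCLI="echo esxcli" sh build.sh apply` before running them on the host.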
 