Running a VM as my firewall (Untangle, pfSense etc)

I'm considering ditching my USG Pro as, well, the software is getting on now and I have a requirement to run BGP and VPNs, and it's getting increasingly difficult and frustrating to do this via a JSON file. Not only that, but I'm getting some weird issues whereby I have to update it to the same firmware to stop packet loss.

I've got some decent vSphere hardware and I run quite a few VMs at home already. Frustratingly they are not near the ONT, so I'm considering getting another small host to run a dual NIC and set it up with an Untangle VM to run my home firewall. I have FTTP (900/100) and I'd like it to support multiple VLANs, BGP, route- and/or policy-based VPNs etc. and run at line speed. Does anyone do this? If so, how have you found Untangle vs pfSense (I used to run pfSense on a hardware appliance)? I'm drawn to Untangle because the GUI looks decent, but then I believe it comes with a cost. Are there any alternatives? Or am I mad?
 
I run pfSense in a VM, on Hyper-V currently. It's been superb; I really like the GUI, it's easy to navigate and set up. Also using the pfBlockerNG package for adblocking.

The other alternative is OPNsense, which is a fork of pfSense, but I couldn't get along with the GUI on that for whatever reason.

pfSense/OPNsense should cater for all your needs easily though. I'm using it for VLANs, policy-based routing, VPN client and server, adblocking as above etc.
 
I run Mikrotik CHR on a Proxmox VM, found it way better than OPNsense personally; although it's a bit of a learning curve to get used to, it's much better than anything else imo.
I will be getting a dedicated x86 machine to run as a router instead, just because I like being a bit creative with my Proxmox machine sometimes and I don't like it affecting my whole net when I have to restart it, for example.

Otherwise no issues, was pretty simple to set up and it just works, and handles my 940/940 with no issues.
Using an i7-920 with 1GB RAM allocated to the VM; it never uses more than 100MB RAM even when using the whole connection.
 
I have a server at home but chose to run pfSense on an HP Thin Client T730 with a low-profile quad Intel network card (NC365T). It's been superb and I don't have to worry if I'm doing any work on the server which will need a reboot etc. Kids are happy with near 100% uptime :D

Food for thought, although your requirements may be different.
 
I have a server at home but chose to run pfSense on an HP Thin Client with a quad Intel network card. It's been superb and I don't have to worry if I'm doing any work on the server which will need a reboot etc. Kids are happy with near 100% uptime :D

Food for thought, although your requirements may be different.

I have done similar. I have two systems, one being a Dell Optiplex 5050 with an Intel dual Gig NIC, which runs pfSense, Home Assistant and UniFi Video in their own VMs so that all the critical services are up 24/7. The other box is a Dell Optiplex 5070 which runs unRaid with the rest of the services, which won't upset everyone if I need to reboot :)
 
OPNsense, and I assume pfSense as well since they're both BSD, won't use multiple threads for PPPoE.
So just keep that in mind if you are using PPPoE; not sure what ISP you are with.
There's a thread about it on the TBB forums called "Router hardware capable of routing 900mbps over PPPoE".
 
There's an i7-9700 based system locally for a decent price in a satellite PC case. Pretty tempted to get that and experiment for a short while. Running something on it as bare metal vs as a VM.
 
There's an i7-9700 based system locally for a decent price in a satellite PC case. Pretty tempted to get that and experiment for a short while. Running something on it as bare metal vs as a VM.

Sounds decent. Got the i7-9700 in my unRaid box; it's plenty powerful enough for 30+ Dockers running and a couple of VMs.
 
I run pfSense on dedicated hardware and have a VM set up for it as well for emergency use on one of my servers. During testing and initial deployment I used the VM and then decided to go with a separate device so I can work on the servers without impacting the firewall and inter-VLAN routing, as I don't have any L3 switches yet. Both modes were fine; I just preferred the standalone device approach.

I looked at Untangle but the price jump wasn't ideal, and then I found it doesn't support link aggregation, which at the time was a deal breaker for me as almost all of my kit was 1Gbps and I wanted to bond two NICs for LAN due to inter-VLAN routing and potentially another two for WAN (VM 1.1Gbps pre SH5).
 
I've just had a light bulb moment for something I can try. I have a QNAP NAS which is next to the ONT and in it I have two 10 Gbps interfaces and two spare 2.5 Gbps interfaces. I use the two 10 Gbps on the LAN side and it provides storage to my vSphere environment as well as media for Plex. It's an AMD V1500B CPU so it supports AES-NI and I have plenty of RAM and fast storage in it. I'm going to try Untangle using their trial as a VM within Virtualisation Station on the QNAP and use one of the 2.5 Gbps ports as the 'WAN' interface and plug it directly into the ONT and pass it through.
 
I managed to pick up an i7-9700, 16GB RAM, motherboard, PSU and case for £200, I then added a dual 10 Gbps SFP based NIC from eBay and a new CPU heatsink and fan, total cost around £265 or so. The CPU is a little higher spec than I was after but it does mean I can run some other workloads on the box too. ESXi installed, one interface to my ONT and the other to my main 10 Gbps switch and rest of the network. I'll probably get another single interface NIC so I can use the dual NIC on the same VDS as the rest of the hosts.

The installation is a bit weird; you seem to have to do things in a certain order before it'll allow you access to configure things. I got there in the end and so far I'm liking it. My IPsec VPN came up straight away (with SHA-2, which the USG does not do), QoS was easy to configure and I finally have a tunnel-based VPN working to my VPN provider along with tunnel tagging for some clients (this took the most time and I found the answer on their forums after Googling quite a bit). I have quite a bit more testing to do, such as BGP with my NSX lab as an example, more time spent with filtering and their IDS to get my head around, then there's the reporting and how to use it properly when I get an issue. I may ask them to extend the 14-day trial before moving onto OPNsense to see how that works in comparison.

I'm still noticing some weird behaviour though, specifically around port forwarding and the IPsec VPN seemingly dropping at random times, so more investigation to do. It's also frustrating that if I make any VLAN changes on the Untangle I then also have to do it in the UniFi controller so that the configuration is matched on my switches, which I was expecting, but I'd forgotten how easy UniFi make it for you. It's just a shame their USG is really lacking these days.

Frustratingly I would need IPsec, which brings with it a cost, and although I could run that internally and run NAT-T I'd rather it were done on my main firewall. With that said, I get a grant each year to spend on lab/work related stuff so I could just buy a 3-year licence with that.
 
You should give it a shot; more of a learning curve, but once it's set up it just works.
I wouldn't switch to anything else now. You get a lot of information about what's going on, and although the interface might not look as 'fancy' as other things around, it is way more functional.

Keep in mind when you first install it, you will be limited to 1Mbps, so you will need to register a licence on the free tier.
You'll only get 2 months on this trial, but after these 2 months the only thing you will lose is the updates, so I didn't even see the need to buy it :)
 
I plan to ditch the standard BT router in favour of pfSense soon; need to tidy up my network as well, separating everything off. Been a long, long time since I did anything like it so it's a bit of a learning curve. I actually will have the choice of pfSense or Mikrotik RouterOS, no idea if one is better than the other.
 