Virtual router appliance - pfSense on ESX - any gotchas?

So I've become sufficiently fed up with my new Netgear SRX5308 that I'm going to ditch it and run a pfSense virtual appliance instead. I've got a quick and dirty test VM running at the moment which has the LAN side sharing bandwidth with a few other VMs on the vswitch, so the first thing I'll be doing is adding another NIC and creating a new vswitch for pfSense (and perhaps some other low bandwidth VMs). The WAN NIC is a pass-through device, making use of a 1GbE port on the motherboard that ESX does not recognise.

But mainly I am wondering if anyone else is doing this and if there are any particular issues I should be aware of? Performance seems excellent so far and configuring firewall rules is quite similar to the Prosafe Netgear routers so I feel quite at home.

I run DHCP from a Windows server but I'd quite like to run a DHCP server on pfSense for a specific vlan for guest wifi access (from a DD-WRT AP). Is that something it can do?

Cheers :)
 
Definitely :D

I'm just trying to weigh up the pros and cons between running something basic but dedicated like a Dell R200, vs the VM. On the one hand the VM adds very little overhead (resources, cost or power consumption) but for me puts the Internet connection at greater risk of going down since I often need to power down the host to change drives. Vs the cost and power consumption of a dedicated box.

I think a basic R200 should idle at between 0.3A and 0.4A which isn't too bad. Also, moar kit :cool: :rolleyes: :D
 
pfSense is great, runs on minimal hardware or VM resources. Easy to set up and there are loads of YouTube videos on how to set it up. Install squid and you've got a great proxy server too. I'm just trying to set it up as a VPN server, but haven't quite got it working yet. Does what it says on the box. VLAN support works like a dream, which I use all the time in my test environment.
 
Yep, pretty simple to do as long as you can work out which NICs in pfSense are connected to which networks. That took a bit of time when I set them up :D.

Apart from that it was very simple and quick. Worked as advertised. No issues I could see, and I was using them as virtual routers between two virtual datacenters within a single vSphere host for testing replication and failover.

RB
 
What's pfSense like on an Atom box? At 100Mb/s I was using about 25% CPU on my Phenom 965 based ESX host, with some basic rules, snort and some logging. The cost of an Atom box like that is higher up-front than, say, an R200 - but would probably use less juice so could be cheaper in the long run.
 
The ones I built were based on this: http://www.mini-itx.com/store/~c1-rack

With an Atom 330 (JNC92-330), 1GB RAM, SATA HDD & 3 port GbE daughter card (giving me 4 x GbE in total). It drew approx 0.3A and performed without a hiccup, although all we were doing was simple VPN and NAT on multiple VLANs.

We also have some on R200s. To give you an example of a live system, we have an R200 w/E5400, single SATA, 4GB RAM, 2 x additional dual port NICs running 5 Site-to-Site VPNs & Roadrunner VPN, 30 VLANs, CARP enabled and multiple WANs.

Average throughput is around 10 - 70 Mbps and the CPU runs less than 20% usually. The R200s draw about 0.5 - 0.7A each.
 
Wonderful information there volkan, thanks very much :)

I think I'll run pfSense on a USB stick, should use a little less power than a hard drive. I'll let you guys know how much power I end up sucking!
 
It's the kind of thing I'd rather have dedicated hardware for. My ESX box regularly gets shut down to add/remove hard drives. It's an extra layer that can fail and cause a disruption to Internet connectivity.

I would rather use the pfSense VM as a backup/failover for any instance when the dedicated system is unavailable.
 
Using Volkan's figures, average 0.6A is going to cost you £10 a month to run, and it's going to be hot and loud.
 
I'm anticipating it will use slightly less power than that, based on the specs and what I've read so far. But even so, £10/mo is fine. It comes under the 'hobby' budget :)

You don't want to know how much power I draw in total if you think that's bad...
 
Supermicro do some fairly cheap 1U mITX chassis. The SC5xx series are all mITX 1Us.

Have just seen a CSE-503L-200B for around 86 quid for example.

Depending on which way you want to go, the Intel D2500CC is also a very nice Atom board and comes with dual nics. Seems to be selling for around 75 quid.

I am getting a number of these boards in for use as pfSense or PABX units. They seem pretty much tailored for it.

RB
 
A bit off topic now but... I got the R200 today and set it up this evening. It's a basic unit (dual core Xeon 3065 @ 2.33GHz, 2GB RAM, single 250GB drive) and before I enabled the power management in pfSense it was using around 90W, which is about 0.375A. Now that's enabled though, the dashboard says the CPU is down to 500MHz so the usage should be a bit lower. I'll check it tomorrow :)

Seems plenty fast enough!
 