Virtual router appliance - pfSense on ESX - any gotchas?

So I've become sufficiently fed up with my new Netgear SRX5308 that I'm going to ditch it and run a pfSense virtual appliance instead. I've got a quick and dirty test VM running at the moment which has the LAN side sharing bandwidth with a few other VMs on the vswitch, so the first thing I'll be doing is adding another NIC and creating a new vswitch for pfSense (and perhaps some other low bandwidth VMs). The WAN NIC is a pass-through device, making use of a 1GbE port on the motherboard that ESX does not recognise.

But mainly I am wondering if anyone else is doing this and if there are any particular issues I should be aware of? Performance seems excellent so far and configuring firewall rules is quite similar to the Prosafe Netgear routers so I feel quite at home.

I run DHCP from a Windows server but I'd quite like to run a DHCP server on pfSense for a specific vlan for guest wifi access (from a DD-WRT AP). Is that something it can do?

Cheers :)
 
Definitely :D

I'm just trying to weigh up the pros and cons between running something basic but dedicated like a Dell R200, vs the VM. On the one hand the VM adds very little overhead (resources, cost or power consumption) but for me puts the Internet connection at greater risk of going down since I often need to power down the host to change drives. Vs the cost and power consumption of a dedicated box.

I think a basic R200 should idle at between 0.3A and 0.4A which isn't too bad. Also, moar kit :cool: :rolleyes: :D
 
What's pfSense like on an Atom box? At 100Mb/s I was using about 25% CPU on my Phenom 965 based ESX host, with some basic rules, snort and some logging. The cost of an Atom box like that is higher up-front than, say, an R200 - but would probably use less juice so could be cheaper in the long run.
 
Wonderful information there volkan, thanks very much :)

I think I'll run pfSense on a USB stick, should use a little less power than a hard drive. I'll let you guys know how much power I end up sucking!
 
It's the kind of thing I'd rather have dedicated hardware for. My ESX box regularly gets shut down to add/remove hard drives. It's an extra layer that can fail and cause a disruption to Internet connectivity.

I would rather use the pfSense VM as a backup/failover for any instance when the dedicated system is unavailable.
 
I'm anticipating it will use slightly less power than that, based on the specs and what I've read so far. But even so, £10/mo is fine. It comes under the 'hobby' budget :)

You don't want to know how much power I draw in total if you think that's bad...
 
A bit off topic now but... I got the R200 today and set it up this evening. It's a basic unit (dual core Xeon 3065 @ 2.33GHz, 2Gb RAM, single 250Gb drive) and before I enabled the power management in pfSense it was using around 90W, which is about 0.375A. Now that's enabled, though, the dashboard says the CPU is down to 500MHz, so the usage should be a bit lower. I'll check it tomorrow :)

Seems plenty fast enough!
 
Pretty good for a 1U. You get the usual 100% fan speed while it powers on of course, but then it settles down and it's really not that loud at all. I would classify it as a loud desktop machine.

Certainly much quieter than the fully kitted out PE2950 it's sat above at the moment :)
 