pfSense with network storage

[Raxxard]

Hi!

 

I'm looking into building my own router based on the LTT video. I have one question regarding maybe using the same machine to install my hard drives from my main PC into it and being able to access it locally (remote access is not needed). Would I be able to do this? Does it make any security compromises?

 

Thank you for your advice!

 

[Levent]

Have you thought about virtualization pfsense and also running a virtualized setup of whatever storage solution that fits to your needs?

[Raxxard]

2 minutes ago, Levent said:

Have you thought about virtualization pfsense and also running a virtualized setup of whatever storage solution that fits to your needs?

Yes, I heard about this solution on reddit while trying to find answer to this question. However, I'm trying to do this project on a budget and if the cost of the virtualization software would be too high then I'd rather skip this solution. Do you have anything in mind where I could save on this?

[Levent]

3 minutes ago, Raxxard said:

Yes, I heard about this solution on reddit while trying to find answer to this question. However, I'm trying to do this project on a budget and if the cost of the virtualization software would be too high then I'd rather skip this solution. Do you have anything in mind where I could save on this?

Actually Proxmox is free and I can recommend it, its relatively straight forward to set up as well. As far as using pfsense as a NAS, I am not sure if it supports any sort of plugins or has a feature of that sort.

[Needfuldoer]

You don't want to mix other roles into your firewall. Run Proxmox as your hypervisor, pass a multi-port Intel NIC through to a pfsense/OPNsense VM, and pass a drive controller through to a TrueNAS Scale VM. Then you can also set up containers or another VM if you want to run other "infrastructure" type systems like Home Assistant or PiHole.

[Raxxard]

9 minutes ago, Needfuldoer said:

You don't want to mix other roles into your firewall. Run Proxmox as your hypervisor, pass a multi-port Intel NIC through to a pfsense/OPNsense VM, and pass a drive controller through to a TrueNAS Scale VM. Then you can also set up containers or another VM if you want to run other "infrastructure" type systems like Home Assistant or PiHole.

 

26 minutes ago, Levent said:

Actually Proxmox is free and I can recommend it, its relatively straight forward to set up as well. As far as using pfsense as a NAS, I am not sure if it supports any sort of plugins or has a feature of that sort.

Thank you for your suggestion. Will take a look at Proxmox and will figure this out!

[LIGISTX]

2 hours ago, Raxxard said:

 

Thank you for your suggestion. Will take a look at Proxmox and will figure this out!

Proxmox is great, but…. I wouldn’t recommend virtualizing pfsense unless you are well versed in networking and virtualization. If your server goes down for physical maintenance for say adding a drive, replacing a drive, maybe something isn’t happy and needs a reboot. During that time, you have no networking and no internet. Now say something doesn’t boot up correctly, maybe the pfsense vm doesn’t launch… now what? How do you get into the hypervisors webUI or SSH in to fix it if your router (which is a vm under the hypervisor) is not on? If you can answer this question, your ready to go virtual with your network infrastructure. If you can’t, your likely not ready because this is an issue you will inevitably face, ask me how I know. 
 

I run pfsense, truenas, and many other VM’s all virtually on my homelab and it’s great. But that is only possible because I ran these things bare metal for years and now have a very good working understanding of networking and homelab stuff in general. So yes, it’s very much possible, but I didn’t attempt to virtualize pfsense until I had years of virtualization experience and years of pfsense on bare metal in my house. 

[Raxxard]

1 hour ago, LIGISTX said:

Proxmox is great, but…. I wouldn’t recommend virtualizing pfsense unless you are well versed in networking and virtualization. If your server goes down for physical maintenance for say adding a drive, replacing a drive, maybe something isn’t happy and needs a reboot. During that time, you have no networking and no internet. Now say something doesn’t boot up correctly, maybe the pfsense vm doesn’t launch… now what? How do you get into the hypervisors webUI or SSH in to fix it if your router (which is a vm under the hypervisor) is not on? If you can answer this question, your ready to go virtual with your network infrastructure. If you can’t, your likely not ready because this is an issue you will inevitably face, ask me how I know. 
 

I run pfsense, truenas, and many other VM’s all virtually on my homelab and it’s great. But that is only possible because I ran these things bare metal for years and now have a very good working understanding of networking and homelab stuff in general. So yes, it’s very much possible, but I didn’t attempt to virtualize pfsense until I had years of virtualization experience and years of pfsense on bare metal in my house. 

Isn't it possible to get into the web interface of Promox even when internet is down with the set IP address?

[The Hope]

I also think that virtualizing pfSense is very risky for a novice, as LIGISTX has said.

 

Furthermore, I never understood the hype around Proxmox.

FreeBSD's bhyve hypervisor can clone (or snapshot) a VM in less than a second--even if running on a 10 year old laptop computer--whereas ProxMox cannot (even if you install ZFS as the file system everywhere used by ProxMox).

 

You can also say that bhyve is one of the fastest virtualization technologies in other areas:

https://klarasystems.com/articles/virtualization-showdown-freebsd-bhyve-linux-kvm/?utm_source=discoverbsd

 

To answer the OP's original question. pfSense is one of the fastest router softwares out there, if not the fastest out there. So you don't need powerful hardware to run this, a Pentium 4 is probably still powerful enough. I mean you don't need expensive hardware to run this and it should be easy to put together something really cheap to run specifically for pfSense.

[Raxxard]

9 minutes ago, The Hope said:

I also think that virtualizing pfSense is very risky for a novice, as LIGISTX has said.

 

Furthermore, I never understood the hype around Proxmox.

FreeBSD's bhyve hypervisor can clone (or snapshot) a VM in less than a second--even if running on a 10 year old laptop computer--whereas ProxMox cannot (even if you install ZFS as the file system everywhere used by ProxMox).

 

You can also say that bhyve is one of the fastest virtualization technologies in other areas:

https://klarasystems.com/articles/virtualization-showdown-freebsd-bhyve-linux-kvm/?utm_source=discoverbsd

 

To answer the OP's original question. pfSense is one of the fastest router softwares out there, if not the fastest out there. So you don't need powerful hardware to run this, a Pentium 4 is probably still powerful enough. I mean you don't need expensive hardware to run this and it should be easy to put together something really cheap to run specifically for pfSense.

I got an overskill setup (i5-4670k, 8 gigs of RAM, SSD) for this purpose. That's why I'm trying to figure out a way to at least better utilize the system. Running a 2-in-1 sounded like a good idea. Could you please give me some reasons why NOT to virtualize the pfSense (or opnSense) environment? What could be the drawbacks? Maybe I can live with them, maybe I can't. 

 

It's important to note that this is just a fun learning project for me, that can actually have a nice benefit for my home setup. We are not talking about professional use.

[The Hope]

6 minutes ago, Raxxard said:

I got an overskill setup (i5-4670k, 8 gigs of RAM, SSD) for this purpose. That's why I'm trying to figure out a way to at least better utilize the system. Running a 2-in-1 sounded like a good idea. Could you please give me some reasons why NOT to virtualize the pfSense (or opnSense) environment? What could be the drawbacks? Maybe I can live with them, maybe I can't. 

 

It's important to note that this is just a fun learning project for me, that can actually have a nice benefit for my home setup. We are not talking about professional use.

I mainly meant what LIGISTX had already said.

 

Actually, before you use a firewall, you should learn how to configure it.

Few options are better for learning this than FreeBSD and OpenBSD. They both use PF, and although these two PF versions have grown apart, they are still very similar. PF is easier to configure than any Linux firewall, mainly because of its syntax, but also for other reasons.

Of course you can also use FreeBSD and OpenBSD as NAS. So this seems like the best solution to me.

Your biggest problem is that you don't have any experience with these types of systems, so you're going to run into a lack of knowledge and experience. But it is the perfect learning experience.

Another advantage of starting with FreeBSD or OpenBSD is that you will be able to configure your firewall and NAS without actually having to use a GUI. The GUI is one of the most vulnerable things in a firewall and also in most NAS systems, because it adds (a lot) of complexity, and complexity is the biggest enemy of security.

 

That's my final advice

[Electronics Wizardy]

1 hour ago, The Hope said:

FreeBSD's bhyve hypervisor can clone (or snapshot) a VM in less than a second--even if running on a 10 year old laptop computer--whereas ProxMox cannot (even if you install ZFS as the file system everywhere used by ProxMox).

Proxmox can do the sub 1 second snapshot too. Ive just did one. By default proxmox included ram in its snapshots and that takes a good amount of time to write onto disk, but if its a disk only snapshot, its super fast.

 

1 hour ago, The Hope said:

Furthermore, I never understood the hype around Proxmox.

Its not super exciting, but its a free hypervisor that has a nice gui and is fairly easy to use.

 

Yea you don't need a gui, but its really nice to have and makes it much easier to discover features. And a lot of home users want a simple solution as there not full time sysadmins.

 

 

[LIGISTX]

2 hours ago, Raxxard said:

Isn't it possible to get into the web interface of Promox even when internet is down with the set IP address?

“Yes”… but it’s not just internet being down, it’s your entire network. If you go on your Wifi, it won’t actually do anything. You would connect to it (if it even lets you, it may not since it won’t have a DHCP server to hand out an IP… since your DHCP server isn’t on), or you could plug into a ethernet (same issue). There would no longer be a router doing DHCP duty, so your devices won’t have IP’s and your LAN no longer exists.

 

The solution is just to manually put a laptop (or a PC that is close enough to run a wire), on the same subnet your proxmox webUI is on (if you have a flat network that is just the typical 192.168.1.1, it’s just that, but things get a little more fun once you start using vlans which is likely inevitable once you are using pfsense and managed switches and AP’s), then you would be able to get to the webUI. But you also don’t have internet to help you troubleshoot.

 

Again, yes. It is possible to virtualize a NAS OS like truenas or unraid next to pfsense both under a hypervisor. But… I would run them both bare metal for a good long while first so you can get a better set of mental tools to be able to deal with issues as they arise - because they will arise. It’s crappy enough when your NAS is offline, it’s really crappy when your entire network is down.