NAS/pfsense router using unraid possible?

[sazrocks]

Is it possible to use a computer as both a NAS and pfsense router using UnRAID or something similar? Are there any problems that might come up? This is assuming I have separate NICs for the NAS and pfsense VMs.

[Electronics Wizardy]

Possible, but not reccomended.

 

Id suggest using something like centos, all the features of unraid and free and more customizable.

 

Id stay away from having a router in a vm so your whole network doesn't go down if that system goes down.

[jj9987]

It should be possible in theory. You can set up pfSense in a virtual machine, easiest would be if you have multiple NICs and you can passthrough one to the VM. Here is a guide on Limetech forum regarding NIC passthrough - https://lime-technology.com/forum/index.php?topic=39638.0

 

There is one problem though - in the event that the VM or host crashes, your whole network routing will be unavailable. It is still suggested to have a router as separate computer/device.

[sazrocks]

3 minutes ago, jj9987 said:

It should be possible in theory. You can set up pfSense in a virtual machine, easiest would be if you have multiple NICs and you can passthrough one to the VM. Here is a guide on Limetech forum regarding NIC passthrough - https://lime-technology.com/forum/index.php?topic=39638.0

 

There is one problem though - in the event that the VM or host crashes, your whole network routing will be unavailable.

 

3 minutes ago, Electronics Wizardy said:

Possible, but not reccomended.

 

Id stay away from having a router in a vm so your whole network doesn't go down if that system goes down.

Okay, so its possible, but for reliability's sake I should have them in separate boxes.

4 minutes ago, Electronics Wizardy said:

 

Id suggest using something like centos, all the features of unraid and free and more customizable.

 

I thought unraid was something that could host VMs at a very low level? What exactly is centos and how is it different from unraid? I'm still pretty new to this stuff.

[Electronics Wizardy]

Just now, sazrocks said:

I thought unraid was something that could host VMs at a very low level? What exactly is centos and how is it different from unraid? I'm still pretty new to this stuff.

unraid and centos are both linux distros and both use KVM for hosting vm's, so its the same thing under the hood.

 

 

[sazrocks]

30 minutes ago, Electronics Wizardy said:

unraid and centos are both linux distros and both use KVM for hosting vm's, so its the same thing under the hood.

 

 

Just dug a bit deeper and holy crap there's a lot here. Thanks for telling me about centos!

[thendawg]

Its definitely a possibility, a few things to consider though (some have already been mentioned), if the physical server goes down for any reason, youll loose all wan connectivity (and dns or other routing as well, depending on how you have the network configured), so basically youre creating a single point of failure for both your wan routing/firewall, as well as NAS, and whatever else you run on the hardware. Obviously this would never be advised in a production enterprise environment, but for home use it's all up to you. If you do wish to go this route, Id make sure the machine has some types of fault tolerance, such as some type of disk redundancy (RAID 1, 5, 6, etc), and redundant power supplies. This will help insure that most faults wont cause the machine to go down.

 

I personally don't know a ton about unraid, how stable it is, etc, however I personally prefer using VMWare ESXi as, for one, Im most familiar with it, and second, its extremely stable and used in production enterprise environments around the world. KVM (rhel/centos) I would call a close second. There is a completely free license available for esxi that will give you basically the same capabilities as KVM, but with a bit more management and reporting functionality (and a clean, pretty GUI). Basically the free esxi license simply limits you to a single physical host and no vsphere features - so no vcenter - that means no web gui, no HA features, no clustering, no backup API's (yeah there's more but those are the things I think of off the top of my head). For a single host in a home environment though, those things really arent needed (although Id like to have some of the backup capabilities, thatd be nice). 

 

Finally, I'll finish by saying, Im doing exactly what you're talking about and havent had a single issue in over a year of usage. I previously had an older server running esxi 5.0 and an old desktop running pfsense. After some issues with the NIC, I decided to try just virtualizing pfsense when I upgraded to the newer server with esxi 6.0 and have never looked back. Another added benifit of having it virtualized, I was able to isolate some of my servers by putting them on different networks with specific routing rules, all just using vswitches and adding additional vnics to the pfsense VM. This could be done with a separate pfsense box, but wouldve required the use of multiple links between the server and pfsense box along with configuring vlans on the switch. As I recommended above, my esxi server has redundant PSU's and the datastore pfsense resides in is on a local RAID 5. 

 

To even further increase reliability Ive considered cabling two NIC ports from the server to my switch, than a single from my switch to cable modem, put the 3 in a seperate vlan, then set the 2 links on the WAN vswitch as failover only. (thus giving me fault tolerance in case one of the two quad port nics in my server fail) - havent got around to this yet, but I have the ports, so I may play with it, however, Im also planning on adding a Verizon LTE gateway as a second failover gateway for pfSense, so that would end up using my 1 free NIC port.

 

As for performance, my box has dual X5670's and 64GB Ram. The pfSense VM has 2 cores and 2GB Ram dedicated to it. I also tested using VMDirectPath IO to dedicate a NIC to WAN traffic for the pfSense VM, however, it had no observable benefit over simply using vNics and vSwitches. Currently its configured with a dedicated "WAN" vswitch, which only has the pfSense WAN vNIC and the physical NIC going to my cable modem on it. Ive done some research on this in regards to security and have found that ESxi presents no additional attack surfaces over pfsense itself - so as long as you dont do something stupid like putting a management vmkernel port on your external facing vswitch, its just as secure as a physical pfsense box. As far as overall performance goes, my current connection is only 500mbit down/50 up, and it has no issue maxing my connection. I setup a synthetic test, using pfsense to NAT/route between a system on the WAN side and LAN side, in this test I achieved around 900mbit (switch is gigabit). Ive been tempted to try switching from E1000 to vmxnet vnics, but until I get a WAN connection where pfsense provides a bottleneck, I dont intend to mess with it. 

 

Just let me know if you have any other questions, Im sure there are things Ive left out, but Id be happy to lend a hand. My job is in the network storage side of the business, so virtualization is something I spend a ton of time with.