pfSense - physical vs virtual

When working with pfSense, do you guys use physical hardware or do you guys use pfSense in a virtualization environment for your primary network?

Virtual for me. Being able to take snapshots alone is worth it. There is nothing worse than a failed upgrade when it comes to a firewall.

1 Like

Physical for me. You can set up auto backups (for free), so redeploying pfSense is one of the easiest things to do. Snapshots are only as good as the time you take them. The auto backup feature does a backup on every committed change. Yes, you can set up the auto feature in a VM too, but if for whatever reason you have a bad config or corrupted something in your lab, then your snapshots keep carrying over the issues.

I don’t want to be troubleshooting in a virtual environment. I like the independence of something I can work on more than saving a few bucks by making it a VM. Also, there is a reason they call it a forbidden router when you put pfSense in a VM. Just don’t do it and save yourself the heartache down the road, even though you’ll have people tell you it “works just fine”.

There are a couple of benefits when running virtual instances compared to physical. First is that your backup is completely independent of the system itself. What would stop an attacker from changing or deleting backups if the pfSense is compromised? At least with virtualization you have a layer of security between the backup and its OS. It’s easy enough to run those daily too.

Second benefit is if an upgrade blows up on you. Yes, you can restore by installing the OS, reconfiguring LAN configs manually, then updating to the version you were running (hopefully this was documented), and then restoring the original config; or you could just do a snapshot restore that will take seconds.

Physical and I use the ZFS snapshots feature which makes it really easy to roll back.

4 Likes

Though if I wanted to do pfSense virtualized, I assume I would need to use the ISP’s router as the primary and use the virtualized pfSense as secondary. I’m trying to get some details on how I would achieve this.

I would set up your ISP’s router/modem in bridged mode and then have the public IP passed to the pfSense outside interface.

I would not recommend virtualizing pfSense. I tried at one point long ago and ended up giving up on it. VLANs were a nightmare with Hyper-V. I think it’s easier to configure trunking with VMware. In the setup I manage, we have 3 locations. All 3 locations have physical hardware running pfSense. Runs flawlessly. My rack servers all utilize Hyper-V because it’s convenient and works well for what we do, or I would have tried to play with it more in something like ESXi or vSphere.

Physical for me. Two reasons:

  1. I like the network to stay up during server maintenance
  2. I had a problem during the lockdown years with Zoom dropouts. At the time I had a virtual pfSense firewall (qemu/kvm on stock Ubuntu 20.04). Moving it to a physical box fixed those dropouts. Perhaps a real-time kernel would have fixed it, but I didn’t know how to do that.

1 Like

Physical for me. It’s more for performance and security reasons. If the VM ever gets compromised, you hope the host server doesn’t get compromised as well. Having a dedicated physical machine takes care of that issue.

Also, a hell of a lot easier to troubleshoot networking issues.

1 Like

Why not both? I have a really low power box as my backup pfSense in a CARP setup. Primary pfSense box virtualized with dedicated 10G NICs. This way I get the performance as well as being able to take my VM host down for maintenance. Best part is, I got redundancy. pfSense CARP is very reliable and maintenance free as long as you set things up correctly. Btw, you do not need static IPs from your ISP. You just need two public IPs, and most ISPs let you request two through DHCP.

Physical for me, I used to run virtual, but I didn’t like the network connection going offline when more and more patching is done via the internet, just made a bit of a faff for a home environment. In a resilient environment with multiple hypervisor servers and such I’d consider it. I’d consider it if it was an internal zone firewall and not WAN facing.

At home I’ve used a Pondesk Atom-based system, a Dell R220, and am currently running a Sophos XG230 Rev2, again with LCD and such working. G4400 CPU, 8GB RAM, a bunch of NICs and a 64GB SanDisk drive.

Liking the Sophos hardware as I’ll prob use the SFP ports for extra ports back to the switch and it’s got the potential for a 10GB Flex module to be installed, but that’ll be hard to find on the used market.

I was back testing pfSense on alternative hardware as I saw the odd performance issue with the Dell R220, which I think is down to the Broadcom NICs.

@OP, firewalls, in general, are virtualized when they are policing internal traffic from systems you can control, or separating low security sensitive zones.
From a security and reliability standpoint though, security devices like a firewall that protect and segregate networks should always be physical devices that are nearest to the wire with no foreign layers in between, and accessible via console if the network around them goes down.
Now for a lab or home environment, either is fine and goes with your budget.

Your problem was more with Hyper-V as a hypervisor than with pfSense.
The network stack on Windows hasn’t been the best for the last 25 years, so doing network stuff through virtualization isn’t recommended.

Yes. I agree. Like I said, I utilize Hyper-V because it’s already there. VMware can pass through NICs to VMs, but we just don’t have a need for the hypervisor. Hyper-V handles everything I need this infrastructure to do. I just prefer real hardware for pfSense.

Proxmox VM (aka PVE). I have two physical hosts running PVE. I run pfSense in HA (High Availability), one on each of the hosts (gives live connection update across that, so even connections are maintained if one goes down!)

I have grown to truly love the capabilities of running more and more system/server/backend things in a VM. MUCH nicer than raw hardware.

I have fiber to the doorstep here, with gigabit up and down, cheap for life (i.e. $65 a month)… to get full performance:

  • use Intel chip NICs that support full virtualization. Avoid Realtek - there be headaches in that direction
  • use a host CPU that has a bit of performance. MOST important: it needs both modern virtualization capabilities, and pretty good encryption/compression performance. Hints on that below.

Look up your CPU chip at:

Just for example: a high end Atom chip (C3558) will not make you happy if you want high speed throughput. While it can encrypt at 1.7GB/sec, it can only compress at 37MB/sec.

Nor will Raspberry Pi 4 (BCM2711). 20MB/sec data compression, 268 MB/sec data encryption. But no AES instructions :(

2 Likes

Assume you meant https://www.cpubenchmark.net/

1 Like

Production FW in lab is physical. But I have a few VMs to learn with.

Appreciate all the feedback! :)