I wanted to configure pfSense on an Intel NUC, but the issue was that it had only one internal NIC.
USB-Ethernet is a mess; I’m always getting 502 errors when trying to access the GUI from LAN, even though the USB adapter was assigned to WAN and not LAN…
As I was researching topics on Reddit about this 502 error last week, I started to chat with someone who already had to do what I’m trying to do.
After spending the whole day on this again today, I went back to the subreddit and read what he said once more, and I think I misunderstood in the first place…
At some point, he says:
"I assigned port 1 (WAN/ISP) to VLAN 10. The ISP sends traffic to the switch via Port 1.
Since Port 1 is part of VLAN 10, this traffic is tagged with VLAN 10. The switch forwards this VLAN 10 tagged traffic to Port 2, where the pfSense WAN interface receives it."
I configured the VLAN on the switch like he said, but I also created the same VLAN and applied it to the WAN interface on pfSense, which he doesn’t seem to have talked about, when I think about it.
So maybe I’d rather assign the NIC to WAN and not a VLAN for it to actually work?
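To make the quoted reply concrete, here is a small model of what "tagged with VLAN 10" means on the wire and what the switch does with it. This is an added example, not code from the original thread or from pfSense: it builds and parses 802.1Q-tagged Ethernet frames and simulates a managed switch with port 1 as an untagged (access) port in VLAN 10 facing the ISP, port 2 as a tagged (trunk) port to the single pfSense NIC, and port 3 as an untagged LAN port in VLAN 20. Port numbers, MAC addresses, VLAN IDs and the drop behaviour for untagged frames on the trunk are assumptions chosen for illustration; real switches differ in how they treat a trunk's native VLAN.

```python
"""802.1Q tagging model for a single-NIC pfSense behind a managed switch.

Added example (not from the original thread). Assumed lab layout:
  port 1: access, PVID 10  -> ISP modem (untagged)
  port 2: trunk, VLANs 10+20 -> pfSense single NIC (vlan10 = WAN, vlan20 = LAN)
  port 3: access, PVID 20  -> a LAN PC (untagged)
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Return an Ethernet frame; if vlan is given, insert a 4-byte 802.1Q tag."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)  # PCP (3 bits), DEI (1 bit, 0), VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload) for a (possibly tagged) frame."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class Switch:
    """Minimal 802.1Q bridge: access ports have a PVID, trunk ports carry tagged VLANs only."""

    def __init__(self):
        self.ports = {}

    def access(self, port, pvid):
        self.ports[port] = {"mode": "access", "pvid": pvid}

    def trunk(self, port, allowed):
        self.ports[port] = {"mode": "trunk", "allowed": set(allowed)}

    def forward(self, ingress, frame):
        """Flood a frame from `ingress` to every other port in its VLAN; returns {port: frame}."""
        dst, src, vlan, etype, payload = parse_frame(frame)
        cfg = self.ports[ingress]
        if cfg["mode"] == "access":
            if vlan is not None:
                return {}           # tagged frame arriving on an access port: dropped (assumption)
            vlan = cfg["pvid"]      # untagged ingress is classified into the port's PVID
        elif vlan is None or vlan not in cfg["allowed"]:
            return {}               # no native VLAN on the trunk: untagged or unknown VLAN is dropped
        out = {}
        for port, pcfg in self.ports.items():
            if port == ingress:
                continue
            if pcfg["mode"] == "access" and pcfg["pvid"] == vlan:
                out[port] = build_frame(dst, src, etype, payload)         # egress untagged
            elif pcfg["mode"] == "trunk" and vlan in pcfg["allowed"]:
                out[port] = build_frame(dst, src, etype, payload, vlan)   # egress tagged
        return out


def lab_switch():
    """The assumed three-port layout described in the module docstring."""
    sw = Switch()
    sw.access(1, pvid=10)
    sw.trunk(2, allowed={10, 20})
    sw.access(3, pvid=20)
    return sw


def demo():
    """ISP sends an untagged broadcast into port 1; see which ports get it and how."""
    sw = lab_switch()
    isp_arp = build_frame("ffffffffffff", "0a0000000001", 0x0806, b"constructed ARP")
    return sw.forward(1, isp_arp)


if __name__ == "__main__":
    for port, frame in demo().items():
        print(port, parse_frame(frame)[:4])
```

Running it shows the ISP frame leaving only on port 2, now carrying the VLAN 10 tag, and never reaching the LAN port 3. That is why, in this layout, the pfSense WAN has to be the vlan10 sub-interface on the NIC rather than the untagged parent interface: the switch only hands the ISP traffic to pfSense tagged. The model also drops untagged frames arriving on the trunk, which is the conservative choice; if a switch instead maps them to a native VLAN, an untagged parent interface on the same NIC ends up in whichever VLAN that is, so check that setting before trusting the WAN/LAN split.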
I bought a Qotom a few months ago to install my PBX and it works pretty well. The only issue for me (as I bought directly from Qotom) was that I had a $60 fee just because I bought something from outside the SEPA banking zone… I’d have to buy a few in order to make it worth it!
Never thought about eBay actually, I’ll have a look!
Oh ok I see, maybe NZ is the closest you can get anything from!
I wouldn’t virtualise my router myself, too much hassle.
My ideal cheap setup would consist of two identical Qotom boxes for pfSense and a small form factor PC with a 4-port NIC. With two boxes for pfSense, I would have redundancy; if they are not identical it will take some faffing to get the same pfSense image installed. The PC would run Proxmox; in an emergency you could run pfSense on it without too much trouble.
Though I can see shipping would be an issue, perhaps buy everything at once!
As with everything else there are pros and cons about installing firewalls on bare metal. Here are a few pros, in my opinion, about installing them in a VM:
Easy backups. For example Proxmox VE has integrated backups, you can set a schedule and the entire VM gets backed up automatically.
Following from the previous point: safer upgrades. You can make a snapshot of the entire VM prior to any updates. If anything goes wrong, you just roll back and everything is operational again in a minute or less.
You can mess with the settings and experiment freely. If anything goes wrong you just roll back the VM with one click.
Straightforward super simple hardware upgrades. No need to mess with network cards, support, changing Ethernet names and so forth. Since everything is virtualized you can move your VM to a different hardware host and it works out of the box.
Free KVM out of the box. Everyone has messed up a firewall rule and locked themselves out of a firewall. On bare metal you have to physically go to the box, stick a keyboard and monitor in, or invest in a hardware KVM. With Proxmox VE you get it for free.
Always-in-sync testing / staging environment. Just clone the production VM, virtually disconnect the network cards or change their IP addresses, and you’ve got yourself a 1:1 identical copy to experiment with.
Ability to run them on a much broader range of hardware. Proxmox supports a much broader hardware range than pfSense or OPNSense.
Provided it is set up correctly, I believe the pros in your typical environments far outweigh any potential cons of not running a firewall on bare metal.
For reference I have been running OPNSense virtualized in Proxmox VE for the last 3 years and never had a single issue due to the virtualization.
For 1) if the Proxmox VE update requires a reboot (not all of them do) then yes your Internet connection briefly goes down. Why would it take your entire network down though?
That question aside you could plan both the Proxmox VE and firewall upgrades in the same batch, so you don’t have multiple downtimes (unless there’s a critical Proxmox update you need to apply now).
For 2) the hardware is similar whether you’re running it virtualized or not. The virtualization overhead in terms of CPU is typically not significant. Memory overhead is more impactful than the CPU if your Mini-PC is severely hardware constrained. I am running OPNSense virtualized under Proxmox VE on a Mini-PC, alongside several other VMs.
In addition to the downsides you mentioned, the most important imho is the security aspect. If there is a critical Proxmox VE vulnerability that would in theory allow someone to escape the guest OS, a skilled attacker can potentially gain access to the host OS.
It is up to everyone to assess their risk profile and weigh the pros vs cons for their particular setup.
I guess you run DNS and DHCP services on another platform/device, and have a HA failover device with a backup WAN.
Aside from pfSense updates approx once per year, my bare metal pfSense appliance is a “set it and forget it” Ron Popeil device. On the other hand, Proxmox receives updates several times per month.
Yes I do. Primary/secondary DNS servers, same for DHCP, time servers, local Debian repositories mirrors and a lot more. But I enjoy tinkering with this stuff so my network is likely way more complex than the typical home network, or even most home labs.
Since the NUC will have a wireless module, see if it is a card based module. If it is, there are a few choices to convert that to a wired port and those choices are not horribly expensive.
That said, I have not used one of these cards before, but I know they exist and have seen people using them for this purpose. Maybe it works, maybe it doesn’t, but I’d say you have a good 75% or better chance of it working as long as it is an Intel chip. pfSense and Realtek don’t really play very nicely, at least in the older versions.