Running Pfsense as a VM

Hi, I am currently planning for a job at a client. Do you have any pros and cons of running pfSense as a VM? I am going to use XCP-NG. It is going to run on a 1U Supermicro server.

I prefer not to, as it's hardly a cost saving and there is more potential for issues. Also, server updates to the hypervisor mean you are taking down the firewall.

I currently run my pfSense install as a virtual machine on a Proxmox 6 node, and while I have not had any problems with it from an operational perspective per se, being able to back up the whole pfSense computer in a single backup archive is very handy and makes restoring it from a misconfiguration, or moving it to another node entirely, very quick. In fact, the hardest part is realigning the physical interfaces to the virtual ones.

However, there have been challenges such as the one LTS_Tom pointed out. For my hypervisor, you need to do a restart after kernel updates. As well, when I have done major upgrades or modifications to my network, needing to keep the hypervisor running to keep pfSense and its various services running can be a challenge. Though I have been able to work around it, I did have to come up with some very creative solutions to do some tasks while it was offline.

I am, however, thinking that I will keep it virtualized but move it to a dedicated node that is not part of my main hypervisor cluster. It will be a smaller node but will run the following: pfSense, Unifi Controller, SSL certificate server and reverse proxy server, which I am calling my core stack. By removing it from a cluster of other nodes, as long as that machine is operational everything will work fine. I also plan to have my next build support hardware passthrough, and I intend to look into passing the pfSense related NICs directly to pfSense to simplify some of the complexity.
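The "realigning the physical interfaces to the virtual ones" step mentioned in the reply above is what breaks a restored pfSense backup when the new VM's NICs have different driver names (for example em0 on bare metal versus vtnet0 on a virtio guest). The following is an added example, not code from the thread or from pfSense: it rewrites the interface names in a config.xml backup from a supplied mapping, keeps VLAN sub-interfaces consistent, and refuses to proceed if any physical interface in the backup is left unmapped. The sample config and the em0/em1 to vtnet0/vtnet1 mapping are constructed for illustration.

```python
# Added example: remap physical NIC names inside a pfSense config.xml backup
# before restoring it on a VM whose virtual NICs use different driver names.
import xml.etree.ElementTree as ET


def remap_interfaces(config_xml: str, mapping: dict) -> tuple:
    """Return (rewritten XML, number of interface references replaced).

    Rewrites <if> under <interfaces>/<wan|lan|optN> (including VLAN
    sub-interfaces such as em1.10) and <if>/<vlanif> under <vlans>/<vlan>.
    Raises ValueError if a physical interface has no mapping, since a
    silent partial remap is exactly what leaves a restored VM without WAN/LAN.
    """
    root = ET.fromstring(config_xml)
    count = 0

    def translate(name: str) -> str:
        parent, sep, tag = name.partition(".")  # "em1.10" -> ("em1", ".", "10")
        if parent not in mapping:
            raise ValueError(f"no mapping for physical interface {parent}")
        return mapping[parent] + sep + tag

    ifaces = root.find("interfaces")
    if ifaces is not None:
        for iface in ifaces:  # wan, lan, opt1, ...
            node = iface.find("if")
            if node is not None and node.text:
                node.text = translate(node.text.strip())
                count += 1

    for vlan in root.iter("vlan"):
        parent = vlan.find("if")
        if parent is None or not parent.text:
            continue
        parent.text = translate(parent.text.strip())
        vlanif = vlan.find("vlanif")
        if vlanif is not None and vlanif.text:
            vlanif.text = translate(vlanif.text.strip())
        count += 1

    return ET.tostring(root, encoding="unicode"), count


# Constructed sample backup (not a real config) and constructed NIC mapping.
SAMPLE = """<pfsense><interfaces>
<wan><if>em0</if><descr>WAN</descr></wan>
<lan><if>em1</if><descr>LAN</descr></lan>
<opt1><if>em1.10</if><descr>GUEST</descr></opt1>
</interfaces><vlans><vlan><if>em1</if><tag>10</tag><vlanif>em1.10</vlanif></vlan></vlans></pfsense>"""
NEW_NAMES = {"em0": "vtnet0", "em1": "vtnet1"}

if __name__ == "__main__":
    rewritten, n = remap_interfaces(SAMPLE, NEW_NAMES)
    print(f"{n} references remapped:\n{rewritten}")
```

Diff the rewritten file against the original before restoring it, so the only changes are the interface names you expected.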