LinuxQuestions.org
#1 upnort (Senior Member, Slackware), 08-27-2015, 09:17 AM
Run pfsense in a VM in a file/backup server?


I am looking into running pfsense in a virtual machine (VM).

Some background

For some months I have been writing a check list for building a new file/backup server for my home network. The server will be available 24/7.

I use a Linksys WRT54GL 1.1 router with DD-WRT. It has been stable for more than a decade. I use static IP addresses in my LAN, but I have the router configured with DHCP for testing and a wireless connection. For guests I added a separate wireless subnet that is not bridged to my LAN.

I want to install a VPN into my home network. While DD-WRT nominally supports that, I want to have a more flexible firewall/router system. The WRT54GL lacks expansion and storage abilities. I have a fringe need to use a Windows box in my LAN and I want that system isolated on its own VLAN.

While I have used Linux systems for more than 13 years and have no BSD background, I am leaning toward pfsense because of the features, large community support, professional/enterprise influence, and web browser interface. The web browser interface mostly shields a user from needing deep knowledge of BSD.

Thus I would have two devices that need to be available 24/7 or at least available concurrently. Is running pfsense in a VM palatable? Sensible? Kill two birds with one stone?

Other thoughts

I have used VirtualBox since the early 1.x days. I have not used kvm/libvirt although I want to learn more. I have not yet decided on the server OS.

I am connected to an excellent WISP, yet I am unlikely ever to see Mbps connection speeds beyond low double digits. Any wireless support I use in my home network will always exceed ISP speeds, but I want as fast as possible since my wired side is all 1 Gbps.

To support wireless devices I need to add a wireless NIC in the new server but I have not researched how to tie/bridge that into a pfsense VM. I want a quality wireless NIC for a server AP and not just a client wireless card.

I am not against using a separate pfsense appliance, which likely would be more straightforward to configure and maintain. I am just looking for conversation here. I appreciate comments, suggestions, ideas, advantages, disadvantages, etc.

Thanks.
 
#2 ericson007 (Member, Japan, CentOS 7.1), 08-27-2015, 11:23 AM
Well, I use CentOS 7 as a virtual host. Everything on it is virtual machine based. I have not really tested internal speeds, but using it I can pull around 245 Mbit down, 96 Mbit up. This is very close to what I get connecting directly.

Set up your bridge or bridges; there are tons of guides. Pass the bridge to the NIC, or better yet have more than one NIC. I have one for WAN and one for physical connections.

WAN is passed directly to pfSense. Make very sure that you disable TCP checksum, otherwise you will think your bridges are messed up but they actually work fine. If your ISP-supplied modem assigns private range IP addresses, make sure to uncheck the option for bogons and blocking private addresses. Other than that, I do recommend KVM for something like this rather than VirtualBox. Many people say VB is great, and I am sure it is, but it does not offer all the fine-grained tuning that you can get with KVM. Note I have not really used VB, but for running serious stuff, I will only consider KVM or VMware.

So what you are suggesting, it is possible and really not that difficult to do and it works just fine.
 
#3 jefro (Moderator), 08-27-2015, 05:45 PM
Linux is adopting many of the good things BSD has been using, so you won't have any problems at all with it.

There are a number of pre-made virtual appliances already that one can download and click to run by the way.
 
#4 upnort (Senior Member, Slackware, original poster), 08-29-2015, 06:24 PM
Quote:
WAN is passed directly to pfSense.
I have done more reading about this. Although possible and people have done this, the developer recommendation is to run the AP separately from pfsense. Additionally, I suspect a good AP NIC is needed and not just a standard client wireless card. Regardless, I don't know how I will resolve wireless. I could keep the Linksys running, but that partially defeats my goals because I want to retire the device.

Then again, this is a home LAN. Perhaps a basic wireless NIC will be sufficient. In my home LAN, wireless is used almost entirely for web surfing. Muscle work and heavy file transfers are performed on wired systems.

The pfsense folks sell premade appliances and wireless is an option but that gets expensive fast. Then again, sometimes in life throwing money at a project is actually the most efficient way to move forward.

Quote:
So what you are suggesting, it is possible and really not that difficult to do and it works just fine.
Everything always looks fine on paper -- the grunt work will reveal the realities.

Quote:
Linux is adopting many of the good things BSD has been using, so you won't have any problems at all with it.
I am aware of the various Linux-based router/firewall distros. Other than the names, I haven't looked at them in any depth. They might be easier from a Linux perspective, but my research indicates the pfSense web interface does a good job of shielding people from most of the innards of BSD. There seem to be far more tutorials online for pfSense than for all of the similar Linux distros combined.
 
#5 ericson007 (Member, Japan, CentOS 7.1), 08-30-2015, 01:10 AM
Well, WAN is not wireless. Not sure why you confuse those. WAN is a wired connection that goes into your modem to connect your network to the internet.

The pass-through I spoke about is using advanced virtualization to make the NIC work as if physically installed in the virtual machine.

pfSense does not look fine on paper. It works as stated. I use it in production and have for 4 years now.

For wireless, I have a Netgear R7000 router. Plug it in on the LAN side and you will have very good speeds.

Just install it and see if it works for you.

Last edited by ericson007; 08-30-2015 at 04:29 AM.
 
#6 upnort (Senior Member, Slackware, original poster), 08-30-2015, 08:48 AM
Quote:
Well, WAN is not wireless. Not sure why you confuse those.
Not confused. I just used the wrong snippet to reply.

Quote:
The pass-through I spoke about is using advanced virtualization to make the NIC work as if physically installed in the virtual machine.
I understand the WAN NIC should be dedicated to the firewall/router VM. That way if the VM is compromised the VM remains isolated from the host and LAN.

I like the idea of virtualizing some server services. If the new server hardware goes belly up, the VM can be copied from backups to my office system, minimizing down time. Probably a good idea to just keep the VMs in sync between the two systems and run a couple of fire drills to get a feel for the transfer.

I need to learn more about squid and web caching. For years I have been using dnsmasq for name caching and URL blocking (addn-hosts option). If I start using squid I think the two would be redundant. I was thinking of installing the caching services in another isolated VM.

Quote:
For wireless, I have a Netgear R7000 router. Plug it in on the LAN side and you will have very good speeds.
While I appreciate that running a separate wireless AP likely is less hassle, one of my goals is to consolidate as much as possible into the new server and retire the Linksys router to an emergency backup role. I run two wireless subnets now, one for my LAN and one for guests. The latter subnet is isolated from the LAN. I have an old $20 Gigabyte AirCruiser G PCI wireless NIC lying around. I don't know how well that would work in the new rig as an AP, if at all.
 
#7 ericson007 (Member, Japan, CentOS 7.1), 08-30-2015, 08:57 AM
Well, there is one way to find out. Chuck it in and see. Just remember, to pass physical hardware to virtual machines, please make sure you have VT-d capability. Without that, it will not work. Generally speaking, for Intel that means a Xeon or non-xxxxK processor. If the processor model ends with K it will support virtualization but not assigning hardware. Also double-check to make sure your BIOS supports VT-d.

Once that is certain, you need to edit the kernel boot parameter to enable intel_iommu.

Last edited by ericson007; 08-30-2015 at 09:44 AM.
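A pre-flight check for the prerequisites listed in #7 (VT-x, VT-d with IOMMU groups, the intel_iommu kernel parameter) and for the isolation goal in #6 (the WAN NIC assigned to the firewall VM with nothing else in its IOMMU group). This is an added example, not code from the thread or from pfSense; it assumes an Intel host, and the file paths and the NIC's PCI address are parameters so the functions run against /proc and /sys on a real host or against a constructed test tree.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks before handing a
# physical WAN NIC to a pfSense guest. Paths are parameters so the same
# functions run against /proc, /sys or a constructed test tree.

# Is intel_iommu=on on the kernel command line? ($1 = /proc/cmdline)
iommu_enabled_in_cmdline() {
    tr ' ' '\n' < "$1" | grep -qx 'intel_iommu=on'
}

# Does the CPU advertise VT-x (the vmx flag)? ($1 = /proc/cpuinfo)
cpu_has_vmx() {
    grep -m1 '^flags' "$1" | tr ' ' '\n' | grep -qx 'vmx'
}

# Number of IOMMU groups; zero means VT-d is off in the BIOS or the
# kernel never enabled the IOMMU. ($1 = /sys/kernel/iommu_groups)
iommu_group_count() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Print the other devices in the NIC's IOMMU group. Everything in a group
# must be assigned to the guest together, so a NIC that shares its group
# with a host controller cannot be isolated from the host. Returns 1 if
# the NIC is in no group. ($1 = iommu_groups dir, $2 = NIC PCI address)
iommu_group_peers() {
    for g in "$1"/*/devices; do
        [ -e "$g/$2" ] || continue
        ls "$g" | grep -vx "$2" || :
        return 0
    done
    return 1
}

# Combine the checks; succeeds only when the NIC can be passed through alone.
# ($1 = cmdline, $2 = cpuinfo, $3 = iommu_groups dir, $4 = NIC PCI address)
passthrough_ready() {
    cpu_has_vmx "$2" || { echo "no vmx flag: enable VT-x in the BIOS"; return 1; }
    iommu_enabled_in_cmdline "$1" || { echo "add intel_iommu=on to the kernel args"; return 1; }
    [ "$(iommu_group_count "$3")" -gt 0 ] || { echo "no IOMMU groups: enable VT-d in the BIOS"; return 1; }
    peers=$(iommu_group_peers "$3" "$4") || { echo "NIC $4 is not in any IOMMU group"; return 1; }
    [ -z "$peers" ] || { echo "NIC $4 shares its IOMMU group with: $peers"; return 1; }
    echo "ok: $4 can be passed through on its own"
}

# Usage on a real host (0000:03:00.0 is a constructed PCI address; use
# the address lspci reports for your WAN NIC):
# passthrough_ready /proc/cmdline /proc/cpuinfo /sys/kernel/iommu_groups 0000:03:00.0
```

If the NIC shares its group with a host device, the usual fix is to move the card to a different PCIe slot rather than to force the assignment.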
 
#8 upnort (Senior Member, Slackware, original poster), 09-02-2015, 09:05 AM
Thanks for responses. The project is still on paper -- will be a while before moving forward.