Level1 Presents: THE FORBIDDEN ROUTER

Licensed under Creative Commons: By Attribution 3.0 License
Comments
Author

Don't Virtualize it! Unless you know the risks and challenges which were well covered in this video.

LAWRENCESYSTEMS
Author

Aww, at the end I didn't see the clicky bits where the subscribe and video suggestions are.

Regarding the forbidden router, the fragility is my main concern with one machine to rule them all. Would be nice if you could have a second little box that maybe can't route at full capacity / with as much might, but is basically an online replica that could be switched over to for maintenance or if the main machine gets explodey.

JeffGeerling
Author

For those who think this is a bad idea "just because" - be aware a lot of high end commercial firewall/routers are offered as VMs run on a cluster - Palo Alto for example offer virtual instances, Cisco offer virtual ASAs, etc.

Flip-side to the bad-juju with having your router virtualized is that it does make some things a lot more painless though - OS upgrades, configuration changes, etc. are trivial to back out in their entirety by rolling back to a previous snapshot.

And if you're willing to take the minor performance hit by using virtual NICs instead of hardware pass-through (assuming you've only got gigabit internet or less, which shouldn't be too much of a restriction for most) your VM becomes completely hardware independent. Big EPYC box blow up? Spin up the hypervisor on whatever spare machine you have, and restore your VM files (or even just plug in the disk).

I use virtualized pfSense a LOT for internal VM segregation, home-lab-workstation (have a lot of virtual NICs and use virtual pfSense to route between them for disposable test networks), etc. It runs on any hypervisor that FreeBSD runs on, which pretty much includes Hyper-V, VMware Workstation/Fusion, VirtualBox, etc. - so if you have a high power workstation you can experiment with fully isolated virtual networks (test Active Directory stuff, etc.) without necessarily needing to use a server for it.

As Wendell says, just make sure you're aware of the risks (obviously, keep your pfSense instance and your hypervisor up to date to ensure you're protected from VM escape).

JethroRose
Author

The one KEY benefit I DO see with the idea of virtualising the router / firewall is: Checkpoint / Snapshot prior to an upgrade / update, and if it breaks, restore back to that snapshot, get back online within 60 seconds! Also, a great way in a lab to check out different appliances / options. In the real world, yes, I have come across complete virtual environments like this and they have been rock solid for years! Really comes down to the initial planning phase to ensure all contingencies are planned for while maintaining both security integrity and uptime... Personally, I like the blinky lights on my rack mounted 1u appliance box :D

davidflorey
Author

I've had pfSense as a VM on Unraid for a year now and it has been great. My Unraid box is a dual Xeon with 32 cores. I agree that having the router in my main server is not optimal and my next project will be an economical build for a dedicated pfSense router box. Great content guys. Thanks.

johngreene
Author

I did this exact thing over a year ago. It was easy and it's worked out very well. Highly recommend running pfSense in a KVM virtual machine.

acf
Author

Been running pfSense in a Hyper-V setup for my home for the past 5 years, not a single issue in terms of the VM side, have had my own networking issues (routing, etc.) but that's all. I also set up another pfSense VM on my remote server to create an IPSec tunnel between them.

Highly recommend this type of setup. I run my pfSense VM on an old Dell R810.

Sipheren
Author

Exactly the way my setup is going. With the summer heat wave on the horizon and electricity bill nearly doubling I am seriously considering rebuilding the homelab - having one forbidden router/VM host/ docker host/wifi AP which runs all the time (and just barely sips 30 watts) and then having another bulk data/media storage (refurbished rack server with 12 drives) that powers on only when needed.

totojejedinecnynick
Author

I've been running pfSense as a VM on a Linux host (qemu/kvm) for a while now with a couple of NICs passed through to it and it works just fine. Quick and easy to set up.

MrTubeuser
Author

I've basically had a similar setup for about 8 months now. Proxmox host, dual Gb NIC (one for LAN, one for WAN) via PCI passthrough to pfSense, Pi-hole DNS, gigabit internet. A few other VMs, on an old Intel i7 6700/32GB DDR4. Works a treat.

brad
Author

Mate, that intro is simply superior, cracks me up every time. Just wanted to let you know I love your style, slowly going through all this juicy content you've created over the years.

re: virtualisation, I think as long as you understand it relatively well and have solid foundational networking knowledge it's probably the way to go. Reasonable redundancy levels should always be catered for regardless of your deployment choice - especially when failure triggers multiple voices echoing "is the Internet down?" throughout your house ;)

DR & LCP (Lab Continuity Planning :D) is kinda fun anyway, right? Right?? 😅

Shiftito
Author

I've been running a pfSense in VMs for over a decade. The only issue I've run into was the old minimum boot volume becoming too small around 2.3. The main trick is static IPs on the hypervisors, otherwise cold starts might be troublesome.

I'm also a full time IT manager, so your mileage will vary.

Also, RIP VMware if the purchase by Broadcom goes through.

tad
Author

I've had pfSense running virtually in VMware for various applications for years :)
The only reason my homelab isn't set up that way is because my wife gets mad at me when the internet goes off

NickF
Author

I am running pfSense as an edge firewall/router on Hyper-V using an old FX-8350 system I had lying around. Works amazingly well! I even have enough remaining system resources to run my UniFi host for three APs!

mrwonk
Author

Running a pfSense router for several months and very happy with how it works with both my internal networks. Left over hardware from an upgrade a few years back; discrete hardware just works well for me, and the slight extra cost for electricity is worth the simplicity and makes the occasional PD easy and quick. After all, my time is worth something.

Riptide
Author

Still only 5 min into the video but couldn't help but comment once I heard "Virtualizing pfSense!". I built a beefy VM host to serve as my home lab and virtualize all my services that I use to learn on and as a result pfSense is one of them. It has dual NICs (my VM host server) and I pass one of them directly to the pfSense VM using PCI passthrough so I didn't have to decide which libvirt networking configuration would have the least amount of drawbacks. VM host is a Ryzen 9 5950, 128GB RAM (non-ECC, more expensive), 20TB of disk space and a couple of old AMD W7000 FirePros I had lying around. Currently serves pfSense, Samba file sharing, camera security system, Plex and Nextcloud. Love your vids and am in awe of your team's expertise!!!

jsaenzMusic
Author

Thank you for doing these. As someone who is about to dive into this without any experience... your stuff provides a calm, reasoned, information-based approach on how to deal with increasingly complex problems barely understood by anyone nowadays.

bookworm
Author

I've been running pfSense as a VM for close to 2 yrs now and it works amazingly well. The only difference is that I use Hyper-V instead of Proxmox, ESXi or XCP-ng. I personally find Hyper-V easier to use; I've got pfBlocker, OpenVPN, Squid proxy, HAProxy and multiple VLANs running off the pfSense. I haven't had to touch it in over a year now, it just simply works. I also have a simple Windows VM and some docker containers running off that small virtualization box. The box is a Beelink mini PC, similar to an Intel NUC, just a bit cheaper. I have a separate much more powerful VM host machine for all other work / testing.

AaronMolligan
Author

I have been virtualizing pfSense for years now. I have used it with Xen, Hyper-V, VMware, & VirtualBox.

rider-
Author

Nice vid! Was already trying to build a "Forbidden Router" and was looking at XCP-NG so your timing is impeccable. Can't wait to see your follow up vids!

rooster