pfSense within VirtualBox on FreeNAS

Status
Not open for further replies.

notjoe

Explorer
Joined
Nov 25, 2015
Messages
63
Hey all,

I did some searching but didn't come up with much. So, I thought I'd ask on the forums before spending a bunch of time on something that may not work. I'll probably have some additional questions but I'll start off with the first one first. I may even do a write-up (if this works, since there doesn't seem to be one).

The TL;DR is that I would like to virtualize pfSense under VirtualBox running inside of a FreeNAS jail.

Before I go too far, the first hurdle I saw was the inability to add a secondary NIC to the jail that VirtualBox is running inside of. Is this possible via the GUI? I know it is if I were playing with a bare-metal FreeBSD installation and jails.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Did you try searching?
https://forums.freenas.org/index.php?threads/has-anyone-tried-running-pfsense.30221/

Answer: no. pfSense wants kernel-level access to the NICs. Even if you could make it work, you'd have external traffic talking to FreeNAS before being sent to the jail. Bad idea.

Firewalls belong on dedicated hardware. I bought a nice 1U Supermicro box with SM mobo and an E3-1270 off eBay for $200. Add 32GB memory, two SSDs for a mirrored boot, and bingo, 50-watt, 4 gigabit interface, extremely capable firewall/VPN/IDS.
 

notjoe

Explorer
Joined
Nov 25, 2015
Messages
63
> tvsjr said:
> Did you try searching?
> https://forums.freenas.org/index.php?threads/has-anyone-tried-running-pfsense.30221/
>
> Answer: no. pfSense wants kernel-level access to the NICs. Even if you could make it work, you'd have external traffic talking to FreeNAS before being sent to the jail. Bad idea.
>
> Firewalls belong on dedicated hardware. I bought a nice 1U Supermicro box with SM mobo and an E3-1270 off eBay for $200. Add 32GB memory, two SSDs for a mirrored boot, and bingo, 50-watt, 4 gigabit interface, extremely capable firewall/VPN/IDS.

I get where you're going with that. To some extent you're right, partially (IMHO). My ISP has my internet on a VLAN, which could easily be added inside of the VM to keep it separated. The PPPoE connection would also be established within the VM. It'd be enough isolation that I'd be comfortable with it. It'd still have kernel-level access (I'm talking about running it inside of VirtualBox) to the NICs. Whether VirtualBox (running inside of a jail) could provide that sort of direct access to the NIC is a different story. With that being said, my pfSense installation is already on a dedicated machine, but I was just thinking I could consolidate it all.
 

brando56894

Wizard
Joined
Feb 15, 2014
Messages
1,537
You're lucky to get a better response than I did! No one would tell me why it wouldn't work; I ended up just buying a barebones PC for $120 and putting 4 GB RAM and a 60 GB SSD in it (both are overkill), and it works fine. It's slightly annoying to get installed because the installer is really finicky.

 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Brando - perhaps because the question has been answered previously? By the way, 4GB RAM and a 60GB SSD is in no way overkill... my pfSense box has 32GB RAM and a 120GB SSD. It all depends on what you're doing with it. In my case, I'm running things like Snort, which are far more intensive than the firewall itself.

Back to the OP, it doesn't matter if you get "kernel-level" access to the NICs through VirtualBox. If you don't have that level of access at the jail level, it doesn't help. I'm not savvy enough with jails to know if you can pass a complete NIC through (a true hardware passthrough) without it first terminating connections on the underlying OS. However, as a typically paranoid type who does cybersecurity professionally, I honestly wouldn't want any insecure traffic terminating directly on an "internal" device - whether the underlying OS sees it or not. I'm all for virtualization, but there are times when a dedicated box is just the right answer.

I did play with virtualized pfSense for a while myself, just to say I did it. I also observed some issues using QoS/rate-limiting, especially on very latency-sensitive workloads (like VoIP)... if the VM host was even moderately loaded, the scheduling algorithm would give the QoS algorithms hell. Again, there are just some things that deserve a dedicated physical box. Personally, I'm also tasking mine to be a NUT server, time server (connected to a local GPS-disciplined rubidium oscillator), etc.
 