Pfsense on a Virtual machine. NIC question

[nsafreak]

A while back I posted about my router hitting a bandwidth limitation due to CPU usage ( Asus Rt-n16 for reference) and I've been waiting for a deal on a decent newer router. It recently occurred to me that I have a server with more than enough spare resources to run pfsense in a VM. The question is whether I should get an Intel dual interface server nic from Amazon ( usually all of $35) and dedicate that to the VM. Or would it be just fine to create a pair of virtual interfaces on my onboard realtek nic and go from there? Advantages or disadvantages to either approach? Server specs are in Sig if needed.

 

[thecoolnessrune]

Your virtual interfaces idea only works if you have switches that can do VLANs. You'll need to tag your WAN side, (and untag it on the egress port going to your modem unless your modem supports it too), and you'll need the traffic tagged going into your computer's nics so that the tagged traffic gets to the tagged port on your WAN. If you don't have infrastructure that can do tagged VLANs, then you'll need to go the more direct route and have a dedicated NIC port for the WAN side, and the LAN side.

I currently do Cable Modem --> WAN VLAN Switch Port where traffic is tagged / untagged --> Travel to back room via LACP links --> Exit WAN traffic tagged into ESXi Servers --> Outside WAN Port Group with the WAN VLAN --> PFSense Virtual Machine link on the outside port group --> PFSense Virtual machine link on the inside LAN port group.

Works just fine that way, but like I said, you have to have switching at least on the modem side that allows VLAN tagging / untagging if your modem doesn't allow you to set VLANs. After that, you just need to have switching / nics that will pass VLAN information.

 

[nsafreak]

I do have a HP Procurve 3500yl switch that does support vlans so I should be able to set that up.

 

[kevnich2]

Pfsense can easily handle virtual interfaces via vlan, but it also can complicate things when trying to troubleshoot. I would highly recommend a minimum of two interfaces to atleast have the option for dedicated WAN and LAN interfaces. Pfsense is a very nice scalable platform

 

[thecoolnessrune]

You can do VLANS while still having separate vNICs on the VM. That's what I do as it makes it easy to shut down and turn up the WAN interface. Also makes it simple to route traffic as I just have an entire port group on the WAN VLAN. That lets me have a redundant pfSense box on another host ready to go.

Sent from my Nexus 6P using Tapatalk