OPNsense Bare Metal vs Virtualization

Submitted ⁨⁨16⁩ ⁨hours⁩ ago⁩ by ⁨CosmicRanger@sh.itjust.works⁩ to ⁨selfhosted@lemmy.world⁩

Looking for some advice / recommendations / considerations on running OPNsense on bare metal vs virtualized, and if virtualized how best to do so.

I currently have OPNsense running bare metal on a Protectli FW6E Vault, with the following specs:

Intel i7-8550U CPU @ 1.80GHz
120GB mSATA (1% utilization)
16GB RAM (6.5% utilization)
6 Gigabit Ethernet NIC ports

The Vault running OPNsense is the primary firewall and router, any wireless devices connect through a dumb AP running OpenWRT. Connected over Ethernet I have a RPi running HomeAssistant OS (would probably also move to virtual if that’s the chosen direction) as well as a TrueNAS setup.

How much of a performance hit would be expected running in some sort of container vs the current bare metal setup? Are there any other concerns with running the main firewall / router virtually vs bare metal to take into account?

source

Comments

Sort:hotnew top

percent@infosec.pub ⁨1⁩ ⁨hour⁩ ago
I went with a dedicated mini PC with one of those motherboards that are designed for building a network appliance. It has been running very smoothly for a few years, and I just log in occasionally to run system updates.

I want my Internet connection to continue working, regardless of my tinkering with home server stuff.

source
RonnyZittledong@lemmy.world ⁨15⁩ ⁨hours⁩ ago
In my opinion core infrastructure like the router should not be virtualized. I want to be able to work on my proxmox server or reboot it without bringing down the whole network. And if there is a problem with my proxmox server I now have the additional headache of having the network down too and my IPKVMs don’t work.

source
salacious_coaster@infosec.pub ⁨15⁩ ⁨hours⁩ ago
Virtualizing the router adds a point of failure and set of dependencies for a critical component of your network. And you already have a good purpose-built hardware and no stated problems. So why virtualize?

source
daBeans@sh.itjust.works ⁨13⁩ ⁨hours⁩ ago
I run Proxmox on my router (an Intel NUC) with an OpenWRT VM (though I used to run OPNSense, and might try going back to it later). It makes things more complicated, but I’m familiar enough with Proxmox that I’m okay with that complexity.

Setup right, I don’t think you’d experience any performance hit in terms of your network, and your 8th gen i7 is likely better than my Celeron J4025, so I imagine your Web UIs will be fast enough even virtualized.

I virtualized my router because it let me experiment with different router options way more easily (I could switch from OPNSense to OpenWRT and fall back on my old OPNSense VM if I messed anything up, I could setup VLANs in a cloned VM and fallback to my old VM if I couldn’t get it working, etc.). I’m a very indecisive person loll. But if there’s no reason for you to virtualize it, then I wouldn’t bother unless you just want to.

I vaguely remember my Intel NIC gave problems with OPNSense, but running virtualized meant I could use Linux drivers (via Proxmox) and give OPNSense a VirtIO NIC that it would be happy with. Oh, and it’s nice being able to run the Unifi Web Server in an LXC on the router so it doesn’t go down whenever I mess with my server PC.

Personally, I only run network-specific things on my Proxmox instance on the router (so, OpenWRT/OPNSense, and the Unifi Web Server). My more home-lab stuff is run on a completely separate machine. Like others have said, I don’t want my internet to go down when I mess with my server.

If you do end up virtualizing ur router, in my personal experience using VirtIO network devices for the VM seems to work best for me (the E1000 seemed to hamper my upload/download speeds quite a bit, VirtIO made it pretty much line-speed — that could just be OpenWRT quirks or my NIC, idk).

source
hamsda@feddit.org ⁨9⁩ ⁨hours⁩ ago
I did not run OPNSense, but I have a direct comparison for pfSense as VM on Proxmox VE vs pfSense on a ~400€ official pfSense physical appliance.

I do not feel any internet-speed or LAN-speed differences in the 2 setups, I did not measure it though. The change VM -> physical appliance was not planned.

Running a VM-firewall just got tiring fast, as I realized that Proxmox VE needs a lot more reboot-updates than pfsense does. And every time you reboot your pfSense-VM-Hypervisor, your internet’s gone for a short time. Yes, you’re not forced to reboot. I like to do it anyway, if it’s been advised by the people creating the software I use.

Though I gotta say, the pfSense webinterface is actually really snappy and fast when running on an x86 VM. Now that I have a Netgate 2100 physical pfSense appliance, the webinterface takes a looooong time to respond in comparison.

I guess the most important thing is to test it for yourself and to always keep an easy migration-path open, like exporting firewall-settings to a file so you can migrate easily, if the need arises.

source
coffelov@lemmy.ml ⁨15⁩ ⁨hours⁩ ago
Some years ago i posted something simillar to your post, in conclusion it is safe to run on a vm and have the ethernet ports pointed to it, i personally use bare metal since im still not too familiar with opnsense to start thinking of migrating to a vm

source