PFSense + HyperV & An odd setup. Will it blend?

I was looking for a 2nd PC to use PFSense on or maybe a decent router for 2.3gb internet with Yayzi... but then I had a thought...

Could I do something else... This: ?

Connect the ONT at the wall to a dual port 2.5gb nic that is passed to pfsense running in hyper v on my PC. Then that is connected via the 2nd port to the 2.5gb on my motherboard.
I also pass though a USB gigabit adapter I use to pfsense that can connect to my router to provide wifi. Or I could use the wifi on my motherboard directly as it is 6E and actaully faster than my AX3000 TPlink router.

Would this work out at all? Is there a better layout I am not thinking of?

£30 odd on a dual 2.5gb network card (id have to check it could send/receive 2.5gb of data at the same time via the 2 ports or it be usless) is far cheaper than £100+ for a router and will have the added security of pfsense.

I'm hoping that would work. Downside is my PC would have to be on 24/7 but its on most the time anyway.

Thoughts?

Edited by Seansmit17 (Sat 25-May-24 04:59:57)

I can't vouch for how pfSense runs in Hyper-V but have run in on a Mac Xserve (rack server) under Virtualbox
and under KVM (Linux+QEMU+LibVirt) on PC hardware.

So personally I'd be doing as KVM physical host with Windows and pfSense guests
that way the attack surface of the host system would be reduced (as would not install the desktop environment)
as Windows (guest) could then be shutdown or even just suspended when not in use.

It's as much a matter of taste though, and experience on how well you can secure either setup.

Edited by prlzx (Sat 25-May-24 15:28:35)

With your approach, if Hyper-V creates virtual network adapters, you don't need to patch the second port of the dual back into your main board built-in.

Your Windows host and pfSense can both have a virtual adapter on the same internal network (or virtual switch if you like) for that and won't actually flow over any physical NIC or be constrained to their speed.

To pfSense it will be a LAN on one of its NICs and to Windows it will see an extra NIC and be able to get its addressing from that pfSense LAN.

You could call that internal network the host-to-guest LAN or whatever makes sense logically.

However you play it you will need to think about your default route though as Windows will sometimes have 2 default gateways while setting it all up and will choose what it thinks has the better metric, unless you configure one of them manually or manage the routes persistently (with route -p add)

Edited by prlzx (Sat 25-May-24 15:54:16)

Thanks,

So a dual port was a waste.. but that being said it was only a little bit more. And when I DO build a dedicated box for this task It will be useful to have a dual port card as then i dont need to worry about either buying another 2.5g card or finding a mobo that has onboard 2.5g networking.

The card arrives tomorrow so I might try getting everything set up but working with my VM connection (hub is in modem mode) just so i know more about what I am doing when my new connection from Yayzi is installed.

Having a play about to get used to how things work with pfsense and networking. Networking is not my strong suit but I can get most things I need to do done.

I have pfsense working in a VM. I have set up an internal switch and set one of my network adapters to be used as well. That is connected to my VM hub in modem mode and things are working... mostly.

I am on the internet fine but pfsense says it does not have an IP from the WAN.. but it must do as I am connected to the net lol

Fun times ahead.

I run OPNsense which is a cousin of Pfsense on a Qotom box with an Intel processor.
The Dashboard shows the IP addresses of the interfaces.

I have hit a roadblock I am unable to get past.

I have pfsense working from what I can tell. I am online at any rate.

But I still need wirless access. So, I put my router in AP mode. Disabled DHCP and set an IP manually (192.168.1.2) pfsense is on 192.168.1.1.

I have my router connected to another network card in my PC and have passed that though to the pfsense vm same as i did for the network card im using for the wan thats connected to my virgin hub.

But I can not access the router from my pc, wifi clients are failling to connect as they are not getting an IP from DHCP. If I set an IP manually there is not internet access and I can not access pfsence either.

I have made sure the interfaces are enabled and even tried to bridge the connections in pfsense and still nothing.

I have no idea what is wrong or what i a doing wrong.

Any ideas?


EDIT:

I did notice one thing.... The VM was off and I still had internet.... So DHCP was getting the VM ip info in windows and not via the VM.. Opps? Maybe thats an issue.. Will investigate


EDIT 2:

FIXED

I dont know what the issue was but after booting, rebooting, unplugging, everything 60 times... POP all of a sudden OPNSense had a WAN IP from VM... And my router thats in AP mode for wifi just popped up on DHCP as well as all my other wifi devices..

Thank god for that. Only took me 6 hours! And I am still not sure what the issue was. I think it was something to do with how the network interfaces were set up in Hyper V's switch manager.

Just glad its all working. Got some practice in for when CityFibre is installed and I got to go and tweak this to work with that set up.

Now I get to play with OPNSense firewall etc etc... but first some sleep to give me heart a rest xD

Edited by Seansmit17 (Sun 26-May-24 05:11:56)

you changed from pfsense to opnsense? as you said opnsense right at the end.

I am surprised opnsense is as popular as it is, it seems to have more users than pfsense now, but so much stuff on it is unpolished, unfinished etc.

If you get the problem again, potential gotchas that can cause LAN connectivity issues.

VLAN configuration.
On hypervisors, virtual switch configuration.
On hypervisors, firewall configuration.
On opnsense, pfsense etc. if using wrong NIC for LAN/WAN.

Edited by Chrysalis (Wed 29-May-24 22:19:34)

Have you seen the Aliexpress Topton/CW/Kingnovy 4 port i226 N100 boxes?

These are ideal for this and will probably pay for itself just in power saving in a year or less depending on how much power your PC uses.

I have a couple (running Proxmox) with one a cold standby and they are pretty much perfect for this.

I have considered them, But I decided on a full desktop to use as a server so i can use it for pfsense as well as a web and game server.

Picked up a 2nd hand I5 4690 system. Planning on sticking a i7 4790K in it soon.

Its got enough power to do what i need. Yes it uses a bit more juice, about 66w at idle currently.

I am having other issues with opnsense/pfsense now but I am still working my way into learning how it all works.

Im sure Ill be posting again soon with issues

Set up sorted for the most part.

I do need to get a 2.5gb network switch though. Other than that all is working. I ended up going with Proxmox with a pfsense VM and also changing my dual port 2.5g network card from a realtek chip to Intel. The realtek one apparently does not play nice with pfsense.

I will have to do some VLAN stuff once Yayzi is installed but apart from that I should be able to unplug from the Virgin Hub 4 and connect to the newly installed ONT and carry on

I managed to get all this working with no IT work experience and yet I cant get a job in the IT sector as I have no IT work experience.. Go figure.

I managed to get all this working with no IT work experience and yet I cant get a job in the IT sector as I have no IT work experience.. Go figure

That's a bit like saying you changed the brakes on your car with no work experience but no garage will hire you as a mechanic.

If you are going up for trainee jobs then it could just be people with more experience/qualifications are getting the jobs - the market may be strong enough that there are people with lots of experience going for relatively junior roles. To get a foot in the door you might have to start on an IT Service Desk or similar role to get some experience - you also need to be doing as much learning as possible doing whatever training you can get in order to round out the CV.

In reply to a post by Seansmit17:

I ended up going with Proxmox with a pfsense VM and also changing my dual port 2.5g network card from a realtek chip to Intel.

I managed to get all this working with no IT work experience and yet I cant get a job in the IT sector as I have no IT work experience.. Go figure. laugh

Padawan you show great promise.

Tryout other firewalls OPNsense, Sophos XG HOME edition.
Can do samething in XCP-ng other then Proxmox.
Master Docker and Kubernetes.

Most off all have fun learning.

https://www.sophos.com/en-us/free-tools/sophos-xg-fi...

Edited by amiga_dude (Tue 04-Jun-24 09:12:47)

Game servers don't use that much CPU power.
I've got mine running on an Intel N100.
You could have got an N300 model that has 8 cores and that would be more than enough to do OPNsense and game servers.

Thanks Dan

You would think... but not so much

We run a MC server thats got well over 400 mods and uses a goo chunk of ram and a butt load of CPU.

The system I am using at the moment will do the job, Im going to change the CPU to an i7 4770K vs the other one I mentioned as its much cheaper.

I am planning on upgrading my main PC later this year so my server will become what I have now and that will be overkill. (Ryzen 7 5800X3D, 64GB DDR4-3600) I'm not to worried about power though, right now the intel server is using around 70 watts, Sure its a little more than a lower power i3 but cost wise its a few £ a month.

Will also be running a Palworld server, Satisfactory and maybe one other on top. Plus the pfsense router VM, Proxmox and a webserver (game server and web server are on the same Ubuntu VM)

Oh I get that but there's a lot more to it than that.

I know much more than just this but my point was that with out a good base knowledge on how this stuff works I would never of gotten it working at all or at least it would of taken a long time.

Its not like I am going in not knowing anything or very little at all.

The car thing is a funny way of putting it to me as I grew up fixing cars with my dad as he was a mechanic, and now fix my own motorcycle so that's a job you would think I could get... I've not tired tho .

Honestly, I have tried to "show off" my computer knowledge at interviews and its been the same answer every time Lack of work experience. How is one to get it if that's what employers want xD

I did go for an apprentice job at the same company my Mother works at... I got turned down due to my age and they took on a fresh out of collage 18 year old. They never said that to my face mind but that's the information my Mother was able to glean from them since her job is quite high up the "food chain".

I would go and grab me some Comp TIA curses but at £200+ a pop and then going to an interview and getting told the same thing id probably choke the interviewer with the certificate!

The joke goes:
I'm here for the job. Oh you need experience for a job, That's what I am here for. Then go get a job for experience. Give me a job then? You need experience to get a job...

Anyway, Way off topic

Minecraft is single core.
The N100 has is close to single core speed of a 4770k but lower multicore performance.
The N305 is faster in single core than a 4770k and much higher multicore performance.
Both have way lower power usage.

Thanks
Dan