Stux (MVP, joined Jun 2, 2016, 4,419 messages)
So you end up with them both virtualized and that isn't an issue at all?
How much work is it to make this type of setup actually work, and what spec changes would I need to make it not slow and suck?
The biggest issue is that if you have to restart/upgrade your ESXi, you have to take down your internet firewall/gateway. Think about what that means.
BUT that does mean that you don't have to run a separate box for your gateway.
pfSense needs a gig or so of RAM, at least 1 dedicated ethernet port (for WAN), preferably two, and a vCPU (or 2) depending on how much throughput you want. Of course, it only uses vCPU when you're actually using it... same with the RAM, it can swap with the ESXi host cache and page to your boot M.2.
As I mentioned, my board has 2 gigabit ports, so one can be WAN and one LAN. The LAN one can connect to my switch, and internally ESXi can connect any VMs I want directly to the LAN group so that internet-bound traffic doesn't even need to go to the switch.
Some say that doing this is less secure than a separate box. I'm sorry, but if someone knows how to break out of a VM guest into the hypervisor then they have bigger fish to catch than me...
The most important thing though is that there are two gigabit ports and one of them has the IPMI fallback set on it by default (the first). Do not put your WAN on that port! It would mean exposing IPMI to the interwebz.
Explicit pfSense/ESXi setup instructions coming soon ;)
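As an added sanity check (not from Stux's post, and not a pfSense or ESXi tool), the script below parses vSwitch/port-group text in the layout of `esxcfg-vswitch -l` and flags two of the mistakes the post warns about: the WAN port group landing on the physical port that also carries IPMI fallback, and any other port group sharing the WAN uplink. The sample output and the assumption that `vmnic0` is the IPMI-shared first port are constructed for illustration; check your own board's manual for which port the BMC actually uses.

```python
import re

# Constructed sample in the layout of `esxcfg-vswitch -l` (assumption: real
# column spacing may differ). Here WAN sits alone on vmnic1, LAN + mgmt on vmnic0.
SAMPLE = """\
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         1536        4           128               1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Management Network    0        1           vmnic0
  LAN                   0        3           vmnic0

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         1536        1           128               1500    vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  WAN                   0        1           vmnic1
"""


def parse_portgroups(text):
    """Return {portgroup name: set of uplink vmnics} from the listing above."""
    groups = {}
    in_pg = False
    for line in text.splitlines():
        if line.startswith("Switch Name"):      # new vSwitch block
            in_pg = False
        elif line.strip().startswith("PortGroup Name"):
            in_pg = True                         # port-group table follows
        elif in_pg and line.startswith("  ") and line.strip():
            cols = re.split(r"\s{2,}", line.strip())
            name, uplinks = cols[0], cols[-1]
            groups[name] = set(uplinks.split(","))
    return groups


def check_wan_isolation(groups, wan_pg="WAN", ipmi_nic="vmnic0"):
    """Return a list of findings; an empty list means the layout is as advised."""
    findings = []
    wan = groups.get(wan_pg, set())
    if not wan:
        findings.append(f"port group {wan_pg!r} has no uplink")
    if ipmi_nic in wan:   # WAN on the IPMI-shared port exposes the BMC to the internet
        findings.append(f"{wan_pg} rides on {ipmi_nic}, the IPMI-shared port")
    for name, ups in groups.items():
        if name != wan_pg and ups & wan:  # WAN port should be dedicated to pfSense
            findings.append(f"{name!r} shares WAN uplink(s) {sorted(ups & wan)}")
    return findings


if __name__ == "__main__":
    print(check_wan_isolation(parse_portgroups(SAMPLE)) or "WAN layout OK")
```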