On Tue, 2017-10-10 at 14:16 -0700, Walter Parker wrote:
> On Tue, Oct 10, 2017 at 12:57 PM, Doug Lytle <[email protected]> wrote:
> > > > Or do you think I am absolutely crazy? Or maybe just one hardware and
> > > > one virtual?
> >
> > Quite a few of my firewalls are virtualized using ESXi and have done so
> > for a few years now.
> >
> > Doug
> > _______________________________________________
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
>
> I run my ESXi boxes with pfSense as the firewall. It has worked well for
> years. I'd recommend that over standalone HW firewalls.
>
> Walter
I do all of the above and then some. You need to decide what is required and use the various technologies according to your budget, performance requirements, risk requirements and continuity requirements. So:

* Virt: works very well on VMware (probably others - can't comment)
* Continuity through upgrades: needs HA with CARP => you must have at least three IPs per WAN link

If you can manage at least three IPv4s per external link then it does not really matter whether you use physical or VM these days, unless you need extreme IPsec throughput. If you do go the two-VM route, then make sure they run on two different hosts at all times. With VMware Enterprise Plus you can create affinity rules in DRS.

My work systems are physical these days, and are blindingly quick on pretty old hardware - a pair of Dell R320s with a lot of network cards. They have a pair of NICs on board and you can fit at least two quad GB NICs in them. I effectively use them as layer three switch and router and firewall with a GUI and a lot more. VoIP calls and IPsec/OpenVPN tunnels etc. carry on regardless through upgrades/reboots of the nodes.

On other sites I have deployed a single pfSense box as a VM. Upgrades need downtime, but you can snapshot it first for a backout if it goes wrong. Backups needed.

On single-VM hosts, e.g. one ESXi with the pfSense router as a VM, you can't remotely, safely do nearly any changes. I've banned this model.

Some sites have a single physical box - APU2 based in most cases. Backups. Also a stock of replacement boxes.

Cheers

Jon
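The "three IPs per WAN link" requirement Jon states above is the part people most often get wrong when sizing an ISP allocation for a CARP pair: each node needs its own WAN address plus the shared CARP VIP, and the upstream gateway normally lives in the same subnet, so a /30 cannot carry an HA pair. The script below is an added example (not code from the thread or from the pfSense project) that checks a proposed WAN prefix against that rule and hands back the three addresses. The "VIP takes the lowest free address" convention and the RFC 5737 documentation addresses are assumptions for illustration only.

```python
"""Plan the WAN addressing a pfSense CARP/HA pair needs on one link.

Added example, not from the mailing list thread or the pfSense project.
Rule checked: one address per node plus the shared CARP VIP (three), with
the ISP gateway excluded because it usually sits in the same subnet.
All prefixes below are constructed RFC 5737 documentation ranges.
"""
import ipaddress

CARP_ADDRESSES_PER_LINK = 3  # node A, node B, shared CARP VIP


def plan_carp_wan(prefix: str, gateway: str) -> dict:
    """Return the addresses an HA pair needs on `prefix`, or raise ValueError.

    `gateway` is the upstream router address and is removed from the pool.
    ipaddress.hosts() already drops the network and broadcast addresses
    (and handles /31 and /32 specially), so the count is of usable hosts.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    free = [h for h in net.hosts() if h != gw]
    if len(free) < CARP_ADDRESSES_PER_LINK:
        raise ValueError(
            f"{net} leaves {len(free)} usable address(es) after the gateway; "
            f"CARP HA needs {CARP_ADDRESSES_PER_LINK} (node A, node B, VIP)"
        )
    # Assumed convention (not a pfSense rule): VIP gets the lowest free
    # address so it stays stable, the nodes take the next two.
    vip, node_a, node_b = free[:3]
    return {
        "network": str(net),
        "gateway": str(gw),
        "vip": str(vip),
        "node_a": str(node_a),
        "node_b": str(node_b),
    }


def carp_fits(prefix: str, gateway: str) -> bool:
    """True if `prefix` can hold the gateway plus an HA pair, else False."""
    try:
        plan_carp_wan(prefix, gateway)
        return True
    except ValueError:
        return False


def smallest_carp_prefix_v4() -> int:
    """Longest IPv4 prefix length that still fits gateway + 3 hosts."""
    for plen in range(32, 0, -1):
        net = ipaddress.ip_network(f"198.51.100.0/{plen}")
        if len(list(net.hosts())) - 1 >= CARP_ADDRESSES_PER_LINK:
            return plen
    raise RuntimeError("unreachable: a /1 always fits")


if __name__ == "__main__":
    # Constructed sample allocations: a /29 works, a /30 does not.
    print(plan_carp_wan("203.0.113.0/29", "203.0.113.1"))
    print("/30 fits:", carp_fits("203.0.113.0/30", "203.0.113.1"))
    print("longest usable IPv4 prefix: /%d" % smallest_carp_prefix_v4())
```

Run it against the prefix your ISP actually offers before ordering; the failing case raises with the count it found, which is the number to take back to the provider. The same logic applies per WAN link, so a dual-WAN HA pair needs two such allocations.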
