xen-users
Re: [Xen-users] pfSense HVM
On 06/05/10 19:54, Jonathan Tripathy wrote:
On 29/05/10 02:20, Nicolas Vilz 'niv' wrote:
On 05/29/10 01:46, Jonathan Tripathy wrote:
actually, i use pfSense in hvm quite a while... it works. recently i
tried to get pfSense in pv, but that needs to be polished some time
before it is ready to use. (it works, but it is half broken that way
and i spent the whole day yesterday to get a clear view on that
problem).
That's good that it works well in HVM. What kind of throughput can you
get? My co-lo is giving me a 100Mbit connection, thing Xen can
handle that?
I think it is worth a try. problem is, you get 8139cp emulated
chipset with hvm (without pci passthrough) and I don't really know,
if that can handle 100mbit.
I had several event setups with pfSense as Uplink gateway one
physical on a dl380 and one as HVM. On the WAN side there where 3
16MBit uplinks, on the LAN side there where up to 400 people
accessing the WAN side.
Once the physical pfsense crashed because of RAM failure. Nobody
noticed. Not even I noticed. So I can say, for 3x 16MBit you don't
really notice a difference between physical pfsense and HVM
virtualised one.
make sure, you can access that dom0 in event of emergency. If anything
happens to your pfsense, which is possible, you probably can't access
your dom0 anymore and are stuck and thats probably not what you want.
This is a really good point, and I'm not sure what to do in this case.
The only thing I can think of, is to give the 2nd physical NIC on the
server access to the Dom0 directly (bypassing the pfSense firewall
DomU), however I'm not sure if my co-lo can provision this without
extra
costs...
and then your dom0 will be accessible. that is what you wanted to
prevent for extra security.
one advantage an extra NIC gives you in this situation, is: you can
get hardwired access to a different network, which has nothing to do
phyically with your main network and your pfsense in front. i don't
know if your co-lo can make this happen, but it would be a
possibility. an extra port for a NIC will normaly cost you something
extra.
btw, you don't need to passthrough your nic for that behavior. In a
bridged setup you just have to leave your bridge interface to the
outside without an ip address.
Since the NIC will be the physical interface for the WAN, I thought I
would use PCI Passthrough for extra security? So that the Dom0 has *no
access* to the physical NIC? Or am I incorrect?
if you passthrough your NIC, then you are right. no access from dom0
to physical NIC.
if you just setup a bridge on the WAN NIC and put the pfsense domU
with one foot on that NIC, you have the possibility to setup another
domU to be accessible outside, and you can setup emergency access to
dom0 on that bridge, too. if you don't need dom0 for an external
access, you can leave the bridge interface without an ip address,
like i wrote above. I don't know, if someone can gain access to your
dom0, when this dom0 has an unconfigured bridge listening on your WAN
port.
you have to decide, how secure your setup shall be and what will you
have to do, if your pfsense crashes.
if your co-lo doesn't allow you to have several MAC addresses on that
port, you won't be able to use that kind of setup either.
in that case the only possible solution for you will be passthrough
one of your two NICs to pfsense and hardwire the other one to your
dom0 for emergency access.
PCI Passthrough is possible for your hardware, right? If not, you are
still able to use the bridged setup as long as just one MAC shows up
on that port.
Sincerly
Nicolas
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
Hi Nic,
What kind of throughput are you getting with your pfsense guest? I've
got my Gigabit NIC passthrough to the pfsense DomU (To act as the
"WAN"), then I've connected the "LAN" side of pfsense to a Xen bridge,
with the Dom0 is also connected to. I tried to do a file tranfer (via
samba) from a machine on the "WAN" to the Dom0. The speed was capping
out at 90Mbps. In the pfsense config, I've made the NIC "e1000" and
pfsense does show it's connected at 1000.
Any ideas?
Not really, i tried e1000 as well, but couldn't see any advantage for
that (Throughput was nearly the same or worse). Either i don't see the
difference between emulated 8139cp and e1000 or there is no difference
when using it for openvpn in a bridged setup. I will analyze that
further. The real performance boost would be the pv driver with freebsd
and pfsense, but i haven't done that yet (patched pfsense kernel with
xen modules). Inside openvpn i get a max throughput of 800 kb/s, where
there should be 100Mbit or 1000 Mbit (if i emulate the right one). Thats
a bit confusing for me, but i keep observing and searching. Pfsense
shows connected at 1000 Mbit, too on my side.
That doesn't really help you right now, but that is what i know and
experienced so far.
Sincerly
Nicolas
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|