Want to run PiaF on Proxmox with pfSense

joeg

I am looking at a new setup that's pushing the envelope a bit for me. Just wondering if this might work.

Will be getting a new server, and will set up Proxmox on the server. In the partitions I want to run pfSense on one and PiaF Purple on another. I'll set up a third one to be a file, SQL and Web server.

I presume the PiaF Purple is not a problem, I just load up the ISO into a virtual machine, install it and set it up, correct?

Here's the rub. It appears that Proxmox requires a full IP configuration to get itself going. Of course I can't install the pfSense router until the Proxmox is set up. Can Proxmox ultimately get its IP info from a router that's running in one of its own virtual machines?

Or do I have to just resign myself to keeping my current cheapie router?

Thanks in advance!
 
using proxmox, you can either fully virtualize the PIAF using KVM or use OpenVZ. IP config is very simple using the latter.

You will probably need to add vmbrs to pfsense manually, for each VM NIC in /etc/network/interfaces.

There should be additional info at the proxmox forums about this.
 
I am doing this myself. An openvz piaf bronze, and pfsense 2.0 in a KVM. The issue you raise should not really be an issue, since neither the proxmox host nor the piaf should have dynamic IP - give them a static and it works fine. One caveat: I found it best to add a couple of /etc/hosts entries for the piaf VM and others so the proxmox host wouldn't have issues if the pfsense VM was down for some reason.
 
I am not sure that I would want to do this. I understand the virtues of virtualization, but I am not sure that I want my edge router/firewall on a virtual slice.

To me, the edge router/firewall is my first line of defense against the bad guys. That device needs to be tough and with a minimum of things installed on it. I used to use ClearOS (fka Clark Connect) at the edge and have decided that PFSense is a better solution.

1. PFSense runs on FreeBSD
2. It is designed from the ground up as a firewall.
3. ClearOS is sort of a "Swiss Army system" with lots of additional components that could be vulnerabilities.

Running your firewall on a Virtual Slice sounds neat, but I would think that it brings the vulnerabilities of the underlying operating system into play, in this case I believe it is Debian.

Just my 2 cents worth.
 
true, but i think this is mitigated (at least in my setup) by the fact that no process on the proxmox host uses the WAN nic.
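
The mitigation described in the post above (the Proxmox host itself has no IP presence on the WAN NIC) can be checked against the host's network config. This is an added example, not code from the thread; it assumes Debian ifupdown syntax in `/etc/network/interfaces`, and the interface names and addresses in the sample are constructed.

```python
# Constructed sample of a Proxmox host /etc/network/interfaces (names and
# addresses are assumptions): eth0/vmbr0 = LAN, eth1/vmbr1 = WAN for pfSense.
SAMPLE = """\
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

# WAN bridge: only the pfSense VM attaches here; the host takes no address
auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
"""

def parse_ifaces(text):
    """Return a list of stanzas: {"name", "method", "options": {key: value}}."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = {"name": words[1], "method": words[3], "options": {}}
            stanzas.append(current)
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None  # top-level keyword ends the previous stanza
        elif current is not None:
            current["options"][words[0]] = " ".join(words[1:])
    return stanzas

def wan_exposure(text, wan_nic):
    """Host interfaces that carry wan_nic and also have a host IP config."""
    findings = []
    for st in parse_ifaces(text):
        ports = st["options"].get("bridge_ports", "").split()
        on_wan = st["name"] == wan_nic or wan_nic in ports
        has_ip = st["method"] != "manual" or "address" in st["options"]
        if on_wan and has_ip:
            findings.append(st["name"])
    return findings
```

An empty result from `wan_exposure(text, "eth1")` means the host has no IP configuration on any interface carrying the WAN port; it says nothing about the pfSense VM's own rules.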
 
I switched away from clearos for similar reasons. When it was clarkconnect it was good, but they started putting all kinds of heavyweight enterprisey features in and it got too clunky for me.
 
Interesting idea. Please update us with your progress on this- very curious how it ultimately works out (or doesn't). Good luck!
 
luckman, not sure who you were addressing, but if it was me, i've been up on this for several weeks with zero issues. i also have my mail/web/samba server as an openvz centos5 server.
 
I guess I was directing it at the OP, but I'm glad to hear that you're running things this way without issues. :thumbsup: What is the underlying hardware that you've got all of this sitting on?
 
A server mobo with 2 dual-core amd 2.2ghz cpus (so 4 total cores) and 8gb ECC RAM :) Here is a load output on the proxmox host:

23:03:08 up 18 days, 32 min, 2 users, load average: 0.06, 0.07, 0.02

I have 4 actual VMs running: the KVM pfsense gateway, an openvz piaf bronze, an openvz centos5 server and a windows xp pro KVM (which I use for telecommuting.)
 
btw, i was very lucky to score this mobo - i got it off ebay "as is" (with no ram, but i had that from the predecessor server), but including the two cpus installed already. it was stripped out of a rackmount server that was being upgraded or somesuch. cost? $98!
 
Don't want to get too far off topic here, but that seems quite nice. How's your dahdi_test output? What timing source are you using for * (res_timing_dahdi or res_timing_pthread ?) Any timing issues?? What about the overall kernel clocksource (acpi_pm, hpet, tsc ?). Sorry for all the questions. I'm a bit obsessed with timers, timing & accuracy these days.
 
Ah, I have no dahdi at all - voip all the way. Asterisk seems to opt for the pthreads timer. The host defaulted to hpet.
 
I don't have any dahdi hardware either - you can still run dahdi_test to test the accuracy of your timers. I yearn for res_timing_timerfd.
 
Unfortunately, as configured, there is no dahdi device to use. Oh well. Yeah, I'd love to have timerfd too. Ironically, the underlying host supports it, but the openvz guest can't because its runtime is too old (centos5).
 
Will report back

Hello concerned citizens,

I'm going to get this up and running in about a week or so, meaning the 2nd week of January 2011. I'll report back on how it goes. I appreciated the poster who said he had insignificant security concerns given that the Proxmox doesn't own the WAN port.

Regarding PiaF Purple in a Proxmox slice, I just install the ISO, go through the rest of the install, and I'm golden, right? Just like on a dedicated machine?
 
Due to some interesting changes, I probably won't be virtualizing the pfSense router. However, I have another hard (for me) question. Really want to run PiaF Purple in a Proxmox OpenVZ. My hardware is too old for KVMs. Can this be done? Also have another thread to this effect.
 
