OPNsense Forum

English Forums => Hardware and Performance => Topic started by: thowe on January 16, 2021, 12:57:44 pm

Title: With performant hardware - bare metal or Proxmox as base?
Post by: thowe on January 16, 2021, 12:57:44 pm
Hi everybody

I have been running OPNsense successfully on an APU2c4 for quite some time. Absolutely stable system.

Now I want to make my firewall fit in case I get Gbit internet one day, and so that I can run some more services performantly:
- Blocklists
- Suricata IDS
- maybe Sensei (only analysis and reporting)

On the shortlist is a Yanling hardware appliance (from Aliexpress) with 6 Intel NICs, Intel i5-8250U CPU, 16GB RAM, 500GB SSD. (Almost) identical in construction to the Protectli FW6D. Now I wonder if I should install OPNsense directly on the hardware, or if I should install Proxmox as a base, so that I can benefit even better from the great performance of the hardware.

Advantages would be:
- Console reachable over the LAN
- Snapshot possibility before updates or an experimental change
- Quick switch to a backup VM in case of problems

Looking at the forum, I see a mixed picture: Some swear by Proxmox as a base and have a stable system. Others struggle with stability and/or performance.

Those who have gone the Proxmox route:
- What are your experiences?
- If Proxmox: Which VM setup would you recommend? (Which CPU, which NIC, RAM settings etc.)

What do I need to consider when setting up Proxmox so that the WAN port is not vulnerable via Proxmox? Should I best choose pass-through of the WAN NIC to the OPNsense VM instead of a virtual bridge?

Thanks a lot for your inputs!
Tom

Title: Re: With performant hardware - bare metal or Proxmox as base?
Post by: datenimperator on January 16, 2021, 04:04:21 pm
FWIW... I used to run a virtualized OPNsense FW on Proxmox, but switched to single-purpose dedicated appliances after a while. Sure, it's possible to run one VM as a router/firewall for the others, but the additional hassle wasn't worth the little benefit, IMO.

* Basic routing and DNS should be available at all times, even when Proxmox is restarting
* VM startup order is crucial
* Network config is much more complex with this setup (although certainly possible)

While Proxmox is a great piece of software, I never used it for firewalling again. Just my $.02

- Christian
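For the two setup points raised so far (keeping the WAN port off the Proxmox host's own network stack, and making the firewall VM come up before everything else), here is an added example configuration. It is not from any poster in this thread and not from the OPNsense or Proxmox projects. It assumes a hypothetical VM id 100, a placeholder PCI address 0000:02:00.0 for the WAN NIC, enp3s0 as the LAN NIC, a constructed MAC address, and IOMMU (VT-d) enabled in the BIOS; adapt the addresses to your own box.

```ini
# /etc/default/grub (Proxmox host): enable the IOMMU so the WAN NIC can be handed to the VM.
# Afterwards: update-grub, reboot, and confirm with: dmesg | grep -e DMAR -e IOMMU
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"

# /etc/modules (Proxmox host): VFIO modules used for PCI pass-through.
vfio
vfio_iommu_type1
vfio_pci

# /etc/network/interfaces (Proxmox host).
# Only ONE bridge, on the LAN side, and that is the only place the host has an IP.
# The WAN NIC (placeholder 0000:02:00.0) is deliberately absent from this file:
# it is passed through below, so the host never has a driver, bridge or address on it.
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.2/24      # Proxmox web UI / SSH, reachable from the LAN only
    gateway 192.168.1.1         # LAN address of the OPNsense VM (assumed)
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0

# /etc/pve/qemu-server/100.conf (the OPNsense VM; id 100 is a placeholder).
name: opnsense
machine: q35                  # q35 is required for pcie=1 below
cpu: host                     # expose the real CPU features (AES-NI etc.) to FreeBSD
cores: 4
memory: 4096
onboot: 1
startup: order=1,up=60        # first VM to start; wait 60 s before the next one
hostpci0: 0000:02:00.0,pcie=1 # WAN NIC owned exclusively by the VM
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0   # LAN leg (constructed MAC) on the host bridge
```

With this layout the Proxmox kernel, its bridge code and its own firewall never see a WAN frame, so a weakness on the host cannot be reached from the outside; the host is only manageable from the LAN, through the OPNsense VM. If you cannot pass the NIC through and must bridge it instead, declare that bridge as `iface vmbrX inet manual` with no address and no gateway, so the host still has no IP on the WAN side; the `startup` line then covers Christian's point that the firewall must be up before any other VM needs routing or DNS.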

Title: Re: With performant hardware - bare metal or Proxmox as base?
Post by: thowe on January 17, 2021, 12:18:39 pm
Thanks Christian

I can understand your arguments very well. Frankly, I thought exactly the same until a few weeks ago. But after I put a small Intel NUC into operation as an internal Proxmox server and found the possibilities sensational, I also see the advantages. Especially being productive again quickly after a failed update (with a snapshot restore).

But yes. Your arguments, however, lead me again to rather want to go bare metal.

Title: Re: With performant hardware - bare metal or Proxmox as base?
Post by: Gauss23 on January 17, 2021, 01:08:43 pm
From my side the most important hardware feature is IPMI/BMC, to be able to connect to the device remotely (even the BIOS, and mounting remote DVD ISOs).

Running OPNsense virtualized has the advantage of taking snapshots before applying updates, and taking full-system backups is easier, too. Of course it adds an additional layer you need to take care of, even if the OPNsense is the only VM on that host.
Performance should be better without virtualization, though.