Virtualised vs Bare metal for extra software

Started by PeeWeeHerman, April 19, 2021, 08:57:50 PM

Hi All,

I have a bit of a configuration dilemma. I have a decent old PC and would like to install OPNsense but would like to add additional software so the hardware doesn't go to waste.

Hardware:
- Intel I7-2600K with 1GB Nic on motherboard
- 32GB DDR3
- Intel I350-4 Nic
- 500GB Single SSD

Internet Setup:
- 350Down/35Up - Fibre connection
- Router/Modem connecting to the onboard Nic as WAN

Internet Usage:
- Streaming (Need B/W Volume)
- Gaming (Need Low Latency)
- Home Working (Need Stability)

Core Firewall Software:
- OPNsense
- AdGuard Plugin - Using the 'core' blacklists, nothing crazy.
- Sensei Plugin (Maybe, still not convinced if I need it together with AdGuard)
- IDS/IPS Plugin - Once again just the 'core' blacklists.
- No VPNs on the FW, I have VPN software on the windows boxes.
- Some sort of Parental control script or will use Sensei
- lets-encrypt plugin
- Cron Jobs

Expected Nic Assignment:
- On-Board - WAN
- Card Nic0 (Main Lan) - My PC (access to FW Interface/SSH) / Work PC Subnet
- Card Nic1 (OPT1) - TV/Firestick/Netflix
- Card Nic2 (OPT2) - Family Router/Home Wifi (Laptops/Phones)
- Card Nic3 (OPT3) - IoT/Alexa Vlans

Additional Software:
- Jenkins Controller (No agents) - Would be controlling agents inside network and in cloud.
- Grafana Server (Could use the community plugin)
- Log/Statistics database (MySql/Mongo) with scheduled offsite backups.

So I now have 2 options:
1) Run everything on the same server. Jenkins and the DB maintenance would be done via SSH to the FW box.
2) Virtualise (Proxmox?) - Firewall on one VM with passthrough NICs and the other software on one or two other VMs.

Question: Which option is 'better (tm)'?

Each one has obvious pros but the cons:

Cons - Option 1:
Running other software outside of the confines of the FW is never a good idea.
The log/statistics database I can lock down, I think the problem is Jenkins.
Issue 1: It runs on Java. Issue 2: Even if I consider Jenkins itself safe, there is no way I can validate the integrity of its plugins. Yes, I can try to lock it all down, but I'm human, I'll miss something.

Cons - Option 2:
Virtualising the firewall. While I'm relatively convinced that the hypervisor will not be compromised, I'm somewhat worried about the extra layer of complexity. That said, if I get my Nic pass-through done correctly everything else should be relatively problem free.

So having written this all out I've almost talked myself into option 2, since the benefit of virtualisation and the con of putting 'alien' software on the firewall seem to outweigh all else.

Can anyone shed some light and/or maybe suggest another reason to swing either way?

Thanks!
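On the NIC pass-through point raised above, this is an added example (not from this thread, nor from the OPNsense or Proxmox projects) of the check worth running on the hypervisor host before committing to option 2: the I350 ports handed to the firewall VM should share an IOMMU group only with their own sibling functions, not with other host devices. It assumes a Linux sysfs layout; the PCI addresses used are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that a PCI device intended for passthrough is isolated
# in its IOMMU group. A group shared with unrelated devices means those devices
# are either dragged into the VM with it or cannot be passed through safely.
# The sysfs root is a parameter so the check can be exercised on a constructed tree.
# Usage: check_iommu_isolation <sysfs_root> <pci_address>
#        e.g. check_iommu_isolation /sys 0000:03:00.0

check_iommu_isolation() {
    sysroot="$1"
    dev="$2"
    devpath="$sysroot/bus/pci/devices/$dev"
    [ -d "$devpath" ] || { echo "no such device: $dev"; return 2; }
    group_link="$devpath/iommu_group"
    # No iommu_group link means the IOMMU is off (or not supported): no passthrough.
    [ -e "$group_link" ] || { echo "IOMMU disabled or no group for $dev"; return 2; }
    group=$(basename "$(readlink -f "$group_link")")
    # Slot = domain:bus:device, i.e. the address without the function number.
    slot=${dev%.*}
    rc=0
    for member in "$sysroot/kernel/iommu_groups/$group/devices"/*; do
        m=$(basename "$member")
        case "$m" in
            "$slot".*) ;;   # another function of the same card (e.g. another I350 port): fine
            *) echo "group $group also contains $m"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "$dev is alone in IOMMU group $group"
    return $rc
}

if [ "$#" -eq 2 ]; then
    check_iommu_isolation "$@"
fi
```

A non-zero exit means the device is not isolated; on the real host run it once per I350 port and expect all four to report the same group with no foreign members.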
Short answer: Virtualise. For all the reasons you mentioned.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).