OPNsense - virtualized or not?

Started by kss, January 10, 2023, 04:07:55 PM

Hopefully an easy question --

I have OPNsense running on a dedicated dual-ethernet machine for our SOHO. This deployment is not virtualized.

Should this instance of OPNSense instead be running on the same hardware virtualized? Why or why not?

Yes, very easy question. Have you tried searching before starting a new war on that?  ;D
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

My research says it "Depends," which could conceivably start a religious war.  ;D

ChatGPT answered along similar lines, but I find it much spookier! See ChatGPT's answer below:

Quote: The decision to virtualize a firewall or run it on bare-metal depends on a variety of factors, including the specific requirements of your organization's network security infrastructure and the capabilities of the firewall software and hardware that you are using.

One of the main benefits of virtualizing a firewall is that it can be more easily managed and scaled than a physical firewall. This can be particularly beneficial for organizations with dynamic or rapidly changing network requirements. Virtual firewalls can also be more easily replicated, making it easier to test new configurations or to create disaster recovery plans. Additionally, virtual firewalls can be run on commodity hardware, which can be less expensive than specialized firewall appliances.

On the other hand, running a firewall on bare-metal can offer several advantages as well. For example, running a firewall on bare-metal can provide better performance, as virtualized firewalls can be affected by the overhead of the virtualization layer. Also, some organizations may prefer to keep their firewalls separate from their other virtualized infrastructure for better security and fault isolation. Additionally, certain organizations may have certain compliance requirements that mandate the use of physical firewalls.

Ultimately, the decision of whether to virtualize a firewall or run it on bare-metal will depend on the specific needs of your organization and the features and capabilities of the firewall software and hardware that you are using. It would be a good idea to consult with a network security expert or to consult the vendor's documentation and guidelines to understand the best practices and any limitations to follow before making a final decision.

January 10, 2023, 07:43:42 PM #3 Last Edit: January 10, 2023, 08:14:58 PM by pmhausen
Does the hardware you run OPNsense on have at least twice the power and capacity to run OPNsense? Because in that case you could run a different workload in parallel with OPNsense on the same system. That's the benefit of virtualisation. You can run multiple different systems on one machine.

If you don't have the capacity or do not intend to do this, virtualisation does not offer any advantages, only drawbacks. OPNsense can be difficult to virtualise depending on the hypervisor and give varying performance results depending on the network interface presented by the hypervisor.

Snapshots and rollback can be implemented by installing with ZFS.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
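As an added illustration of the ZFS snapshot-and-rollback approach Patrick mentions (this is example code added here, not from the thread or the OPNsense project): the script below wraps the zfs(8) commands so that a risky change to a bare-metal OPNsense box, such as an upgrade, can be undone without a hypervisor. It assumes a FreeBSD-style root dataset named zroot/ROOT/default, which the thread does not state; set ROOT_DS if yours differs, and set ZFS=echo to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the forum thread or OPNsense itself): snapshot the root
# dataset before a change and roll back to it afterwards if the change went wrong.
# Assumption: the box was installed on ZFS with the FreeBSD-style root dataset
# "zroot/ROOT/default" (override with ROOT_DS). ZFS=echo prints the commands instead
# of running them, which is useful for a dry run.

ROOT_DS="${ROOT_DS:-zroot/ROOT/default}"
ZFS="${ZFS:-zfs}"

# Build a snapshot name: <dataset>@<label>-<YYYYmmdd-HHMMSS>.
# A second argument pins the timestamp (used for reproducible dry runs).
snapshot_name() {
    label="$1"
    stamp="${2:-$(date -u +%Y%m%d-%H%M%S)}"
    printf '%s@%s-%s\n' "$ROOT_DS" "$label" "$stamp"
}

# Take a recursive snapshot of the root dataset and print its name, so the caller
# can record which snapshot to roll back to.
create_snapshot() {
    snap="$(snapshot_name "$1" "$2")"
    "$ZFS" snapshot -r "$snap" || return 1
    printf '%s\n' "$snap"
}

# Roll the root dataset back to a snapshot. The guard refuses names that do not
# belong to ROOT_DS, so a typo cannot roll back some other dataset.
# "rollback -r" also destroys snapshots newer than the target, which is what a
# rollback implies.
rollback_to() {
    snap="$1"
    case "$snap" in
        "$ROOT_DS@"*) ;;
        *) echo "refusing: $snap is not a snapshot of $ROOT_DS" >&2; return 2 ;;
    esac
    "$ZFS" rollback -r "$snap"
}

# List the existing snapshots of the root dataset, oldest first.
list_snapshots() {
    "$ZFS" list -H -t snapshot -o name -s creation -r "$ROOT_DS"
}

# Typical use before an upgrade:
#   snap="$(create_snapshot pre-upgrade)"   # then run the upgrade
#   rollback_to "$snap"                     # only if the upgrade misbehaved
```

On a root dataset a rollback takes effect on the next boot, so reboot after `rollback_to`; snapshots only protect the OPNsense configuration and system files, not anything running outside the box.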

That makes sense, thank you.

The firewall, which is running unvirtualized, does have some spare capacity, but I don't need the CPU cycles for any other compelling purpose (core i5 3470T dual core CPU, 2*GbE ports, 8GB RAM, 32 GB SSD).

I think I will just leave the production system alone for a bit longer and resist the temptation to muck with it.

January 10, 2023, 08:27:28 PM #5 Last Edit: January 12, 2023, 11:05:46 AM by meyergru
Slightly off-topic, on your cited ChatGPT answer, regardless of whether it is "correct" or not (BEWARE, this gets long!):

ChatGPT is IMHO much over-estimated: It somehow reminds me of the first occurrence of AI hype in the early 60s, when Joseph Weizenbaum wrote Eliza (1966) in an attempt to show how the Turing Test could seemingly be passed but obviously the "thing" that passed it was not intelligent. In the aftermath of that, projects were created in an ill-fated attempt to salvage the remains by feeding an AI with the supposedly missing "world knowledge", by which it would then really become intelligent. Sound familiar?

People involved in that matter (e.g. Vladimir Cherniavsky) later said that after a few years in vain, it turned out that the more information the system was being fed, the more contradictions turned up - which probably was to be expected, because of Gödel's incompleteness theorem.

Many "experts" now present ChatGPT as probably "replacing all of your jobs", when they really fall into the same trap. Even universities want to "ban ChatGPT", even if plagiarism by using it could easily be identified as I can show here by asking it some simple questions:

Quote: Q: Write a C program to calculate primes that are divisible by 11.

A: ... (The generated program outputs 11, but never terminates after that.)

Then going on, insisting:

Quote: Q: How many primes are there that are divisible by 11?

A: There are an infinite number of prime numbers that are divisible by 11, because there are an infinite number of prime numbers and any prime number that is divisible by 11 will also be a prime number. Some examples of prime numbers that are divisible by 11 include 22, 121, and 487.

To find more prime numbers that are divisible by 11, you can use a program similar to the one I provided in my previous response. This program will generate numbers and check if they are prime and divisible by 11, and it will continue to run until it is interrupted. To find the first few such numbers, you can add a break statement to exit the loop after a certain number of numbers have been found.

It is worth noting that prime numbers that are divisible by 11 are relatively rare. For example, there are only 7 prime numbers between 1 and 100 that are divisible by 11 (namely 11, 22, 33, 44, 55, 66, and 77).

Which is obviously utterly wrong. I told ChatGPT that and a day later the answer to the same question was:

Quote: A: There are an infinite number of primes that are divisible by 11. This is because any multiple of 11, such as 11, 22, 33, 44, etc., is divisible by 11, but these numbers are not prime. Prime numbers are numbers that are divisible only by 1 and themselves, so they cannot be divisible by any other number, including 11.

Which is still mostly wrong. Then, I tried:

Quote: Q: How many primes are there that are divisible by 9?

A: There are no prime numbers that are divisible by 9. Prime numbers are numbers that are only divisible by 1 and themselves. Since 9 is divisible by 3, any number that is divisible by 9 is also divisible by 3, and therefore is not a prime number.

Well, one lucky shot. But then:

Quote: Q: How many primes are there that are divisible by 3?

A: There are no prime numbers that are divisible by 3. Prime numbers are numbers that are only divisible by 1 and themselves. Since 3 is divisible by 3, any number that is divisible by 3 is also divisible by 3, and therefore is not a prime number. However, there are some prime numbers that are close to being divisible by 3. For example, 3 is not a prime number, but 7 is a prime number and it is only 1 away from being divisible by 3. Similarly, 11 is a prime number and it is only 2 away from being divisible by 3. These are just two examples, but there are an infinite number of prime numbers that are close to being divisible by 3.

Wow. Wrong again! But how eloquently put.

All this is to show that ChatGPT is fundamentally not any more "intelligent" than Eliza. It only fits within our times as a "Fake Fact Generator" that sounds convincing because it can talk eloquently. Which is probably why it convinced Jordan Peterson, which in turn I find disturbing, because in a way, he himself does exactly that and should be able to spot it.

Thus, I am not at all convinced by anything that is put up before me coming from that AI, because:

I bet that when I mark the above answers as false, they will be changed in a short while. And what if I mark even correct answers as false? Will ChatGPT then accept my lies as truth, like any dumb person? What does that say about anything that ChatGPT states?

So, please do not cite ChatGPT (much less call that "research") - take that for a religious war!  8)

@pmhausen's answer instead grasps the question and adds a genuine thought to its core, namely that virtualising a firewall is no virtue in itself, but only when the hardware still has something left on the table to actually work with besides the firewall itself. Thereby, he identifies as truly intelligent and knowledgeable, he might even turn out to be a human. Lesser experts like me might have reflected on the security aspects of using non-dedicated hardware for a firewall...

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

I would guess it depends on how often you tinker with the virtualization software/hardware. If the virtualization layer fails/stops, your internet access will go down as well.

I am currently building the same solution myself. My reason is that I want to get rid of a number of 24/7 running devices at home and build something which can take advantage of my 10 gigabit WAN.