Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Virtualised vs Bare metal for extra software
« previous
next »
Print
Pages: [
1
]
Author
Topic: Virtualised vs Bare metal for extra software (Read 2847 times)
PeeWeeHerman
Newbie
Posts: 4
Karma: 0
Virtualised vs Bare metal for extra software
«
on:
April 19, 2021, 08:57:50 pm »
Hi All,
I have a bit of a configuration dilemma. I have a decent old PC and would like to install OPNsense but would like to add additional software so the hardware doesn't go to waste.
Hardware:
- Intel I7-2600K with 1GB Nic on motherboard
- 32GB DDR3
- Intel I350-4 Nic
- 500GB Single SSD
Internet Setup:
- 350Down/35Up - Fibre connection
- Router/Modem connecting to the onboard Nic as WAN
Internet Usage:
- Streaming (Need B/W Volume)
- Gaming (Need Low Latency)
- Home Working (Need Stability)
Core Firewall Software:
- OPNsense
- AdGuard Plugin - Using the 'core' blacklists, nothing crazy.
- Sensei Plugin (Maybe, still not convinced if I need it together with AdGuard)
- IDS/IPS Plugin - Once again just the 'core' blacklists.
- No VPNs on the FW, I have VPN software on the windows boxes.
- Some sort of Parental control script or will use Sensei
- lets-encrypt plugin
- Cron Jobs
Expected Nic Assignment:
- On-Board - WAN
- Card Nic0 (Main Lan) - My PC (access to FW Interface/SSH) / Work PC Subnet
- Card Nic1 (OPT1) - TV/Firestick/Netflix
- Card Nic2 (OPT2) - Family Ruter/Home Wifi (Laptops/Phones)
- Card Nic3 (OPT3) - IoT/Alexa Vlans
Additional Software:
- Jenkins Controller (No agents) - Would be controlling agents inside network and in cloud.
- Grafana Server (Could use the community plugin)
- Log/Statistics database (MySql/Mongo) with scheduled offsite backups.
So I now have 2 options:
1) Run everything on the same server. Jenkins and the DB maintenance would be done via SSH to the FW box.
2) Virtualise (Proxmox?) - Firewall on one VM with passthrough NICs and the other software on one or two other VMs.
Question:
Which option is '
better
(tm)
'?
Each one has obvious pros but the cons:
Cons - Option 1:
Running other software outside of the confines of the FW is never a good idea.
The log/statistics database I can lock down, I think the problem is Jenkins.
Issue1: It runs on Java, Issue2: Even if I consider Jenkins itself safe, no way I can validate the integrity of it's plugins. Yes I can try lock it all down, but I'm human, I'll miss something.
Cons - Option 2:
Virtualising firewall. While I'm relatively convinced that the hypervisor will not be compromised I'm somewhat worried about the extra layer of complexity. That said. if I get my Nic pass-through done correctly everything else should be relatively problem free.
So having written this all out I've almost talked myself into option 2 since the benefit of virtualization and the con of putting 'alien' software on the firewall seem to outweigh all else.
Can anyone shed some light and/or maybe suggest another reason to swing either way?
Thanks!
Logged
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: Virtualised vs Bare metal for extra software
«
Reply #1 on:
April 19, 2021, 09:05:16 pm »
Short answer: Virtualise. For all the reasons you mentioned.
Cheers
Maurice
Logged
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Virtualised vs Bare metal for extra software