Page 1 of 4 123 ... LastLast
Results 1 to 10 of 35
  1. #1
    Untangler
    Join Date
    Dec 2010
    Posts
    75

    Default pfSense and UT on same VMWare ESX 5 Host

I went from using UT to pfSense over a 2 year period and have determined I like both. I want the stateful firewall of pfs and I want the nicely packaged UTM features of UT so my solution after months of thinking is this:

I have been running a pfs vm on a VMWare ESX 5 host for over a year now and it runs perfectly. So I want to deploy a UT vm in bridge mode mostly for the Virus filter function. And I want to deploy on the same ESX host.

The host is a Dell PowerEdge 2950 with dual procs and 8 GB of RAM available for the UT vm. Three 10K hard drives in RAID 5. I previously had UT 8 running on this physical server.

    Is it possible as I would have to cable from one vSwitch to another on the same physical server?

    Is this a recipe for problems?

    Thanks,

  2. #2
Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    Quote Originally Posted by photonman View Post
    Is this a recipe for problems?
    It can be.
    Some people have great success virtualizing untangle, some even specifically with pfsense and untangle.
Others run into intermittent performance issues or bizarre issues.

    I wish I could say I knew why some people fall into one camp vs the other.
    Knowledge of your hypervisor and the ability to troubleshoot will go a long way though.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Dec 2010
    Posts
    75

    Default

    I have my UT vm all set up now so it is just a matter of cabling the connections.

Not sure if I need an x-over to go from the pfsense vm nic to the UT vm external interface? These two interfaces are actually on the same Intel quad nic pci board.

Then a straight-through cable from the UT vm internal interface to the LAN switch?

I am really hoping I can get this to work well as the premium package has everything I want.

  4. #4
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498

    Default

    Quote Originally Posted by dmorris View Post
    I wish I could say I knew why some people fall into one camp vs the other.
    Knowledge of your hypervisor and the ability to troubleshoot will go a long way though.
    I can say why, and oddly enough you just did too.

    Knowledge of the hypervisor...

    There are a ton of people attempting virtualization out there, that have no clue how a hypervisor should work. They think multiple VMs operating on a single server is a hypervisor, when it really isn't.

Virtualizing Untangle is a terrific risk. Say you have a file server or two operating within a hypervisor, with local storage and local network interfacing. This is your typical cheap single-server virtualization stack: the massive single-point-of-failure nightmare, but we all do it to save money. If you do this with your DC and a file server, and the unit is overloaded somewhere, it slows down some processes, but you don't really notice.

    Add Untangle to this mixture, and it's responsible for the border security, and the hypervisor is overloaded for a brief moment, packets are dropped! This directly equates to a visible problem your users will gripe about. And, to make matters worse, you can often create situations where the VMs are dependent on each other for connectivity, and the entire platform is busy chasing its tail trying to resolve something.

It's the same problem created when you have Untangle use AD servers for DNS, and then have those DNS servers going back through Untangle to get online and resolve DNS queries. A network session that has already used the AD server for a DNS lookup, and generated Untangle controlled traffic, is now having to, on creation of the http session, go back through the AD servers to check the web filter database which in turn is going back out again to get the information it needs.

    How many times are you involving the gateway here? Virtualizing Untangle brings this concept to the forefront, in a very brutal way. If you are concentrating stuff on a single hardware platform, and you're asking it to do things twice, you no longer have the resources to be inefficient with your design!

    Even if you have a proper SAN, with redundant storage networks, and plenty of host centric NICs, if you aren't careful you'll paint yourself into a corner.

    So to answer your question photonman, yes you can virtualize Untangle, with PFSense or any other router you want. However, if you don't map things out well, expect trouble.

    Here's a hint, if Untangle's internal interface is attached to a physical NIC that is shared with any other VMs... you're doing it wrong.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler
    Join Date
    Dec 2010
    Posts
    75

    Default

    Quote Originally Posted by sky-knight View Post
    Here's a hint, if Untangle's internal interface is attached to a physical NIC that is shared with any other VMs... you're doing it wrong.
So are you saying I should not be using a single quad nic card even if each nic on the quad card is attached to a separate vSwitch in the ESX host?

    vmnic 1 on vSwitch1 for UT external
    vmnic 2 on vSwitch2 for UT internal
    vmnic 3 on vSwitch3 for pfsense wan
    vmnic 4 on vSwitch4 for pfsense lan

Right now with just pfsense running, it is fine. pfSense and UT will be the only VMs on this ESX host.

I guess things can get hairy on the hardware side of things. May have to rethink things.
    Last edited by photonman; 10-10-2012 at 08:38 PM.

  6. #6
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498

    Default

If all you're running is Untangle and PFSense on that system, I can't see where you'd have a problem. PFSense uses resources in such a way as to need to measure memory used in megabytes, not gigabytes. The only real worry I'd have for your configuration is drive speed. Untangle is a database server; make sure you don't over-tune reports to keep too much data and you should be fine.

    What I meant when I pointed out the NIC sharing is the ever popular SBS mechanic. I have a VMWare ESXi host, it's got an SBS whatever on it, I have two interfaces. One for Untangle's External, one for Untangle's internal, and the SBS VM.

Then the customer wonders why, when Bob over in the graphics department opens up a Photoshop file stored on a share on the SBS machine, everyone in the company loses internet. That gigabit link only goes so far! This situation gets even more nuts when you find out the SBS box has Exchange on it, and the internal array used by ESXi is 4 RAID 10 7200 RPM disks... or worse... a two disk RAID 1...
    Last edited by sky-knight; 10-10-2012 at 09:04 PM.

  7. #7
    Untangler
    Join Date
    Dec 2010
    Posts
    75

    Default

    Thanks for the comments.

    So I got my crossover cables ready and will try to get things connected up at lunchtime PST noon.

    pfSense is very efficient with ram and processor unless you have all kinds of packages like squid and havp loaded. I did not like how a lot of the packages are not updated or only in beta for pfs 2.0 so UT offers tried and true neatly packed packages and I think I can make a best of breed custom UTM with this setup.

  8. #8
    Untangler
    Join Date
    Dec 2010
    Posts
    75

    Default

    WORKED!

    Had to use a crossover to go from the pfsense vmnic to the UT ext vmnic.

I was having trouble getting linked and about ready to give up, but then I decided to "Accept" MAC address changes and forged transmits on the vSwitches for the UT interfaces and then things lit up. Not sure if both are needed, but it matches the pictures in the UT documentation for configuring UT on VMware from the OVA template. Originally I only had Promiscuous mode enabled.

    So now I will download the lite package and see how the network runs.

    Thanks again.

  9. #9
Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498

    Default

    Why bother with the crossover? If you aren't putting a switch in there, I would have simply put those two interfaces on the same vSwitch and been done with it.

    Virtual networking is magic, if you "wire" it correctly.

Untangle bridges need promiscuous mode enabled on both relevant vSwitches to function.

  10. #10
    Untangler
    Join Date
    Dec 2010
    Posts
    75

    Default

    Quote Originally Posted by sky-knight View Post
    Why bother with the crossover?...Virtual networking is magic, if you "wire" it correctly.
    Ah...great idea...thanks again, again.

Except then, I would be putting the pfSense LAN interface on promiscuous mode too; not a big deal I guess for the internal interface?
    Last edited by photonman; 10-11-2012 at 03:10 PM.
