I’ve found my perfect home setup, one that would work well for businesses as well. I’ve got a Supermicro 502-2 with 4 GB of RAM and a dual-core 1.66 GHz Atom CPU with two HDDs in RAID, with NS7 installed as the firewall. Then I have a Dell R410 running Xen with NS virtualized for all the other necessary operating systems. With the Supermicro functioning as a firewall, it’s plenty powerful to handle the load with power to spare. The Supermicro 502-2 runs about $80 USD used. Pretty sweet deal for a dedicated firewall.
Great price for a Supermicro board.
And your setup seems cool too.
If you run a system using VMs, why opt for a second physical device as a firewall? You could have virtualized that one as well. Just install a hypervisor on the Dell, VT-d eth0 to the firewall VM, share eth1 with all the VMs including the hypervisor, and you are set on one box.
I originally had it set up that way, and it did work great… until there was a power outage. Since the firewall and DHCP server were virtualized it was problematic, because I would have to restart the VMs, and I could never get it set so that it would dependably restart the VMs in the order I needed. Support cost money, and this was a free project, so there wasn’t a budget. I lucked out and got the Supermicro for free, which led to this setup.
No, it’s the way to go…
When your firewall is up… you can work freely on your home lab without fear of anything.
When you use one server… there’s always the risk of having to swap everything out… and losing everything.
With the separate firewall instance… the network backbone stays up!
@Jim, I follow your reasoning, but you may have overlooked the VT-d part of my suggestion. If a network adapter is exclusively bound to a VM (the firewall), other servers (including the host) cannot use that network adapter. Even when something breaks, there is no way your network gets compromised by being left with no firewall in front of it.
If the firewall VM breaks, there is no Internet access. If another VM breaks, there is still a firewall in front of the LAN.
I have to agree with @Jim, I prefer to host my firewall on a separate device / computer. If only because of security concerns and the reliability of the host device.
Only $80 USD, wow.
They are out of stock right now, but $84 USD isn’t bad… especially if you are on a tight budget. And if I may say, with NS being as awesome as it is, the small Atom CPU and 4 GB of RAM work just fine as a firewall, and in my case as firewall and NAS, with a full load of 6-10 users. Just to test it out I set a 50 GB file to transfer to the NAS, set 2 users to stream 720p, had one user stream 1080p, and there were two others browsing; I was still able to consistently pull around 20 Mbps when speed testing, the CPU didn’t rise above 60% usage and the RAM never touched swap.
@robb, I had originally set it up the way that you described and it worked well. However, I found out during a couple of power outages, when the server had to hard shut down, that I would have to manually restart the firewall. While digging in looking for solutions I was offered the Supermicro box for free, so this setup became the solution. The budget for this was free only; there wasn’t any money that could be re-allocated. So instead of trying to manipulate the hypervisor, I deployed the Supermicro box as a dedicated firewall. If/when I get the hypervisor to behave correctly in the event of a hard shutdown, then that’s great, but in the meantime the Supermicro box will automatically come back online, allowing me to VPN in and manually restart the VMs if need be.
I do understand your reasoning. And probably due to the current outage, the VMs didn’t come up automagically? I have set up pfSense + Karoshi server as VMs on an Ubuntu host with KVM, and in KVM I have set the VMs to auto start after a reboot. Was your hypervisor damaged or corrupted because of the outage? (Just curious here.)
Xen (the free version) was used as the hypervisor, and it didn’t seem to be damaged or corrupted during the outage(s). I set the VMs to stepped auto start in the event of a power failure, but Xen wasn’t consistent with actually starting the VMs as it was supposed to. Sometimes it would, and sometimes it wouldn’t and would error. While trying to come up with a fix/solution, the Supermicro box was offered for free. I don’t have an issue with virtualizing a firewall, because it worked great, and in the future if the Supermicro box goes out I’ll most likely give it another shot with a different hypervisor. I’m sure if I had kept at it I would have learned how to fix it, but I honestly didn’t have the time, and once the Supermicro box was gifted the problem was solved.
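The auto-start discussion in the two posts above (KVM guests set to start after a reboot, and a stepped start that sometimes errored out) comes down to ordering: the firewall and DHCP guests have to be up and answering before anything behind them is started, and a guest that never comes up should stop the sequence rather than leave the LAN without a firewall in front of it. The script below is an added example, not code from this thread or from NethServer, Xen or KVM. It assumes libvirt's `virsh` CLI; the guest names (fw, dhcp, files), LAN addresses and ping-based readiness probe are hypothetical placeholders for a real deployment.

```shell
#!/bin/sh
# Added example: start libvirt/KVM guests in a fixed order after a power loss,
# waiting for each one to answer on the LAN before starting the next.
# Assumptions (not from the thread): virsh is the hypervisor CLI, guests are
# named fw, dhcp and files, and a guest is "ready" when its LAN address pings.
# VIRSH and PROBE can be overridden (e.g. with a mock) for a dry run.

VIRSH="${VIRSH:-virsh}"              # hypervisor CLI; override for dry runs
PROBE="${PROBE:-ping -c1 -W1}"       # readiness probe, called as: $PROBE <host>
TIMEOUT="${TIMEOUT:-120}"            # seconds to wait for each guest to answer

# True when the domain is already running, so re-running the script is idempotent.
is_running() {
  [ "$($VIRSH domstate "$1" 2>/dev/null)" = "running" ]
}

# Poll a host until the probe succeeds or the timeout (seconds) expires.
wait_for_host() {
  host=$1
  limit=$2
  waited=0
  while ! $PROBE "$host" >/dev/null 2>&1; do
    waited=$((waited + 1))
    [ "$waited" -ge "$limit" ] && return 1
    sleep 1
  done
  return 0
}

# Arguments are "<domain>:<lan-address>" in boot order, firewall first.
# Stops at the first guest that fails to start or never answers, so guests
# that depend on the firewall/DHCP are not brought up without them.
start_in_order() {
  for spec in "$@"; do
    dom=${spec%%:*}
    host=${spec#*:}
    if is_running "$dom"; then
      echo "$dom already running"
    else
      $VIRSH start "$dom" || { echo "failed to start $dom" >&2; return 1; }
    fi
    wait_for_host "$host" "$TIMEOUT" || { echo "$dom did not answer on $host" >&2; return 1; }
    echo "$dom ready"
  done
  return 0
}

# Stand-alone use (hypothetical guest names and addresses):
#   ./boot-order.sh fw:192.168.1.1 dhcp:192.168.1.2 files:192.168.1.3
if [ "${1:-}" != "" ] && [ "$(basename "$0")" = "boot-order.sh" ]; then
  start_in_order "$@"
fi
```

To use it in place of libvirt's own autostart, disable per-guest autostart for the ordered guests (`virsh autostart --disable fw`, and so on, since libvirt's autostart brings everything up at once with no dependency ordering) and run the script from a oneshot systemd unit that is ordered after libvirtd. The probe address for the firewall guest should be its LAN-side address, so the sequence only proceeds once the firewall is actually routing.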
I’ve never heard of Karoshi until you mentioned it. Quoting robb: “I have set up pfSense + Karoshi server as VMs.”
After looking it up, it looks interesting. If you don’t mind me asking, what do you use it for? I’m going to spin up a VM of it as time permits.
I have implemented the 2 VM’s at a primary school here in Belgium. I volunteer at that school to manage their IT environment.
BTW, I am in close contact with Paul Sharrad, the developer of the Karoshi Server project.