Level1 Presents: THE FORBIDDEN ROUTER

NOOOOO!!! Don't Virtualize it! Unless you know the risks and challenges which were well covered in this video.

Aww, at the end I didn't see the clicky bits where the subscribe and video suggestions are.
Regarding the forbidden router, the fragility is my main concern with one machine to rule them all. Would be nice if you could have a second little box that maybe can't route at full capacity / with as much might, but is basically an online replica that could be switched over to for maintenance of if the main machine gets explodey.

Nice vid! Was already trying to build a "Forbidden Router" and was looking at XCP-NG so your timing is impeccable. Can't wait to see your follow up vids!

Thank you for doing these. As someone who is about to dive into this without any experience... your stuff provides a calm reasoned information based approach on how to deal with increasingly complex problems barely understood by anyone now days.

The one KEY benefit I DO see with the idea of virtualising the router / firewall is: Checkpoint / Snapshot prior to an upgrade / update, and if it breaks, restore back to that snapshot, get back online within 60 seconds! Also, a great way in a lab to check out different appliances / options. In the real world, yes, I have come across complete virtual environments like this and they have been rock solid for years! Really comes down to the initial planning phase to ensure all contingencies are planned for while maintaining both security integrity and uptime... Personally, I like the blinky lights on my rack mounted 1u appliance box :D

Finally someone tackles the challenge of setting up pihole/unbound and Steamcache on one machine! I have waited forever to find a good tutorial on that! Thanks Wendel. Looking forward to it :)

I'vd had pfsense as a VM on Unraid for a year now and it has been great. My Unraid box is a dual Xeon with 32 cores. I agree that having the router in my main server is not optimal and my next project will be an economical build for a dedicated pfSense router box. Great content guys. Thanks.

for those who think this is a bad idea "just because" - be aware a lot of high end commercial firewall/routers are offered as VMs run on a cluster - Palo Alto for example offer virtual instances, Cisco offer virtual ASAs, etc.
Flip-side to the bad-juju with having your router virtualized is that it does make some things a lot more painless though - OS upgrades, configuration changes, etc. are trivial to back out in their entirety by rolling back to a previous snapshot.
And if you're willing to take the minor performance hit by using virtual NICs instead of hardware pass-through (assuming you've only got gigabit internet or less, which shouldn't be too much of a restriction for most) your VM becomes completely hardware independent. Big epyc box blow up? Spin up the hypervisor on whatever spare machine you have, and restore your VM files (or even just plug in the disk).
I use virtualized pfsense a LOT for internal VM segregation, home-lab-workstation (Have a lot of virtual NICs and use virtual pfsense to route between them for disposable test networks), etc. It runs on any hypervisor that FreeBSD runs on, which pretty much includes HyperV, VMWare Workstation/Fusion, Virtualbox, etc. - so if you have a high power workstation you can experiment with fully isolated virtual networks (test active directory stuff, etc.) without necessarily needing to use a server for it.
as wendell says, just make sure you're aware of the risks (obviously, keep your pfsense instance and your hypervisor up to date to ensure you're protected from VM escape).

Mate, that intro is simply superior, cracks me up every time. Just wanted to let you know I love your style, slowly going through all this juicy content you've created over the years.
re: virtualisation, I think as long as you understand it relatively well and have solid foundational networking knowledge it's probably the way to go. Reasonable redundancy levels should always be catered for regardless of your deployment choice - especially when failure triggers multiple voices echoing "is the Internet down?" throughout your house ;)
DR & LCP (Lab Continuity Planning :D) is kinda fun anyway, right? Right?? 😅

Been running pfSense in a Hyper-V setup for hy home for the past 5 years, not a single issue in terms of the VM side, have had my own Networking issues (routing, etc) but thats all. I also setup another pfSense VM on my remote server to create an IPSec tunnel between them.
Highly recommend this type of setup. I run my pfSense VM on an old Dell R810.

I’ve had pfsense running virtually in VMWare for various applications for years :)
The only reason my homelab isn’t setup that way is because my wife gets mad at me when the internet goes off

Exactly the way my setup is going. With the summer heat wave on the horizon and electricity bill nearly doubling I am seriously considering rebuilding the homelab - having one forbidden router/VM host/ docker host/wifi AP which runs all the time (and just barely sips 30 watts) and then having another bulk data/media storage (refurbished rack server with 12 drives) that powers on only when needed.

I've got a Netgate RCC-VE 2440 with an Atom C2358 that's been faithfully routing my home internet (which is now gigabit fiber) for about seven years. It's decked out with a 4G LTE modem, WiFi card, and mSATA storage, and it was originally running pfSense but I switched to Linux for reasons. It's starting to get a little on in years so I'm excited to explore other options... thank you for this video!

Running a pfSense router for several months and very happy with how it works with both my internal networks. Left over hardware from an upgrade a few years back, discrete hardware just works well for me and the slight extra cost for electricity is worth the simplicity and makes the occasional PD easy and quick, after all my time is worth something.

I am running PFSense as an edge firewall/router on Hyper-V using an old FX-8350 system I had laying around. Works amazingly well! I even have enough remaining system resources to run my unify host for three AP's!

I've been running a pfSense in VMs for over a decade. The only issue I've run into was the old minimum boot volume becoming too small around 2.3. The main trick is static IPs on the hypervisors, otherwise cold starts might be troublesome.
I'm also a full time IT manager, so your mileage will vary.
Also, RIP VMware if the purchase by Broadcom goes through.

Dude! Stop reading my mind! I was just thinking about this LAST NIGHT. You are truly awesome!

I expect Craft Computing is drinking this up like he's been locked in a McMenamin's beer cooler.

I love the new intro music, and I love the channel more with each video you all post! Great content.

I've basically had a similar setup for about 8 months now. Proxmox host, Dual Gb NIC (one for LAN, one for WAN) via PCI pass through to pfsense, pihole DNS. gigabit internet. A few other Vms, on an old intel i7 6700/32GB ddr4. Works a treat.

I've been running pfsense as a VM on a Linux host (qemu/kvm) for a while now with a couple of nic's passed through to it and it works just fine. quick and easy to set up.

Still only 5 min into the video but couldn't help but comment once I heard "Virtualizing pfSense!". I built a beefy VM host to serve as my home lab and virtualize all my services that I use to learn on and as a result pfSense is one of them. It has dual NICs (my VM host server) and I pass one of them directly to the pfSense VM using pci passthrough so I didn't have to decide which libvirt networking configuration would have the least amount of drawbacks. VM Host is a Ryzen 9 5950, 128GB RAM (non-ECC, more expensive) 20TB of disk space and a couple of old AMD W7000 Firepros I had laying around. Currently serves pfSense, Samba file sharing, camera security system, Plex and nextcloud. Love your vids and am in awe of your teams expertise!!!

Great introduction to the topic! I will be following with interest, even though I'm aware of the risks and don't plan on virtualizing my home firewall on my lab VM infrastructure (the risk of breakage from me messing with it too much is very real).
The answer to that, of course, would be to treat the VM host running your firewall as an appliance. Mess around with your other hypervisors, but leave that one the [bleep] alone. Case in point: this is exactly what "network function virtualization" appliances like the Juniper NFX or Cisco ENCS series are meant for, and they're great if that's what you need. You're just not going to be in there updating the BIOS or tweaking it on a regular basis, which is probably why they're more stable than our average home lab servers. :-D

I did this exact thing over a year ago. It was easy and it's worked out very well. Highly recommend running pFsense in a KVM virtual machine.

Thanks Wendell for covering this topic, the homelab people in the comments may have the experience and hardware laying around to experiment with but I expect you'll do your best to point out the caveats and pitfalls for someone just walking into this type of project of a single networking appliance versus the herd of animals.

Only partway through the video but it's wild how relevant these videos are to me. Purchased a used old 4 port protectli vault on ebay but that got me thinking about whether I could just slap opnsense in a VM on one of my existing servers, bridge the LAN side, and call it a day. Thanks for sharing your expertise!

I ran my Astaro / Sophos NextGen Firewalls as VMs for years. The ONLY reason I went to a physical appliance was because I wanted the aesthetics of the 1u unit in my 1/4 Wallmount Rack. I still have a Sophos XG running virtualized as my HA node.

I implemented an old Server 2003 VM on a server once at a client to route between multiple segments on the network. It was fun but I'm sure it had some latency issues. It worked for what we needed. The Server acted as the DHCP server for one of the segments as well. Nerd fun.

I've been running pfSense as a PROXMOX VM for years on an old Mac Mini cluster. Things can get tricky after a power outage or a shutdown and restart, especially with a separate management VLAN. I use virtual NICs vice PCI passthrough. That way in a cluster you can migrate machines around without networking issues. I also use an Edgerouterx as the upstream DFGW for the pfSense wan IP, that way ISP DHCP address stays the same and it's also easy to split off a separate lab network from the edge router without messing up the "production" network. You can also have a DMZ network on 2nd box or logically separated with a pfSense VM running as a FW and a reverse proxy to host websites/services with SSL certs under one DHCP address.

watched from virtualized pfsense router. On exsi. Honestly it worked so well I roled it out my parents house. Using my old Dell r610 host setup running proxymox

Sweet, I've been hoping to see Wendell do a show on this topic.
I like it, now I've got a new build to consider.

I've been thinking about doing this. Thanks for the info!

I got this... Makes sure you have a router as well for management network, cause you may want to update xcp-ng. You do need that if stuff hits a fan, which will happen! Mine is NAS, TV-tuner, router, voip-gateway, Home assistant server, wifi/switch controller and of course everything software a house would need.

I had actually just set this up like two weeks ago on my Mac Pro 4,1. Ubuntu LTS as the hypervisor, with PFSense running under KVM, PCIe passthrough of the NICs. Docker. The whole nine. Seems like great minds think alike. Very interested in that newer hypervisor based on Xen, though.

Just done this myself, but using ESXI - the free version is pretty nice (just register for a code), and allows you to do PCI-E passthrough in the GUI. Passed through an i340-T4 to pfSEnse and an LSI SAS card to TrueNAS, both seem happy so far. Remains to be seen whether I'll keep pfSense virtualised or not though, I do like having a dedicated box for it... but going from three physical boxes to one is also really nice :)

If you can make it wife friendly when it goes t&ts up then I might head back to the dark side. I remember receiving several 'dark' calls from my wife when the internet wasn't running when i had pfsense virtualised years ago - nothing is better then the simple instruction of 'switch it off and back on again' and that doesn't tend to end happily when you have a box full of virtualized machines :)

I'm really looking forward to this since i've been running the same concept on proxmox for three months. Sadly I have't had time to try clustering like Jeff Geerling says, but one of these days I might have the time. Also I have one other problem, the speed is full 1 GB but the other way it's 100 MB but that might be a configuration error from my side. My setup is Proxmox 7,x (I don't remeber) on an 12 core xeon 128 GB RAM, with PCI passthrough on the WAN side and virtual interfaces on the LAN site, all 10 GB

Lol, I started going down this road that the video is about last year. I've been doing it because I've been dissatisfied with the network solutions I had and I'm trying to learn more about more complicated network application structures on a closer to enterprise level. I'm not a sysadmin, I'm barely IT, but given how hard it's been to get anyone to look at my partial college education in computer engineering and my general IT certs, I've been hoping a homelab setup would be a good way to get my foot in the door.
BTW, I did try to run Pfsense on a standalone box first, but considering what else I was buying, I cheaper out a little. The processor that was on it was terrible and I ran into all kinds of issues from DHCP requests timing out to eventually the box literally not booting or letting me in to run a factory reset. Maybe I'll have it do something else later, but I gave up and just decided to virtualize it on my existing hardware (FX8320 beats out about every Intel atom anyways, even if I'm only allocating one core lol)
Okay, weird, my first edit deleted itself when I added the second edit... But yeah I setup VMware's free esxi and went with truenas core (did VMware because I read about issues using KVMs with truenas core) and bought a couple of compatible 1gbps NICs for Pfsense, a 10gbps nic for the nas, a multigig switch, a couple 2.5gbps NICs for the 2 gaming desktops, and loaded my steam games on the 4x10TB hard drives that are striped and mirrored with a 1TB SSD cache (not NVMe because the motherboard is old). My next projects are setting up Vaultwarden on the raspberry Pi and setting wireguard up again but directly on Pfsense to get other devices to connect to it (thought about doing reverse proxy but I don't currently have enough users or applications I want to use away from home to want to start managing that kind of exposure, but I will get there eventually)

I have been virtualizing pf-sence for years now. I have used it with zen, hyper-v, Vmware, & virtualbox.

I was waiting for this video every since you foreshadowed it about 5 months back when talking about your 100 Gbe EDR NIC. I am not sure whether this is due to the EPYC platform you have, but I have actually had better performance virtualizing Pfsense on Proxmox. I found the ability to select the exact CPU platform on Proxmox to make a huge difference. I can't get more than 10gbe/s on XCP-NG with FDR connectx-3 or EDR connectx-4. It would be nice if you compared the SR-IVO vs the pass through setup, so we can tell whether there is really performance issues one way or another. RoCE will be fantastic if you can show that as well. You're going to have a hard time saturating that 100gbe NIC, so maybe RDMA-Based NVMe-oF would be another nice scenario to see. As always thank you for sharing your findings.

Running ESXi on a used OptiPlex with a host of VMs (including pfSense) for over a year now with no issues. The reduced noise, clutter and power consumption is worth the risk for me.

Been running mine in proxmox for about 2 years now. It's mind blowing what you can do for free. I bought an intel motherboard that had 2 ports on it for my i7 3770 with 32gb ram sas card and it only cost me £250 ( the hard drives were more ). Once your using lxc containers only ram is the limit of what I can run as only pfsense and open media vault run in vms.
I do have to double NAT but had no issues. You just pass ports through from the ISP router to the pfsence. Pfsence has the 2 onboard nic ports and the proxmox has a intel 1000 4 port card in SMB multi channel

Great vid, been running my own routers (FreeBSD with jails) since 2004 :D

I've been running pfsense as a vm for close to 2 yrs now and it works amazingly well. The only difference is that I use Hyper-V instead of proxmox, esxi or xcp-ng. I personally find Hyper-V more easier to use, i've got pfblocker, openvpn, squid proxy, HA proxy and Multiple vlans running of the pfsense. I haven't had to touch it in over a year now, it just simply works. I also have a simple windows vm and some docker containers running off that small virtualization box. The box is a Beelink mini pc, similar to an intel NUC, just a bit more cheaper. I have a separate much more powerful VM host machine for all other work / testing.

You keep saying I shouldn't do this, and I keep thinking more and more that I want to!

I got a 1u supermicro SYS-5019D-4C-FN8TP with quad 10gb ports and a handful of 1gb ports. Used proxmox to virtualize pfsense and connect to my 2.5gb modem for > 1gb connection. Using it as my security appliance with AD, PiHole and a Linux Network Tool VM. With a quad core xeon and 32gb ram it works great. The thing I love about this server is the front facing network ports so it looks great in my rack with my switches.

Looking forward to the DNS video. I currently have a pi hole and want to add a Steam Cache machine to my network as well.

That’s exactly what I planned on doing! Virtualized that and include a couple of vm’s for intrusion monitoring and dns handling

Oh yeah, I did this at my parents house and host their family photos on a ZFS mirror. pfSense in a ProxMox container. I did it with two NICs, router LAN and management interface on same bridge.
And one of my rack mounted routers too, for local stuff.

Great video, I have done about same thing with unRAID running virtualized RouterOS with 100Gbit virtual eth + 2 dedicated eth ports. Setupping wasn't the easiest but its 'hanging' :D

This is so fun! As much as 10 years ago I started to run m0n0wall in a vm as that provided me more option than my default cable router. That was on ESXi 3.5 and later on I made the switch to Pfsense under vmware. Nowadays I still run Pfsense but under hyper-v. And my system currently is a I7 2600 with 16GB. It had 3 NICS, one 1GBs to the internet on fiber (yay!), one to the appliance network on 1GBs and 1 on 2.5GBs to my machines. The day 10GBs switches won't cost hundreds of euro's, I'll upgrade. Probably the I7 2600 too. In other vm's I have my webserver, a SAN and a NAS.
SR-IOV is enabled for the most important connection; Internet.

You broke me mr Wilson... 1 month many dozens of installs, got it all working but seem to have reached the limit of my asus tuf gaming x570 as it falls apart when finalized... I guess i cannot have every pci and nvme filled? found a 4 port 1gb card but pci-x not so common these days. Will drink until i pass out and worry about it tommorow. Much fun man, all the best. Thanks for the challenge.

I have pfsense running on proxmox with pcie pt for a dedicated nic. Has been running great for over a year in this conf.

IMO, for home and small business, automatic failover high-availability is a cure worse than the disease. Bespoke software configurations and distributed systems are for the big boys who lose $10,000/minute when the network is down, and can afford a team of developers to maintain it.
Better to have a dedicated bare-metal router that's cheap enough that you can buy two. The manual failover procedure is simple enough that a five year old can do it following written instructions, as long as the router and the spare aren't too high to reach. If you do software upgrades A/B style by swapping to the spare, that solves the, "if you aren't testing it, it doesn't work," problem and protects you from regression bugs.
OEM business desktops have low idle power because of energy star regulations, and Kaby Lake and earlier are quite cheap used. In current market conditions, cheaper than a RasPi 4, even.

PFSense is awesome, virtualizing it is cool too. I tried to use it for advanced routing between-VMs when there's only one hardware NIC available and it seemed to work.
Also, while pfsense is better than most consumer routers, by the time you have a homelab sometimes it is more beneficial to use enterprise-grade hardware systems ... software-only routers inherently lack ASICs or other acceleration tricks.

I am researching pfsense and building a router that can handle 1gb fiber up/down. What would you consider to be a good core count or processor to shoot for? I thought about using a thin client/mini tower from eBay with a 4 port intel nic. Would love to see an updated video on something like this. Thanks!

I am doing the same approach on my HP microserver, having Windows Sever based with Hyper-V VMs.
- virtualized Sophos UTM Home for routing & VLAN,
- a Fedora VM for podman containers,
- Windows server core for Windows AD.
Would go the proxmox/xcp-ng if I am rebuilding it.
I dealt with fragile part taking advantage of the IPMI and Windows GUI

This kind of stuff is a lot of fun. I have proxmox running on an old SFF optiplex 9020 with a Haswell i5 and 16 GB RAM. There's an old HP N360T(?) dual gigabit NIC in one expansion slot and a 2TB Samsung 983DCT in the other. It's running VMs for pfSense for routing, Ubuntu Server 20.04 for docker with LanCache, and Windows Server 2022 Core for file shares. The SSD is passed through to Ubuntu for the LanCache with cockpit running on top for web management. Windows Server has admin center for web management. Overall it's been a really fun project and an excellent LAN party in a box. Next step is a pi hole container and 10G on the LAN side. Unfortunately, will have to choose between full speed on the SSD or 10G NICs if I stick with the 9020 and it's pcie layout.

Ran into this myself: I'm using OPNSense for a router, but ended up using an old Pi B for my Unifi controller, and there are other bits I'd like to run on my router box.

Have a solid recovery plan if you attempt this.
But you shouldn't be afraid to experiment provided you have a solid recovery plan.

amazing 10/10 for that intro

Love me some forbidden networking. VM firewalls and router-on-a-stick (single Ethernet port plus a switch) are fun to play with. My main concern is cases where things *partially* fail (a single config file disappears) or you swap a network card. Done wrong, setups like this can fail open.

I love the concept on eco-friendliness alone. It's too close for comfort for my noob butt. It feels like the gate to my property to be right next to the safe in bedroom closet door.

Got a Poweredge T710 cheap on craigslist and virtualized everything with Proxmox (including pfsense) for the last year without any problems. (pfsense, plex, portainer, openmedia, transmission, heimdall, homeassistant, truenas...). Just gotta have enough memory :)

I absolutely love stuff like this. These kinds of projects are such good ways to get more life out of older hardware.

I use a E300-9D supermicro box for this, much smaller, 8 ethernet ports of which 4 are 10GBE out of the box, and support for a single slot PCIe card which is populated with a ASM2824 switch card to add 4 more M.2 drives for a total of 5, and a mini PCIe slot for a Wifi AP (or cellular backup if you want).

I did exactly this, but with 2x Hyper-V hosts at home for around 3 years, with pfSense. pfSense running CARP between two boxes, always pinned to separate hosts with a dedicated passthrough NIC for each. I of course had an old Ubiquiti Edgerouter configured and ready to go if SHTF, but it never actually did.
I only stopped because I simplified my (running 24/7) home server setup to a single host and replaced the pfSense VM's with a Fortigate to save power and heat output...

I just stick to stuff I can do on OpenBSD, works great for me. OpenBSD has a VM hypervisor now too, so you can put the applications in there, and keep the routing outside.

This is good content and I like the chill music barely noticable in the background. I use mikrotik RouterOS x86-64 on baremetal. I also have Ubiquiti gear. At any rate, this dude (sorry, I don't know your name) is NOT a level 1 tech. He's more like level 3 as he knows a lot and has proven deep knowledge of zfs and even filesystems in general. I like the humbleness of the channel name.

In Romania they just introduced 10Gbit internet for $10. The 2.5Gb plan is $9, the 1Gb plan is $8. Full Duplex, international traffic included. Bought an asus xg-c100c, waiting 1-2 weeks for internet installation. If I don't hit 7 Gbps, I will buy intel x550-t1.

I've run pfsense in a vm on top of unraid (so, KVM) for years on a used supermicro dual xeon(1366 era) server board (liquidated from an old facebook server swap out best I can tell). Never had an issue.
I also had a used netgate passive cooled appliance set up in a complicated HA/CARP implementation for fail over purposes because everyone told me I was making a bad choice... never engaged once. I eventually tore it down and left a basic linksys router (has an on/off switch is why) sitting on top of the cabinet with a couple labelled cables stating plug me in here and switch me on if the internet dies. It's only every been needed when I tested the checklist with the missus. I've yet to have a failure.
If you know what you are getting into - vm router implementations are really great.

I didn't have a good experience with the passthrough and XCP-NG. I had a GPU and a PCI USB hub. These two things had to be configured in a very specific order for them to work. And even then, the mouse stopped working whenever I played a video and only then. I actually tried with two different PCI USB hubs and I reinstalled both the hypervisor and the windows VM multiple times.
However everything went real smooth with vmware. Just sharing my experience with xcpng.

Lets GO! running promox with pfSense, pi-hole, Unifi, and experimenting with XPenology a rip of Senologys software and future plans for Home Assist and PBX running on a Dell R210ii

I'm curious why you chose XCP-ng vs Proxmox? Also looking forward to performance data on virtual vs passthrough NICs. Would you ever recommend virtualizing routers with CARP/HA between VMs on different physical boxes for a business with high uptime requirements? I just recently struggled with this decision and decided to just have two 1u servers each running OPNsense bare metal in HA configuration. I didn't trust the extra complexity of VMs when uptime is key but I'm curious to hear others thoughts.

Did this for a while with xcp-ng and opnsense. It was fun doing it, and didn't have any issues with performance. The only problem, however, is patching xcp-ng(and the subsequent reboot) would bring down the internet for everyone. The wife acceptance factor on this fun/geeky setup is very low, so ended up abandoning it. If there were a way to easily hotswap router vms between two xcp ng servers to maintain Internet connectivity, well, I'd still be using it today.

oooh I may want to go this route under my virtual-manager. I already uses virt-manager with PCI-passthrough for my gaming computer I could add a vm with pf-sense.

Wendell, I might have missed it but did you make a Windows Server Storage Spaces ReFS RAID Implementation video? I would love to see a ZFS / ReFS RAID side-by-side comparison video.

Ive done something similar with a Pi 4 8gb (dont recommend). Left the fibre routing with the plastic box, but the rest, DNS, DHCP, Unify WiFi etc ... run in docker images. What I like about it is the cloneability of the system. I do boot off a HDD as I found SD cards died with the logging. What I hate is just not enough horsepower and slower ethernet. 1 gig is doable for me but not ideal. Its mostly stable except when updating or building some of my services. I was worried about the ram capacity but for my use its been okay (again not ideal). My biggest other issue has been those UPS hats just not providing enough power and the built-in WiFi being a blocker from creating a mesh or bridge (more of a fallback since Im having to use ethernet over powerline adaptors to my fibre box, and having a separate backup WiFi connection would be great).
Im debating going full compute module or getting one of those 2gb ethernet router boxes you can put your own ram / hdd / nvmes in. Ideally I would like to be able to transcode properly ... my pi also runs plex (again not the best idea)

Exactly and especially in today's age and specialized ASICs, you don't want to go the virtual way anymore with firewall because there is too many threats to check and to process that a general computing cpu can't cope with. 10+ years ago, yes, having vms for firewalls was good because we had abandon things like deep inspection and what not - it was too costly cpu-wise. But now, things have changed in the last 4-5 years and firewall are now legit core-switch-level devices that doesn't only police north-south traffic, but also the east-west traffic that is becoming more and more and issue in this security era. Two-tier architecture are the way to go now with access switch able to provide 10GE to end points, and uplinks of 25/40/100 Gbps are now common, and firewall able to process north of 400Gbps can save organization a lot of money in hardware and management.

Ah, this has been on my mind in the recent period. Should I go with a dedicated setup per device with cheaper HW or just virtualize the whole thing with one monster PC... Budget is a thing that I'm concerned about, so I am leaning more towards virtualization, but data integrity and back up are a major factor of concern with the nextCloud part...
Could you please explain backup strategies to physically different machines once you get to the nextCloud part? I wanted to perform a weekly backup to an offsite machine and have a basic idea of doing it using free DNS since I have a dynamic IP address on all locations. The idea would be to have the main machine use RAIDZ (3 disks), while the backup machine(s) would be a single disk since it is just a backup with not as capable HW (maybe even a RPi) that would be powered on on demand (remotely, maybe with an ESP8266 with a relay attached). I would really like your take on this since this is a first video in a while that I would have the budged to replicate :D

This with something like an SG-1100 or SG-3100 in an active-standby HA setup would be really cool.

Actually just tried opnsense on a truenas host a few days ago with virtual interfaces. Lots of problems with pppoe and vlans there. But I have used this architecture before and it seems to be stable with xen and proxmox.

I ran pfSense through VMware years ago so I could use the same system to also run my web server & other projects, it worked great the issue was when we finally got fiber, the virtual NIC just wasn't cutting it, was only getting about 600Mb/s through the VM, this was on a Ryzen 1700x at the time. Maybe it's better now with faster CPUs & improvements to VMware. Otherwise I'd say PCIe passthrough is a must if you have a gigabyte or higher connection coming in & you want to attempt something like this.

oh my i've been using "THE FORBIDDEN ROUTER" for a litte over 7~8 years now... lol, both on esxi and xcp-ng

I used to be proud of the fact that I turned a Raspberry Pi into a little wifi router to get around the fact that my university dorm room only had wired internet and blocked routers, but not computers that were being used like a hotspot. Now I feel like a noob.

Picked up a r610 for $ 100 from CL and running esxi 6.7 on it with pass-through for freenas and passing 2 nics to pfsense.
It's been working fine for a few months now.

For the DNS traffic, it would be nice! I quit using a router all together a while back, but it looks like my internet is about to be going a lot faster again...
It's tempting, but not near the hardware you're committing to such a feat! MTBF, no PCIe pass-through and a full spool for fiber runs for electrical isolation... STARLINK I'm not too keen on that dish going outside because we've had two satellite dishes blown off of our house!
Here's hoping that STARLINK will get faster... I may just build one on the cheap to handle router functions, no more.

Is that a HP enclosure with backplane? I thought about using one of these on a project but am not sure about the power delivery.

Sophos Home Firewall is also abgreat option virtualized FW, It natively supports most platforms.

I've been running and testing pfsense "on a stick" in a vm on both vmware and proxmox for years now using vnic's, and both have had absolutely no issue serving my 10+ VLANs and gigabit uplink, and in testing it was able to route 6 gigabit between vlans on just a single Intel i3-core
I have never experienced any kind of delays or other weird stuff, even when the tiny i3 has been fully loaded on the other cores, it's still been running way better than any consumer-level router i've ever tried. Only time i've experienced delays have been when pfsense shares cores with other VM's that are hammering it, then jitter increases substantially(Up to around 100ms i believe), but dedicating a core to pfsense and those problems went away.

I basically just got done doing this, for in the case of stuff breaking i have by WTR54GL in a box on the shelf so i can limp by till i can get it fixed (very glad i had that when my 10 year old board died) now on AM4 w/ a 2200GE (qemu on ubuntu server) planning to run raid arrays to make it less fragile, runs a lot better now than it did on the FM1 socket

This is the way I went, but I did it with Proxmox. XCP-ng is supposed to be great (and has its own advantages vs. Proxmox), but inertia is real & I'll probably stick with Proxmox until a specific need pulls me away from it. I run OPNsense in a VM (using a passed-through Intel I350-T2), and a Debian container that runs my services (many of them under Docker). I think this setup is only for fairly advanced users who understand & accept the tradeoffs with it & are also willing to spend time setting it up. If you've got the will & know-how to take it on, it's a really satisfying project with a nice long-term payoff.

Heh, a PfSense VM is what I've been running since I had time to figure it out during covid. It also load balances two internet connections, because one with all the videoconferencing during covid was getting to be an annoyance with multple peope simultaneously needing more reliability and sometiemes bandwidth. I'm quite happy with it, but as you say the main reason for it is that I want to economize.... not so much on hardware, but on power usage. My server board is a dual low power xeon, and it has a pfsense vm a pihole vm and a webserver vm. I agree with jeff though, duplicating the functions in a second machine on the network would be better, I can easily fall back by changing some plugs but having some failover would be better. So I'd agree that running a 'one piece of hardware does absolutely everything' solution doesn't really make sense.... unless you have two of them.

I love this!

I'm interested to know what HDD enclosure is that beside you?

Happened upon this video after setting up PfSense (along with some other VMs) in Proxmox... and after borking it with a configuration change that took my network down, needing to walk over and plug a monitor and keyboard into my server to troubleshoot the PfSense VM. I didn't not know what I was getting into!

I've been rocking a "forbidden" setup like this with TrueNAS and PfSense on my home server for a while now. Started out on bare metal on a busted laptop (no screen, so "headless" lmao) then migrated it to a Dell Optiplex 9020 with i7 4770, 32GB of RAM, 10GB SFP+ NIC, and a LSI2308 SAS HBA. The HBA is passed through to TrueNAS, and the WAN port (the 1GB RJ45 on the mobo) is passed through to pfSense.
I've since upgraded to a Ryzen setup for this rig, using a 5700G, 64GiB of 3200MT/s CL22 ECC memory. This gives me 1 more PCie x16 slot for more stuff in the future! Might add a low power GPU for NVENC and home media stuff.

You could build a cluster for Proxmox or XCP-NG for failover. This is interesting to me since I have a 3rd gen Epyc 7401 with 256 gb ecc memory and have considered turning this into my router, nas, pi-hole, etc. Haven't completed the video and would have to think some things through, but I have multiple 4x 10 gbe cards and even some 40 gbe cards for the mix for hardware passthrough. Hoping everything meshes well.

Timestamp:10:50 This reminds me of a lab/test environment I've setup with xcp-ng + OPNsense. My experience was better when letting xcp virtually assign the network interfaces to OPNsense.

I feel like you could install this on TrueNAS Scale and add a second node for High Availability right? Wouldn't that fix the fragility issue? I'm pretty sure pfsense comes with an automatic failover detection feature, but using TrueNASs built in kubernetes feature might also work.