Replacing commercial firewall with low end rack server running multiple VMs. Possible?

fragpic OG
edited December 2019 in Technical

So, I was able to snag a used IBM x3250 m4 rack server for really cheap and want to put it to good use.
I currently use a Fortigate 30D in my small office and I'm tired of paying the yearly license fee for it so
I want to replace that with the x3250 and save $$.
My initial plan was to install pfSense (open to suggestions) on it and use it as a dedicated firewall, but I realized that the specs on it are a bit overkill for using it only as a firewall. So, I want to also run Windows Server on it to take care of Active Directory tasks.

Can anyone tell me how I can get something like this to work?
My plan is to install Proxmox on it and then create one VM for pfSense and another for the Windows Server, but I read somewhere that running your primary router/firewall on a VM is a bad idea.
Is that true? Is there any other way to get this to work?


Comments

  • You're really better off having standalone hardware for a firewall. A cheap older Celeron/i3/i5 (verify they have AES support first) will be sufficient with an Intel network card if you want to keep the server open for AD/other VMs.

    It is possible to virtualize pfSense/OPNsense, although it just creates needless complexity for something as important as the main firewall for your business. It can be done and I'm sure someone else can give you a best-practices breakdown, but I would just avoid the headache unless you really have no other options and can afford the time involved to maintain it.


    🦍🍌

  • R210ii, HP T620plus, T730, M73/M93p SFF, X9SCM/L in a little 1U, lots of options. These are all old tech, but will do very well as dedicated pfSense boxes. For the SFF and thin clients, make sure there's space to add a $20 PCIe NIC.

  • @seanho said:
    R210ii, HP T620plus, T730, M73/M93p SFF, X9SCM/L in a little 1U, lots of options. These are all old tech, but will do very well as dedicated pfSense boxes. For the SFF and thin clients, make sure there's space to add a $20 PCIe NIC.

    I already have an x3250 M4 and it has two NICs. My issue is more that the server is too powerful for using it only as a firewall, so I want to run another VM on it to fully utilize its power.

  • I understand, my point is that these old boxes are so cheap nowadays that you can pick one up for a dedicated firewall and put your M4 to work with a hypervisor.

    You can have a second failover instance of pfSense (with CARP) on a VM if you like, but always have a dedicated box for the firewall.

  • Dream OG, Services Provider

    If you want to virtualize the pfSense, you could do that without a problem. We've done that sometimes for small companies.

    We've done it with 4 NICs: 2 for pfSense, the rest for the other machines.
    Install ESXi free version
    add the 2 NICs for pfSense
    configure 1 as WAN and one as LAN
    and you should be ready to use it.

  • fragpic OG
    edited December 2019

    @seanho said:
    I understand, my point is that these old boxes are so cheap nowadays that you can pick one up for a dedicated firewall and put your M4 to work with a hypervisor.

    You can have a second failover instance of pfSense (with CARP) on a VM if you like, but always have a dedicated box for the firewall.

    Unfortunately, I'm located in a country where it's pretty hard to find these servers at a low price and have no choice but to make the most of the M4.

    @Dream said:
    If you want to virtualize the pfSense, you could do that without a problem. We've done that sometimes for small companies.

    We've done it with 4 NICs: 2 for pfSense, the rest for the other machines.
    Install ESXi free version
    add the 2 NICs for pfSense
    configure 1 as WAN and one as LAN
    and you should be ready to use it.

    Is it possible to do the same thing but by using only 2 NICs?
    Like have the VMs share a single port for LAN and use 1 NIC for WAN?

  • Dream OG, Services Provider

    Yeah, sure, it should be possible; you could create a vSwitch in ESXi and route the internal VPS also directly through the pfSense.
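The two-NIC layout asked about above, written for Proxmox VE (the OP's planned hypervisor) rather than for an ESXi vSwitch. This is an added example, not configuration from any poster in the thread. The interface names eno1/eno2, the 192.168.1.0/24 addressing, the MAC addresses and the VM IDs 100/101 are assumptions; substitute your own.

```conf
# Added example: Proxmox VE /etc/network/interfaces for a host with two NICs.
# eno1 = WAN uplink, eno2 = LAN switch port (assumed interface names).

auto lo
iface lo inet loopback

# Physical NICs carry no addresses of their own; they are only bridge ports.
auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

# vmbr0 = WAN bridge. Deliberately NO IP address: the hypervisor itself must
# not be reachable from the ISP side. Only the pfSense VM is attached here.
auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

# vmbr1 = LAN bridge, shared by pfSense's LAN leg, the Windows Server/AD VM
# and the Proxmox management address. The host's default route is the
# pfSense VM (192.168.1.1, assumed), so the Proxmox web UI is only reachable
# from the LAN side.
auto vmbr1
iface vmbr1 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0

# --- VM NIC assignment (lines from /etc/pve/qemu-server/<vmid>.conf) ---
#
# 100.conf  (pfSense, assumed VM ID): two virtual NICs, one per bridge.
#   net0: virtio=02:00:00:00:01:00,bridge=vmbr0   # WAN
#   net1: virtio=02:00:00:00:01:01,bridge=vmbr1   # LAN
#   onboot: 1
#   startup: order=1                              # firewall boots first
#
# 101.conf  (Windows Server / AD, assumed VM ID): LAN bridge only, so the
# domain controller never has a path to the WAN that bypasses the firewall.
#   net0: virtio=02:00:00:00:02:00,bridge=vmbr1
#   onboot: 1
#   startup: order=2,up=60                        # wait for pfSense first
```

Two points worth checking after applying this: confirm with `ip addr` that vmbr0 has no address at all, and confirm the management address is only on vmbr1. pfSense on virtio NICs generally needs hardware checksum offloading disabled in System > Advanced > Networking (or use the emulated Intel e1000 model instead). Note also the trade-off WSS raises below: when the pfSense VM is down, the LAN has no route out and the Proxmox UI is reachable only from a host plugged into the LAN segment.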

  • WSS OG, Retired

    I wouldn't do this because you've got a single point of failure for both your network, and your Forest.

    My pronouns are like/subscribe.
