The other thing to keep in mind is to pass through physical nics. Using just the vnics will potentially lead to security risks. That’s the reason I went back to physical fws.
I could throw an extra NIC in the server and pass it through, but what are the security risks of using the virtualized NICs? I’m just using virtio to share a dedicated bridge adapter with the router VM.
If you just use 2 nodes, you will need a q-device to make quorum if you have one of the nodes down
I could just use VRRP / keepalived instead, no?
I should try Proxmox, thanks for the suggestion. I set up ZFS recently on my NAS and I regret not learning it earlier. I can see how the snapshotting would make managing VMs easier!
That is pretty sweet. I have a second server I could use for an HA configuration of the router VM. I’ve been meaning to play around with live migrations (KVM) so this could be a cool use case for testing.
I appreciate the advice. I have like 3 spare routers I can swap in if the server fails, plus I have internet on my phone lol. It’s a home environment, not mission critical. I’m glad you mentioned this though, as it made me realize I should have one of these routers configured and ready-to-go as a backup.
My logic is partly that I think a VM on an x86 server could potentially be more reliable than some random SBC like a Banana Pi because it’ll be running a mainline kernel with common peripherals, plus I can have RAID and ECC, etc (better hardware). I just don’t fully buy the “separation of concerns” argument because you can always use that against VMs, and the argument for VMs is cost effectiveness via better utilization of hardware. At home, it can also mean spending money on better hardware instead of redundant hardware (why do I need another Linux box?).
There are also risks involved in running your firewall on the same host as all your other VM’s
I don’t follow. It’s isolated via a dedicated bridge adapter on the host, which is not shared with other VMs. Further, WAN traffic is also isolated by a VLAN, which only the router VM is configured for.
Even if the virtualized router is down, I’ll still have access to the physical server over the network until the DHCP lease expires. The switch does the work of delivering my packets on the LAN, not the router.
Thanks for the tip about the pfSense limit. After running pfSense for like 8 years, my opinion is that is flush with features but overall, it’s trash. Nobody, not even Netgate, understands how to configure limiters, queues, and QoS properly. The official documentation and all the guides on the internet are all contradictory and wrong. I did loads of testing and it worked somewhat, but never as well as it should have on paper (ie. I got ping spikes if I ran a bandwidth test simultaneously, which shouldn’t happen.) I don’t necessarily think OpenWRT is any better, but I know the Linux kernel has multithreaded PPPOE and I expect some modern basics like SQM to work properly in it.