When it comes to the NAS, these single board computers make great reverse proxies that allow you to access your NAS, whether it's the Asustor or TrueNAS from the Internet without actually being directly exposed to the Internet and create a more secure connection while letting you access your stuff at high speed. They also do well as being a VPN server too. It's like having the security guard in a gated community physically go to the house and get the info for you instead of you going directly to the door.
Two very important thing to keep in mind about putting pfSense, whether in a VM or a physical machine. 1. Using Proxmox backup, you can backup the entire VM once you have it running. Store the backup somewhere safe and you can restore it to a Proxmox system fairly quickly if needed. 2. Always remember that pfSense can create a backup of your router settings via the "Diagnostics>Backup and Restore" menu item. That backup can come in handy whether you're restoring a pfSense system, completely reinstalling pfSense, or installing a new instance of the most current pfSense version, or even if you decide to move your pfSense system into a Proxmox VM. Super handy info to always remember. PS.... I just moved my stand alone pfSense from it's HP T620 thin client physical host to a VM within Proxmox running on an HP T740 thin client!
When it comes to your network stack, I personally recommend keeping that stuff to it's own box. I used to virtualize everything but it does become a problem when you have to take down the host computer for any reason. The only things I would consider stacking together is stuff like Wiregaurd and reverse proxies since that all needs network access anyway function. I also been setting up a second OpNsense box in a virtual machine to take over for the dedicated box if needed.
I've been looking at replacing my old Asus router with a diy alternative. I was looking at virtualising the whole thing but you've stopped me. Would you still suggest a diy router?
Yes, fully agreed. I had an entry level server with a 4 port NIC in my homelab. After installed Proxmox on it AND ignoring that little voice in my head saying NOT to do so, I subsequently installed pfSense to it doing direct pass through of the nic ports to pfSense.. All worked wonderfully for over two years...then I tried doing a Proxmox upgrade.... which failed to complete fully and left the pfSense VM mangled. No more virtualizing it for me. I got an HP T620+ off of ebay and now have JUST pfSense running on that thin client box....totally happy.... plus I feel totally confident that I could (if needed) reinstall pfSense on it and restore my pfSense backup very quickly.
For sure! In the follow up, I'm probably only going to run network related services that wouldn't even need to be up if the router was down. For sure wireguard, and then probably pihole (for local DNS), ddns, and nginx could be really cool.
Its for videos like this that UA-cam exists!! thank you so much. I like your calm and serious attitude (I say this, because this field is over-flooded with exaggerated and over the top content creators. ) I was looking for this exactly, many videos on this topic fail to address the main point.... the fact of having the PCIE cards dedicated to PFsense, makes it hard to figure out how to still keep a connection to the management interface of Proxmox. But you made that very clear.
When virtualizing pfSense/OPNsense it is recommended to use virtualized bridges that are set up 1:1 with physical NICs, instead of passing them through. Whenever you need to switch hardware, move VM to other physical machine etc., you can just update bridges config and VM won't see the difference, no reconfiguration needed on firewall's side. It speeds up disaster recovery as well if there is no HA setup. Overhead on those bridges should be minimal and even low power mini PCs should have no problem with saturating ethernet ports. For a non-critical homelab environment a pass-trough should be enough as well.
Your timing of this video is great. I've built a pfsense box out of a HP Elitedesk 800 G2. It is overkill, and I might downgrade to a small PC like that. I'm not sold on pfsense in a virtual machine as the primary, but maybe as a backup/failover situation. Curious to see how yours turns out. I hope to do a video on my experience soon too.
Just subscribed, thank you so much for the demo I really look forward to you proxmox tutorial. I hope that you’d include a portion of the tutorial on how protect proxmox as host os for the firewall 🙏 This is something that doesn’t have many tutorials on Thanks again
as someone who worked with Cisco, HP, Checkpoint network equipment and firewalls, I find PFSense to be a pain in the backside. It really makes no sense to me. Ive ran it in the past and it made me kind of scratch my head. The hardware you are using is rather interesting and Your production values are spot on. I've been working with Sophos XG home edition on some old desktop hardware. that might be worth a look as a counterpoint to PFSense, if you want to go that route. Hope you get well soon.
Interesting, I'll have to check that out! And no worries, I'm all good. Just a short little cold right around finishing this video up. Thanks as always Johnny!
Hi Haven, hope you're feeling better. I always enjoy your videos and this is no exception. Have you tried proxmox containers? Seems like you could save the whole debian VM and create containers for the services you'd want to use. Maybe it's not technically the same but since it's a tool built in into proxmox you'd want to try it out. Cheers!
LXC containers aren’t something I’ve really had the time or desire to dig into, hence why I’ve preferred to just use a VM and docker. That being said, it could definitely be something fun to look into down the road
honestly would have really enjoyed an uncut style of video. you know like a stream vod kinda thing. I find it so much easier to understand whats going on like that
Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot it becomes the teapot. Now, water can flow or it can crash. Be water, my friend. Bruce Lee
What about mini pc? It could be quiet dificult to intall two ethernet ports, but i think that on mini pc like a ThinkCenter M710q and some solidering i can usde the nvme to install one or two gigabit or 2,5 gigabit ethernet ports, but in this case you need an ssd for your operating sistem, or you can use the nvme e port to mount one ethernet port and with the one on bord maybe i could run pf sense. What do you think about this idea? Could it work?
There should be a way to create a virtual nic for proxmox to be able to talk to of sense directly if that’s possible then the third usb nic isn’t needed
I managed to pick one of these up at a liquidation store for 25 dollars. Unfortunately, something is corrupt, I tried installing windows 10, Windows 11, and Linux Debian with no success. Would've been a neat device for me to use. I was trying to use it as a mini pc to replace my massive tower.
I would probably start using VLANs at that point to save on the 3rd nic. Take the NIC create a bridge which is VLAN Aware and pass one nic for Wan Through. For the Other put the UI To it and then Add the UI onto a VLAN and also Put a Trunk Port to the PFSense VM.
@@HardwareHaven Exactly. So that on the Wan side you can connect your modem/gateway directly to have not the Chance of exposing something you did not want to. And as internet speeds usually are slower that gigabit, you can share the bandwidth on the Lan side.
Yeah, but I guess that’s not really too much of an issue if you’re not taking the server down very often. Definitely still a consideration though, and potentially a huge pain in the butt haha
Hey there, I would ask you for some help. For some apparent reason, when I play games like forza horizon 4 or gta V, my RAM utilisation is really low. There was no game among the tested ones that would use more than 4gb of ram. Ram specs: 16gb 1600mhz ddr3.
One thing that is still tripping me up after watching this. You gave the pfSense VM 2 CPU cores and then gave the Debian VM 4 CPU cores. How is this possible when the J4125 is only a 4 core CPU? Seeing as you're using this for pfSense and Home Assistant which both of these would in theory be active and running 24/7 it doesn't make sense to me how this isn't overloading the CPU.
@@HardwareHaven Very true point, I'd personally go this route since the Seeed box only has 8GB ram, which runs out quickly if you use ZFS or something RAM intensive.
An AIO mini server, hell yeah! A retired laptop could also work very well as laptops are low powered devices, the performance is still pretty good for these headless tasks(even a 2nd gen mobile i5 is faster than these celeron socs). I think the biggest challenges would be routing all the services together from Proxmox.
Laptops can be cool to use, but it still depends on the generation of the hardware if it is a viable option. I had an old netbook that pulled 30 watts at idle. Right now I'm testing a NUC knockoff and it is pulling 9 watts at full CPU load.
USB Ethernet for a server seems like a bad idea. Not recommended for critical components of your network. Not likely to be as stable as built-in and could have problems during reboot depending on your host OS.
You must be new to the channel, haha Joking lol, and yeah definitely not a great long term solution. However that's why I passed thru the onboard NICs to my router which is probably the more "mission critical" service. Granted I didn't have any issues with the USB interface for the few days I was testing. Thanks for the comment!
@@HardwareHaven Yeah, I realized after posting that in the video you actually said you wanted to deal with the “awkward usb Ethernet” thing in a future video. Thanks for the content.
@@HardwareHaven I doubt that all virtual machines and docker will need the entire 1 Gb channel at the same time. Of course it is possible. But for a home mini server, you can get by with one port, and it will work well
@@HardwareHaven You’d be receiving 1Gbps from your LAN network, while being able to still transmit 1Gbps to the WAN network at the same time. You’re overlooking that your link is likely full-duplex. 🙂 I personally prefer multiple ports still (I like 2 for bonding and 1 purely for management).
@@HardwareHaven If they do tell them I want one too 😄 Want to make a nas out of it. Great job with the Odyssey though. And it's got a much better looking case than the Odroid, once you attach a few antennas on it it looks like a proper bad-ass router 👌
sbc are getting better - this is a glimpse of future - for now 6/7th gen refurbs are much better value but hang in there for neext gen sbc/arm parts - opnsense is a better idea for much better licensing #forks
I don't think that's true... It's a bad idea to allocate more RAM than the host has. It's also a bad idea to assign more cores to a single VM than physically available, but virtualized cpu cores are meant to load balance between multiple VMs
Do not buy a Seeed Odyssey. I purchased one in December 2021 and it began acting up in mid-2022. I would get random crashes which became worse over time. Eventually, the machine became so unstable, it would not boot. I contacted Seeed in August and have been back and forth with them since then. After a number of email exchanges, they told me to log onto their website and fill out a form. They just denied my repair request because I purchased it from Amazon instead of their website. Very, very disappointing. At this point, they will not repair my computer and I'm stuck with a $300 paper weight. If you are considering an X86 single board computer, go with a Lattepande 3 Delta. Seeed customer service is terrible and their equipment is unreliable. I'm very disappointed in Seeed.
192.168.100.x is the subnet most cable modems use (192.168.100.1). Cable modems intercept these packets from the data stream. Of course, since you used this on your router, you won't be able to see your cablemodem's web page anymore.
I’ve never had a need to access my cable modem, so I never knew that haha. I have a combo router/modem from my ISP so I don’t believe that’s of any issue for me at least. Thanks for the heads up though
@@featherpony Yeah I've definitely made changes to the router/modem, but have only done it when I had a combo modem/router, so it was typically still 192.168.0.1 or 1.1.
When it comes to the NAS, these single board computers make great reverse proxies that allow you to access your NAS, whether it's the Asustor or TrueNAS from the Internet without actually being directly exposed to the Internet and create a more secure connection while letting you access your stuff at high speed. They also do well as being a VPN server too. It's like having the security guard in a gated community physically go to the house and get the info for you instead of you going directly to the door.
Yep. Reverse proxies are super cool. Maybe I can run nginx or something on the revisit of this!
That is what I have to get set up on my HomeLab with the Pis that I have sitting around.
@@HardwareHaven
You mentioned some problems with only having two ethernet ports....this may help.
ua-cam.com/video/wUcDg_ms0is/v-deo.html
Two very important thing to keep in mind about putting pfSense, whether in a VM or a physical machine. 1. Using Proxmox backup, you can backup the entire VM once you have it running. Store the backup somewhere safe and you can restore it to a Proxmox system fairly quickly if needed. 2. Always remember that pfSense can create a backup of your router settings via the "Diagnostics>Backup and Restore" menu item. That backup can come in handy whether you're restoring a pfSense system, completely reinstalling pfSense, or installing a new instance of the most current pfSense version, or even if you decide to move your pfSense system into a Proxmox VM. Super handy info to always remember. PS.... I just moved my stand alone pfSense from it's HP T620 thin client physical host to a VM within Proxmox running on an HP T740 thin client!
Please complete this series, it was awesome to watch! Have a good one
When it comes to your network stack, I personally recommend keeping that stuff to it's own box. I used to virtualize everything but it does become a problem when you have to take down the host computer for any reason. The only things I would consider stacking together is stuff like Wiregaurd and reverse proxies since that all needs network access anyway function.
I also been setting up a second OpNsense box in a virtual machine to take over for the dedicated box if needed.
I've been looking at replacing my old Asus router with a diy alternative. I was looking at virtualising the whole thing but you've stopped me. Would you still suggest a diy router?
@@limitedrespawns it really depends if you can cope with negatives. If downtime is not critical for you then its doesn't matter, and so on.
Yes, fully agreed. I had an entry level server with a 4 port NIC in my homelab. After installed Proxmox on it AND ignoring that little voice in my head saying NOT to do so, I subsequently installed pfSense to it doing direct pass through of the nic ports to pfSense.. All worked wonderfully for over two years...then I tried doing a Proxmox upgrade.... which failed to complete fully and left the pfSense VM mangled. No more virtualizing it for me. I got an HP T620+ off of ebay and now have JUST pfSense running on that thin client box....totally happy.... plus I feel totally confident that I could (if needed) reinstall pfSense on it and restore my pfSense backup very quickly.
For sure! In the follow up, I'm probably only going to run network related services that wouldn't even need to be up if the router was down. For sure wireguard, and then probably pihole (for local DNS), ddns, and nginx could be really cool.
@@ccupp2 is the hp t620+ still sufficient? If so, I think you've made my decision for me
IT'S ALWAYS THE UNDERRATED VID THAT'S LEGIT! THANK YOU!
Its for videos like this that UA-cam exists!! thank you so much.
I like your calm and serious attitude (I say this, because this field is over-flooded with exaggerated and over the top content creators. )
I was looking for this exactly, many videos on this topic fail to address the main point.... the fact of having the PCIE cards dedicated to PFsense, makes it hard to figure out how to still keep a connection to the management interface of Proxmox.
But you made that very clear.
Glad I could help!
Awesome video! I wasn't aware that this could be done in such a small factor machine. Great to know you are doing better.
Thanks! And yeah it wasn’t anything serious
When virtualizing pfSense/OPNsense it is recommended to use virtualized bridges that are set up 1:1 with physical NICs, instead of passing them through. Whenever you need to switch hardware, move VM to other physical machine etc., you can just update bridges config and VM won't see the difference, no reconfiguration needed on firewall's side. It speeds up disaster recovery as well if there is no HA setup.
Overhead on those bridges should be minimal and even low power mini PCs should have no problem with saturating ethernet ports. For a non-critical homelab environment a pass-trough should be enough as well.
Great video 😉 I am already looking forward to your next video (I am only a little Addicted to your videos )
Lol, that's good guess...? Definitely don't get too addicted haha
@@HardwareHaven I think its an good addiction
yay new vid for the day
Another very good one! Thank you and I am also glad you are doing better 😉
that was exactly what I needed , thank you so much
I like that you started using ventoy :) glad to help
Your timing of this video is great. I've built a pfsense box out of a HP Elitedesk 800 G2. It is overkill, and I might downgrade to a small PC like that. I'm not sold on pfsense in a virtual machine as the primary, but maybe as a backup/failover situation. Curious to see how yours turns out. I hope to do a video on my experience soon too.
yes an new episode
This tutorial is amazing and you are really good at teaching !! great job sir !
Just amazing as always ❤
Thanks, as always!
I enjoyed it!
And I hope you feel better
It was just a short spat haha. I'm all good, thanks!
Just subscribed, thank you so much for the demo
I really look forward to you proxmox tutorial.
I hope that you’d include a portion of the tutorial on how protect proxmox as host os for the firewall 🙏
This is something that doesn’t have many tutorials on
Thanks again
as someone who worked with Cisco, HP, Checkpoint network equipment and firewalls, I find PFSense to be a pain in the backside. It really makes no sense to me. Ive ran it in the past and it made me kind of scratch my head. The hardware you are using is rather interesting and Your production values are spot on. I've been working with Sophos XG home edition on some old desktop hardware. that might be worth a look as a counterpoint to PFSense, if you want to go that route. Hope you get well soon.
Interesting, I'll have to check that out! And no worries, I'm all good. Just a short little cold right around finishing this video up.
Thanks as always Johnny!
You said PFsense is a pain while not providing a single point as to why. It's really embarrassing
good work king, love you
Tysm, did everything as described
Hi Haven, hope you're feeling better.
I always enjoy your videos and this is no exception.
Have you tried proxmox containers? Seems like you could save the whole debian VM and create containers for the services you'd want to use. Maybe it's not technically the same but since it's a tool built in into proxmox you'd want to try it out.
Cheers!
LXC containers aren’t something I’ve really had the time or desire to dig into, hence why I’ve preferred to just use a VM and docker. That being said, it could definitely be something fun to look into down the road
WOOOOO
Wow thank you so much that really helped
Just spinning up my proxmox box with opnsense, thanks for pointing out how to passthru PCI-e network ports, I really didn't want to make them bridges.
Canot run on raspberry pi but you can use a Zima board which is really good replacement for it.
honestly would have really enjoyed an uncut style of video. you know like a stream vod kinda thing. I find it so much easier to understand whats going on like that
oh no... he's found virtualization
Haha, nah I just finally got around to making videos on it
Thank u for this ❤❤
Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot it becomes the teapot. Now, water can flow or it can crash. Be water, my friend.
Bruce Lee
What about mini pc? It could be quiet dificult to intall two ethernet ports, but i think that on mini pc like a ThinkCenter M710q and some solidering i can usde the nvme to install one or two gigabit or 2,5 gigabit ethernet ports, but in this case you need an ssd for your operating sistem, or you can use the nvme e port to mount one ethernet port and with the one on bord maybe i could run pf sense. What do you think about this idea? Could it work?
seeeeeeeeeeeeed
A year later: are you still using the same setup for your main router or have migrated to something else or bare-metal?
thank you bro thank you
There should be a way to create a virtual nic for proxmox to be able to talk to of sense directly if that’s possible then the third usb nic isn’t needed
I managed to pick one of these up at a liquidation store for 25 dollars. Unfortunately, something is corrupt, I tried installing windows 10, Windows 11, and Linux Debian with no success. Would've been a neat device for me to use.
I was trying to use it as a mini pc to replace my massive tower.
I would probably start using VLANs at that point to save on the 3rd nic.
Take the NIC create a bridge which is VLAN Aware and pass one nic for Wan Through. For the Other put the UI To it and then Add the UI onto a VLAN and also Put a Trunk Port to the PFSense VM.
I’m confused.. are you saying to have a dedicated NiC for WAN passed to the PFS VM, and then use a bridge on the second NIC for LAN/everything else?
@@HardwareHaven Exactly. So that on the Wan side you can connect your modem/gateway directly to have not the Chance of exposing something you did not want to. And as internet speeds usually are slower that gigabit, you can share the bandwidth on the Lan side.
thank you!!! video liked and u got a well deserved sub from me!!!!
you could just use a pine64, it has a pcie slot and is a very affordable mini pc, they cost 20 to 30 dollars
Virtualized firewall is a big nono
Why?
@@DavidManouchehri Because when your Firewall VM or your server is down, you have no more network !
Yeah, but I guess that’s not really too much of an issue if you’re not taking the server down very often. Definitely still a consideration though, and potentially a huge pain in the butt haha
works gj
Hey there, I would ask you for some help. For some apparent reason, when I play games like forza horizon 4 or gta V, my RAM utilisation is really low. There was no game among the tested ones that would use more than 4gb of ram. Ram specs: 16gb 1600mhz ddr3.
One thing that is still tripping me up after watching this. You gave the pfSense VM 2 CPU cores and then gave the Debian VM 4 CPU cores. How is this possible when the J4125 is only a 4 core CPU? Seeing as you're using this for pfSense and Home Assistant which both of these would in theory be active and running 24/7 it doesn't make sense to me how this isn't overloading the CPU.
You can also just ssh into the Proxmox host and use that, because it's basically plain Debian. Be sure to secure the box, however.
True, but I like having things a bit more compartmentalized if that makes sense. Good point though!
@@HardwareHaven Very true point, I'd personally go this route since the Seeed box only has 8GB ram, which runs out quickly if you use ZFS or something RAM intensive.
Anyone else ever try and hit F2 at the intro because you think you are about to enter BIOS? Just me?
Hahahaha
keep both routers, so you won't lose connectivity when one needs servicing
An AIO mini server, hell yeah!
A retired laptop could also work very well as laptops are low powered devices, the performance is still pretty good for these headless tasks(even a 2nd gen mobile i5 is faster than these celeron socs). I think the biggest challenges would be routing all the services together from Proxmox.
Laptops can be a bit finicky, but definitely a cheap alternative. I will probably do a "busted laptop server" video or something at some point haha
Laptops can be cool to use, but it still depends on the generation of the hardware if it is a viable option. I had an old netbook that pulled 30 watts at idle. Right now I'm testing a NUC knockoff and it is pulling 9 watts at full CPU load.
Half of the networking stuff went over my head. What do you suggest so I can learn these?
Check out network chuck’s UA-cam channel maybe. He’s got some good breakdowns of things
Why not you try make steam cache server
If you shutdown the device, do you need to manually reboot the VM?
Not if you set the "auto start" option in the VM's setting
Start 7:01 , You're Welcome.
USB Ethernet for a server seems like a bad idea. Not recommended for critical components of your network. Not likely to be as stable as built-in and could have problems during reboot depending on your host OS.
You must be new to the channel, haha
Joking lol, and yeah definitely not a great long term solution. However that's why I passed thru the onboard NICs to my router which is probably the more "mission critical" service. Granted I didn't have any issues with the USB interface for the few days I was testing. Thanks for the comment!
@@HardwareHaven Yeah, I realized after posting that in the video you actually said you wanted to deal with the “awkward usb Ethernet” thing in a future video.
Thanks for the content.
You could use Vlan.
One port ethernet is enough.
Unless you pay for gigabit Ethernet haha
@@HardwareHaven I doubt that all virtual machines and docker will need the entire 1 Gb channel at the same time. Of course it is possible. But for a home mini server, you can get by with one port, and it will work well
Wouldn’t your connection for the entire local network > WAN be limited by running it on a VLAN?
@@HardwareHaven You’d be receiving 1Gbps from your LAN network, while being able to still transmit 1Gbps to the WAN network at the same time. You’re overlooking that your link is likely full-duplex. 🙂
I personally prefer multiple ports still (I like 2 for bonding and 1 purely for management).
@@DavidManouchehri Ahhh, yeah that makes sense. Thanks!
Should have gone for odroid h3+. two multigig nics, n6005, and 4xPCIE 3.0 for nvme
Maybe someone can send me one of those 😂
@@HardwareHaven If they do tell them I want one too 😄 Want to make a nas out of it.
Great job with the Odyssey though. And it's got a much better looking case than the Odroid, once you attach a few antennas on it it looks like a proper bad-ass router 👌
With what program tested power consumption?
A kill-o-watt meter at the wall plug while running cinebench R15
@@HardwareHaven Thank you i was curious
sbc are getting better - this is a glimpse of future - for now 6/7th gen refurbs are much better value but hang in there for neext gen sbc/arm parts - opnsense is a better idea for much better licensing #forks
Whats your internet speed
1Gb
it's not a good idea to assign more cores than physically available
I don't think that's true... It's a bad idea to allocate more RAM than the host has. It's also a bad idea to assign more cores to a single VM than physically available, but virtualized cpu cores are meant to load balance between multiple VMs
Do not buy a Seeed Odyssey. I purchased one in December 2021 and it began acting up in mid-2022. I would get random crashes which became worse over time. Eventually, the machine became so unstable, it would not boot. I contacted Seeed in August and have been back and forth with them since then. After a number of email exchanges, they told me to log onto their website and fill out a form. They just denied my repair request because I purchased it from Amazon instead of their website. Very, very disappointing. At this point, they will not repair my computer and I'm stuck with a $300 paper weight. If you are considering an X86 single board computer, go with a Lattepande 3 Delta. Seeed customer service is terrible and their equipment is unreliable. I'm very disappointed in Seeed.
192.168.100.x is the subnet most cable modems use (192.168.100.1). Cable modems intercept these packets from the data stream. Of course, since you used this on your router, you won't be able to see your cablemodem's web page anymore.
I’ve never had a need to access my cable modem, so I never knew that haha. I have a combo router/modem from my ISP so I don’t believe that’s of any issue for me at least. Thanks for the heads up though
@@HardwareHaven You can still log in with default user/pass usually. Can reboot the modem and other things. Even put the modem in bridge mode.
@@featherpony Yeah I've definitely made changes to the router/modem, but have only done it when I had a combo modem/router, so it was typically still 192.168.0.1 or 1.1.