Physical or Virtual? A Silent 4x 2.5GbE Proxmox VE pfSense and OPNsense Box

Wonderful to see a video on this, got a J4125 4x i225 to pick up next week and N6005 4x i225 is a few weeks away "reviews seems to be dropping in on the mobile site", both from Topton. Feel somewhat secure in the purchase now.

Just want to say that even a year later this video really help me wrap my head around physical port mappings for virtualized FW/virtualization hosts. Something even nearly all the "tutorial" videos simply gloss over. I really appreciate this!

Nice piece of content! I had virtual servers for networking and always want to consolidate & upgrade them. This shed light on how the set up will go.

WAN port selection really needs to take failure modes into account. If there is some kind of "factory" reset, or if file system corruption deletes your port config file, you don't want your WAN cable going to the port that will ask for a DHCP address and allow logins.

I bought that one after the first video, installed pfSense on it, but I feel it's under utilised. I've been thinking of installing Proxmox on it, so this video is very pertinent

just found your channel, you have the exact approach to computer hardware I've been looking for. so, thanks!

You lay in bed vexing over virtualizing your router or not too???? And here I thought it was just me! 😉

I run OPNsense virtualized under Proxmox, and personally I like it. I went the "one big server that serves all the things" route. Of course, if I need to do maintenance on the machine, all of it goes down during that. It's a reliable machine, though, and while I'm doing maintenance I don't need to be online. I appreciate being able to manage OPNsense as just another VM.
These are interesting little boxes! Within these limitations, many people's needs for a server appliance could be met.

I set up the firewall protecting my Proxmox VM cluster as a VM running on that cluster. I was having second thoughts about that decision because it seemed like I'd run into an issue where I wouldn't be able to manage the cluster remotely if something happened to it because the firewall was one of the VMs on that cluster. However, that decision was reaffirmed a few weeks back when something happened to the host the firewall was living on. I couldn't get into my cluster remotely, and I was like "oh no ... this eventual nightmare has finally come true". But then, about 5 minutes later the firewall came back up because Proxmox migrated it to another host for me. I was pretty impressed and I was happy with my decision to have made it a VM after that.

Bought a machine that looks physically similar to this a couple of years back with a Celeron J1900. It's a great little firewall for home which was very cheap uses hardly any power - but like you, I find the RAM and SSD a bit of a worry (they're branded "Kston"). My decision to put the LAN on interface 0 and the WAN on interface 3 will from now on keep me awake at night.

it always depends.... as long as your virtualization is performant enough, there is no problem with running virtual. but you need to consider, your infrastructure should be solid enough to avoid problems (like multiple hypervisors, vMotion enabled or better yet - a virtual HA with both vFirewalls on different Hypervisors)

I bought one of the 1Gbps variants off of Alibaba, and the SSD died about a year in, so definitely a valid concern to call out.

Very impressive video review,actually this model is our first generation which is stable but big.We have developped this router to the third generation,pocket size with 3*2.5Bge+ dual 10.0Gbe port

I won't go back from virtual... snapshots, simple remote console access, adjusting the hardware on the fly, so many benefits for me!

Very informative like it . Keep doing great videos

FYI- the reason pfsense/opnsense appear to consume all the ram you get it is because BSD doesn't have the qemu-guest-agent driver that reports memory usage back to the hypervisor like most Linux instances do. Proxmox just sees that the OS has reserved all that memory even though it may just be being used for caches or unused inside the instance. Trust what the pfsense ui tells you, not proxmox. It'll run fine on 2-4gb for most use cases

Good review!

To be or not to be [virtual], that is the question. While an older video now, regardless I find myself here.
Excellent video👍, awesome channel, thank you. 17:10 -- STH _unblocked_ on my pihole.
Testing on N100 C[heap]PU, by which I mean fooling/playing around.
Kindest regards, neighbours and friends.

Just bond all the NICs and use VLAN tags for LAN, WAN, etc. When you're virtualizing your firewall anyway, this just works.

sweet. another question in my mind answered. Thx.

Been virtualizing my firewall (OPNsense) on my "main" homelab server for about a year now. I'm pretty happy with it, and the box overall has enough horsepower that I can pretty much dedicate as many resources as I want to the firewall should performance be an issue. My worry is that if anything happens to that server--it is basically a pile of used enterprise parts I got off ebay--all my internet connectivity goes away.

The cooling on this case would probably be able to cool the Intel Core U or AMD U series processors if limited to 15-20w average

I had a problem using proxmox + pfSense and suricata with it. I don't know why but using ESXi solved that issue. Also CPU utalz. is 10% lower when assigning 4 instead of 2 cores.

Awesome videos, buddy i love all of them. Just to say, snapshots are not backups every snapshot will decrease performance, so we use them before changes/upgrades...etc after we know everything works and you can keep them for day / week then we delete them.

My N6005 unit was also taking like a month to be shipped. So I contacted them and they said they couldn't get n6005 atm because of Shanghai lock down. They said they have n5105 in stock. So I changed my order and it shipped same day.

Tiny computers can be addicting, be careful. soon you may have 5 to 6 of the things; justifying your habit by the price/value of small size and power consumption. That said, I have a few. My latest has 6 ETH ports, the N5105 CPU (outperforms the j4125 by a good ways)., and DOES have 2 so-dimm slots. They exist! Shipping seems to be better now... but anything that crosses an ocean is a miracle of tech and you should be happy to get it at all.
Nice review and some good information, many thanks.

Man and I was stressing over going unraid or proxmox/ Truenas for a new board I bought then being like is 2.5 gig going to work since there both 2.5 gig glad this video tells me yes no prob but now I may not have enough 2.5 although this new board was more for doing data log for my fanless pfsense play with vms and serve video backups. And possibly Learn new stuff to get a job I could grow more in.

I am actually watching this vidéo in my bed!😅 Great guide! Thanks

I did buy the barebones version of this on Aliexpress in Black and got Black! It did turn up quite quicky! I did have a 8Gb stick of Memory hanging around and i did purchase a named brand of SSD for install of pfSense for bare metal install. It does seem to be performing well for me, a home user. Does seem to be nice and cool as well. I never even thought of VM the pfsense. I may look into this in the future. Thanks P 🙂

I would love a detailed guide for the network configuration in proxmox for a opnsence vm.

bought one, let's see how well it actually works :)

With a virtualzied firewall, PFSense can use USB based cellular modems, but it requires a virtual switch instead of direct hardware access.

Where can I learn about the use of management port (and how to actually use it in real life situation)? Also, can the lan port for Proxmox be a virtula connection to pfsense rather than using a physical port?

I am working on a virtualized firewall too. I want to virtualize so I can also run my docker swarm manager, reverse proxy and home assistant on that same machine. This will allow me to take all other machines up or down as I wish and know the workloads will remain up. Ran into a few issues: 1) IOMMU on E3-1200 V3 is a disaster, probably will virtualize ports from the i350T4s I installed. 2) I have an early 320GB SLC Fusion IO drive to park my web cache on, but recompiling the drivers for Proxmox 7.1 is proving difficult. 3) I realized four of the SATA ports on my Supermicro X9SCM-F are 3gb after I bought it... and the SSDs for the bulk storage. Fail. I would love to see more details about configuring a virtualized firewall with other VMs on a virtual switch in Proxmox.

good content here - opnsense fork ftw! running a couple of these in HA config makes sense for smb - good mkt opp for small builders! i think that going fwd the prices for these small boxes will plummet - zen4 derivatives and nascent arm devices will exert mkt pressure on intel solutions - these small pc will also present good options for smb sector for scaleable cluster nodes - fast network and nvme will help adoption #netfs #galera

Got my n5105 version on April 1st after your j4125 video and arrival estimates were 17th of May or later. It seemed like the sweet spot to me as it was going for ~215 usd after tax with no ram or ssd. Glad to see you did a review on the 4125 version. I wonder if the 6005 version will be powerful enough to run both a firewall and use the igpu to transcode for services like plex?

You can't possibly expect a software stack to have the throughput of hardware, functionally though it sounds like a good plan.

I'm in this dilemma too. I have a Proxmox already so I could do it. I am getting a new Internet service with just a modem and no router so I need a router. I want to save some money, at least for a month or two. So it looks like I will at least start with a virtual router and maybe get a physical one later.

For flexibility I use all ports in lagg and use vlans for WAN, LAN, DMZ etc
Waiting for 10G/SFP+ version ;)

lol the intro is amazing.
“I’m in bed thinking: ‘Am I doing this right?’“ hehe

Is there a guide on how to set this all up from the beginning?
I have just managed to install proxmox, and enable VT-d on a 4 port Intel i-226 N100 PC.
Patrick mentioned how he prefers the 4 ports to be setup in a virtual environment, but how to actually set these up?
I am new to all this. Any input would be splendid.
Thank you.

Maybe I'm just too inexperienced with Proxmox, or maybe I'm just too dim, but I don't see why one would want to use PCI passthrough for a pfsense or opnsense VM. I've done just fine with both ESXi and Hyper-V without passthrough, plus it allows for migration and HA. Is it for latency? Is there some hardware feature that just works way better with a physical NIC rather than a virtual NIC?

There's also a version with, 2xUSB, 2xUSB3, 1xUSB-C (with 4kx60hz), HDMI2.0, DP1.4, TF-Card reader.

I want to mention that there is also a SIM card slot, I'm going to test to see if I can add my 5G/LTE modem.

Just some stupid idea: I would really love to see a blog post of running a small kolla-ansible deployed OpenStack deployment on TinyMiniMicro. That would be sooo cool and really shouldn't be hard at all, one controller node (no ha to keep it simple), one network node with 2 ports (one port needs to be given to a ovs bridge if you don't want to tinker with Linux bridges and veth pairs) and a couple hypervisors. Oh my I know I'm dreaming but that would be siick

18+ days also waiting for the shipping of my n6005 box! XD

you can add one of those fans we put on a wood stove works with heat ? maybe would improve the cooling ?

I'd love to see at least a basic security assessment - at least it's a *HEAP* unit from *CHINA* supposed to be used as your *FIREWALL* . Other than that - I'm sold to this idea of a virtualised FW.

Nice review. I have a "Parttaker" i5 8350u unit that works really nice. It looks the same but black and with 6 ethernet ports. It has just 1 gbit ethernet ports though. I connected a USB 2,5 gbit adapter as well. It reaches about full speed with a samba share. Also works really well with virtualisation in proxmox. With a 1 tb msata ssd and an option for say a large 2,5 inch ssd it is quite a nice box. The 8350u does get pretty warm when you put it to work. While not really needed I eventually strapped a Noctua fan on top to keep it a bit cooler (so it does not clock down as much)

Hey Patrick, nice one as always ;) BTW have you checked out VyOS, I think it's great and I am pretty close to switching to it fully, but you know how it is to switch firewalls. It ain't done in a couple of minutes...

How well do these boxes do with IDS? Usually a lot slow down with everything running.

Or you could run vlans and have a host with a single nic. ;) In my opinion, its better to have two physical units for failover. If something goes wrong, and you aren't there to fix it, you can always get your SO to pull the power cord on the broken unit. I like to keep the absolutely critical systems isolated from nice-to-have services. I don't want to bring down my internet, DNS or DHCP because I was playing with my docker server and hit the wrong button.
In this firewall's case, you might use virtualisation to isolate your firewall config from the hardware so you can swap hardware without updating the firewall config, rather than for adding more services. Or as mentioned, to have a quick failback without having to find a usb stick and a keyboard / screen to plug into the unit, which is located up in a cupboard...

Hi! Is that right your box has a WLAN module and antennas? I have nearly the same setup as you do, Proxmox VE as hypervisor and a firewall/router VM running Linux, but for sure a different CPU, an Intel i5 (10th Gen). I hit an issue which the WLAN, without lossing signal with client (as seen from client side), but wouldn't able to have purposeful packet traffics (as evident by no ping response to either the VM's IP or external IPs). I have now renice-ed the hostapd to -20 (highest priority as the kernel) and also the VM process at PVE layer reniced to -20 and worked fine so far. I wonder whether you may able to have an experiment as well to verify process scheduling is the real issue? And do you have a better thought as to how to nicely tune it and be able to profile/debug the "dead period"? Thank you in advance!

I'm going to get an alarm clock that wakes me up with "Hey Guys, This is Patrick from STH". I guarantee I'll double my productivity. :)

been virtualizing pfsense and for the past couple years opnsense on proxmox for the past 7 years pcie passthroughing an intel i350-T4v2 into the vm and it has been great much nicer than having a dedicated machine for the sole purpose

Hi! Great video, BTW, very high quality content! Do you have any thoughts on power-failure safety of a bare-metal pfSense vs a virtualized one? UPS-es can only hold up as much and once the power goes off, you want your router to boot up again all the time and every time. With a physical router that's a none-issue. What about pfSense on a bare metal or OPNSense on Proxmox?

Hi Patrick. I have the same one running very well. Got mine faster 😂. Have a awesome 🐣

Patrick, have you come across any mini pc's that have SFP+ or dual 10gbe nics ? I'm looking to buy one for a VERY powerful firewall. Dream would be Xeon-D but the Higher end Atom's or i3's are good too.

I would use pfsense/opnsense more if there is better cloud-init support. Being able to spin them up through terraform would be handy

Hi I have been enjoying your videos. You mention a video that installing Proxmox and pfsense on the tiny 5105 router. I can’t seem to find it.
Thank you. I order one through AliExpress.

I'd imagine it would be pretty easy to get unifi os running on proxmox? I haven't messed around much with proxmox to much since I can do everything I want visualized through arch and vfio passthrough. Does proxmox need dedicated cores? or is pretty flexible. With the j4125 currently I hit about 70% cpu with routing gigabit through wiregaurd. If it is pretty flexible like the KVMs I use on my arch install I think I should be good but reassurance would be nice. Probably will do it regardless because it sounds like fun.

Paying attention. About to replace an Edgerouter. A switch of the product line literally melted.

I would use bare metal for the firewall and virtualize Pi_hole. I make an image of ther drive for DR. The image is small and quick to restore if needed.

Tip: buy a 2TB ssd and use it for a virtual xpenology NAS. It will run like a beast

I saw on the pics it has it showed a sim card slot, can you confirm if that is actually there? I would love to get one of these as a pfsense box with a 4g sim for failover all in one neat bundle.

18:47
what is the "VM3 wifi controller"?
does not pfSense do this already? I just bought a similar unit (shipping on the way) and was planning to add an M2 wifi board (it has two m2 slots both M-key)

what is the maximum routing throughput of the device if all port use to route network packages?

I virtualized pfsense on my 5950x on esxi, it auto starts on boot so no downtime! Setting up the VLANs was kinda pain but everything is set

​ @ServeTheHome Can you please share how you set up the storage of the server for all the vm? thank you very much

Can we directions (or an RPZ file) for unblocking ads on the STH mainsite?

After few years of usage similar router on Celeron J1900, im switching to Dell mini-PC with old i7. No enough power for running few virtual machines working properly.

Been using this for this exact purpose for a few years now. Got a i3-4030U w/ 8GB ram, threw in a good ssd and run pfsense + a few containers.
Never had an issue and get great performance. Also got the unit on amazon for around $250-300

Can you show us how to do these things? Im wanting to learn and setup my own home setup but it sounded like this could also be done for business? Im dreaming of running my websites from my own home server which is why im wanting to learn all of this

a better way to gain throughput is to divide up ports via bonding or bridging - 2 heads is better than 1 but really serious folk will be looking for fw devices with 10g (at least) - 100g potato routers are around the corner and only a couple hundred bucks more per port for 4x perf, the mikrotik 100g 800 buck switch looked sweet and prices on commodity small 100g routers should drop as well going forward #paper launches #paper tiger #sonic #software defined networks #lcd

At 18:49 I think you mean for the graphic to say that you're using ETH2 as your pfSense LAN and ETH3 as WAN. You've reversed them in the graphic.

Looking for an opinion: Would it be worth using a USB gig NIC for management to have the high-speed NICs for LAN and WAN, or is relying on USB asking for trouble?

Do you know if the N6005 version of your case from the same Aliexpress vendor also comes with a single memory slot? I ordered one but its been a month still hasn't shipped, so just wondering about the memory.

How do they do with SQM (Cake) on OpenWRT? I'm currently using an HP T730 with an i350 NIC, but it uses something like 40 watts, so this might be better.
Internet connection is 500 megabits; I doubt we'll get gigabit unless the price goes way down.

4:25 IT usually takes ~3 months for my batteries to get here from AliExpress

so i dont have one of these, never seen inside it or anything...but could there be another sodimm slot on the other side of the mobo, sorta like how some laptops would have one slot on the bottom and one under the keyboard....is that possible? did you take the board out by chance and look on the opposite side of it? either way anything else interesting there?

Those things are cheaper than ever :) N5105 bear bones box under 150€ I would get a reputable SSD localy.

What do you think of the similar Celeron N5095 devices with the i225v3 ports? 15W TDP instead of 10W.

I am virtually running sophos xg on proxmox on a dell R310. What type of limits would I see in using it. I am thinking of adding newer nic's. Right now on my 300 mb cable I generally get 360 mb or better. I have ids running and fiber is potentially coming soon to my address

I am testing out a similar system based on the N5105 processor. Heat is a concern. At idle, the chassis is about 50C (122F) and the CPU core temp is 60C (140F). I am not sure how long these system will last running at these temperature continuously. If you are interested in buy these, I'd look for ones that have extensive fins to keep the system cool or go for ones with a fan.

What node are these network chips on? I know IO doesn't scale as well with smaller nodes, but I still think passive cooling would be more common if these are sub 12nm.

I saw they are selling the new model with Celeron N5105 and Pentium N6005 now. How would you think the performance difference compared to this unit with J4125? In terms of proxmox virtualization.

If you virtualise it in a home network and use it as your router, how do you deal with accessing it if the pfSense or whatever VM crashes or fails to boot/work/etc?

Hi, Im new with the proxmox. Do you have and step by step procedure to install proxmox then install the pfsense?
Can I also access the promox gui thru the lan port of pfsense?
Thank you.

i just got mine the mail two SODIM Slots ,1090NP-12 VER 1.4
not sure if got fooled or got a new iteration my board is blue
and i dont see the intel chips you are talking about
can you help me understand :)

Does this work with a 32GB DIMM installed?

I ended up buying one of these units from Protectli, I'd rather trust them than a no-name Chinese import. One other advantage, at least for me, is that it can come with Coreboot. Pay a bit more for the privilege though.

@6:00 there is a slim card can this be used for data or internet connection?

Speaking of no name storage from China: I would be really hesitant to put ANY software that originated in that part of the world, (or better yet, that I didn't install myself) into production as the firewall in charge of securing and gatekeeping my entire network... I'd also be equally as cautious about checking over any NV storage hardware imported from Asia - simply because I have _personally_ ordered simple, basic, run-of-the-mill USB sticks on Ali, and when they arrived a couple of them were pre-loaded with what appeared to be legit rootkits - AKA free memberships for the whole family - welcome to the BotNet Club! 😅

I might be being stupid, but where is the purchase link?

Can you do 802.3ad link aggregation with these?

I'm curious, is there a rackmount version of something like this?

I got the 4*2.5G ports, Celeron N5105 and tried installing ESXi 7.0.3 but there was an error - No Network Adapters were detected... Is there any solution for this issue?

Is Adguard better than pi hole?

I’m on an iPad and can’t see the notes for this video. I see them fine on my android phone and windows pc but what’s with the iPad UA-cam app? Same thing happens when using UA-cam app on Roku.

I am looking to replace my MicroTik cloud router pro because I can't get a ping time anywhere lower than 80ms when the 100M raw connection gets 20-30s ping to same places. I need it for competitive gaming and streaming, no inbound services, just a simple NAT overload out for 4-5 devices.