Virtual Switch Setup for Pfsense VM

[Tusitala]

Hi all,

This is my first post here. I am a novice home user with a TS853 Pro (8GB RAM) running QTS 4.3.3.0229.

My objective is to use my NAS as a DHCP router and firewall and to convert my existing router into an AP only.

So, I am trying to start the process of installing a VM for Pfsense but due to the lack of comparable online use-cases to refer to, I am having some difficulty setting up the virtual switch side of things. I have attempted to use the following generalized guides but I keep making mistakes and end up losing my connectivity and current ip settings.

https://trainingrevolution.wordpress.co ... ap-ts-251/
https://www.smallnetbuilder.com/nas/nas ... s-as-a-utm

I also tried the following guide on the QNAP website but the options to select "Private Network Mode" or "Switch Mode" are no longer available which makes it rather confusing to someone who is new to this technology. I also note that the current version of Virtual Switch in QTS provides the options of Basic mode and Advanced mode when creating virtual switches.

https://www.qnap.com/en/how-to/tutorial ... ual-switch

My current network configuration consists of a DD-WRT flashed router running DHCP and a dumb 8-port switch. My switch is connected to the router and all 4 NIC ports on my NAS are connected to the switch. I have assigned static IP addresses to the four ports in my NAS. 192.168.8.61 ~ 192.168.8.64 respectively with NIC port 1 (192.168.8.1) set as the default port for access to the NAS. All other network settings are default i.e. obtain from existing default gateway 192.168.8.1.

Could someone please help walk me through what I need to do to get this working? I can upload screenshots of my settings if it helps.

Thanks
~Tala~

[phill_g]

Hi there. Did anyone help in the end? I am keen on doing very much the same as you.

[bekax5]

I had some issues a few months ago with similar setup.
I ended up realising that in the new QTS it's impossible to have dedicated interfaces as opposed to what says in the website and as opposed to previous QTS.
It appears that every interface now must pass through a virtual switch and thus not allowing all traffic to flow into the VM.
What would be needed for that is either a promiscuous mode, or a dedicated NIC for the VM.

Unfortunately even after speaking with one of their senior engineers I don't believe they really understand the repercussions in that.
From my point of view they believe what I complained is just a singular use case, and not every user that wants to have VMs with firewall, routing, switching, pfsense, etc...
I guess more people should complain and ask to add a dedicated NIC option for VMs.

More on that in the previous thread I opened requesting "new features" that are in fact removed features.
viewtopic.php?f=24&t=136288

[justas]

I'm running pfSense on its own hardware box as Router, Firewall, Gateway, DNS-Server, DHCP-Server, VPN-Client and Server, AdBlocker etc.
This is the most important network component. The NAS and AP's are behind the firewall.

I don't think, it would be a good idea to install such component in a VM, behind a low-performance Virtual Switch. You would have a complex dependency chain just for starting up a DHCP server or sending out a http-request. You would first need to start the NAS, then the Virtualization or Container Station, the VM with all its dependent services. Without it you'll not have any network connection. Also, as I figured out, the current version of the QNAP Virtual Switch reduces significantly the network performance.

Ressources are also important for pfSense. It runs in my setup with Quad-Core CPU and 4GB RAM because of caching, network throughput, cipher operations, traffic routing / blocking / filtering etc.
Are you ready to reserve 4GB of you 8GB and 50% of CPU for pfSense?

And one thing, which I generally don't understand. pfSense requires at least two NICs. If it runs in a VM behind a Virtual Switch which resides on one NIC from the NAS, how can it route traffic between two different networks?

I think, you would not be happy with such network architecture even, if you manage to setup it.

[dastrix]

Seriously, QNAP are on drugs. This is such a terrible design, Ive never see anything like it in 20 years of networking. If you have a grunty nas like me, you cannot use its full features like AES-NI for pfsense because of the hack job virtualisation ** QNAP have configure. What a ** around.

[Moogle Stiltzkin]

Brother_Scud Sep 8, 2018, 11:31 PM
@pmk3
So after months of testing with pfsense and fine-tuning. Im please to say that the Ts-677 has minimal issue in running the image of Pfsense provided by Qnap. I am currently running Snort (IPS set to security), pfblockNG, and OpenVPN. I have running speed-tests at various points and I can confirm that it does not affect my gigabit connection at all. I was very surprised that it runs flawlessly on 2GB allocated RAM and not needing SSD drives.

Atop of that I was able to run Plex, syncing services, setting virtual drives. The Ts 677 has no issue what is thrown at it. What I really appreciate of this server is the 4 ports in which 3 ports can be balanced throughout the network (when it comes to accessing the server internally).

Hope that helps

Specs:
Ts-677 8g
4x 10tb raid 5 (took less than a day to raid sync)

sauce
https://forum.netgate.com/topic/131972/ ... qnap-nas/7


and also this
https://forum.netgate.com/topic/95439/v ... n-qnap-nas

whosmatt Feb 14, 2016, 2:24 AM

@Jailer:

Bad idea. You want a firewall at the edge of your connection, not running in a VM on your LAN.

Not at all. We run pfsense in production in VMs all the time. There's two ways to segregate it from your LAN. One is to use VLANs and virtual networking, the other is to dedicate NICs to the pfsense instance(s). Nothing wrong or inappropriate about that.