Greatly appreciate the insights and expertise on this site. I typically don't post much as I get most of my answers searching, but I can't seem to figure this one out. I have an older Protectli Celeron running pfSense (no AES-NI support). (I'm thinking about switching to OPNsense.) I've also set up an independent Unraid machine. My thought was to run a VM of OPNsense, as I believe my Ryzen 7 2700 has AES-NI, yet I can't seem to install either pfSense or OPNsense natively on AMD, so I have to emulate the CPU (following Spaceinvader's steps; they are great). So I don't think I'd be taking advantage of AES-NI??


So my questions are:

  • Should I run a firewall VM on Unraid and have my old Protectli as backup? (I've read about the nightmares of Unraid failures and not accessing your VMs.)
  • Should I just leave my Protectli as my firewall and not worry about AES-NI? (I would like to use VPN via the firewall; easier than running it on every PC.)
  • Should I be hunting for a better firewall that has AES-NI?


Thanks for any and all advice. If this has been hammered out in another post, please share.


You're able to boot *Sense right without using the "Emulated" mode? What happens when you try the Host passthrough?

UnRAID has had issues booting FreeBSD, if you look at the threads. I recommend a separate box if you can get one. Looks like you have one already.

I'm using an older Intel CPU 4 core i7, and it used to boot fine until a new upgrade stopped it dead. I've tried a few things, but no go so far.

I do something similar: I have a Dell R210 II box, but I run a VM on an Unraid box (i3-8300) all the time and only boot up the Dell box to fail over traffic when I need to work on the Unraid machine.


This works fine; it's a little tricky for VIP assignments depending on how your ISP handles WAN assignments. CARP will want 3 IPs: one for each physical box and one for the VIP, so you'll have to contend with this. You probably don't need to worry about state sync either, or you can, but it's kind of a pain since it will throw a bunch of warnings when it can't reach the box that is off. I just turn it on when I boot the other box up, give it a minute and then fail over.


Also, AES-NI is nice and all, for encryption. If you are doing a bunch of this (like VPN), then worry about it; if you are not doing a lot of encryption, then don't worry about it. pfSense dropped the AES-NI requirement for newer versions; even if they put it back in later, just switch to OPNsense.
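An added check for the AES-NI question (example code, not from this thread): it confirms whether the aes flag is visible on the Unraid (Linux) host, whether the VM's libvirt XML uses host-passthrough rather than an emulated CPU model, and whether the FreeBSD-based guest's boot log shows AESNI in the CPU features and the aesni(4) driver attaching (on pfSense the driver only loads when the AES-NI cryptographic hardware option is enabled). The sample files are constructed and abridged, and the file-path parameters and the aesni_chain_ok verdict are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Each check takes a file path
# so it can run against saved copies of /proc/cpuinfo, the VM XML and
# the guest's /var/run/dmesg.boot; the inputs below are constructed.

# Linux host: /proc/cpuinfo lists "aes" among the CPU flags when AES-NI exists.
host_has_aesni() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# libvirt VM XML (Unraid uses libvirt): print the <cpu mode='...'> value.
# "host-passthrough" exposes host features; an emulated model such as
# qemu64 normally hides AES-NI from the guest.
vm_cpu_mode() {
    sed -n "s/.*<cpu mode='\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# FreeBSD guest: AESNI appears in the Features2 line of the boot log,
# and "aesni0: ... on motherboard" shows the driver actually attached.
guest_has_aesni() {
    grep -q 'AESNI' "${1:-/var/run/dmesg.boot}" &&
        grep -q '^aesni0:' "${1:-/var/run/dmesg.boot}"
}

# Verdict: 0 only if host, VM definition and guest all see AES-NI.
aesni_chain_ok() {
    host_has_aesni "$1" &&
        [ "$(vm_cpu_mode "$2")" = "host-passthrough" ] &&
        guest_has_aesni "$3"
}

# --- constructed sample inputs (abridged, not real captures) ---
tmp=$(mktemp -d)
printf 'flags\t\t: fpu sse2 aes avx2\n' > "$tmp/cpuinfo"
printf "<domain>\n  <cpu mode='host-passthrough' check='none'/>\n</domain>\n" > "$tmp/passthrough.xml"
printf "<domain>\n  <cpu mode='custom' match='exact'>\n    <model>qemu64</model>\n  </cpu>\n</domain>\n" > "$tmp/emulated.xml"
printf 'Features2=0x7ed8320b<SSE3,AESNI,AVX>\naesni0: <AES-CBC,AES-GCM> on motherboard\n' > "$tmp/dmesg.guest"
printf 'Features2=0x80000001<SSE3>\n' > "$tmp/dmesg.noaes"

if aesni_chain_ok "$tmp/cpuinfo" "$tmp/passthrough.xml" "$tmp/dmesg.guest"; then
    echo "AES-NI visible on host, passed through, and detected by guest"
else
    echo "AES-NI chain broken: check the VM CPU mode and the guest boot log"
fi
```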

Doing similar as well, but the primary FW is bare metal on an old Core 2 Duo and the failover is a VM on Unraid. I would not do the primary as a VM unless you have two separate physical boxes with VMs on them. Sync and CARP work with my single WAN; I did it by putting my old consumer router between both pfSense "boxes" and the modem. I set the CARP IP on the consumer router to be the DMZ and gave each pf box a permanent IP assignment. It is still a single point of failure, but super easy to replace in an emergency because of so few settings. And since it's not acting as a firewall you have nothing to manage. Dynamic DNS works fine from pf, as do all normal port forwarding inbound rules. I've not found any issue at all doing it that way. Good luck!

I've been running pfSense in a VM on a Ryzen 1700x for a couple years now. First on Proxmox and then Unraid. I am using host passthrough without issue. To the best of my knowledge it is using AES-NI.


Has been stable. My needs are not much though. Nobody else in the house to complain if things go down. It has gone down on me twice over the last year with Unraid: first when I upgraded Unraid and pfSense stopped working, second when Unraid locked up and I had to resort to the phone to figure out how to fix it.


It's a good learning experience. Up to you if it's worth saving the expense of real hardware for pfSense.

