Thursday, July 27, 2017

Running IPFire in a Proxmox KVM

Long ago my network equipment at home was simple: I just used a Belkin N600 router to connect to my ISP. All my computers and devices, including some Raspberry Pis, mobile phones and pads, accessed the internet via the router. As the number of clients increased, I found that the Belkin router did not serve well. Therefore I installed a software firewall, IPFire, on a Raspberry Pi (Model B) and replaced the existing router. (I still needed the N600 as a wireless bridge, so I switched it to bridge mode.)

IPFire is a great software firewall. You can have a look at the website to see the features. Running IPFire on a Raspberry Pi is surprisingly stable too. Everything was fine until I changed the ISP plan from 8M (8mbps/1mbps) to 100M (100mbps/30mbps).

The problem was the hardware limitation of the Raspberry Pi. The built-in LAN and another USB Ethernet adapter worked fine when I was using 8M. However, after I changed to the 100M plan I found that the maximum speed was 30M something. In order to utilize my bandwidth I planned to run IPFire on other hardware.

I didn't have a big budget at that time, so I wondered if I could make use of my existing hardware. My N54L that is running Proxmox seemed to be a good choice. So I decided to create a KVM for this.

The config of the IPFire VM is simple:
1. 512M RAM
2. 1 CPU
3. 16GB virtual disk (virtio driver)
4. one bridged network (virtio driver)

One tricky thing I did was to pass the USB adapter through from the host to the VM, which should give better performance.

Running lsusb on the host shows the adapter:
# lsusb
...
Bus 003 Device 002: ID 0bca:8133 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
...
Then add a line to /etc/pve/qemu-server/.conf:
usb0: host=0bca:8133,usb3=yes

Note: only use "usb3=yes" if you are using a USB 3 device.
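
An added example (not part of the original post): a shell helper that builds the passthrough line from lsusb output and appends usb3=yes only when the adapter sits on a bus with a 3.0 root hub. The function name, the 1234:5678 sample device and the root-hub check are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the Proxmox USB passthrough line from lsusb output.
# Assumption: a device is treated as USB 3 when its bus has a root hub with
# ID 1d6b:0003 (the "3.0 root hub" entry in the lsusb output above).

# Constructed sample: first two lines are from the post, last two are made up.
SAMPLE_LSUSB='Bus 003 Device 002: ID 0bca:8133 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 003: ID 1234:5678 Example Corp. USB 2.0 Ethernet Adapter
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# usb_passthrough_line PATTERN [SLOT]
# Reads lsusb output on stdin and prints e.g. "usb0: host=0bca:8133,usb3=yes"
# for the one device whose description matches PATTERN (an awk regex).
# Exits 1 when zero or several devices match, so an ambiguous pattern never
# hands the wrong device to the firewall VM.
usb_passthrough_line() {
    awk -v pat="$1" -v slot="${2:-0}" '
        # Line shape: Bus 003 Device 002: ID 0bca:8133 <description>
        $1 == "Bus" && $3 == "Device" && $5 == "ID" {
            bus = $2; id = $6
            if (id == "1d6b:0003") usb3bus[bus] = 1    # USB 3.0 root hub
            desc = ""
            for (i = 7; i <= NF; i++) desc = desc " " $i
            # Skip root hubs (vendor 1d6b); they are never passed through.
            if (id !~ /^1d6b:/ && desc ~ pat) { n++; hit_bus = bus; hit_id = id }
        }
        END {
            if (n != 1) {
                print "expected exactly 1 match, got " (n + 0) > "/dev/stderr"
                exit 1
            }
            # usb3=yes only when the matched device is on a 3.0 bus.
            flag = (hit_bus in usb3bus) ? ",usb3=yes" : ""
            printf "usb%s: host=%s%s\n", slot, hit_id, flag
        }'
}

# On a real host: lsusb | usb_passthrough_line RTL8153
printf '%s\n' "$SAMPLE_LSUSB" | usb_passthrough_line 'RTL8153'
```

The printed line still has to be added to the VM's config file by hand, as described above.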

When the setting was done, I started the VM. The USB adapter was detected, and I just followed the instructions to set it up. In my case I connected the USB adapter to RED (internet) and the virtual adapter to GREEN (internal). As I had made an IPFire configuration backup from the Raspberry Pi, I just imported it into the VM and everything ran out of the box!

I did a quick test by running the command-line version of speedtest (speedtest-cli). The result was 80mbps/26mbps, which is acceptable.

[root@ipfire ~]# ./speedtest-cli
Retrieving speedtest.net configuration...
Testing from XXXXXXX (xxx.xxx.xx.xxx)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by xxxxxxxx[22.51 km]: 8.898 ms
Testing download speed................................................................................
Download: 81.54 Mbit/s
Testing upload speed................................................................................................
Upload: 25.93 Mbit/s

In summary, IPFire is a good solution if you want to have a software firewall. There are other free firewalls such as pfSense or OPNsense. I will try them and compare. But for now, I am happy to use IPFire.