Virtual Environments

Most of the installations of IPFire are done by installing it directly on a piece of hardware. However, virtualization is an alternative where IPFire is sharing hardware with other running instances.

IPFire has been used successfully on all products by VMware, KVM, Xen, Microsoft Hyper-V and VirtualBox.

Virtual environments have many disadvantages when used with IPFire.

Security Considerations

Virtual environments break the security of the firewall. Since resources are being shared between different virtual machines, it is easily possible to break out of one of them into the firewall through the host system. Those attacks are impossible to detect by IPFire and transmitted packets, key material and other sensitive information can be stolen or altered.

Therefore it is not recommended to use IPFire in production in such a virtual environment.

Performance Considerations

IPFire is highly optimised for performance. The firewall needs to forward packets as quickly as possible to avoid adding any additional latency into the packet flow.

Virtual machines compete for CPU time of the hypervisor. Hardware interrupts have to be scheduled and sent to the guest only when time is available and will be processed by the hypervisor's driver first before they are being sent to the virtual network interface of the firewall. This will all cause latency that is many times that of a physical machine that is running IPFire.

Using IPFire in a virtual environment will cause you a much slower and less responsive network than using physical hardware.

Reliability Considerations

A firewall is crucial for operating a network. It provides access to the Internet as well as essential services like DNS and DHCP. If the firewall fails, the whole network will probably cease to function.

Some virtual environments use SANs to store the disk images. Those add complexity to the setup and could cause that the firewall fails because of a network outage.

Why virtualisation is supported

Virtual systems have a significant upside when used for development.

Creating snapshots, observing all network communication from the hypervisor are only a few things that are helpful in a development environment.

The IPFire development team does not recommend using IPFire as a virtual machine in any production environment.

Edit Page ‐ Yes, you can edit!

Older Revisions • May 5 at 9:49 am • Michael Tremer