Wednesday, June 18, 2014

Firewall with Hyper-V Synthetic NIC Support

I've been looking for a while to try and find an Open Source firewall for use in a Hyper-V environment. There's a number out there that will install and work, however trying to find a product with support for the Hyper-V Synthetic NICs instead of just the slower Legacy NICs has been... well... tedious.

I've looked at IPFire before - mainly as it was originally a fork of the IPCop project which is a fork of the SmoothWall project that I was on the development team of for some time. I was re-introduced to IPFire recently on a site visit to try and see if we could find causes for ADSL speed issues and then again at a friend's place last week who was running it in his home office.

So, on a whim, I thought I'd give it another go and see if it supported the Hyper-V Synthetic NICs on Hyper-V 2012 R2 and, well, kinda. During the installation, both the legacy NICs I added to the Hyper-V Guest were detected as was the default installed Synthetic NIC I'd not removed. So, I stopped the install, removed the Legacy NICs, added another Synthetic NIC and restarted the install. During installation, I chose the appropriate NIC for Green and Red, and off we went.

The first boot was great - the IPFire VM came up NICs blazing. :) I fiddled with the web interface a bit then rebooted. That's when it started to look like things weren't quite as I'd hoped - during the boot, I received an error message stating that "Interface green0 doesn't exist", however red0 worked fine. I re-ran "setup" and re-assigned the NICs and rebooted and this time "Interface red0 doesn't exist" was reported. Hhmmm...

So it seemed that Hyper-V Synthetic NICs were kinda supported. I had a look to see if the modules were being loaded properly and noticed a distinct lack of Hyper-V modules in /etc/sysconfig/modules. After a little Googling, I found the following information on the IPFire Install Guide:

Hyper-V
IPFire includes the modules required to work properly in a Hyper-V environment, but those modules are not enabled by default. To enable those modules, add the following four lines to the file /etc/sysconfig/modules and reboot:
hv_blkvsc
hv_netvsc
hv_storvsc
hv_vmbus

So, after adding these modules and rebooting a few times to test, all seems fine and IPFire is running with Hyper-V Synthetic NICs. :)
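
The step from the Install Guide can also be scripted so it is safe to re-run. This is an added example, not code from the original post or from the IPFire project; it assumes /etc/sysconfig/modules holds one module name per line and treats lines starting with # as not enabled, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotently enable the four Hyper-V modules named in the
# IPFire Install Guide excerpt above. Function names are hypothetical.
HV_MODULES="hv_blkvsc hv_netvsc hv_storvsc hv_vmbus"

# missing_hv_modules FILE
# Print each listed module that has no active whole-line entry in FILE.
# Assumption: one module per line; "#hv_netvsc" counts as not enabled.
missing_hv_modules() {
    for m in $HV_MODULES; do
        if ! [ -f "$1" ] ||
           ! sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -qxF "$m"; then
            echo "$m"
        fi
    done
}

# ensure_hv_modules FILE
# Append only the modules that are missing, keeping a .bak copy first.
ensure_hv_modules() {
    file=$1
    missing=$(missing_hv_modules "$file")
    if [ -z "$missing" ]; then
        return 0                      # nothing to do, file left untouched
    fi
    if [ -f "$file" ]; then
        cp -p "$file" "$file.bak"
    fi
    # If the last line has no trailing newline, add one so the first
    # appended module does not get glued onto an existing entry.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    for m in $missing; do
        echo "$m" >> "$file"
    done
}

# Run against a file only when one is given on the command line.
if [ $# -gt 0 ]; then
    ensure_hv_modules "$1"
    missing_hv_modules "$1"           # prints nothing when all four are set
fi
```

Saved under any name and run as root with /etc/sysconfig/modules as its argument, it leaves a file that already has all four entries unchanged; the reboot from the guide is still needed afterwards.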

Now, for the speed testing results. I ran this test using 35.0GB of data consisting of some .iso files of around 4GB and also 7.8GB of smaller files of varying sizes (ie, extracted Windows Server 2012 R2 Standard and Windows Server 2012 R2 Essentials ISOs) with the following results.

Test 1 - Legacy NICs, across a 1GbE L3 switch from a physical server's USB-attached drive to this 2012 R2 Hyper-V Guest on a RAID-5 SSD Array on a 2012 R2 Standard server running Hyper-V

Test 2 - Synthetic NICs, across a 1GbE L3 switch from a physical server's USB-attached drive to this 2012 R2 Hyper-V Guest on a RAID-5 SSD Array on a 2012 R2 Standard server running Hyper-V

Test 3 - Synthetic NICs, across a 1GbE L3 switch from a physical server's SAS RAID-5 HDD Array to this 2012 R2 Hyper-V Guest on a RAID-5 SSD Array on a 2012 R2 Standard server running Hyper-V

Results:

| Scenario | NIC Type | Source | Speed | Comments |
|---|---|---|---|---|
| Test 1 | Legacy | Remote USB2 | 0.113GB/min | Yes, Legacy NICs are as slow as this! |
| Test 2 | Synthetic | Remote USB2 | 1.62GB/minute | This is about the speed expected from USB2 |
| Test 3 | Synthetic | Remote SAS Array | 4.32GB/minute | This is much more bearable! |

So, it shows that the implementation of the Hyper-V Synthetic NIC drivers in IPFire definitely lives up to expectations and provides much better performance than the old Legacy NICs can ever dream of.


Regards,

The Outspoken Wookie

1 comment:

Dave Gordon said...

Thanks for this! I support a local non-profit who NEED a good security appliance but lack the budget. What they do have is a nice Dell Hyper-V server with plenty of spare resources to run IPFIRE. I'm fond of Untangle but the lack of synthetic NIC support precludes it. Cheers, Dave Gordon