Virtualizing Pfsense and PBX

pbxman123

New Member
May 23, 2013
Good Day,

I am new to this forum and I am looking to create a small appliance using Proxmox with a device that has two Ethernet ports. One port is connected to a Pfsense VM (WAN) and a second port (LAN) connects to an Elastix PBX and the Pfsense firewall. The idea is to hide and provide access to the PBX ONLY via IPSec/OpenVPN tunnels and not to pass SIP directly through the firewall ports. I was just wondering if this is something that is best practice. I have seen arguments for and against virtualizing firewalls on your host in case there are vulnerabilities that can be exploited, however is this not mitigated via the setup described? Just a discussion I wanted to get into and to get a feel of what others here have done. Thanks.
 
Ok, so you want to have Proxmox that contains pfsense and elastix virtual machines/containers.

I have a similar setup in a home environment:
proxmox (2 at the moment)
vyatta (router/firewall/ipsec/openvpn server, debian-based, can use virtio)
asterisk kvm machine on debian; freeswitch openvz container (planned replacement for asterisk)

Using containers rather than virtual machines for telephony is generally advised due to better clock performance or some such. However, when starting I just migrated over my existing asterisk physical box to a kvm. If I would do this again, I'd choose openvz.

Performance is ok, but I really only have 1 call going on at the same time.

Having a virtualised firewall is not "best practice" for data centers etc but if you know what you're doing I think it can work ok within proxmox. I edited the network config so it didn't give out an ip address on the WAN bridge; then assigned the bridge to the firewall and set up the IP numbering there, so everything TCP/IP based should be going through the firewall.

You'll see previous posts of mine (both on telephony and firewalls) discuss some more details.
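An added example (not JimBeam's own configuration, nor anything from the Proxmox project) of what "not giving out an IP address on the WAN bridge" looks like in /etc/network/interfaces for a two-port host, together with a small audit that confirms the WAN bridge stanza carries no address. Interface names (eth0/eth1, vmbr0/vmbr1) and the 192.168.10.0/24 addressing are assumptions; the sample is written to a scratch file, never to the live system file.

```shell
#!/bin/sh
# Added example (not from the thread): a constructed /etc/network/interfaces for the
# two-port layout described above, plus a check that the WAN bridge really carries
# no host address. Interface names, bridge names and addresses are assumptions.

write_sample_interfaces() {
    # Write the constructed sample to the path in $1 (a scratch file, never the live file).
    cat > "$1" <<'EOF'
auto lo
iface lo inet loopback

# Physical WAN port. vmbr0 bridges it straight to the pfSense VM's WAN leg and
# deliberately has no address, so the host itself is not reachable from outside.
iface eth0 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

# Physical LAN port. vmbr1 carries the Proxmox management address, the pfSense
# LAN leg and the PBX; the host's default gateway is the pfSense LAN address.
iface eth1 inet manual

auto vmbr1
iface vmbr1 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
EOF
}

bridge_is_ipless() {
    # Usage: bridge_is_ipless FILE BRIDGE
    # Returns 0 when BRIDGE is configured "inet manual" and its stanza has no
    # address/netmask/gateway line; returns 1 if it has an address or is absent.
    awk -v br="$2" '
        /^iface[[:space:]]/ {
            inside = ($2 == br)
            if (inside) { found = 1; manual = ($4 == "manual"); bad = 0 }
            next
        }
        /^(auto|allow-|source|mapping)/ { inside = 0; next }
        inside && /^[[:space:]]*(address|netmask|gateway)([[:space:]]|$)/ { bad = 1 }
        END { if (found && manual && !bad) exit 0; exit 1 }
    ' "$1"
}

# Stand-alone demo: write the sample to a scratch file and audit both bridges.
demo_file=$(mktemp)
write_sample_interfaces "$demo_file"
for br in vmbr0 vmbr1; do
    if bridge_is_ipless "$demo_file" "$br"; then
        echo "$br: no host address (WAN-style bridge)"
    else
        echo "$br: host address present"
    fi
done
rm -f "$demo_file"
```

Running `bridge_is_ipless /etc/network/interfaces vmbr0` on the host is a quick way to re-check, after any later edit, that the WAN bridge has not silently regained an address; pairing it with `ip -4 addr show vmbr0` (which should print no `inet` line) covers the running state as well as the file.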
 
As I understand it, your main target is not playing with pfSense, but providing access to Asterisk through VPN.
In this case your minimal config can look like this:
1) proxmox host with Asterisk VM inside
2) OpenVPN and iptables should be installed on proxmox
3) virtual network settings depend on your needs. In case your proxmox is connected to the Internet, you should create a dummy interface, create another bridge, map the dummy to this bridge, and point the VM to this bridge.
4) The Asterisk client from the Internet will connect to Proxmox via OpenVPN and will get access to the VM
5) iptables should be configured to close all ports except the openvpn port, so you may get access to the proxmox web or ssh only using openvpn.
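An added example (not ppo's configuration and not Proxmox project code) of steps 4 and 5 above as an iptables-restore ruleset: the host accepts nothing from the WAN except the OpenVPN port, the Proxmox web UI and SSH answer only on the tunnel interface, and only VPN clients are forwarded to the bridge the PBX VM sits on. The WAN interface name, the OpenVPN port (1194/udp), the tunnel name tun0 and the PBX bridge name are assumptions passed in as arguments; the second function audits a generated ruleset and lists what a scan from the WAN side could still reach.

```shell
#!/bin/sh
# Added example (not from the thread): a generator for the host firewall sketched in
# the post above (everything closed except the OpenVPN port; Proxmox web/SSH only over
# the tunnel; VPN clients forwarded to the PBX bridge) and a small audit that lists
# what the WAN side would still see open. Interface names, the OpenVPN port and the
# bridge name are assumptions supplied as arguments.

build_host_rules() {
    # Usage: build_host_rules WAN_IF OVPN_PORT PBX_BRIDGE  > rules.v4
    # Emits an iptables-restore ruleset on stdout.
    wan_if=$1; ovpn_port=$2; pbx_br=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections the host opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only service exposed on the WAN interface: OpenVPN.
-A INPUT -i $wan_if -p udp --dport $ovpn_port -j ACCEPT
# Proxmox web UI (8006) and SSH are reachable only from the tunnel interface.
-A INPUT -i tun0 -p tcp --dport 8006 -j ACCEPT
-A INPUT -i tun0 -p tcp --dport 22 -j ACCEPT
# Explicit final drop so the dropped count shows up in 'iptables -L -v'.
-A INPUT -j DROP
# VPN clients may reach the PBX bridge (the bridge backed by the dummy interface);
# nothing else is forwarded, so the PBX is never reachable from the WAN directly.
-A FORWARD -i tun0 -o $pbx_br -j ACCEPT
-A FORWARD -i $pbx_br -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

wan_exposed_services() {
    # Usage: wan_exposed_services RULES_FILE
    # Prints "proto/port" for each INPUT ACCEPT rule that is not bound to lo or tun0
    # and is not the stateful-reply rule, i.e. what a scan from the WAN could reach.
    awk '
        /^-A INPUT/ && /-j ACCEPT/ && !/-i lo / && !/-i tun0 / && !/--ctstate/ {
            proto = "?"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto "/" port
        }
    ' "$1"
}

# Stand-alone demo: generate the ruleset for eth0 / 1194 / vmbr1 and audit it.
demo_rules=$(mktemp)
build_host_rules eth0 1194 vmbr1 > "$demo_rules"
echo "Services reachable from the WAN side:"
wan_exposed_services "$demo_rules"
rm -f "$demo_rules"
```

To use it on a host, write the ruleset to a file, syntax-check it with `iptables-restore --test < rules.v4`, enable forwarding with `sysctl -w net.ipv4.ip_forward=1`, and only then load it with `iptables-restore < rules.v4`; since the INPUT policy is DROP, do the first load from a console or out-of-band session rather than over the SSH connection you are about to cut off, and have the equivalent ip6tables policy in place if the host has IPv6 connectivity.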
 
Hi JimBeam and ppo, thank you for replying to my post.

JimBeam, this was a great help. It confirmed what some other posts and a friend of mine said, which is to remove the TCP/IP information and make it manual on the Interface (WAN) that connects to the Internet via the PFsense Firewall making all traffic accessible only via the Pfsense VM. I was thinking about going a step further and using VT-d to map the WAN port directly to the Pfsense VM thereby making it completely isolated.

I was looking into the OpenVZ container which does seem to provide near native performance so I would definitely like to try this and look for some pre-built, hardened appliances. Firewalling the Asterisk and Proxmox (Shorewall?) will also give that extra bit of security. I am looking at your other posts as well.

ppo, just to clarify, the OpenVPN/IPSec is actually built into the Pfsense VM/Container so the VPN Tunneling will be done in there to and from remote clients' IP phones. The Pfsense is to completely hide the Asterisk PBX (and Proxmox) so that it is not vulnerable to attack via the common SIP, HTTP(S), SSH ports and RTP UDP ports and to encrypt the traffic only for VoIP communication. I do not plan on having Proxmox connected directly to the Internet via the WAN port, only through the LAN port on the second Bridged port. The Dummy port does sound interesting though, maybe via another secured VLAN Interface on the secondary bridge port?

Thank you very much for the information, it is greatly appreciated guys!
 
Why are you worried about Proxmox being connected to the WAN?
Sounds like there are no Debian or any other Linux systems used in production on the Internet.
I love OpenBSD and especially use it for gateways, but I believe that iptables is a more powerful solution against kiddies or bots.
There is no sense, for such a small config, in adding pfSense as a separate firewall/VPN server.
Yes, pfSense is more friendly, and you probably don't want to spend time configuring the same thing on the whole Proxmox.
 
we are using pfsense in our datacenter for ipsec and openvpn connections to our customers.

pfsense in a KVM machine works great and is well supported.

We have been using asterisk with openvz for several years on debian / ubuntu systems, compiling everything from scratch, making our own asterisk openvz templates with freepbx.
The main problem was to get the meetme application running inside the openvz / asterisk container to get music on hold and conferences running.

We compiled a new kernel which was optimized for asterisk and used the sangoma usb stick as the timing source for dahdi / zaptel for all asterisk containers.

see http://wiki.sangoma.com/sangoma-wanpipe-voicetime

Many asterisk openvz containers could share one sangoma USB timing source for excellent audio & conferences.

Openvz is great for these voip systems like asterisk and freeswitch.

To protect our servers and to avoid fraud we prefer pfsense

Regards

Martin
 
Hi all..

ppo:
I asked the same question here: http://forum.proxmox.com/threads/14723-Better-way-to-manage-virtual-network
It's also my doubt. Yes, it's a simple way to make it work, but in this way you're not respecting IaaS: the hardware is no longer detached from the virtual infrastructure. If the node goes down... how about networking? If all is on VMs you can reimport into another brand new node without reconfiguring everything...

This is my doubt...

Stefano
 
