What kernel are you using? It should be supported by >4.14, and yet some higher kernels have problems with binary firmware for this card (iirc 4.16)...
That is quite logical. You used your only IP for PVE-management, that's right. But how would you like to use NAT for VMs? How should the local IP be "translated"? To what? There is no IP remaining. So you need one more...
It is possible, but I do not recommend it at all. If your VM-firewall goes down (and does not start), you have no way to fix it, except going to your server and using its console (or wiping it out and re-installing completely). Bad things do happen sometimes, an OPNsense update can be screwed...
If your server is colocated somewhere remotely, then it is even more important to have remote access configured properly. I'm actually using 3 eth-adapters, as my server has a KVM port too. But KVM & PVE are protected by a dedicated hw-firewall. My setup looks like this (simplified):
By "MV" you mean "VM" (virtual machine)? If it is so, then you have (what I consider as) a very dangerous configuration. I would never recommend routing access to the PVE management interface (web, ssh) over a VM (be it pfSense or whatever). It is a very bad idea...
As a bare minimum, I recommend to have...
What does iptables have to do with pfSense? If you decided to use pfSense as a gateway for your VMs (which imho is the right solution), disable all iptables-rules and let pfSense do the job...
Maybe you do not have enough "randomness", in other words your system has low entropy? Check it with:
cat /proc/sys/kernel/random/entropy_avail
Try to observe this value while writing to disk with if=/dev/urandom.
It is difficult to find optimum values (except for "the more, the better"), but...
Proxmox-firewall is just a front-end for iptables. Do not expect too much of it. It is a little better than the ESXi firewall, but still very "basic" and some of the advanced features are not directly accessible. Anyway, serious filtering should always be offloaded away from the proxmox-host. Filtering...
If you want to have a few hosts in a cluster, then you have to keep pmxcfs running. Devs promised to optimize it, but as it seems, not much has changed. The only thing you can do is to get two very good SATA DOMs. Hope they hold a little longer than my SLC-based usb-stick (died within a few months)...
Your answer was about (sic) "Any firewall". BTW, even if we consider only packet filters, you are still wrong because iptables can do DPI too (although not so effective as an app-firewall due to packet fragmentation). Based on the content of the packet it can decide if it lets the packet pass, or not...
My own opinion:
1. hw is good, but if you can, get more RAM. 16GB is too little even for all those VMs/containers.
2. forget hw-raid/mdadm/lvm-raid, use zfs-raid (did I say more RAM?).
3. Do not install proxmox on usb/cf/sd (variant 1), not even 2x in raid1.
Proxmox is not like ESXi (loads...
That might be your problem. How do you want to guarantee your web/ssh-client will use 8006 (or "xxxxx") as source port? That's virtually impossible.
Source ports used by web/ssh-clients are random, anything between 1024 and 65k. You might restrict it more tightly (e.g. 10k-65k), but still you do...
Not sure if this is relevant, but unlike Linux, BSD-based OSes use 1 core/cpu for routing.
Check this throughput-test: on the same hardware IPFire (Linux) is always faster than pfSense (BSD)...
Small (but important) update for Proxmox (on ZFS) & Docker from STH-folks:
https://www.servethehome.com/setup-docker-on-proxmox-ve-using-zfs-storage/
Original guide:
https://www.servethehome.com/creating-the-ultimate-virtualization-and-container-setup-with-management-guis/
As with everything, you can achieve it in many ways. For example I'm checking my firewall logs with fail2ban and if it finds pre-defined patterns, it takes care of banning the IP with invalid traffic. In case of an unfinished 3-way handshake there is "connection died" or something like that (don't...
True, but only if those packets come to a few opened ports. I think the more I reduce this chance, the better...
Moreover, I do not use icmp at all (very insecure protocol) and udp is strictly limited to DNS replies only for my clients. Then it is much easier to deal with tcp (i.e. for web)...
Cisco ASA is much more than "just" a firewall. It is a fully-fledged adaptive security appliance. Not the best on the market imho, but still very good. Resource-hungry, expensive, but also very effective (with a valid subscription, of course). Using it just for nat/vlan is like using...