[SOLVED] have a firewall in proxmox

[cazz]

I have now a proxmox on a Dell T1700 and it works very well.
I have some VM connect but now I'm a little curious to maybe add a networks card with four ethernet and also use it as a firewall/router.

What are the pros and cons of having a virtual router / firewall in Proxmox to handle internet traffic to my network.

Was thinking maybe use OPNSense.

 

[Dunuin]

As a router for your complete LAN or just for a DMZ where you host your guests?
If you want it for your complete LAN I would run two OPNsenses on 2 different servers and setup HA with pfsync so your complete home isn't offline in case you got a problem with a PVE node. Keep in mind that a server + PVE + guest is way more complicated with much more things that could fail compared to your ISPs router and if you really start with OPNsense and create stuff like multiple DMZs, VLANs and so on you can't just replace it with a cheap consumer router. So if you get hardware problems with your PVE server and need to buy new hardware, you complete home is maybe offline for weeks.

 

[cazz]

Thanks for the replay
Yes it is for my LAN at home and I was thinking that I still going to have my Mikrotik att backup is something is wrong.
I have also thinking maybe use a Orange Pi R1 Plus LTS and use OpenWrt.
My router at home now is not so advanced setup, most is port forward and block anything else.

 

[Dunuin]

Techno Tim just uploaded a tutorial about homeserver security: https://www.youtube.com/watch?v=Cs8yOmTJNYQ

If you don't make use of DMZs, advanced firewall rules, intrusion prevention and so on you got a long way to go to actually make your home safe.

 

[cazz]

Thanks for the replay, sorry for the delay.

Dunuin:
I have look at it and was very nice to see and I have now setup a reverse proxy at cloudflare and change a little


I was thinking this weekend setup a firewall on my proxmox with pfSense and going to follow this guide
https://youtu.be/hdoBQNI_Ab8
Just to see if I can get it to work.

My DELL T1700 have already a NIC and I have at home another NIC card with one ethernet port.
But I wonder if that is ok that I use the NIC I going to install as WAN and the NIC I already use for my VM as LAN?
If not I have a home USB3.0 to Giga ethernet adapter and server does have USB3.0 so I can use that to LAN
Not sure what is the best with that I have at home

 

[Dunuin]

In general you don't want your VMs be part of your LAN but want them instead in a dedicated DMZ subnet that is isolated by your pfsense firewall so in case one of your VMs gets hacked the hacker gets no access to computers in your LAN. But if you don't want other physical hosts be part of the DMZ too, two physical NICs should be fine. Then you can create a new bridge for your DMZ, don't connect it to any physical NIC (so just virtual NICs of your VMs and pfsense connected to it) and let pfsense do the routing between DMZ and WAN, LAN and WAN as well as DMZ and LAN.

So WAN can access nothing except for some ports of VMs in your DMZ.
DMZ can access WAN but not LAN.
LAN can access WAN and DMZ.

But then you possibly want a Wifi AP in your LAN because your ISPs routers Wifi will be part of your WAN subnet so everything that connects to that wifi will be on the unsecure WAN side of your firewall.

 

[cazz]

ok so what I have at home and that I can use is to use a NIC card that I can install but it have one ethernet port (WAN) and add a USB 3.0 to Ethernet to LAN.

I have two USB 3.0 Giga Ethernet adapter at home but is maybe not so good idea to use both, one for WAN and one for LAN.

 

[cazz]

A little update, I have install pfsense and use two USB 3.0 Ethernet adapter.
It did work nice and easy to setup.
But the speed was very bad so I did try the adapter on a another computer and the test was ok.
Not sure why I did get so bad speed but going to try some more
Maybe is the speed of the hardd drive or is not so good to use two USB 3.0 Ethernet adapter.