well first of all you don't.
the proper setup would be :
1. your pfSense machine will have 2 network interfaces. i.e. eth0 , eth1
lets say you decide to dedicate eth0 as WAN and eth1 as LAN
Well no.
This is only one possibilits, PF sense will then be no router but will NAT and Masquerade the traffic.
There 3 Basic options to configure a seperate Firewall, however you could have done this with a VM too that makes it 4
)
Option one - Virtual only
You setup another bridge (vmbr1 for example) and put all regular vms on this ip range
you use vmbr0 only for your pfsense wmhost
pfsense has a second nic on vmbr1
define vmbr0 as wan abd br1 as lan
voila all vms have now to go trough pfsense
however you still need to convince promox to live on br1 too
not shure if possible, i just play with promox for a very short time now
Now about very basic hardware pfsense setup
you have 3 choices
- masquerade / portforward
- masquerade / nat
- routed
the first 2 are with lan and wan, mainly having a private iprange in at your server
has advantages but also major drawbacks.
at the forward option your vms wont have public ips
so vor every vm you wanna reach from outside you need to create a nat/or portforward on pf sense and point it to your private vm ip
this sounds not so bad - well it get messy quick and you drown in rules
also private ips are now a criticla factor on vm side.
at nat you will have kinda external ips but your voms wont know that.
get messy quick with ssl and dns (you will have to run split dns and stuff and even then it can get messy)
3rd one routed
thats the best option for vms that serve the big old dump we call internet
if your provider gives you a subnet to your ip then its super easy
wan interface gets primary ip
"LAN" Interface will be the dedicaded subnet you recieved
every vm can have their public ips without any nat
in all cases you can set your firewall rules
however be aware
pfsense is for beginners counter intuitve (and in that regard a PIA)
it requires friendly rules because every interface is considered incomming
that means you cannot define a rule to deny certain traffic into a subnet
for exmaple you cant say no port 80 ON LAN interface
you must set no port 80 TO LAN interface ON WAN interface
so every restrictions you do in the lan interface means lan cannot do rule a-x
and yes this can get messy quick on a bigger wall (and headaches)
however there also floating rules but they apply to all interfaces same time
so floating rule no port 80 to ip x means no interface can commincate with that ip on port 80
this is good for some rules but not all, also they aply always first
alternative solution:
on a single promox server
iptable all incomming traffic to no thanks
setup an openvpn server to login
to your promox over openvpn
honestly never let a interface like promox open in the net. hypervisors shoudl always drop all incomming except maybe an deicaded vpn
if you have someting like rescue service at your hosters site, dont even open ssh in the open.
nothing but pure openvpn (individucal certs, tls key, hmac and so on the full program)
only serving the net vms get a whole in your hypervisor firewall nobody else
at the end for one hpv pf sense as an external solution wont make much sense (but at least neat openvpn server on it
)
