internal FW vs external Firewalls

[pille99]

hello all
as the subject already tells: what are the considerations for the proxmox Firewall (with the rules almost everything like a external firewall can be archived) vs an external firewall (right now i have opnsense, its a brilliant peace of software). please let me know your thoughts. everything can be done with proxmox but is it recommended ? is it any good or better ?

i want in firewall country restrictions (can be done with both, IDS (can be archived with both), logging (can be archived with both), lookup subnets (i guess can be done with both as well, with opnsense for sure),
thx

 

[LnxBil]

is it any good or better ?

It serves another purpose. The internal PVE firewall can firewall EACH VM individually, whereare *sense can monitor your network (or alle attached nics). Unless you have each VM with their own vlan run through your *sense device, you will not have the same level of firewalling.

We have security groups for VMs that are in a DMZ, so that the VM itself cannot do anything besides the things we allowed (e.g. outgoing dns to our dns server, getting os updates through mirrors, etc.) this can be set at VM level and via groups applied to multiple VMs.

 

[pille99]

the only advantages i see right now is SSL Offloading everything else i can do with the Onboard Firewall.
dont get me wrong - i love opnsense. its a very good peace of software but if is not needed it would be much better. right now i have 5 opnsense running, which costs performance and resources. and i like the lifeviewer, very easy to get the overview.

my network:
4 Nodes, 5 SDN, each SDN has up to 10 Subnets with VLAN_ID (containing 2-4 servers per subnet), only 5 Servers are allowed to get internet traffic like email, web, rdp (IN/OUT), the Windows Subnet is completly forbidden any traffic to and from Internet, country restrictions.

for the sake of performance how can i configure an forwarder from vmbr0 to a virtual NIC of opnsense, port 443 and 9999 ?