Network setup - help

[imthiazaar]

Dear Admin,

I am trying to setup below and struggling around the network configuration.

1. Setup Sohpos XG Firewall with WAN and LAN
2. PiHole DNS
3. Extend the LAN Network to Wifi Router for DHCP

Hardware Specs - i7 Mini PC, 2.5G Dual port NIC, Deco X60 Wifi Router, Internet Modem

How to access the Proxmos VE once I connect it to Internet modem and the network configuration for vmbr0 and vmbr1. Please advise.

 

[Dunuin]

You could give your PVE a IP in your LAN subnet (vmbr1) and set your Sophos LAN IP as the gateway and your PiHole as the DNS. In that case your PVE would also be protected by your Sophos Firewall but your PVE also will only be able to access the internet if your Sophos VM is running.
Other option would be to give your PVE a IP on the LAN (vmbr1) and WAN side (vmbr0) and set your ISPs router as the gateway and DNS. Then PVE wouldn't be protected by the Sophos VM but could still be updated in case there is a problem and your Sophos VM refuses to start. And you still could access your PVE webUI using the IP on the LAN side. But in that case I would block port 22 and 8006 on the WAN side.

 

[imthiazaar]

Thanks for assisting me here.. Appreciate it.

I started with a basic setup, by connecting my Proxmos NIC-1 to Deco Router's LAN port.

Proxmos > Deco LAN(was assinged an IP - 192.168.18.10)

Below is my /etc/network/interfaces output.

auto lo iface lo inet loopback iface eno2 inet manual iface enp174s0 inet manual iface enx606d3c6bdc6a inet manual iface wlo1 inet manual auto eno2 iface eno2 inet static address 192.168.18.10/24 gateway 192.168.18.1 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up echo 1 > /proc/sys/net/ipv4/conf/eno2/proxy_arp auto vmbr0 iface vmbr0 inet static address 172.16.16.2/24 bridge-ports none bridge-stp off bridge-fd 0 auto vmbr1 iface vmbr1 inet static address 172.16.17.2/24 bridge-ports enp174s0 bridge-stp off bridge-fd 0 auto vmbr2 iface vmbr2 inet static address 172.16.18.2/24 bridge-ports enx606d3c6bdc6a bridge-stp off bridge-fd 0

I created Windows10 VM, assigned vmbr0 and allocated a static IP from vmbr0 segment but the internet is not working on my Windows VM.

Please advise how this VM can have internet access.

 

[Dunuin]

I thought you want to use the sophos VM? Right now you set that guest with your PVE server as your gateway. Setup your sophos VM as the DHCP/gateway/DNS for each local subnet.

 

[imthiazaar]

Thanks @Dunuin , I configured the Sopohs with DHCP and tried to ping google.com which is failing.

Sohpos
WAN - 192.168.18.31
LAN - 172.16.16.5

Also unable to ping WAN IP from LAN segment.

 

[Dunuin]

How do you run sophos? Bare metal, LXC, VM?
From where did you try to ping google?
Which IPs did you gave Sophos if you already gave 172.16.X.1 to PVE? Not that this wouldn't work, its just unusual not to give your router the first IP of a subnet.

 

[imthiazaar]

I am running Sophos as a VM inside the Proxmos.

I tried pinging the google from the Sophos diagnostic.

Sohpos-WAN - 192.168.18.31
Sohpos-LAN - 172.16.16.5
PVE - 192.168.18.10


My PVE IP is from Deco Wifi Router - which is currently 192.168.18.0/24

Below is the current PVE IP and how I access it.

Interent > Deco(192.168.18.0/24) > PVE(192.168.18.10)

 

[imthiazaar]

@Dunuin Attached N/w config fixed the issue and windows VM is able to access internet.

I am moving to the second part of my setup.
Please advise - how to extend the Sophos LAN Network to Deco wifi router(this wifi router is dhcp source for my endpoint devices(phones, laptop).

Should I change the Deco Wifi router from Router Mode to Access point mode ?

 

[Dunuin]

Should I change the Deco Wifi router from Router Mode to Access point mode ?

Jup. It should just work as a Wifi AP and let Sophos do everything else (DHCP and so on).

 

[imthiazaar]

@Dunuin - Thanks for the guidance.. its working.. and this is my final config..
However need your suggestion to secure the PVE host as its currently accessible over the internet.. making it vulnerable..

How to secure port 8006,22 and other mgmt ports of PVE host from internet ? Any thoughts

 

[imthiazaar]

I am able to secure my Proxmos VE at WAN end by adding few iptables rule.

I have another issue. As stated in earlier threads, My setup is as below.

Intel i7, 2 * 25Gpbs NIC, 16Gbps RAM 256 SSD, PVE(pve-manager/7.1-7/df5740ad), Deco X60 router as access point.

Internet <> Modem <> PVE <> Sophos XGFW <> Deco X60 Access Point mode(3 * Deco X60 in Mesh) <> Devices( phones, ipad, apple tv).

Speed test results are less than 10mbps now.

Previously before the PVE setup, speed result results was 500mbps. Below is my earlier setup.

Internet <> Modem <> Deco X60 in Router mode (3 * Deco X60 in Mesh) <> Devices( phones, ipad, apple tv).

Please suggest on improving the speed.

 

[Dunuin]

In case you don't need to migrate that Sophos VM to other nodes I would set the CPU type from "kvm64" to "host" so your VM can make use off all features and inscruction sets your physical CPU offers. Because when routing 25Gbit your CPUs single threaded performance should be the first bottleneck. And best performance a virtio NIC should give, if you now use the default E1000.

For securing the WAN side:
PVE got alot of hidden anti-lockout rules that are in use but not shown in the PVE webUI. You need to close those ports on the WAN side by create a rules that explicitly drops packages on these incoming ports even if the default action for incoming packets is already set to "drop". Here you can see the anti-lockout-rules: https://pve.proxmox.com/wiki/Firewall#pve_firewall_default_rules

 

[imthiazaar]

I changed the settings as suggested above, still its slow.
After disabling the IPS, DOS protection on Sophos speed has improved. But is there a way to achieve best throughput with these features enabled ?