Optimal and safe usage of static, public IPs (help)

HLPCLC
Mar 3, 2023
Hello all! In short, I want to open up one of my pfSense VMs or NICs to the public. I have a static block of 5 IP addresses, and can also pass through my upstream gateway's public IP address. I know how to set up both the IP passthrough option (aka bridged mode) and set up the public subnets in pfSense. However, Proxmox adds a ton of variation and I am sure these extra layers of complexity are their own field of study entirely.

On one pfSense VM, currently, I have two virtual Intel e1000 interfaces set up for LAN and WAN (I assumed that because I am using an Intel NIC I should use Intel e1000), with no CIDR designated in Proxmox, which attach themselves to the NIC in question. And it seems to work for connectivity with pfSense and my upstream BGW fiber ONT gateway; the pfSense VM gets a public IP address, and I can NAT to my devices accordingly. However, I am not 100% confident in allowing public access (a convenient BGW router feature which allows incoming connections from anywhere, basically setting a pinhole for every single TCP/UDP port, and probably every other protocol out there).

My questions are all in regard to inherent optimal security and firewall hardening and are as follows:

1. Should I use a virtual interface for this or should I use PCIe passthrough and IOMMU for the NICs to pfSense?
My other NIC has my default gateway set to a LAN address and is providing Proxmox itself an internet connection behind the AT&T BGW firewall. I'd like to prevent any and all access on the interfaces with public IPs to the Proxmox server itself.

2. Should I double up my SANS audit firewall rules in both Proxmox AND pfSense?
https://www.sans.org/media/score/checklists/FirewallChecklist.pdf

3. The Proxmox firewall offers more protocol options than pfSense, so I'd like to know which protocols would be best to allow, and which would be best to drop entirely. Also, which protocols, when blocked, would/could break the pfSense connection to the upstream gateway and AT&T servers entirely?

I queried ChatGPT for a quick rundown of all of the protocols and attached the conversation. Hardening the pfSense by blocking extra protocols would be awesome. Even if I don't need to because AT&T upstream servers do already, having the rules there couldn't hurt. Also, AT&T advised me that they block absolutely nothing when I open my static IPs to the public :)

4. I also have a Sentinel CINS Army active intelligence IPSet that I have imported into Proxmox, which I would like to use as an extra layer of security to prevent hacking.

THIS IS A DOWNLOAD LINK:
https://cinsarmy.com/cinsarmy_lists/?t=d44c75c4be6301619a446f85e5bd72e5

The CINS IP set is also attached.

If I block in and out connections to this IP set, does Proxmox by default assume all NICs and virtual interfaces, or must I specifically designate the interface in the node and datacenter firewall rules?

Additionally: I tried setting my public IP CIDR and default gateway on the virtual interfaces themselves, thinking it would pass the info along to pfSense, but Proxmox returned the error:

Parameter verification failed. (400)

gateway: Default gateway already exists on interface 'vmbr0'

My static public IPs' default gateway is different from the AT&T NAT gateway, even though they all go through the same device. I don't get any double NAT issues when using either bridge mode or public IPs on regular bare metal pfSense hardware behind the gateway, but I am certain the upstream gateway's NAT table reflects both my static IPs' and my home IP's connections with some voodoo invisible double NAT magic. Does anyone know what protocol this function uses in particular, so I don't block it in Proxmox?

Unfortunately, getting a true bridged mode setup with this AT&T fiber gateway requires tons of hacking the hardware because of authentication protocols, heartbeats and authentication certificates. (FTTH in an apartment complex)

Knowing the optimal and most secure way to set up these public IPs will safely let me host some websites online, and play video games with an open NAT.

Here is an extra question: previously, I had pinholes set up in the upstream gateway for one of my public IPs on UDP ports 1024-65535. If I have a device plugged in directly to the gateway with that IP address, like my PS5, I have incredible connection speeds and downloads, and I don't think there are any security concerns outside of that device itself and maybe through an HDMI connection to the TV via DDC/CI or something. However, I set up a bare metal pfSense behind the gateway and forwarded the same ports to my PS5. The next day my smart TV bugged out and had to be replaced. Should I have set up pinholes AND forwarded the ports to my pfSense and THEN forwarded the ports to my PS5, rather than letting the upstream just have some open ports and choose whether to go to the router or not? It is very confusing. Also, are there options for blocking DDC/CI frames or packets in any of these firewalls?

Thanks for any and all help! I am kind of new to networking, but I am thankful I don't have to set up PPPoE or any other complicated DHCP stuff to use any of my public IPs for connectivity.

Attachments

  • cinsarmy_threatintel.tar.gz (249.4 KB)
  • Chat GPT Proxmox firewall protocols.txt (8.3 KB)
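Added example (editor's note, not part of the original post or of Proxmox's own tooling): the post asks how a threat-intel IP set like the CINS Army list is applied in the Proxmox firewall and whether a block rule covers every interface. The script below turns a feed into the two pieces a Proxmox firewall file needs, an `[IPSET name]` section and `[RULES]` lines, and shows the one thing that decides interface scope: a rule with no `-i` option matches traffic on every interface, while `-i <iface>` pins it to one. Assumptions: the feed is one IPv4 address or CIDR per line with `#` comments (the sample feed here is constructed from documentation ranges, not the real download); the section and rule syntax follows the Proxmox VE firewall documentation (`/etc/pve/firewall/cluster.fw`, `+name` for a datacenter-level set, `-source`/`-dest`, `-i`, `-log`); `vmbr1` is a hypothetical bridge name standing in for whichever bridge carries the public-IP NIC.

```python
import ipaddress

# Constructed sample feed in the one-entry-per-line shape assumed for the CINS Army list.
# Addresses are RFC 5737 documentation ranges, deliberately not real threat data.
SAMPLE_FEED = """\
# CINS Army list (constructed sample, not the real download)
192.0.2.10
198.51.100.0/24   # a whole /24
not-an-address
203.0.113.7
"""


def parse_feed(text):
    """Return ip_network objects for every valid entry; comments, blanks and junk are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # One malformed line must not abort the whole import; skip it.
            continue
    return nets


def render_ipset(name, nets, comment):
    """Render a '[IPSET name]' section as it appears in /etc/pve/firewall/cluster.fw."""
    lines = [f"[IPSET {name}] # {comment}", ""]
    lines += [str(n) for n in nets]        # single hosts come out as /32
    return "\n".join(lines) + "\n"


def render_rules(ipset, iface=None):
    """Render IN/OUT DROP rules against the set.

    iface=None: no '-i' option, so the rule applies on every interface.
    iface='vmbr1': '-i vmbr1' restricts the rule to that one interface.
    """
    i = f" -i {iface}" if iface else ""
    return (
        "[RULES]\n\n"
        f"IN DROP -source +{ipset}{i} -log nolog\n"
        f"OUT DROP -dest +{ipset}{i} -log nolog\n"
    )


def is_listed(ip, nets):
    """Check whether an address falls inside any network of the set (useful for log triage)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)
    print(render_ipset("cinsarmy", nets, "CINS Army feed, regenerated from the list"))
    print(render_rules("cinsarmy"))              # all interfaces
    print(render_rules("cinsarmy", "vmbr1"))     # hypothetical public-facing bridge only
    print("198.51.100.77 listed:", is_listed("198.51.100.77", nets))
```

Usage note: paste the rendered `[IPSET ...]` section into `cluster.fw` and the `[RULES]` lines into whichever scope should enforce them; per the Proxmox docs a datacenter-level set is referenced as `+cinsarmy` in `cluster.fw` and as `+dc/cinsarmy` from a guest's own `<vmid>.fw`. Leaving `-i` off is the broad choice; naming the public-facing bridge keeps the rule from silently touching the LAN-side bridge as well.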
