pfSense behind router vs other solutions

scottybeam

Feb 22, 2021
Hi folks, longtime lurker, I appreciate all the guidance through the years! Wealth of knowledge to be sure.

I wanted to see if anyone had suggestions for alternative setups to the one I'm proposing, or sees any pitfalls with this plan: I have my router and networking stuff geographically isolated from my homelab, just the way my house and separate office are. So, I bring in the connection behind the router to my VMs, which are getting assigned IPs etc.

However, I want to set up some extra security on the VE side -- my initial thought was to set up pfSense without DHCP to isolate the VM network. That way I get the firewall, etc. But I wonder if this is less than optimal. Is there a better way to isolate and secure this? No advantage over sticking with the Proxmox default firewall?
 
Could you elaborate a bit more which segment is where and what you want to isolate? It's hard following your thoughts. :) Maybe you can add a little sketch.
 
My bad, undercaffeinated stream of consciousness this morning. Sketch included. I guess what I was trying to convey is that I can't physically replace my router in the main house, otherwise I might have already opted to use pfSense. But now that I've had some time to think about it, probably the best thing to do is just lean on the Proxmox firewall. Unless there's an even better solution out there to secure traffic in and around the server (red star in the sketch).


network.png
 
If your router and switch support VLANs, you could separate the PCs from the VMs and have the traffic go through your router, which basically is a firewall. If not, I would also probably go with the Proxmox firewall. Having another VM which acts as the gateway for Proxmox itself can be a bit of a hassle in terms of connectivity after bootup. But apart from that, absolutely feasible.
 
