PFsense on Proxmox, bridged networking

reynard80

New Member
Apr 19, 2018
I'm thinking of running a PFsense virtual machine on my Proxmox server. This PFsense VM would have two bridged network connections, one for WAN access, and one for LAN access. My Proxmox server already has an Intel network card with multiple network ports.

The WAN port would have no public IP configured on Proxmox, whereas the LAN port would have a fixed IP configured, so that the Proxmox configuration can be reached via this LAN IP.

I have found various tutorials about these kinds of setups, but what I'm really wondering is whether this is a safe setup. Is the bridged network port for WAN completely safe, and can it not be compromised by a hacker to get access to the Proxmox OS?

P.S.: I understand that in case a hacker would compromise the PFsense VM, he might get access to the network. But my question is really about the bridged network connection being safe.

P.S.2.: I'm not using regular Linux network bridges, but OVS ports and bridges. I'm not sure if that makes a difference, but it might be good to know.
 
Well, I'm sorry if there was no clear question in the post;

My question is whether pfsense on proxmox is a safe solution regarding the bridged networking connections? Could a hacker gain access to proxmox via the bridged network connection that will serve as the WAN connection for pfSense?
 
I have a similar setup in use. I do not know of any security problems with bridged networking in such a configuration, but I'm not a bridging expert.

My setup has 3 NICs on Proxmox, using Linux Bridges:
- Both WAN and LAN are (separately) bridged to individual NICs, with no IP configuration done on the Proxmox side (they are both fully handled by pfSense).
- The 3rd NIC is configured as management, and does have an IP address configured in Proxmox.

Not sure if this helps you at all, but it has been working well for me for a while now.
 
Well, thanks for your reply. I have tested my setup with two ports and that did work as well. But about the bridging, are you running any firewall configuration on the network ports on Proxmox itself?
 
No, not using any firewall on Proxmox itself, just in pfSense.

I never played with isolation on the bridges, but it sounds like that's what you're looking for.

Since I hardly ever post here, I can't include a link. But check out https://vincent.bernat.im/en/blog/2017-linux-bridge-isolation

I know you're not using linux bridging, but maybe that's helpful?
 
Thanks, that link seems helpful indeed! I'll look into it. It actually describes what I was worrying about:
An interface doesn’t need an IP address to process incoming IP traffic. Additionally, by default, Linux accepts to answer ARP requests independently from the incoming interface.
So, at least in theory, it seems possible to attack the Proxmox host without it having an IP address on the bridged public network port.

I take it you are running some other VMs besides pfSense as well? But I guess they are running on the LAN bridge (which is actually different from the diagram in your link; I think you are using eth1 to configure your Proxmox)?
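Added example, not code from the thread or from Proxmox: a small POSIX shell helper that renders the host-side hardening for a Linux-bridge WAN port (as in the replies above, not OVS) covering exactly the two default behaviours quoted from the article, and that checks the live sysctl state. The names vmbr1, eth0 and the table name wan_guard are assumptions; a constructed /proc tree is used only for the self-check.

```shell
# Added example (not from the thread). Host-side hardening for a Linux bridge
# carrying the pfSense WAN port: the host has no IP there, yet the kernel still
# processes IP and answers ARP on it by default. Assumed names: vmbr1, eth0.
set -eu

# /etc/network/interfaces stanza: no address on the host side, IPv6 switched
# off on the bridge, and ARP answered only for addresses configured on vmbr1
# itself (none), so the host stays silent on the WAN segment.
render_wan_bridge_stanza() {
    bridge=$1; nic=$2
    cat <<EOF
auto $bridge
iface $bridge inet manual
    bridge-ports $nic
    bridge-stp off
    bridge-fd 0
    post-up sysctl -w net.ipv6.conf.$bridge.disable_ipv6=1
    post-up sysctl -w net.ipv4.conf.$bridge.arp_ignore=1
EOF
}

# nftables ruleset: whatever reaches the host's own input path through the
# WAN bridge is dropped. Frames bridged to the pfSense VM are unaffected,
# because they take the forward path, not input.
render_host_input_rules() {
    bridge=$1
    cat <<EOF
table inet wan_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$bridge" counter drop
    }
}
EOF
}

# Check the live sysctl state; $1 is the /proc root so the check can be run
# against a constructed tree as well as the real /proc.
check_bridge_sysctls() {
    procroot=$1; bridge=$2
    v6=$(cat "$procroot/sys/net/ipv6/conf/$bridge/disable_ipv6")
    arp=$(cat "$procroot/sys/net/ipv4/conf/$bridge/arp_ignore")
    [ "$v6" = 1 ] && [ "$arp" -ge 1 ]
}

# Usage: sh harden-wan-bridge.sh render | check
case "${1:-}" in
    render) render_wan_bridge_stanza vmbr1 eth0; render_host_input_rules vmbr1 ;;
    check)  check_bridge_sysctls / vmbr1 && echo "vmbr1 hardened" ;;
esac
```

The rendered stanza and ruleset are meant to be reviewed and then placed in /etc/network/interfaces and loaded with nft -f; the check reads the real /proc when given / as its first argument.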
 
I am running some other VMs, yes. I have a ZFS array configured as a NAS and being served to the LAN from a samba container, and a container for plex. I also have several desktop VMs on the machine that I launch as needed.

The samba server does join the LAN bridge, so that it can be on the same subnet as regular workstations. All other containers & VMs use a node-specific virtual bridge for networking (different subnet). I do this because I get a 10x speed boost for network connections that never leave the node (the virtual bridge is a 10G connection, whereas my physical NICs are 1G).
 