Proxmox behind Virtual-FW and DMZ-Zone

R

randomguy

New Member
Oct 13, 2019
3
0
1
31
Hi all,

As of today I'm running some Raspberry Pi's at home providing some services (nextcloud, mailserver etc.) for me and a few friends(we're running a "art/draw club"). Since I was able to get an old workstation from work and I didn't really cared about security back when I was setting the services up, I would like to run proxmox on the workstation, run the services within vm's on proxmox and establish a secure setup. I'm working as a sysadmin, therefore setting up proxmox isn't a problem at all (working with vmware at work) but my security/networking knowledge aren't as good as they should be. I would like to realize the following setup (based on the various posts within this thread https://forum.proxmox.com/threads/how-to-protect-proxmox-with-a-virtual-virewall.31414/):

- Running a proxmox host behind a virtual pfSense firewall (all traffic from and to the proxmox-host should be routed via the firewall --> except access to proxmox within the lan-zone(see below) )
- Setup a virtual "DMZ" for the services and connect them to the internet via the virtual firewall
- Setup a virtual/physical "LAN" for my private equipment and connect them to the internet via the virtual firewall (and perhaps some internal vm's which shouldn't be accessible from internet)

Below you can find a drawing(much love for https://draw.io ) of what I've got in my mind. I just would like to hear if I'm missing something basically or if I'm on the right way from a theoretical perspective. I know that I would have to do "a lot" of configuration within pfSense (Configure FW-Rules/Port-Forwarding and so on for all services within dmz, setup dhcp/dns for each zone, setup routing between the zones and so on).
netzwerk.png

A special thing to note is that the router of my isp isn't supporting a "real bridged"-mode(they say it will be available with one of the next firmware-releases...), instead I can configure a "dmz-ip"(which would be 192.16.1.10 in the above setup). The ISP-Router will then forward all traffic to a client with the configured ip without considering any defined fw-rules/filtering and so on(sounds a bit like ip-passthrough). I know from others that they've got HW-Firewalls to work behind the isp-router like that(including services like voip, so this shouldn't be a problem at all).

There is one more thing which I'm curious about if i look into the future(but I'm quite sure this is not related to proxmox and therefore the worng place to ask but maybe....): I'm thinking about enabling/configuring vpn on the VM0/pfSense instance for remote administration of proxmox and all the vm's. Would i habe to add a new zone (vmbr3, 10.10.30.0/24 for example) within proxmox/pfSense in which the vpn-clients whould live or what is the best way to go ?

Thanks already for any hints/alternative suggestions :)
 
Last edited:
Up first thanks for your fast reply, and also thanks for the hint with pfSense/vpn-interface, really appreciate it.

If I got it right, my /etc/network/interfaces for the dmz would look something like below ?
Code: 
auto vmbr2
iface vmbr2 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#dmz, 10.10.20.0/24

At least the bridge seems to work within a ubuntu-vm attached to it through pfSense. Since I was curious if I could add a second "virtual network" like the dmz above, I've added a second bridge(vmbr3) without anny physical nic attached to it. The second one is not working at all. After a quick search I've found the following thread (https://forum.proxmox.com/threads/2-port-nic-with-pfsense.58824/#post-271815) which implicates that there is a bug with proxmox:
Proxmox adds 'bridge-ports none' to a bridge where you don't set a bridgeport for. And if you add multiple like that, if updown complains about none not there or only can be used once.

ifreload works when the birdge-ports are not set, otherwise it errors and the tapinterfaces are not attached anymore

So actually this is a proxmox-bug, just don't add the bridge-ports line at all when you set nothing there!
Click to expand...

As mentioned I've removed the "bridge-ports none" part within /etc/network/interfaces and did a reboot(I know this wouldn't be needed). The second bridge still didn't worked. The only thing I was able to notice was that ifup vmbr2 and ifup vmbr3 mentioned that the interface exists and are already configured. Before I've removed the bridge-ports none part, ifup vmbr3 mentioned that the interface does not exists(unknown interface). I've tried to follow the various suggestions within the thread, but I'm not quite sure if I got it right and those changes look quite complicate. Before getting crazy I would like to know if this bug still exists or if I'm doing totally the wrong thing :)
 
randomguy said:
Before getting crazy I would like to know if this bug still exists or if I'm doing totally the wrong thing
Click to expand...
I'm not aware of any bug, and I use the "bridge-ports none" quite extensive.
At reloading the network, the tap devices are not newly created.
This ends in connection lost for the guest if you restart the vmbr.
But this is not a Bug.
 
Ok nevermind. Don't know what I've done during my late night tests. It works as expected. Thanks again for your help.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back