Proxmox FW needed or not with an OPNsense VM?

_BaK_

New Member
Jan 15, 2023
Hello everyone,

I'm trying to make my own router/firewall with OPNsense as a VM in Proxmox.

What's not clear to me is if I can let OPNsense connect to the internet directly, or if that puts Proxmox at risk and thus I should add the Proxmox Firewall to be safe?
In both cases Proxmox will be managed from the LAN.

Option A, OPNsense vtnet0 NIC is bridged with Proxmox vmbr1 NIC, the latter without any IP address set:
[attachment: proxmox_no_iptables.png]


Option B, Proxmox iptables will deny ports 22 and 8006 from the internet to prevent any access to Proxmox itself:
[attachment: proxmox_iptables.png]


What is the right way to go?
 
There is no "right way", both are possible. However, in case of having more or less two firewalls, understanding and maintaining the configuration would be more complex and IMO, whenever possible, use OPNsense or the Proxmox Firewall; only in cases when some needs are not well supported by one of them use both.
 
If you have a DDoS, it's better to block before the packet goes inside the VM (like a synflood, for example: it can use a lot of CPU inside your VM because of the virtualization overhead on small packets).
 
Thank you very much guys for your inputs, really appreciate it!

If you have a DDoS, it's better to block before the packet goes inside the VM (like a synflood, for example: it can use a lot of CPU inside your VM because of the virtualization overhead on small packets).
Wouldn't a DDoS be too much for a firewall to handle anyway? Ending in a saturated incoming connection, either on Proxmox or on OPNsense?

My concern is more about a break through into my network.
For information, I don't have any WiFi access and I don't plan to have a need of accessing a local server from the internet.

There is no "right way", both are possible. However, in case of having more or less two firewalls, understanding and maintaining the configuration would be more complex and IMO, whenever possible, use OPNsense or the Proxmox Firewall; only in cases when some needs are not well supported by one of them use both.
All my 'firewall' needs should be covered with OPNsense, I just want to be sure I'm not putting my whole setup at risk having Proxmox in the front.

Like, does the vmbr1 NIC having no IP address mean this NIC is safe, or could it still be reached at another network level?
Or any specific Proxmox settings I should look at?
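The Option B host-side filtering from the first post, as an added check that is not part of the thread: a small Python lint for a Proxmox cluster.fw rule file that reports the inbound default policy and any inbound ACCEPT for SSH or 8006 that is not limited to the LAN. The sample rule file and the 192.168.1.0/24 LAN prefix are constructed; the script only parses the rule syntax of the pve-firewall config file (only the SSH macro is mapped), it does not query the running firewall.

```python
import ipaddress
import re
MGMT_PORTS = {"22", "8006"}   # SSH and the Proxmox web UI
MACRO_PORTS = {"SSH": "22"}   # pve rule macros that expand to a management port

# Constructed sample in /etc/pve/firewall/cluster.fw syntax; the LAN prefix is made up.
SAMPLE_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
[RULES]
IN SSH(ACCEPT) -source 192.168.1.0/24 -log nolog
IN ACCEPT -source 192.168.1.0/24 -p tcp -dport 8006
IN ACCEPT -p tcp -dport 8006   # no -source: the UI is reachable from anywhere
"""

def policy_in(text):
    """Inbound default policy from [OPTIONS]; pve uses DROP when unset."""
    m = re.search(r"^policy_in:\s*(\w+)", text, re.M)
    return m.group(1).upper() if m else "DROP"

def parse_rules(text):
    """Yield (direction, action, dport, source) for every line in [RULES]."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop trailing comments
        if line.startswith("["):
            section = line.strip("[]").upper()
        elif section == "RULES" and line:
            toks = line.split()
            direction, action, port = toks[0], toks[1], None
            m = re.fullmatch(r"(\w+)\((\w+)\)", action)  # macro form, e.g. SSH(ACCEPT)
            if m:
                action, port = m.group(2), MACRO_PORTS.get(m.group(1))
            opts = dict(zip(toks[2::2], toks[3::2]))      # "-opt value" pairs
            yield direction, action, port or opts.get("-dport"), opts.get("-source")

def exposed_mgmt_rules(text, lan):
    """(port, source) of inbound ACCEPTs for 22/8006 whose source is not within `lan`."""
    lan_net = ipaddress.ip_network(lan)
    exposed = []
    for direction, action, port, source in parse_rules(text):
        if direction != "IN" or action != "ACCEPT" or port not in MGMT_PORTS:
            continue
        if source is None or not ipaddress.ip_network(source, strict=False).subnet_of(lan_net):
            exposed.append((port, source))
    return exposed

if __name__ == "__main__":
    print(policy_in(SAMPLE_FW), exposed_mgmt_rules(SAMPLE_FW, "192.168.1.0/24"))
```

Run it against your own cluster.fw instead of SAMPLE_FW; an empty list means every management ACCEPT is bound to the LAN prefix you passed.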
 
Wouldn't a DDoS be too much for a firewall to handle anyway? Ending in a saturated incoming connection, either on Proxmox or on OPNsense?

For a bandwidth DDoS, yes of course, you can't do anything (you need DDoS protection upstream at your provider or a CDN ...)

But for a small-packet DDoS (a synflood for example, with 64-byte packets) it can be easy. 2 million pps with 64 bytes is around 800-900 Mbit/s.

You need to enable more queues on the VM NIC, to scale with more cores (each core around 1-2 million pps).

But doing it at the Proxmox level, you can easily reach 6-7 million pps with 1 core.
 
Hi,

Also think that any software, at some point, could be broken..... a bad update, a faulty setup, whatever. If this happens, with only a VM firewall (broken for whatever reason) you will have NO firewall at all !!!!

Good luck / Bafta!
 
