Security risk when running router in Proxmox connected directly to the internet?

PonyoHam

Member
May 23, 2018
Hi,

I'm running pfSense inside Proxmox and I was wondering if it would make sense/is secure to cut out my modem and instead have pfSense connect directly to my ISP.

Current setup:

ISP modem
|
Router
|
Intel NUC
|
LAN

The NUC has a USB to ethernet adapter for WAN, and is using the internal NIC for LAN. I don't remember setting up hardware passthrough for the USB adapter, instead the pfsense vm uses both as virtio networks.

New setup:

ISP modem
|
Intel NUC
|
LAN

Would there be any real security risks or other potential pitfalls?
 
The NUC has a USB to ethernet adapter for WAN, and is using the internal NIC for LAN. I don't remember setting up hardware passthrough for the USB adapter, instead the pfsense vm uses both as virtio networks.

So you have a second Linux bridge where the USB NIC is connected to, and the pfSense VM has two virtio NICs, one on the external bridge, one on the LAN one? The single possible issue with this is that the whole external bridge is unprotected to the internet (as long as you do not have the firewall enabled and specific rules on it). The biggest issue with this could be accidentally using it for another VM as a bridge. If you pass the USB NIC directly through to the pfSense VM this cannot happen. But that's just a note; normally it's not a real concern, or do you have the outside IP set up on the PVE host itself?

With your desired change your setup would be as secure as the pfSense is configured to be. Meaning, if now the pfSense has a sensible firewall setup you do not get any increased security risk. But, if now the router does the whole firewalling, and your pfSense just does NAT+DHCP, then yes, you would need to set up the pfSense with some basic firewalling too (i.e., deny all incoming besides tracked connections), else yes, it would be less secure.
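As an added example (not from the thread or from Proxmox itself), a small POSIX shell audit for the two mistakes this reply warns about: the host IP ending up on the WAN bridge, and another VM being attached to it. The config-root argument, the bridge name vmbr1 and the pfSense VMID 100 are assumptions used for the constructed sample host.

```shell
# Hypothetical audit helper (not part of Proxmox). Args: config root (on a real
# host: / with /etc/network/interfaces and /etc/pve/qemu-server/<vmid>.conf),
# WAN bridge name, pfSense VMID. Prints one token per finding, nothing if clean.
wan_bridge_audit() {
    root=$1; wanbr=$2; fwvmid=$3
    findings=""
    # Check 1: walk the "iface <wanbr>" stanza; any "address" line is a finding.
    if awk -v br="$wanbr" '
        $1 == "iface" { in_br = ($2 == br) }
        in_br && $1 == "address" { found = 1 }
        END { exit found ? 0 : 1 }' "$root/interfaces"; then
        findings="$findings host-ip-on-$wanbr"
    fi
    # Check 2: any netN line in another VM's config that names bridge=<wanbr>.
    for conf in "$root"/qemu-server/*.conf; do
        [ -f "$conf" ] || continue
        vmid=$(basename "$conf" .conf)
        [ "$vmid" = "$fwvmid" ] && continue
        if grep -Eq '^net[0-9]+:.*bridge='"$wanbr"'(,|$)' "$conf"; then
            findings="$findings vm-$vmid-on-$wanbr"
        fi
    done
    echo "${findings# }"
}

# Constructed sample host (not a real configuration): vmbr1 is the WAN bridge but
# carries an address, and VM 101 is wrongly attached to it alongside pfSense (100).
make_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/qemu-server"
    cat > "$d/interfaces" <<'EOF'
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.2/24
    bridge-ports eno1
auto vmbr1
iface vmbr1 inet static
    address 203.0.113.10/24
    bridge-ports enx001122334455
EOF
    printf 'net0: virtio=BC:24:11:00:00:01,bridge=vmbr1\nnet1: virtio=BC:24:11:00:00:02,bridge=vmbr0\n' > "$d/qemu-server/100.conf"
    printf 'net0: virtio=BC:24:11:00:00:03,bridge=vmbr1,firewall=1\n' > "$d/qemu-server/101.conf"
    printf 'net0: virtio=BC:24:11:00:00:04,bridge=vmbr0\n' > "$d/qemu-server/102.conf"
    echo "$d"
}

FIXTURE=$(make_demo_fixture)
wan_bridge_audit "$FIXTURE" vmbr1 100   # prints: host-ip-on-vmbr1 vm-101-on-vmbr1
```

A clean host gives an empty line: the WAN stanza is "inet manual" with no address, and only the pfSense VMID references the WAN bridge.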
 
I am running just the same setup.
I have a Lenovo SFF PC with 3 NICs.

1 is connected to my ISP modem.
The 2 others go to the main switch.

I have set up the Proxmox host with 3 bridges:
vmbr0, vmbr1 and vmbr2.
vmbr1 is on WAN, connected to the NIC linked to the ISP modem.

vmbr2 is LAN. vmbr0 is LAN and management.

I set up a pfSense VM.
Assigned vmbr1 as WAN, vmbr2 as LAN.
Works well so far.
 
Hi,

It is better to have 2 different firewalls (one hardware and one software) and these 2 must be configured as if the other one does not exist. Even better, at least one of them could be a transparent bridge (no IP on it, so nobody can access it and change its firewall rules).


And use some kind of integrity check for at least your setup.


Good luck!
 
So you have a second Linux bridge where the USB NIC is connected to, and the pfSense VM has two virtio NICs, one on the external bridge, one on the LAN one? The single possible issue with this is that the whole external bridge is unprotected to the internet (as long as you do not have the firewall enabled and specific rules on it). The biggest issue with this could be accidentally using it for another VM as a bridge. If you pass the USB NIC directly through to the pfSense VM this cannot happen. But that's just a note; normally it's not a real concern, or do you have the outside IP set up on the PVE host itself?

With your desired change your setup would be as secure as the pfSense is configured to be. Meaning, if now the pfSense has a sensible firewall setup you do not get any increased security risk. But, if now the router does the whole firewalling, and your pfSense just does NAT+DHCP, then yes, you would need to set up the pfSense with some basic firewalling too (i.e., deny all incoming besides tracked connections), else yes, it would be less secure.

Thanks for the reply. I finally have some time to get started on this. Yes, the goal is to hardware passthrough the adapter to pfSense to avoid any potential issues. I did a quick test but pfSense isn't accepting the adapter when passing it through. Passthrough works on other VMs and pfSense also recognized the adapter when running on bare metal, so I need to look into this further.

Currently the adapter is indeed configured as a bridge inside Proxmox. As long as I don't assign an IP to it or use it for another VM, this shouldn't be a risk?
 
I got a similar question to this thread but mine is slightly different:

Is this secure:

1. Fibre ONT (Optical Network Terminal)
|
2. NUC with Proxmox on it
|
3. pfSense installed in Proxmox as a VM
|
4. pfSense WAN port to ISP / USB LAN port to internal.

So as above we are kind of exposing the Proxmox NUC to the ISP, hence it picks up the DHCP?

Wondering if the above is secure, can anyone advise please?

I can see some features in Proxmox regarding the firewall, maybe that is required to be configured; excuse my knowledge, I am new to Proxmox after so long in ESXi, and I like Proxmox for what I need.
 
Thanks for the reply. I finally have some time to get started on this. Yes, the goal is to hardware passthrough the adapter to pfSense to avoid any potential issues. I did a quick test but pfSense isn't accepting the adapter when passing it through. Passthrough works on other VMs and pfSense also recognized the adapter when running on bare metal, so I need to look into this further.

Currently the adapter is indeed configured as a bridge inside Proxmox. As long as I don't assign an IP to it or use it for another VM, this shouldn't be a risk?

@PonyoHam did you ever get this sorted?
Your 'new' setup is just like what I want to do, but with a 6-port passive box instead of the NUC for Proxmox.
 