I have a server with prox mox installed and a virtual machine of pfSense.
I am using the pfsense vm as the firewall for my entire home.
what I am curious to know is what is the best way to configure the proxmox fire walls? should i just enable the “datacenter” firewall? or just the fire wall on the “node” or just the firewall on the VM? or all? or none?
would i be correct in thinking that it’s redundant and unnecessary to enable any of the proxmox firewalls since my WAN comes in through the NIC to the pfsense VM?
Well, if you want to do that, Serve The Home did a video about it:
at about 9:10 in there is where the background and setup is done. Part of it is deciding whether to do PCI pass-through for your NIC(s). They made a setup guide for it too:
I’m not recommending virtualizing either pfSense or OPNsense, just pointing you to resources if that’s what you decided to do. We run OPNsense natively on its own hardware (Protectli FW4B with CoreBoot).
Depends on your setup. As Buffy said, virtualizing your router ain’t that great, especially if you plan for maintenance on your hypervisor - your whole network will go down, as opposed to just specifically when you do a maintenance on your router = more downtime. It also matters in a home environment, because you may still want to access the internet if your hypervisor doesn’t boot and you need to find some documentation on what’s wrong and how to fix it.
But, since you mentioned Proxmox firewall - don’t use it, unless you have a very specific need. For pfSense, if your NIC is passed through, it likely won’t work, as pfSense has full control of the NIC. But if you are giving pfSense a virtual NIC, then Proxmox is controlling it, but it’s still a bit redundant. It makes for easier live migration if you have multiple connections to the WAN (like a switch vlan connected to multiple servers), but it’s even less recommended you virtualize the NIC.
In any case, the proxmox firewall is usually there to control traffic going in and out of your VMs without interacting with the VMs themselves and centralizing your firewall rules a bit for easier management. I believe that feature can be used to restrict VMs talking to each other even when they are on the same LAN, which is pretty neat for security, but a bit harder to maintain than simply putting VMs on different VLANs IMO.
tl;dr don’t use Proxmox firewall unless you have a very specific need for it. Know your problem that you are trying to solve.
So just to be clear…
If you run your networks firewall in proxmox as a VM (w/ virt IO Nic) you still need to fire up the proxmox firewall so that you so not expose your proxmox to the world, right?
Depends how you do it. If you pass the entire physical network interface to the VM, then no. Otherwise, with just the virtio NIC, yes. But you don’t need to add any fancy rules, just block everything inbound in proxmox and allow all forward to pfSense.
Better yet, if your network/WAN is bridged to the VM and proxmox has no IP address, then you can ignore the firewall rules.
You can do:
eth0 = WAN, no IP address
vmbr0 = bridge to eth0
pfsense eth0 = interface bridged to vmbr0 = pfsense WAN
pfsense eth1 = interface bridged to vmbr1 = pfsense LAN
vmbr1 = just a floating bridge, can have an IP so you can access proxmox from the VMs inside.
Now, depends how many interfaces you have and how you are going to connect them. If you have two interfaces, you can use vlans on the LAN side (both in proxmox, pfsense and on the switch).
I would suggest opening a new thread and presenting the setup.