Proxmox and pfSense firewalls

I have a server with Proxmox installed and a virtual machine of pfSense.

I am using the pfSense VM as the firewall for my entire home.

What I am curious to know is what is the best way to configure the Proxmox firewalls? Should I just enable the “datacenter” firewall? Or just the firewall on the “node”? Or just the firewall on the VM? Or all? Or none?

Would I be correct in thinking that it’s redundant and unnecessary to enable any of the Proxmox firewalls since my WAN comes in through the NIC to the pfSense VM?

Thanks

Well, if you want to do that, Serve The Home did a video about it:

At about 9:10 in there is where the background and setup are done. Part of it is deciding whether to do PCI pass-through for your NIC(s). They made a setup guide for it too:

I’m not recommending virtualizing either pfSense or OPNsense, just pointing you to resources if that’s what you decided to do. We run OPNsense natively on its own hardware (Protectli FW4B with CoreBoot).


Depends on your setup. As Buffy said, virtualizing your router ain’t that great, especially if you plan for maintenance on your hypervisor - your whole network will go down, as opposed to just specifically when you do maintenance on your router = more downtime. It also matters in a home environment, because you may still want to access the internet if your hypervisor doesn’t boot and you need to find some documentation on what’s wrong and how to fix it.

But, since you mentioned the Proxmox firewall - don’t use it, unless you have a very specific need. For pfSense, if your NIC is passed through, it likely won’t work, as pfSense has full control of the NIC. But if you are giving pfSense a virtual NIC, then Proxmox is controlling it, but it’s still a bit redundant. It makes for easier live migration if you have multiple connections to the WAN (like a switch VLAN connected to multiple servers), but it’s even less recommended you virtualize the NIC.

In any case, the Proxmox firewall is usually there to control traffic going in and out of your VMs without interacting with the VMs themselves and centralizing your firewall rules a bit for easier management. I believe that feature can be used to restrict VMs talking to each other even when they are on the same LAN, which is pretty neat for security, but a bit harder to maintain than simply putting VMs on different VLANs IMO.

tl;dr don’t use Proxmox firewall unless you have a very specific need for it. Know your problem that you are trying to solve.

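As an added illustration of the "specific need" case the reply above describes (restricting a guest from its LAN neighbours without touching the guest), here is example Proxmox firewall configuration; it is not from this thread or from the Proxmox project. Proxmox stores these files under /etc/pve/firewall/: the datacenter-level cluster.fw is the master switch and nothing is filtered until it is enabled there, while a per-VM file scopes rules to one guest. The VM ID 100 and the 192.168.1.10 admin address are assumed placeholders, and the pfSense VM itself (with a passed-through NIC) is deliberately left out of it.

```ini
# ---- /etc/pve/firewall/cluster.fw  (datacenter level) ----
# Master switch: with enable: 0 here, node- and VM-level rules are inactive.
[OPTIONS]
enable: 1

# Named set of hosts allowed to reach management ports on guests.
# Placeholder address for an admin workstation.
[IPSET management]
192.168.1.10

# ---- /etc/pve/firewall/100.fw  (VM 100, an ordinary LAN guest) ----
[OPTIONS]
enable: 1
# Deny inbound by default; the guest never sees these rules, they are
# applied on the host side of its virtual NIC.
policy_in: DROP
# Guest may still initiate outbound connections (e.g. via pfSense as gateway).
policy_out: ACCEPT

[RULES]
# Only hosts in the "management" set may open SSH to this guest.
IN ACCEPT -source +management -p tcp -dport 22
# Everything else arriving from the same bridge (other VMs on vmbr0) is
# dropped by policy_in, even though no VLAN separates them.
```

Rules only take effect on a NIC whose VM config line carries firewall=1 (for example `qm set 100 -net0 virtio,bridge=vmbr0,firewall=1`); a NIC left at the default stays unfiltered regardless of the files above.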