OPNsense Forum

English Forums => General Discussion => Topic started by: BaK on February 09, 2023, 04:23:10 PM

Title: OPNsense VM with or without Proxmox Firewall/IPtables
Post by: BaK on February 09, 2023, 04:23:10 PM
Hello,

I have the following working setup:
ISP - ISP modem/router - OPNsense - Switch - Clients

OPNsense is actually a VM in Proxmox, so if we look at the 'WAN' part closely, we have:
ISP - ISP modem/router - Proxmox vmbr1 NIC -bridge- OPNsense vtnet0 NIC - Switch - Clients

Proxmox management is strictly done from the LAN; the vmbr1 NIC has no IP address.

Proxmox being behind the ISP router, I think the above configuration is quite safe for now.
But I'm thinking of putting the ISP router in modem mode; will Proxmox or OPNsense then be at risk, as in setup (A) below?
(https://i.imgur.com/mtVVcJO.png)

Would I be better off having the Proxmox IPtables set to block ports 22 and 8006, as in setup (B)?
(https://i.imgur.com/XqnWtt1.png)


I'm trying to do it the proper way, so any tips are welcome!  :)
Title: Re: OPNsense VM with or without Proxmox Firewall/IPtables
Post by: bimbar on February 09, 2023, 04:28:55 PM
I don't see why you would use a firewall to protect a firewall.
Title: Re: OPNsense VM with or without Proxmox Firewall/IPtables
Post by: BaK on February 09, 2023, 04:49:22 PM
Lol, indeed...

It's the access to Proxmox that I'm most concerned with.
Plus I'm seeing people activating Proxmox IPtables in similar situations, like https://schroederdennis.de/wp-content/uploads/2020/06/proxmox-root-server-architektur-1024x595.png or https://blog.zwindler.fr/2017/07/proxmox-install_simple-infra-map.jpg, hence my question.
Title: Re: OPNsense VM with or without Proxmox Firewall/IPtables
Post by: bimbar on February 10, 2023, 12:13:23 AM
It can be argued that this is a good idea, because of additional security, but I don't think it's necessary. In that case however I would not want a direct link to the VMs from the proxmox firewall.

Moreover I would argue that virtualizing your firewall may be a bad idea for stability reasons if things go wrong.
Title: Re: OPNsense VM with or without Proxmox Firewall/IPtables
Post by: BaK on February 13, 2023, 05:41:40 PM
Thanks a lot @bimbar for helping me out here!

I should have specified that this is the first time I've tried to build my own router/firewall, and while I've already learnt a lot, I didn't imagine falling into such a rabbit hole. That's why I'm kind of stressing out now, in fear of missing something that would let someone break into my network.

Quote
Moreover I would argue that virtualizing your firewall may be a bad idea for stability reasons if things go wrong.
The decision to use a hypervisor was taken because I also want to block advertisements with AdGuardHome and manage my IP phones with freePBX, all on the same hardware box.
The Linux container for AdGuardHome has now been replaced with the AdGuardHome plugin for OPNsense, but I still run freePBX in another VM.
Fingers crossed Proxmox is going to handle all that well!


I'm not quite sure I understand the following, related to my B setup:
Quote
In that case however I would not want a direct link to the VMs from the proxmox firewall.
Can you please elaborate?

Anyway, I think I'm overthinking all this, and if you say the Proxmox firewall is not necessary, I will go with setup A!

Right now I still have my ISP router in between the internet and the enp1s0 NIC in setup A, but I plan to set it to modem mode once I'm ready with Proxmox/OPNsense.
The OPNsense vtnet0 NIC is getting an IP from the DHCP of the ISP router, let's say 192.168.1.100.
There is a free port on the ISP router to which I can attach a laptop; it also gets an IP in the 192.168.1.x range.
From that laptop, I'm not able to ping the 192.168.1.100 address.
Same with nmap -Pn: no result.

I guess it's a good sign?

Are there any other things/tools that are worth a check?
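For anyone landing here with the same question, here is what setup (B) from the opening post looks like when expressed with the Proxmox firewall instead of hand-written iptables rules: the host drops everything addressed to itself on the WAN bridge, and the GUI (8006) and SSH (22) stay reachable only from the LAN. This is an added example, not configuration from this thread or from the Proxmox project; it assumes the node is named `pve`, the LAN is 10.0.0.0/24 and vmbr1 is the WAN bridge, all of which are placeholders to adjust.

```ini
# /etc/pve/firewall/cluster.fw (cluster-wide settings; assumed LAN 10.0.0.0/24)
[OPTIONS]
enable: 1

# Only these sources may reach Proxmox management services (GUI, SSH, console).
[IPSET management]
10.0.0.0/24

# /etc/pve/nodes/pve/host.fw (per-host settings; assumed node name "pve")
[OPTIONS]
enable: 1
# Drop unsolicited traffic addressed to the host itself; the host may talk out.
policy_in: DROP
policy_out: ACCEPT
log_level_in: info

[RULES]
# Nothing arriving on the WAN bridge may reach the host. Even with no IPv4 set,
# a bridge normally carries an IPv6 link-local address, so deny by interface
# instead of relying on "no address means no exposure". Host rules only match
# traffic destined to the host; bridged traffic to the OPNsense VM is not touched.
IN DROP -i vmbr1 -log info
# Management ports only from the LAN IP set defined above.
IN ACCEPT -source +management -p tcp -dport 8006
IN ACCEPT -source +management -p tcp -dport 22
```

Apply it while you still have LAN access, then confirm with `pve-firewall compile` and `pve-firewall status` that the rules loaded before repeating the laptop test from the WAN side.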