OPNsense Forum

English Forums => General Discussion => Topic started by: temporaryuser on March 08, 2016, 11:31:48 am

Title: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: temporaryuser on March 08, 2016, 11:31:48 am
Hi everyone,

I want to install a virtualization OS (host) on a bare metal server, which is going to run a couple of virtual machines (VMs) which are going to function as server services (e.g. webservers, fileservers, etc.).

Now, since I would like to protect those VMs and be able to regulate the traffic from and to them, reach them via VPN, etc. I would like to have a firewall set between them and the internet, i.e. OPNsense.
But: Since I have only this one bare metal server at my disposal, I was thinking about installing OPNsense as a VM, too, instead of placing a second bare metal server with OPNsense between the host server and the internet.

Yes, I know, a virtualized firewall based on virtual NICs and VLANs is not as secure as a bare metal one, no doubt about that. But since I do not have the option for a bare metal server in this particular case, I am trying to at least improve security, instead of just having the host and its VMs being totally exposed to the internet.

My questions: Is it possible and practically manageable to install OPNsense as a VM of the host and:
a) have the OPNsense handle/route all the traffic to and from the other VMs?
b) receive and manage all traffic from the internet coming to the host solely with the OPNsense VM, without touching the host first?

I would be happy about any feedback, thoughts and ideas about this! Has anybody done something similar?

Bye,
temporaryuser
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: phoenix on March 08, 2016, 11:34:40 am
I don't have any problem running OPNsense in a VM on my ESXi server, why do you think a virtualized firewall is not secure?
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: temporaryuser on March 08, 2016, 11:50:14 am
Hi Bill,

I don't have any problem running OPNsense in a VM on my ESXi server

Ok, and do you use this OPNsense VM to route/handle all traffic from/to the other VMs on that particular ESXi server? If yes: is that easy to set up and manage or what is your experience with such a setup?

why do you think a virtualized firewall is not secure?

I did not say that it is "not secure", but "not as secure" as a bare metal installation. The reason for this is IMHO that virtualization adds additional layers to the stack, i.e. the virtualization host, the virtualized NIC, the VLANs, etc. which add possibilities for additional vectors of attack (e.g. bugs/exploits in the VLAN stack) and / or configuration errors (e.g. getting overwhelmed with VLAN complexity), etc.

Cheers,
temporaryuser
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: phoenix on March 08, 2016, 11:57:01 am
Yes, I use OPNsense VM for all the VMs on my host and all the other machines in my LAN.

IMO, there's no such thing as "not as secure as" - that means not secure to me. Security is a multi-layered approach and relying on a firewall or one single point of protection is self defeating - if the firewall is breached then you have problems. I do as much as I can on the firewall with IDS/IPS etc., etc. and add additional security measures on the machines in my LAN.
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: temporaryuser on March 08, 2016, 12:44:10 pm
Yes, I use OPNsense VM for all the VMs on my host and all the other machines in my LAN.

Great! Maybe you can help me out with those questions:
IMO, there's no such thing as "not as secure as" - that means not secure to me.

I disagree about that. Since there is no such thing as 100.00% security, there must be gradients of security between 0% and 100%...

Security is a multi-layered approach and relying on a firewall or one single point of protection is self defeating - if the firewall is breached then you have problems. I do as much as I can on the firewall with IDS/IPS etc., etc. and add additional security measures on the machines in my LAN.

I fully agree!

Cheers,
temporaryuser
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: phoenix on March 08, 2016, 12:56:20 pm
Assuming you don't have an Enterprise Plus licence then you're left with using the standard vSwitch. Create two of those and attach your NICs to them - if this is a home LAN then one NIC on each of the switches should do. Create the OPNsense VM with two NICs, connect one of those NICs to the 'WAN' vSwitch and the other to the 'LAN' vSwitch. Install OPNsense and configure it to your requirements; when it's up and running you should have a working firewall and LAN connection.

Nothing in my environment is directly connected to the internet (except the ESXi NICs) and everything (including the ESXi host) is routed through OPNsense. Create any required VMs with single NICs (you don't really need more) and connect them to the LAN vSwitch and that should give you a quick and simple set-up; the beauty is you can rearrange things later should you desire to do so.
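The two-vSwitch layout phoenix describes, written out as esxcli commands for a standalone ESXi host. This is an added example, not phoenix's configuration and not part of OPNsense or ESXi documentation. Everything except the esxcli subcommands themselves is an assumption: the uplink name vmnic0 for the internet-facing NIC, the switch and port-group names (vSwitchWAN, vSwitchLAN, WAN, LAN, Management), the vmk1 interface and the 192.0.2.10 management address are placeholders you replace with your own. The script only prints the plan unless DRY_RUN=0, and host_not_on_wan checks the point behind the original question (b): no vmkernel port of the host may sit on the WAN switch, so traffic from the internet reaches the OPNsense VM before anything of the host.

```shell
#!/bin/sh
# Added example (not from the thread): plan the WAN/LAN vSwitch layout on a
# standalone ESXi host. Names, addresses and uplinks below are placeholders.
set -eu

WAN_UPLINK="${WAN_UPLINK:-vmnic0}"        # NIC facing the internet (assumed name)
LAN_UPLINK="${LAN_UPLINK:-}"              # NIC facing a physical LAN; empty on a single-NIC hosted box
MGMT_IP="${MGMT_IP:-192.0.2.10}"          # host management address on the LAN side (placeholder)
MGMT_MASK="${MGMT_MASK:-255.255.255.0}"

# Emit one esxcli invocation per line. Kept as text so the plan can be reviewed
# (and tested) before anything touches the host.
plan_two_switch_layout() {
    # WAN side: only the uplink and the port group used by the OPNsense VM's first NIC.
    echo "esxcli network vswitch standard add --vswitch-name=vSwitchWAN"
    echo "esxcli network vswitch standard uplink add --vswitch-name=vSwitchWAN --uplink-name=$WAN_UPLINK"
    echo "esxcli network vswitch standard portgroup add --vswitch-name=vSwitchWAN --portgroup-name=WAN"
    # LAN side: service VMs, the OPNsense LAN NIC and the host's own management port.
    echo "esxcli network vswitch standard add --vswitch-name=vSwitchLAN"
    if [ -n "$LAN_UPLINK" ]; then
        echo "esxcli network vswitch standard uplink add --vswitch-name=vSwitchLAN --uplink-name=$LAN_UPLINK"
    fi
    echo "esxcli network vswitch standard portgroup add --vswitch-name=vSwitchLAN --portgroup-name=LAN"
    echo "esxcli network vswitch standard portgroup add --vswitch-name=vSwitchLAN --portgroup-name=Management"
    # Tighten the port security policy on both switches: guests may neither sniff the
    # switch nor spoof MAC addresses. Relax allow-promiscuous on vSwitchLAN only if an
    # IDS VM later needs to see all LAN traffic.
    for sw in vSwitchWAN vSwitchLAN; do
        echo "esxcli network vswitch standard policy security set --vswitch-name=$sw --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false"
    done
    # Host management lives behind the firewall: a vmkernel port on the LAN switch.
    # Nothing of the host is attached to vSwitchWAN.
    echo "esxcli network ip interface add --interface-name=vmk1 --portgroup-name=Management"
    echo "esxcli network ip interface ipv4 set --interface-name=vmk1 --type=static --ipv4=$MGMT_IP --netmask=$MGMT_MASK"
}

# Guard for question (b): fail if any vmkernel interface in the plan lands on a
# port group that belongs to vSwitchWAN.
host_not_on_wan() {
    plan_two_switch_layout | awk '
        /vswitch standard portgroup add/ {
            split($0, a, "--portgroup-name="); pg = a[2]; sub(/ .*/, "", pg)
            split($0, b, "--vswitch-name=");   sw = b[2]; sub(/ .*/, "", sw)
            owner[pg] = sw
        }
        /ip interface add/ {
            split($0, a, "--portgroup-name="); pg = a[2]; sub(/ .*/, "", pg)
            if (owner[pg] == "vSwitchWAN") bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Print the plan (default) or execute it on the host when DRY_RUN=0.
apply_plan() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        plan_two_switch_layout
    else
        plan_two_switch_layout | sh -e
    fi
}

# Stand-alone run: refuse to continue if the host would be exposed, then print the plan.
host_not_on_wan
apply_plan
```

Two caveats before running it with DRY_RUN=0: a physical NIC can be an uplink of only one standard vSwitch, and the ESXi installer already puts vmnic0 and the vmk0 management port on vSwitch0, so move or remove that default switch first and do it from the host console rather than over the interface you are about to reattach. After the OPNsense VM is up, point the host's default gateway at OPNsense's LAN address so the host, too, is routed through the firewall as phoenix describes.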
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: temporaryuser on March 08, 2016, 03:10:09 pm
Great, phoenix, thank you very much for your help! Sounds pretty much straightforward and a solid solution. I will do it as you told me. Thank you!

Cheers
temporaryuser
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: phoenix on March 08, 2016, 03:51:58 pm
You're welcome. :)

If you don't have much experience with ESXi then I'd suggest you be prepared to make mistakes; it is straightforward but it's still a pain when things don't work out as you expected. If you're using the free (or even a paid-for) version then you might find this little tool a boon for managing your ESXi host from a browser: https://labs.vmware.com/flings/esxi-embedded-host-client

What that fling does is install a web server on the host; all the management functions are written in HTML and you don't even need a Windows machine to run the VMware client.
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: temporaryuser on March 08, 2016, 05:04:24 pm
If you don't have much experience with ESXi then.. <snip>

Thank you very much for your additional help on ESXi, but we use a different, free (https://en.wikipedia.org/wiki/Free_software) virtualization operating system (which, by the way, comes with a web interface right out of the box).
The hints that you had given me before concerned ESXi, but this was not a problem for me since I understood the steps that you outlined and I know how to perform them in the virtualization environment that we use!

Please don't worry, I am sure that your additional kind help for ESXi's web interface was not wasted, since someone else using ESXi and reading this post will surely benefit from it!

Thank you very much for your help and time!
Cheers
temporaryuser
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: Zeitkind on March 09, 2016, 10:33:42 pm
If you are using Proxmox, it has a small built-in firewall which will be OK for most simple tasks.
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: temporaryuser on March 10, 2016, 11:22:22 am
Hi Zeitkind,

If you are using Proxmox, it has a small built-in firewall which will be OK for most simple tasks.

Thank you very much for this information!

Cheers
temporaryuser
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: cdburgess75 on March 19, 2016, 07:06:36 pm
OR why not have OPNsense act as the hypervisor? :)
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: weust on March 19, 2016, 07:24:05 pm
Because OPNsense is a firewall/router and not a hypervisor?
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: cdburgess75 on March 19, 2016, 07:53:58 pm
Are you asking me or informing me of that :)

Imagine, maybe it can be a hypervisor with an extremely cool firewall. The performance is definitely there for BSD's new virtualization software:

https://b3n.org/vmware-vs-bhyve-performance-comparison/

I get your point, truly I do. Everyone will say, NO, you can't do that! A firewall should never take these types of roles. However, they are being sold as routers and switches with layers 1, 2, 3, 4 and more of the OSI model being jammed into residential and commercial products every day. So the tradition is fading a bit. Haha, let's do it, man.
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: franco on March 20, 2016, 10:37:32 am
bhyve is in FreeBSD 10.x and available in OPNsense since its first version. If users want to use it, it can make sense. The firewall runs the bare minimum config, namely the VMs with the services and the firewall rules between them plus connectivity to clients. In these setups the firewall doesn't run anything it doesn't strictly need, so the VMs are safe to be extended in any possible way (risky services included). The good thing is the firewall itself isn't compromised by a badly exposed service this way.

I heard that this will also be part of pfSense 2.3 when it comes out. Can't have been wrong to ship it back in 2015 as there seems to be more demand for it than expected. :)
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: weust on March 20, 2016, 06:58:22 pm
@cdburgess75, it was a rhetorical question.

I don't like the idea of a hypervisor so close to the firewall/router.
And maybe having the hypervisor on a network right behind said firewall/router is just the same, I would like to keep it more separated.

Maybe for a home/hobby setup like this it could be interesting for testing purposes, but that should be it.
Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: temporaryuser on March 21, 2016, 05:45:02 pm
For all of you who suggest keeping the virtualization environment's metal apart from the firewall metal: I totally agree - in general. And anyone who has 2 metals should do so.

But there is one case in which I am in favor of putting the firewall and the virtualization on one metal together:

The case where you have a metal hosted (and only one metal!) at some web host. There you can either choose just to run the virtualization environment on the metal without a firewall - or to compromise and put both, the virtualization environment AND the firewall, onto the same metal, and have some increased security and/or functionality.

Now, whether it is better to run a virtualization environment of your choice and then have the firewall run in a virtual machine - or to install the firewall bare metal and use its built-in virtualization capabilities... well, I guess there are advantages and disadvantages to both solutions. But I cannot really imagine that e.g. OPNsense's virtualization capabilities can seriously be compared with some dedicated solutions such as the above-mentioned VMware ESXi, Proxmox VE, etc.
I guess the way also mentioned above - to use the basic firewall functionalities of e.g. Proxmox for basic defense of the virtualization environment and then have a full-fledged firewall solution such as OPNsense to separate and protect the virtual machines - makes more sense, doesn't it?

Cheers

Title: Re: Run OPNsense virtualized and handle all traffic for the host and its VMs?
Post by: cdburgess75 on August 20, 2016, 02:01:26 am
I enjoy this topic. I see a lot of people say they hate the idea actually. Hate and fear mostly. However, I think it's a cool idea and could be a natural fit for services such as spam filters, etc. In fact, IDS/IPS, proxy, routing, VPN with AD auth, are all separate services that this firewall is capable of. Even the LDAP integration with directory services (like AD) is available on firewalls. So we are ok with these features being on our favorite firewall, right?

The real question is, where does the fear stem from? Don't let the systemic change confuse our judgements. Is it security and reliability, or both maybe? I can see a case for all 3 sides, but my views and thoughts are not strong enough to justify dropping the idea altogether. We all have opinions, but there are reasons for their existence. Anyone interested in exploring, I'm up for it.

That said, I'm a veteran at this stuff too; I remember a day when all these services were on separate metal devices in LANs and DMZs. There can be a strange comparison to component stereo systems and compact ghetto blasters :) One last point: small biz cannot afford component stereo systems, they buy the compact ones.