Messages - temporaryuser

#31
16.1 Legacy Series / Re: There is a serious problem!
March 09, 2016, 03:10:52 PM
Hi Maciej,

Quote from: mszeliga on March 08, 2016, 09:48:09 PM
I have now several times experienced a situation where the firewall crashes and becomes a simple router.
<snip> the result should be no traffic passing instead of all traffic passing.
<snip> After this happens the firewall keep acting as a simple router even after a reboot, only restoring earlier configuration may fix the problem.

Wow. If that turns out to be true, it would be really shocking. The whole intranet with all its network segments wide open and fully exposed to the internet, just because the firewall crashed...  :o

Could you please specify what you mean with "when the firewall crashes"? Do you mean that the whole operating system (OS) hangs/reboots/freezes, etc. or do you mean that the packet filter of the OS goes crazy while the OS continues to run normally?

Sincerely worried
temporaryuser
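As an added example (not code from this thread or from the OPNsense project), a small POSIX shell check for the state Maciej describes: pf no longer filtering while the kernel still forwards packets, so the box acts as a plain router. The function name and the sample `pfctl -s info` lines are constructed for the example.

```shell
#!/bin/sh
# Classify a FreeBSD/OPNsense box as "filtering", "fail-closed" or "fail-open" from:
#   1. the text of `pfctl -s info`  (first line: "Status: Enabled ..." / "Status: Disabled ...")
#   2. the value of `sysctl -n net.inet.ip.forwarding` (1 = kernel routes between interfaces)
# "fail-open" is the dangerous case: pf is down but packets are still forwarded.
# classify_fw_state is a hypothetical helper written for this example.

classify_fw_state() {
    pf_info="$1"        # output of `pfctl -s info`
    forwarding="$2"     # output of `sysctl -n net.inet.ip.forwarding`

    case "$pf_info" in
        *"Status: Enabled"*)  pf_on=1 ;;
        *"Status: Disabled"*) pf_on=0 ;;
        *) echo "unknown"; return 2 ;;   # unparseable: report unknown, never assume safe
    esac

    if [ "$pf_on" -eq 1 ]; then
        echo "filtering"; return 0
    elif [ "$forwarding" = "1" ]; then
        echo "fail-open"; return 1       # pf down AND kernel still routing
    else
        echo "fail-closed"; return 0     # pf down, but nothing is forwarded
    fi
}

# Constructed sample outputs (pfctl -s info begins with a Status line on FreeBSD):
PF_ENABLED="Status: Enabled for 0 days 01:02:03          Debug: Urgent"
PF_DISABLED="Status: Disabled for 0 days 00:00:10         Debug: Urgent"

# On the firewall itself the live call would be:
#   classify_fw_state "$(pfctl -s info)" "$(sysctl -n net.inet.ip.forwarding)"
# A cron job can alert on a "fail-open" result, or disable forwarding until pf is back.
```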
#32
Quote from: phoenix on March 08, 2016, 03:51:58 PM
If you don't have much experience with ESXi then.. <snip>

Thank you very much for your additional help on ESXi, but we use a different, free (https://en.wikipedia.org/wiki/Free_software) virtualization operating system (which, by the way, comes with a web interface right out of the box).
The hints that you had given me before concerned ESXi, but this was not a problem for me since I understood the steps that you outlined and I know how to perform them in the virtualization environment that we use!

Please don't worry, I am sure that your additional kind help for ESXi's web interface was not wasted, since someone else using ESXi and reading this post will surely benefit from it!

Thank you very much for your help and time!
Cheers
temporaryuser
#33
Great, phoenix, thank you very much for your help! Sounds pretty much straightforward and a solid solution. I will do it as you told me. Thank you!

Cheers
temporaryuser
#34
Quote from: phoenix on March 08, 2016, 11:57:01 AM
Yes, I use OPNsense VM for all the VMs on my host and all the other machines in my LAN.

Great! Maybe you can help me out with those questions:

  • Is the logic of setting up all those virtual NICs on the host and then having the VM with the firewall handle all the traffic from and to the other virtual NICs / the virtual bridges of the other VMs something difficult to set up, or was it pretty straightforward for you?
  • Are your other VMs totally isolated from the internet having the firewall VM handle all the routing?
  • Is your host totally isolated from the internet having the firewall VM handle all the routing from and to it, or does your host continue to be reachable from the outside?

Quote from: phoenix on March 08, 2016, 11:57:01 AM
IMO, there's no such thing as "not as secure as" - that means not secure to me.

I disagree about that. Since there is no such thing as 100,00% security, there must be gradients of security between 0% and 100%...

Quote from: phoenix on March 08, 2016, 11:57:01 AM
Security is a multi-layered approach and relying on a firewall or one single point of protection is self defeating - if the firewall is breached then you have problems. I do as much as I can on the firewall with IDS/IPS etc., etc. and add additional security measures on the machines in my LAN

I fully agree!

Cheers,
temporaryuser
#35
Hi Jos,

Quote from: jschellevis on March 08, 2016, 11:56:31 AM
Thanks for your compliment!

You are welcome :)

Quote from: jschellevis on March 08, 2016, 11:56:31 AM
Currently we don't offer the option to download the docs

BTW: For anybody reading this and not knowing what we are talking about - here is an example:
https://virtualenvwrapper-bitbucket.readthedocs.org/en/stable/
-> If you click on the "v:stable" link at the bottom of the menu on the left side, you will get a menu with the export/download options.

Quote from: jschellevis on March 08, 2016, 11:56:31 AM
as they change a lot (very frequent updates and new chapters) and some pages don't export very well to different formats.

I see. Nevertheless, as a consumer of this documentation I would prefer having the freedom of the export and then dealing with the downsides you mentioned, since I love reading offline / on paper / as EPUB and making notes, etc. Maybe adding a short warning such as "Beware when exporting: Please come back regularly since this documentation is under active and heavy development" would solve the issue?

Quote from: jschellevis on March 08, 2016, 11:56:31 AM
I would say keep a close eye on the project and you never know your wish might be granted at a later time.

Yes, of course, I will keep a close eye on the project in any case, since I am very positive about your reasons to fork pfSense, and I will be a happy new user of OPNsense, soon.
But I also keep my fingers crossed that you will grant me the freedom and openness to read the documentation as I prefer, soon, too.. ;-)

Cheers,
temporaryuser
#36
Hi Bill,

Quote from: phoenix on March 08, 2016, 11:34:40 AM
I don't have any problem running OPNsense in a VM on my ESXi server

Ok, and do you use this OPNsense VM to route/handle all traffic from/to the other VMs on that particular ESXi server? If yes: is that easy to set up and manage or what is your experience with such a setup?

Quote from: phoenix on March 08, 2016, 11:34:40 AM
why do you think a virtualized firewall is not secure?

I did not say that it is "not secure", but "not as secure" as a bare metal installation. The reason for this is IMHO that virtualization adds additional layers to the stack, i.e. the virtualization host, the virtualized NIC, the VLANs, etc., which add possibilities for additional vectors of attack (e.g. bugs/exploits in the VLAN stack) and/or configuration errors (e.g. getting overwhelmed with VLAN complexity), etc.

Cheers,
temporaryuser
#37
Hi everyone,

I want to install a virtualization OS (host) on a bare metal server, which is going to run a couple of virtual machines (VMs) which are going to function as server services (e.g. webservers, fileservers, etc.).

Now, since I would like to protect those VMs and be able to regulate the traffic from and to them, reach them via VPN, etc. I would like to have a firewall set between them and the internet, i.e. OPNsense.
But: Since I have only this one bare metal server at my disposal, I was thinking about installing OPNsense as a VM, too, instead of placing a second bare metal server with OPNsense between the host server and the internet.

Yes, I know, a virtualized firewall based on virtual NICs and VLANs is not as secure as a bare metal one, no doubt about that. But since I do not have the option of a bare metal server in this particular case, I am trying to at least improve security, instead of just having the host and its VMs totally exposed to the internet.

My questions: Is it possible and practically manageable to install OPNsense as a VM of the host and:
a) have the OPNsense handle/route all the traffic to and from the other VMs?
b) receive and manage all traffic from the internet coming to the host solely with the OPNsense VM, without touching the host first?

I would be happy about any feedback, thoughts and ideas about this! Has anybody done something similar?

Bye,
temporaryuser
#38
Hi there!

Thank you very much for providing such beautiful documentation using Sphinx with the "Read the Docs" theme.

One of the great features of Sphinx is: "Output formats: HTML (including Windows HTML Help), LaTeX (for printable PDF versions), ePub, Texinfo, manual pages, plain text".

Unfortunately I have not found the option for that in your documentation. Did you disable that feature on purpose, or is there any possibility of you implementing it / turning it on? It is very convenient for reading the documentation as EPUB on a tablet or for printing it out as PDF.

Thank you & all the best for your young project!

Yours,
temporaryuser