Topic: Run OPNsense virtualized and handle all traffic for the host and it's VMs? (Read 26529 times)
weust
Reply #15 on: March 20, 2016, 06:58:22 pm
@cdburgess75, it was a rhetorical question.
I don't like the idea of a hypervisor so close to the firewall/router.
And maybe having the hypervisor on a network right behind said firewall/router is just the same, I would like to keep it more separated.
Maybe for a home/hobby setup this could be interesting for testing purposes, but that should be it.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.
temporaryuser
Reply #16 on: March 21, 2016, 05:45:02 pm
For all of you who suggest keeping a virtualization environment metal apart from the firewall metal: I totally agree - in general. And anyone who has 2 metals should do so.
But there is one case in which I favor putting the firewall and the virtualization together on one metal:
The case where you have a metal hosted (and only one metal!) at some web host. There you can either choose just to run the virtualization environment on the metal without a firewall - or to compromise and put both the virtualization environment AND the firewall onto the same metal, and have some increased security and/or functionality.
Now, whether it is better to run a virtualization environment of your choice and then have the firewall run in a virtual machine - or to install the firewall bare metal and use its built-in virtualization capabilities... well, I guess there are advantages and disadvantages to both solutions. But I cannot really imagine that e.g. OPNsense's virtualization capabilities can seriously be compared with some dedicated solutions such as the above-mentioned VMware ESXi, Proxmox VE, etc.
I guess the also above-mentioned way of using the basic firewall functionalities of e.g. Proxmox for basic defense of the virtualization environment, and then having a full-fledged firewall solution such as OPNsense to separate and protect the virtual machines, makes more sense, doesn't it?
Cheers
cdburgess75
Reply #17 on: August 20, 2016, 02:01:26 am
I enjoy this topic. I see a lot of people say they hate the idea actually. Hate and fear mostly. However, I think it's a cool idea and could be a natural fit for services such as spam filters, etc. In fact, IDS/IPS, proxy, routing, VPN with AD auth, are separate services that this firewall is capable of. Even the LDAP integration to Directory services (like AD) is available on firewalls. So we are ok with these features being on our favorite firewall, right?
The real question is, where does the fear stem from? Don't let the systemic change confuse our judgements. Is it security and reliability or both maybe? I can see a case for all 3 sides, but my views and thoughts are not strong enough to justify dropping the idea altogether. We all have opinions, but there are reasons for their existence. Anyone interested in exploring, I'm up for it.
That said, I'm a veteran at this stuff too; I remember a day when all these services were on separate metal devices in LANs and DMZs. There can be a strange comparison to component stereo systems and compact ghetto blasters.
One last point: small biz cannot afford component stereo systems, they buy the compact ones.