Run OPNsense virtualized and handle all traffic for the host and its VMs?

Started by temporaryuser, March 08, 2016, 11:31:48 AM

Hi everyone,

I want to install a virtualization OS (host) on a bare metal server, which is going to run a couple of virtual machines (VMs) which are going to function as server services (e.g. webservers, fileservers, etc.).

Now, since I would like to protect those VMs and be able to regulate the traffic from and to them, reach them via VPN, etc. I would like to have a firewall set between them and the internet, i.e. OPNsense.
But: Since I have only this one bare metal server at my disposal, I was thinking about installing OPNsense as a VM, too, instead of placing a second bare metal server with OPNsense between the host server and the internet.

Yes, I know, a virtualized firewall based on virtual NICs and VLANs is not as secure as a bare metal one, no doubt about that. But since I do not have the option for a bare metal server in this particular case, I am trying to at least improve security, instead of just having the host and its VMs being totally exposed to the internet.

My questions: Is it possible and practically manageable to install OPNsense as a VM of the host and:
a) have the OPNsense handle/route all the traffic to and from the other VMs?
b) receive and manage all traffic from the internet coming to the host solely with the OPNsense VM, without touching the host first?

I would be happy about any feedback, thoughts and ideas about this! Has anybody done something similar?

Bye,
temporaryuser

I don't have any problem running OPNsense in a VM on my ESXi server, why do you think a virtualized firewall is not secure?
Regards


Bill

Hi Bill,

Quote from: phoenix on March 08, 2016, 11:34:40 AM
I don't have any problem running OPNsense in a VM on my ESXi server

Ok, and do you use this OPNsense VM to route/handle all traffic from/to the other VMs on that particular ESXi server? If yes: is that easy to set up and manage or what is your experience with such a setup?

Quote from: phoenix on March 08, 2016, 11:34:40 AM
why do you think a virtualized firewall is not secure?

I did not say that it is "not secure", but "not as secure" as a bare metal installation. The reason for this is IMHO that virtualization adds additional layers to the stack, i.e. the virtualization host, the virtualized NIC, the VLANs, etc. which add possibilities for additional vectors of attack (e.g. bugs/exploits in the VLAN stack) and / or configuration errors (e.g. getting overwhelmed with VLAN complexity), etc.

Cheers,
temporaryuser

Yes, I use OPNsense VM for all the VMs on my host and all the other machines in my LAN.

IMO, there's no such thing as "not as secure as" - that means not secure to me. Security is a multi-layered approach and relying on a firewall or one single point of protection is self-defeating - if the firewall is breached then you have problems. I do as much as I can on the firewall with IDS/IPS etc., etc. and add additional security measures on the machines in my LAN.
Regards


Bill

Quote from: phoenix on March 08, 2016, 11:57:01 AM
Yes, I use OPNsense VM for all the VMs on my host and all the other machines in my LAN.

Great! Maybe you can help me out with those questions:

  • Is the logic of setting up all those virtual NICs on the host and then having the VM with the firewall handle all the traffic from and to the other virtual NICs / the virtual bridges of the other VMs something difficult to set up, or was it pretty straightforward for you?
  • Are your other VMs totally isolated from the internet having the firewall VM handle all the routing?
  • Is your host totally isolated from the internet having the firewall VM handle all the routing from and to it, or does your host continue to be reachable from the outside?

Quote from: phoenix on March 08, 2016, 11:57:01 AM
IMO, there's no such thing as "not as secure as" - that means not secure to me.

I disagree about that. Since there is no such thing as 100.00% security, there must be gradients of security between 0% and 100%...

Quote from: phoenix on March 08, 2016, 11:57:01 AM
Security is a multi-layered approach and relying on a firewall or one single point of protection is self-defeating - if the firewall is breached then you have problems. I do as much as I can on the firewall with IDS/IPS etc., etc. and add additional security measures on the machines in my LAN.

I fully agree!

Cheers,
temporaryuser

Assuming you don't have an Enterprise Plus licence then you're left with using the standard vSwitch. Create two of those and attach your NICs to them - if this is a home LAN then one NIC on each of the switches should do. Create the OPNsense VM with two NICs, connect one of those NICs to the 'WAN' vSwitch and the other to the 'LAN' vSwitch. Install OPNsense and configure it to your requirements; when it's up and running you should have a working firewall and LAN connection.

Nothing in my environment is directly connected to the internet (except the ESXi NICs) and everything (including the ESXi host) is routed through OPNsense. Create any required VMs with single NICs (you don't really need more) and connect them to the LAN vSwitch, and that should give you a quick and simple set-up; the beauty is you can rearrange things later should you desire to do so.
Regards


Bill
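Added example (not code from the thread, from OPNsense or from VMware): the two-vSwitch layout phoenix describes, expressed as an esxcli plan plus a check that the host itself never ends up on the WAN side. It assumes vSwitch0 with uplink vmnic0 is the existing LAN side that already carries the host's management vmkernel port, that the spare NIC vmnic1 becomes the WAN uplink on a new vSwitch1, and that the portgroups are named WAN and LAN; all of those names are assumptions, and the `esxcli network ip interface list` output fed to the check in the usage note is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the WAN/LAN vSwitch layout on ESXi and
# verifies that no vmkernel (host) interface is attached to the WAN portgroup.
# Assumed names (override via environment): vSwitch0 = existing LAN side with the
# management vmkernel port, vmnic1 = spare NIC used as the WAN uplink.
set -eu

WAN_NIC="${WAN_NIC:-vmnic1}"
WAN_VSWITCH="${WAN_VSWITCH:-vSwitch1}"
LAN_VSWITCH="${LAN_VSWITCH:-vSwitch0}"

# Emit the esxcli commands for the layout, one per line, without running them.
# Only the OPNsense VM gets a NIC on the WAN portgroup; every other VM and the
# host's vmkernel ports stay on the LAN vSwitch, so the host is reachable only
# through the firewall.
esxi_plan() {
  cat <<EOF
esxcli network vswitch standard add --vswitch-name=$WAN_VSWITCH
esxcli network vswitch standard uplink add --uplink-name=$WAN_NIC --vswitch-name=$WAN_VSWITCH
esxcli network vswitch standard portgroup add --portgroup-name=WAN --vswitch-name=$WAN_VSWITCH
esxcli network vswitch standard portgroup add --portgroup-name=LAN --vswitch-name=$LAN_VSWITCH
esxcli network vswitch standard policy security set --vswitch-name=$WAN_VSWITCH --allow-promiscuous=false --allow-forged-transmits=false --allow-mac-change=false
EOF
}

# Reads 'esxcli network ip interface list' output on stdin. Each interface is
# printed as a 'vmkN' header followed by indented 'Key: value' lines; a vmk whose
# Portgroup is WAN would expose the host directly to the internet.
# Returns 0 when clean, 1 when at least one vmk sits on WAN.
check_no_vmk_on_wan() {
  awk '
    /^vmk[0-9]+$/ { vmk = $1 }
    /^ *Portgroup:/ {
      sub(/^ *Portgroup: */, "")
      if ($0 == "WAN") { print "EXPOSED: " vmk " is on portgroup WAN"; bad = 1 }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Dry run by default (DRY_RUN=1) or whenever esxcli is not on this machine:
# just show the plan. On an ESXi host with DRY_RUN=0, apply it and run the check.
if [ "${DRY_RUN:-1}" = "1" ] || ! command -v esxcli >/dev/null 2>&1; then
  esxi_plan
else
  esxi_plan | sh -e
  esxcli network ip interface list | check_no_vmk_on_wan
fi
```

Run it as-is to see the plan; run it on the host with `DRY_RUN=0` to apply it. The security policy line locks down the WAN vSwitch to the vSphere defaults of no promiscuous mode, no forged transmits and no MAC changes; relax it only if the firewall VM genuinely needs those on its WAN interface. The check is also worth re-running after any later rearrangement, since moving a vmkernel port onto the WAN portgroup silently undoes the "host is only reachable through OPNsense" property.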

Great, phoenix, thank you very much for your help! Sounds pretty much straightforward and a solid solution. I will do it as you told me. Thank you!

Cheers
temporaryuser

You're welcome. :)

If you don't have much experience with ESXi then I'd suggest you be prepared to make mistakes; it is straightforward but it's still a pain when things don't work out as you expected. If you're using the free (or even a paid-for) version then you might find this little tool a boon for managing your ESXi host from a browser: https://labs.vmware.com/flings/esxi-embedded-host-client

What that fling does is install a web browser on the host, and all the management functions are written in HTML, so you don't even need a Windows machine to run the VMware client.
Regards


Bill

Quote from: phoenix on March 08, 2016, 03:51:58 PM
If you don't have much experience with ESXi then.. <snip>

Thank you very much for your additional help on ESXi, but we use a different, free (https://en.wikipedia.org/wiki/Free_software) virtualization operating system (which, by the way, comes with a web interface right out of the box).
The hints that you had given me before concerned ESXi, but this was not a problem for me since I understood the steps that you outlined and I know how to perform them in the virtualization environment that we use!

Please don't worry, I am sure that your additional kind help for ESXi's web interface was not wasted, since someone else using ESXi and reading this post will surely benefit from it!

Thank you very much for your help and time!
Cheers
temporaryuser

If you are using proxmox, it has a small built in firewall which will be OK for most simple tasks.

Hi Zeitkind,

Quote from: Zeitkind on March 09, 2016, 10:33:42 PM
If you are using proxmox, it has a small built in firewall which will be OK for most simple tasks.

Thank you very much for this information!

Cheers
temporaryuser


Because OPNsense is a firewall/router and not a hypervisor?
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Are you asking me or informing me of that :)

Imagine, maybe it can be a hypervisor with an extremely cool firewall. The performance is definitely there for BSD's new virtualization software:

https://b3n.org/vmware-vs-bhyve-performance-comparison/


I get your point, truly I do. Everyone will say, NO, you can't do that! A firewall should never take these types of roles. However, they are being sold as routers and switches with layers 1, 2, 3, 4 and more of the OSI model being jammed into residential and commercial products every day. So the tradition is fading a bit. Haha, let's do it, man.

bhyve is in FreeBSD 10.x and available in OPNsense since its first version. If users want to use it, it can make sense. The firewall runs the bare minimum config, namely the VMs with the services and the firewall rules between them plus connectivity to clients. In these setups the firewall doesn't run anything it doesn't strictly need, so the VMs are safe to be extended in any possible way (risky services included). The good thing is the firewall itself isn't compromised by a badly exposed service this way.

I heard that this will also be part of pfSense 2.3 when it comes out. Can't have been wrong to ship it back in 2015 as there seems to be more demand for it than expected. :)