Pfsense - ESXi - DMZ - LAMP
-
Hello,
for my personal home server connected directly to the internet I am using ESXi for virtualization and pfsense as a VM. Pfsense takes the role of router and firewall for my LAN as well as for the VMs. The home server has two physical NICs, where one is connected to the WAN and one to the LAN. (I know it is not the recommended way and a firewall on dedicated hardware is preferred, but for home use it is good enough.)
My intention is to use one VM as a groupware server ("sogo") including webserver, SQL and mail server. The webserver should be accessible from WAN for webmail and the mail server should be accessible from LAN. I know that from a security point of view it would be best to separate the different services into different VMs and use pfsense to control the traffic. But this would exceed the physical limit of my small home server. So I am thinking about three different scenarios to secure my network:
1) Set up a DMZ and connect the VM by one NIC. In this case I have to take care of the VM client firewall rules, as both kinds of traffic will come through the same NIC and same IP.
2) Set up a DMZ and connect the VM by two NICs. In this case I can bind apache to one NIC of the VM and connect it to the DMZ. The second NIC of the VM I can connect to the LAN. In this case pfsense could control inside and outside traffic by the two networks DMZ and LAN. The disadvantage is that in case the VM gets attacked there would be a bypass inside the VM directly to the LAN.
3) A combination of 1 and 2: Set up two DMZs and connect one NIC of the VM to the "internal DMZ" and one NIC to the "external DMZ". Doing so I can use different networks inside the VM to separate external and internal traffic, and pfsense I can use to set up clear rules for the different DMZs.
Any recommendation?
Or any better idea? I hope my verbal explanation was good enough.
-
-
"I know it is not the recommended way and a firewall on a dedicated hardware is preferred"
Says who?? There are many many advantages to running your router/firewall as a VM.. If it can provide you with the performance you need, then I would say it's the preferred option ;)
Hard time following your one nic two nic thing – are you talking of adding a nic to your esxi host?
If your esxi host does not have enough oomph to add the VMs you want - get more oomph ;) Or add a 3rd nic to the host so that you can then have your other server(s) in a dmz both in the vm world and the physical world. Pfsense would still be used to control access between your lan and dmz be it virtual or physical.
If your switch does not support vlans, then just get one that does or just another dumb switch and connect this to your dmz nic in your esxi host - which will keep it isolated from your lan.
-
"Hard time following your one nic two nic thing – are you talking of adding a nic to your esxi host?"
Ok. I thought so.
The ESXi host has two physical NICs. One is physically connected to the WAN and one physically connected to the LAN. Inside ESXi both NICs are connected to the pfsense VM acting as router and firewall. So far nothing special.
Now I will add a virtual ESXi NIC and set up a DMZ in pfsense for it. To this DMZ I want to connect a groupware server VM accessible from LAN and WAN. But by standard configuration the VM has one NIC only. Now I am thinking whether I could get any benefit by adding a second virtual NIC to the VM.
1)
                    192.168.2.0/24
WAN ---pfsense------DMZ ---------------VM
        |
       LAN
   192.168.1.0/24

2)
                    192.168.2.0/24
WAN ---pfsense------DMZ ----------------|
        |                               VM
        |                               |
       LAN------------------------------
   192.168.1.0/24

3)
                    192.168.2.0/24
          ----------DMZ1 -------------- |
          |                             VM
WAN ---pfsense------DMZ2 ---------------|
        |           192.168.3.0/24
       LAN
   192.168.1.0/24
-
Ok so you're only talking of VMs - then what is the point of this statement?
"But this would exceed the physical limit of my small home server."
1 is the correct solution you're looking for, 2 does what? Other than compromise the idea of a dmz. And 3 what?? Pointless!
-
"But this would exceed the physical limit of my small home server."
The VM is a groupware server including Apache, MySQL, Postfix, Cyrus and LDAP. The webserver is accessible from WAN. It is hosting a public home page and webmail access to the mailserver. And the system needs to be accessible from the LAN (IMAP, SMTP and apache with Webmin). In a professional environment you would separate these services into different VMs. But I can only bundle all services in one VM.
"1 is the correct solution you're looking for, 2 does what? Other than compromise the idea of a dmz. And 3 what?? Pointless!"
If I use configuration 1 the security of the VM is defined only by the client firewall settings inside the VM. pfsense I can only use to isolate the VM in the DMZ and secure my LAN.
When I use two NICs inside the VM I have more possibilities for client security. I can bind all services with access from LAN to one NIC and subnet, and I can bind all services with access from outside to the other NIC with a separate subnet.
The question I have is whether this configuration with two subnets in the VM will help me to increase security?
-
"If I use configuration 1 the security of the VM is defined only by the client firewall settings inside the VM"
Says who?? You're still behind pfsense, only the ports you allow would be sent to the VM. You're not doing a 1:1 nat with any any rules, are you?
You're calling it DMZ - it's just another network segment connected to your firewall - you have full control of what ports are allowed through the firewall to IPs on the DMZ. You have full control of which ports are allowed from the lan to the dmz, or from the dmz to the lan, etc. etc.
-
"If I use configuration 1 the security of the VM is defined only by the client firewall settings inside the VM"
"Says who?? You're still behind pfsense, only the ports you allow would be sent to the VM. You're not doing a 1:1 nat with any any rules, are you?"
Yes, with pfsense I can control traffic from WAN and LAN to the VM inside the DMZ. But to make the client side more secure, inside the VM I carefully have to define which port is for outside and which port is for inside. Having two networks inside the VM would help a lot with the separation inside the VM.
"You're calling it DMZ - it's just another network segment connected to your firewall - you have full control of what ports are allowed through the firewall to IPs on the DMZ. You have full control of which ports are allowed from the lan to the dmz, or from the dmz to the lan, etc. etc."
This is why for security reasons you can often find separate management networks. The separation is not done by port control but by having separate NICs with separate networks. In the same way I want to separate services inside the VM: some to be accessed from LAN only and some to be accessed from WAN. The question from my side is how to connect these two networks to the pfsense system.
But after using my brain a little bit again, there is no reason not to use option 2 with one DMZ. Two NICs with two IPs I can connect. This will allow me to separate both networks inside the client VM.
Many thanks for your help and being patient.
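The two-NIC design the last post settles on only buys anything if each daemon inside the VM really is bound to the NIC meant for it; a service listening on 0.0.0.0 answers on both NICs and re-creates the in-VM bypass the design is supposed to remove. The script below is an added example for this thread, not code from any of the posters or from pfSense: it takes `ss -Hltn` output and compares every listening socket against a port-to-address policy. The addresses (192.168.2.10 on the DMZ NIC for Apache, 192.168.1.10 on the LAN NIC for IMAPS, submission and Webmin) and the sample socket list are assumptions constructed to match the thread's diagrams.

```shell
#!/bin/sh
# Added example, not code from the thread: check that every service in the
# groupware VM is bound to the NIC meant for it, as the last post proposes.
# Addresses are assumptions chosen to match the thread's diagrams:
#   192.168.2.10  NIC facing the DMZ (pfSense forwards WAN 80/443 here)
#   192.168.1.10  NIC facing the LAN (IMAPS, submission, Webmin)

# Policy: port=address pairs. A port absent from the policy (e.g. sshd on 22)
# is not checked.
POLICY='80=192.168.2.10;443=192.168.2.10;993=192.168.1.10;587=192.168.1.10;10000=192.168.1.10'

# check_bindings reads `ss -Hltn` output on stdin. Each line looks like
#   LISTEN 0 511 192.168.2.10:443 0.0.0.0:*
# It prints one line per policy violation and returns 1 if any were found.
# A socket on 0.0.0.0, * or [::] is a violation: it answers on both NICs,
# which is exactly the in-VM bypass the two-NIC design is meant to avoid.
check_bindings() {
    awk -v policy="$POLICY" '
    BEGIN {
        n = split(policy, pairs, ";")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            allowed[kv[1]] = kv[2]
        }
        bad = 0
    }
    $1 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)        # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)    # text before the last colon
        if (!(port in allowed)) next
        if (host != allowed[port]) {
            printf "port %s listens on %s, expected %s\n", port, host, allowed[port]
            bad++
        }
    }
    END { exit (bad > 0) }'
}

# Stand-alone demo on constructed ss output (not a capture from a real host):
# Apache and IMAPS are bound correctly, submission listens on all addresses,
# and Webmin sits on the DMZ NIC instead of the LAN NIC.
SAMPLE='LISTEN 0 511 192.168.2.10:443 0.0.0.0:*
LISTEN 0 100 192.168.1.10:993 0.0.0.0:*
LISTEN 0 100 0.0.0.0:587 0.0.0.0:*
LISTEN 0 128 192.168.2.10:10000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

if printf '%s\n' "$SAMPLE" | check_bindings; then
    echo "all policed services are bound to the intended NIC"
else
    echo "fix the Listen / inet_interfaces settings before opening the firewall"
fi
```

On the real VM run `ss -Hltn | check_bindings` after editing the daemons' bind settings (Apache's `Listen`, Postfix's `inet_interfaces`, and the equivalent for Cyrus and Webmin), and again after every package upgrade, since a restored default config is the usual way a service silently falls back to 0.0.0.0. The pfSense rules remain the outer layer: they decide which ports reach each IP at all, while this check confirms the inner layer the two NICs were added for.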