Netgate Discussion Forum

PfSense in VirtualBox on FreeBSD Host

  • M
    marksense
    last edited by Dec 6, 2013, 6:19 AM

    Hi, guys.

    I'm after some advice and, if possible, guides/howtos to achieve implementing said advice.

    My home network is really simple, and likely really insecure. I have a DSL modem/router, 2 x Win7 notebooks, 1 x FreeBSD notebook, and a couple android devices (phones & tablets). Currently, all devices connect, via wifi, to the router. There is a built-in firewall on the router, and all notebooks run software firewalls (Win firewall on the Win boxes, PF on the BSD box).

    The two Win7 boxes are for general use – they do nothing special. The FreeBSD box runs an apache web server inside a jail. I set this up to run ownCloud instead of Dropbox for myself and my family. I intend to run more services (my own mail and DNS servers) from inside jails on this box, but at the moment these objectives are outside of my skill level. So, apart from hosting my own web and cloud server on this box with my registered domain name, my mail service is run by a company.

    What I would like to do is set up the FreeBSD notebook as a server and firewall for the whole network (2 x Win7 boxes, and, if possible, the android devices). I.e.:

    All notebooks have both an ethernet card (not used), and a wifi card (used). From the research I've conducted, I was thinking that running pfSense inside VirtualBox on the FreeBSD box is what I should do. However, I'm not sure how to do this. I mean, I know I need to install virtualbox-ose, grab a pfSense image and install it into vbox. Beyond that, I'm lost; which physical NIC to use, for what, on all devices (FreeBSD server and Win7 notebooks), what virtual NIC(s) to set up in pfSense, etc.

    Alternatively – likely much easier too – I would be satisfied with running pfSense inside VirtualBox just for its host's connectivity. That is, the host OS (FreeBSD) tunnels all transmissions (in + out) through its virtual guest (pfSense). This way, the Apache server is at least secure, so my ownCloud server, and future web developments will be safe(r).

    In fact, the latter is probably best. It would be an unacceptable inconvenience to have too much downtime on the Win7 notebooks as this is what the family use every day. We can suffer some downtime on the FreeBSD box to get it set up and troubleshoot any problems that arise. Plus, I am extremely novice so the simpler the better. As my skill level increases I can attempt more complex missions.

    Thanks for reading, I appreciate any help at all!
    pf_schematic.png
    • M
      marksense
      last edited by Dec 6, 2013, 8:19 AM

      This might be a better explanation (an expansion of the host/virtual guest configuration):

      pf_schematic.png
      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Dec 6, 2013, 11:46 AM

        Why run freebsd with virtualbox on top and then pfsense?

        Just run a type 1 hypervisor (bare metal), lots to choose from.  Then run pfsense as vm, your webserver as vm, any other things you want as vms.

        Running OS, then your virtual hosting software, then your vms just complicates the whole thing and leaves less resources for your vms.

        I run ESXi on an n40L with 4 nics and 8gb of ram.  It is my pfsense router/firewall and then also my NAS, my linux server, my all around any time I need to fire up a vm box.  The multiple physical nics in the host allow me to connect to multiple physical networks so I have a lan, and wlan and dmz, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • M
          marksense
          last edited by Dec 6, 2013, 1:04 PM

          @johnpoz:

          Why run freebsd with virtualbox on top and then pfsense?

          Hi, john. Thanks for posting.

          I already had FreeBSD on this (old) notebook, which I sometimes use for miscellaneous projects. Backing it up and uninstalling is not something feasible right now. Plus, I think it's more efficient to run most things in jails as opposed to having VMs for each service. I can make a new jail with its own local IP and complete ports tree and get to a command line inside it in literally 5 seconds and 3 commands. I then have, essentially, a brand new FreeBSD OS ready to go. You cannot do this with VMs. Also, as I am more experienced with using this method, I would prefer to keep this setup while I gain experience running services in VMs and networking things this way.

          Just run a type 1 hypervisor (bare metal), lots to choose from.  Then run pfsense as vm, your webserver as vm, any other things you want as vms.

          I'm not sure of any real benefit doing it as you suggest as opposed to running each service in its own jail with just pfSense in its own VM. It's quicker, requires less resources, and is no more or no less secure. Essentially, a cheaper VM.

          Running OS, then your virtual hosting software, then your vms just complicates the whole thing and leaves less resources for your vms.

          I don't really know if it is more or less complicated, I don't know enough to comment. However, it is certainly less resource intensive with jails vice virtual machines.

          I run ESXi on an n40L with 4 nics and 8gb of ram.  It is my pfsense router/firewall and then also my NAS, my linux server, my all around any time I need to fire up a vm box.  The multiple physical nics in the host allow me to connect to multiple physical networks so I have a lan, and wlan and dmz, etc.

          I would not run ESXi, I prefer open source. This notebook only has 2 GB RAM, 2 x 50 GB HDD and the 2 NICS. So disk space and memory aren't in abundance, hence jails are much more preferable. My FreeBSD install is only the base system, no DKE (no GUI at all), so it may even take less resources than a Type 1 Hypervisor. And, I would only install FreeBSD into one of the VMs, if I were to run a Type 1 Hypervisor, to run my services on anyway.

          I did a test on one of the Win boxes: I installed pfSense into a VM and managed to tunnel connections from the router to pfSense (guest VM) to the Win7 (host OS) thanks to this tutorial. I just need to figure out how to do it in FreeBSD now.

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Dec 6, 2013, 1:26 PM

            Ok – vs running other vms, run 2: your pfsense and then freebsd with your jails for your webserver, etc.

            This removes the complexity of running virtualbox on top of your OS.  If you don't like esxi then use xen, like I said there are plenty of hypervisors out there to pick from.  Xen, Proxmox

            This is how I would do it - virtualbox is ok, and have it on my workstation but the port to freebsd is not really all that hot is it?

            • M
              marksense
              last edited by Dec 6, 2013, 1:57 PM

              @johnpoz:

              Ok – vs running other vms, run 2: your pfsense and then freebsd with your jails for your webserver, etc.

              This removes the complexity of running virtualbox on top of your OS.  If you don't like esxi then use xen, like I said there are plenty of hypervisors out there to pick from.  Xen, Proxmox

              This is how I would do it - virtualbox is ok, and have it on my workstation but the port to freebsd is not really all that hot is it?

              Is your suggestion based on the premise that networking will be much easier between VMs opposed to between host OS and VMs? If so, can you provide some assistance in the networking that will take place using your suggestion (Type 1 with multiple VMs)?

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Dec 6, 2013, 6:05 PM

                Well all I can tell you is how easy networking is with esxi, since this is where I have the most experience.  But yes, in general networking should be simpler in type 1.

                With esxi you create virtual switches and then either connect those to physical interfaces or don't.  But any vms can be tied to any vswitch or number of virtual switches with virtual interfaces.  With esxi it is very simple to create port groups with vlan tagging or not, etc.

                http://wiki.xen.org/wiki/Xen_Networking
                http://pve.proxmox.com/wiki/Network_Model

                So for example in my setup if you just look at internet access and my lan - leave out my other networking segments.  I have a physical nic connected to vswitch WAN, and physical nic connected to vswitch LAN.

                the wan vswitch is connected to my cable modem.
                the lan vswitch is connected to my physical lan switch.

                I create a vm, give it a virtual nic and that is connected to whatever vswitch I want.  If connected to my lan vswitch it is like any physical box on my network, has its own mac, and to my physical network it is no different than if the device was physically connected to a switch.

                Another option for you from opensource for type 1 would be smartos - someone was asking if anyone was interested in a guide on getting pfsense up and running on that, etc.  I don't think he saw enough interest to move forward with his guide though.

                To me a type 1 is much easier to work with and removes any sort of management of the host OS

                type 1 you have

                hardware - vmhost os - vms

                type 2 you have

                hardware - OS - vmhost os - vms

                With type 1 you're working with an OS where really the only thing to do is manage the vms' use of the hardware - which it was designed to do. Not provide all the features that a normal OS does, etc.

                Type 2 you have your OS that manages your vmhost OS's use of the hardware, and then vms on top of that.  If anything outside of extra complexity, and management of that hardware OS, let's call it.  You have reduced your vm's resources available since you're running a full OS, however little those resources are - it takes away from what the vms can use.

                Since you mention you're working with a limited sort of hardware, I would think anything that reduces overhead would be good.  Like removing the OS that your virtual software has to run on top of.

                Your solution can and does work - I just don't see the point of it, unless you plan on using the box you're planning on doing this on as a normal workstation at the same time you're running your VM(s) on it.
