pfSense on VPS - Setup issue
-
I would just use the firewall on the VPS host itself (think iptables) or whatever the VPS provider has available in front of it.
-
@Derelict : Interesting!
My VPS provider doesn't provide a firewall.
It's clear that pfSense would increase the security. So why shouldn't I use it?
-
pfSense is installed as the OS. It's not a server, it's a router/firewall distro designed to do that firewall/route. Unless you have multiple devices behind it, you wouldn't use it on a single VPS. So as Derelict stated - just use the firewall that comes with whatever OS your VPS is running. If it's a VPS running OS XYZ, just use the host firewall that you can run on that XYZ OS to protect it.
What OS is your VPS running?
-
@sensori said in pfSense on VPS - Setup issue:
I want to protect at least one VPS with a Web Server and one with a DB.
So, you already have an OS with stuff and service...the link I provided assumed VPS is an empty hard drive with no OS. Are you running CentOS? It seems that to do what you want to do a virtual pfSense machine may work if you have the memory...adds complexity though.
-
I would like to use pfSense in front of a Web Server - with it come some other components like nginx (Load Balancer, Reverse Proxy), a VCS (GitLab), 2 DBMSs and some other stuff. I assume, I could put all in one big machine but I thought it is better to have several small machines instead and separate them. With the current VPS provider I can create subnets. So the idea is to have a subnet where all machines can communicate with each other easily and pfSense in front of them as firewall to protect them. Of course only the Web Server would be open to the public, access to all other machines is meant only for me. Maybe it is better to put the Web Server in front of pfSense, I'm not sure.
At the moment I'm just experimenting with pfSense to see how I can achieve what I want. I created only 2 machines, on one of them I've installed pfSense and on the other one (Ubuntu) I haven't installed anything so far. This is for testing purposes only. In the final architecture I would like to use CentOS on all machines if I can (I don't have any experience with CentOS).
-
Just add firewall rules to allow the access you need (to the webgui, to ssh etc) on the WAN before you enable another interface. Doing that moves the default allow rule to LAN and blocks any traffic you have not explicitly allowed on WAN.
Steve
-
Sounds like a VPC not a VPS.
-
Sorry for the late response.
@stephenw10 : that helped. Thanks!
@Derelict : after more thorough research I found that the VPSs are separated in the network layer, so it's not a VPC. The VPS provider recommends encrypting the connection between VPSs.
The root of my issues is probably because of the VPS nature e.g. routing, which I haven't encountered before when using pfSense in my LAN - so it's not a pfSense issue. However, if someone has link(s) to good guides, it would be helpful.
-
No help to offer without a better description of what you actually have. Doesn't sound like an environment where pfSense will do you any good.