PFsense on VM with 4 Port PCI LAN card Secure?

RavenReign

Hello Everyone,

I'm in the research/planning stages of gutting and rebuilding my home network with a PFsense box for firewall and network management. Also I want to implement a home email/media server with some network storage.

At first I was thinking of separate machines for this. But after I'm thinking,

If I build one machine with say a quad core and one 4 port and one 1 port PCI NICs. I could dedicate the PCI NICs for use by only the PFsence VM. Then I could create other VMs for the email server and W.E else using the motherboard NIC [or other PCI NICs (or could I virtually connect them?)]

The 4 Port NIC would end up being my router, connected to my switch and the 1 port NIC the connection to my ISP

This seemed like a good idea to me, but after searching around I've seen some people caution about using PFsense in a VM because its possible to brake ESX host security and well defeat the purpose of the firewall.

is this still a risk if the PFsence has dedicated NICs?

KOM

(or could I virtually connect them?)

You don't use real NICs to connect a VM to the network.  They connect to vSwitches.

I've seen some people caution about using PFsense in a VM because its possible to brake ESX host security and well defeat the purpose of the firewall.

Unless they can point to something specific, it's FUD.

RavenReign

Thanks for the reply!  :D

Vswitch that's great! I wasn't sure if that was a thing, I haven't done much VMing. Figured this would be a great learning experience.

Then I can focus my 4 port NIC for the rest of my network.

andipandi

Everyone in this part of the forum runs virtualized. :)

Of course, you need to also patch and watch the host.

I am really happy with my (virtualized) setup so far: great flexibility, very fast hardware (that just idles around, but has good capacity), less hardware, easy to create a new system or snapshot.

Just the extra layer with the virtual switches adds some complexity each time you need to look into it, though that just takes a few minutes initially (which physical NIC is which virtual switch is which NIC in pfSense?).

You also get benefits, like if you totally misconfigure pfSense, you can still access the console via the host.

Also, typically several single or dual port NICs are cheaper than quads, and also watch out for used Intel ones which can come really cheap for good value and reliability.

johnpoz

"PFsense in a VM because its possible to brake ESX host security and well defeat the purpose of the firewall."

How would they have access to the esxi managment.. You wouldn't expose esxi to the internet - but sure ok if they compromise your host then yeah every vm on the host would be open..  But the internet is only connected to pfsense WAN.  esxi management should be on a different physical interface all together, etc.  So how would they even get to esxi to compromise its security?

With Kom - can you point out these things sayings its not secure so we can take a look..  There is a lot of FUD out there.. And then again your not running a DOD facility are you?  You stated its for your home use, etc.. So as long as you don't put your vmkern exposed to the public side there shouldn't be any issues at all.