Secondary (virtual) firewall for other services

  • I recently got an awesome server upgrade, and I now have the power to actually run virtual machines, so I wanted to set up a secondary firewall.  I have some questions that I couldn't really find answers to though, so I thought I'd ask.

    I am currently using an SG-1000 for my firewall, and it's a great little thing and low power, but it just gets choked up with everything I want it to do, and it's not even capable of using suricata at all.
    So what I would like to do is set up a 2nd firewall in a virtual machine on my server (running unraid).  The server has an additional 2 ethernet ports to use for this.

    What I'd like to do is use the SG-1000 inline with my modem like it currently is, then have the traffic pass through the 2nd firewall (or bypass it if it's down, or not, I'm not sure yet).  Then I'd like to consider moving pfblockerng onto the virtual machine or not, the extra power would be great, but then if it's down there's no adblocking and whatnot, although I suppose I would survive.  Not that my server should be down, but the other major consideration would be that if my server does go down currently, I can VPN into my network on my phone and reboot the server (idrac is awesome!), but if it can't bypass the 2nd firewall if it's down then I can't get to idrac to reboot it and will need to get home to do it.  It does run OK with pfblockerng currently, maybe the webgui is just horrendously slow normally on it.

    What I want to do for sure with it is run suricata on it since I can give it cores and RAM and it won't crash the sg-1000 or bring down the network.  Possibly run a freeradius server on it as well since I have the power but don't need a separate AD server.

    So is this possible?  Would it be dumb even if it is possible?  Or would it actually work like I hope?
    I don't really need a redundant setup since I don't have a backup connection or a 2nd port out of my modem or anything.
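One way to get the "bypass it if it's down" behaviour described in the post is a small watchdog on the LAN side that normally routes through the virtual pfSense VM and repoints the default route at the SG-1000 when the VM stops answering. The example below is added here and is not code from the original post or from pfSense; the two gateway addresses, the choice of the web GUI port as the probe target, and the failure/recovery thresholds are assumptions. It uses hysteresis (several consecutive failures before failing over, more consecutive successes before failing back) so a single lost probe does not flap the route. It also illustrates the constraint the post raises about iDRAC: a fallback like this only helps hosts that have a path to the SG-1000 that does not pass through the VM, so the management interface you need to reboot the server would have to sit on the SG-1000's segment, not behind the VM.

```python
"""Gateway failover watchdog with hysteresis.

Added example, not from the forum post.  Models a LAN host that prefers the
virtual pfSense VM as its default gateway and falls back to the SG-1000 when
the VM stops responding.  Addresses, the probe port and thresholds are
assumptions; changing routes requires root.
"""
import socket
import subprocess
import time
from dataclasses import dataclass, field

PRIMARY_GW = "192.168.2.1"    # assumed: virtual pfSense VM (inner firewall)
FALLBACK_GW = "192.168.1.1"   # assumed: SG-1000 LAN address
PROBE_PORT = 443              # assumed: pfSense web GUI listening on HTTPS
FAIL_THRESHOLD = 3            # consecutive failed probes before failing over
RECOVER_THRESHOLD = 5         # consecutive good probes before failing back
INTERVAL_SECONDS = 5


def tcp_probe(host, port=PROBE_PORT, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Failover:
    """Tracks consecutive probe results and decides which gateway is active."""
    active: str = PRIMARY_GW
    fails: int = 0
    successes: int = 0
    transitions: list = field(default_factory=list)  # history of switches

    def observe(self, primary_up):
        """Feed one probe result for the primary; return the gateway to use."""
        if primary_up:
            self.fails = 0
            self.successes += 1
            if self.active == FALLBACK_GW and self.successes >= RECOVER_THRESHOLD:
                self.active = PRIMARY_GW
                self.transitions.append(PRIMARY_GW)
        else:
            self.successes = 0
            self.fails += 1
            if self.active == PRIMARY_GW and self.fails >= FAIL_THRESHOLD:
                self.active = FALLBACK_GW
                self.transitions.append(FALLBACK_GW)
        return self.active


def route_command(gateway):
    """iproute2 command that repoints the default route (Linux hosts)."""
    return ["ip", "route", "replace", "default", "via", gateway]


def run_sequence(results):
    """Replay a list of probe outcomes through a fresh Failover (for testing)."""
    fo = Failover()
    for up in results:
        fo.observe(up)
    return fo


if __name__ == "__main__":
    fo = Failover()
    while True:
        before = fo.active
        after = fo.observe(tcp_probe(PRIMARY_GW))
        if after != before:
            print("switching default gateway to", after)
            subprocess.run(route_command(after), check=False)
        time.sleep(INTERVAL_SECONDS)
```

Run it as root on a LAN host (or adapt `route_command` for the OS in use); the `Failover` class is kept separate from the probe so the decision logic can be exercised without network access.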

  • I guess no one has attempted to set anything like this up before?  I have some time this week so I may attempt it, but I am not sure I'll have any idea what I'm doing.
