Virtualized pfSense behind Physical pfSense



  • I have an environment with 2 WAN coming into a physical pfSense which serves few physical servers and virtual machines. Attached is a picture of 2 possible scenarios. First one All VMs connects to internet via physical pfSense acting as Gateway. 2nd scenario a pfSense VM acting as gateway. The requirement is each subnet should not be able to see each other at all should somebody in any subnet VM break out of the VM. Any suggestions/comments which one would be better all around?



  • As much as I prefer to run pfSense virtualized, I see no reason why you need a double-NAT configuration just for subnet isolation.



  • @KOM:

    As much as I prefer to run pfSense virtualized, I see no reason why you need a double-NAT configuration just for subnet isolation.

    Maybe I am over thinking this. But my thinking was to hide the actual IP info of the VMs from the edge firewall. I can port forward from the physical to virtual firewall WAN interface and from VM pfsense LAN to VMs. That way if the physical internet facing pfsense gets compromised they won't know the IPs of any VMs. Being too paranoid?



  • Being too paranoid?

    If they've already cracked your network by taking over a forwarded host, it's game over for that network.  They can easily discover other clients via probes.  If you have a front-facing server, put it on its own interface or VLAN and isolate it via firewall rules.  This is very easy to do virtualized.



  • I should have made it a little clearer in my earlier explanation. You just mentioned what I am really trying to achieve. I do use vLAN extensively. There are 7 vLANs right now on the network and physical pfsense is aware of all of them. So my thinking process was put all the vLAN interfaces on virtual pfsense and have physical pfsense only talk to the vm pfsense over a single LAN. That way physical pfsense has no info on any vLANs on the network. Am I thinking right?



  • @symmcom:

    Being too paranoid?

    Yes. The RFC1918 space isn't very large and can be scanned in a matter of minutes, so you can't really hide anything here.

    @symmcom:

    That way physical pfsense has no info on any vLANs on the network.

    And what is that supposed to do? If someone can take over the first pfSense instance then the second one won't be a problem either.



  • Looks like my plan not gaining any points here.  :D

    That's why I am asking the community. So if I am understanding it right, by creating a VM pfsense behind a physical one, I am only creating extra unnecessary micromanagement work. The physical pfsense will provide the same level of isolation whether it is with VLAN or not.
    So I should focus 100% on the physical pfsense and load up with packages such as pfblocker, suricata etc etc and pay very close attention to the rules. Correct?



  • by creating a VM pfsense behind a physical one, I am only creating extra unnecessary micromanagement work

    Yes.

    So I should focus 100% on the physical pfsense and load up with packages such as pfblocker, suricata etc etc and pay very close attention to the rules. Correct?

    That will work.  I still prefer a virtualized instance.  Snapshots can be a life-saver if an upgrade or package install goes wrong.



  • @KOM:

    I see no reason why you need a double-NAT configuration just for subnet isolation.

    I Do

    Scenario:- DMZ with public facing servers and a IPS/IDS solution integrated inside the DMZ to catch/block inbound connections before reaching the internal firewall

    :)



  • That's not double-NAT.  A double-NAT is two routers in a row that each perform address translation.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy