Using a pfSense VM in the cloud to manage Internet traffic of another VM in the cloud



  • I have 2 hosted VMs in the cloud. Would it be possible for the pfSense VM to filter all Internet traffic to and from the second VM? Sorry for the newb question, quite new to this. Both VMs are on the same IP range and subnet, as I host them both at the same provider. Both have only one Ethernet adaptor.


  • Netgate Administrator

    Yes but it would be ugly and not very secure.

    Where are they hosted that only allows one NIC?

    Steve



  • Well, it is a project in the making. I can add multiple NICs if the need arises. I just have no idea where to start or if the scenario is possible and effective.


  • Netgate Administrator

    OK, well in general it can work and be effective. Hard to get more specific without more info.

    You really want to have two subnets though with the pfSense VM having a NIC in both and routing/filtering traffic between them.

    Steve



  • I do this with great success at OVH. I have 6 dedicated servers with 3-10 VMs sitting behind virtual pfSense. I use Hyper-V and have no issues. I even use it to host the domain controllers and file servers for several companies with point-to-point IPsec to the remote offices for access. The only issue I have run into is I sometimes have to rebuild the firewall rather than doing an upgrade, but then I easily just restore the config. OVH is the best location for this!

    If you want to take it to the next level you can install pfSense directly on the host machine and then use the vRack to connect the VM host machine to the firewall for access to the Internet via the dedicated pfSense machine!



  • Very interesting discussion here, I'm ready to learn!



  • What is also very cool is you can take a snapshot of the firewall and upgrade, and in the event of failure you can just revert.

    In some instances I replicate the firewall VM and the other VMs to another host (5 minute interval of replication). In OVH, because failover IPs can be moved between systems, it just requires a few tweaks to get it operational again.

    (Make sure your vSwitches in the other host match the original host before beginning.)

    1. Fail machines over to other host.
    2. Remove MAC addresses from FO IPs.
    3. Move FO IPs to new host.
    4. Generate new MAC for FO IPs.
    5. WAN adapter in pfSense on new host: manually assign FO IP MAC address to NIC (this is the pfSense WAN IP).
    6. Modify shellcmds to use new gateway IP assigned to host network adapter.

    I think that is it, though you may need to go into routing. WAN IP stays the same and all my VPNs come back up.
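As an added example that is not part of the post above, the following POSIX shell script renders the pfSense-side commands for steps 5 and 6 of that procedure: re-attach the failover IP's MAC to the WAN NIC and re-point the default route at the new host's gateway. It assumes (constructed, not stated in the thread) that the Hyper-V NIC appears in FreeBSD as hn0, that the failover IP is a /32 whose gateway sits outside that subnet so an interface route to the gateway is needed first, and that the MAC has already been generated in the hosting panel. The script validates its inputs and prints the commands rather than executing them, so they can be reviewed and then placed in a shellcmd entry.

```shell
#!/bin/sh
# Added example (not from the thread): build the FreeBSD/pfSense commands for
# steps 5 and 6 of the failover-IP move. Assumptions are constructed:
#   - the Hyper-V NIC is hn0 inside pfSense
#   - the failover IP is a /32 whose gateway lies outside its subnet, so the
#     gateway needs an interface route before it can be the default gateway
#   - the MAC was generated for this failover IP in the hosting panel
# Commands are printed, not run; review them, then use them in a shellcmd.

# Validate a dotted-quad IPv4 address (each octet 0-255); returns 1 otherwise.
is_valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # split on dots in a subshell so IFS is not disturbed for the caller
    ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# Validate a colon-separated MAC and require a unicast address: the low bit of
# the first octet set would mean multicast, which no NIC may use as its own MAC.
is_valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    case "${1%%:*}" in
        ?[02468aAcCeE]) return 0 ;;
        *) return 1 ;;
    esac
}

# failover_cmds IFACE MAC FAILOVER_IP GATEWAY
# Prints, in order: set the NIC's MAC (step 5), add the interface route to the
# off-subnet gateway, then switch the default route to it (step 6).
failover_cmds() {
    iface=$1 mac=$2 fo_ip=$3 gw=$4
    is_valid_mac "$mac"    || { echo "bad MAC: $mac" >&2; return 1; }
    is_valid_ipv4 "$fo_ip" || { echo "bad failover IP: $fo_ip" >&2; return 1; }
    is_valid_ipv4 "$gw"    || { echo "bad gateway: $gw" >&2; return 1; }
    printf 'ifconfig %s ether %s\n' "$iface" "$mac"
    printf 'route add -host %s -iface %s\n' "$gw" "$iface"
    printf 'route change default %s\n' "$gw"
}

# Constructed sample values (documentation ranges, not real OVH addresses).
failover_cmds hn0 02:00:00:12:34:56 203.0.113.10 198.51.100.254
```

The failover IP itself is deliberately not reassigned here: as the post says, the WAN IP stays the same and pfSense already carries it in its configuration; only the MAC and the gateway change when the VM lands on a different host.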



  • Thanks for all the info! Guess I'm going on a steep learning curve here ;D ;D ;D



  • Hi kapara,
    could you be more specific for your statement: "If you want to take it to the next level you can install pfSense directly on the host machine...."
    Do you mean installing pfSense directly on a physical machine? Is this feasible when using OVH vRack?

    thanks

    Stephane