DMZ for VMs with VM pfSense



  • Hello,

    First of all, I'm using CentOS 7 as the host of the VMs.

    I'm struggling with how to configure the 3rd network interface (virtual?) for the VM pfSense and for the VMs to put in the DMZ.

    My server has 2 physical NICs; here is my setup for now:

    Internet - ISP router with NAT ON - 192.168../24 WAN - NIC1 passthrough(macvtap) - VM-pfSense - NIC2 bridge(br0) - LAN - 10.... - VM's + Desktop + other devices OK

    What I wanted, for security reasons, is to NAT (http / https / other services) in the ISP router -> VM pfSense -> DMZ

    My issue is configuring the network interface between the VM-pfSense and the DMZ so I can add the same network interface to the VMs I want in the DMZ zone.

    I've tried to create a virtual network with NAT to all devices. It worked, but the VM in the DMZ zone "talked" with the VM in the LAN (no rules/NAT in the DMZ). I don't want that.

    Can anyone help me or give me other opinions (how to do it, or whether I really need to do it for home server use)?

    Thanks in advance
    Ivan


  • Rebel Alliance Global Moderator

    @luckyzor said in DMZ for VMs with VM pfSense:

    What I wanted, for security reasons, is to NAT (http / https / other services) in the ISP router -> VM pfSense -> DMZ

    Huh??

    Your ISP is already NATting... So using pfSense behind this is a double NAT.. That is not any more secure than your first NAT.. You want to put your "dmz" stuff behind pfSense and prevent it from talking to your normal network is my guess..

    Why do you need this 3rd network? You want something like this right?

    0_1541588894241_setup.png

    Where your VMs running on your host cannot talk to 192.168.1/24, and you forward traffic on your ISP router to 192.168.1.100 (pf WAN IP) and then forward to 192.168.2.X, your different VMs on pfSense.

    If not then please draw up what you're wanting to accomplish.

    BTW I would NOT do it that way... I would put everything behind pfSense, both your physical network and your VM network(s), but hey that's just me..



  • @johnpoz said in DMZ for VMs with VM pfSense:

    I would put everything behind pfSense, both your physical network and your VM network(s), but hey that's just me..

    Nope it's me too. ;-)

    -Rico



  • @luckyzor said in DMZ for VMs with VM pfSense:

    I've tried to create a virtual-network with NAT to all devices

    You have to create an isolated network instead. The NAT network bypasses your DMZ devices to the LAN.



  • @johnpoz

    This is what I have for now:

    0_1541594905584_f45fdf7d-91e9-48d6-8c10-f6b741d34f9d-image.png

    And I wanted to isolate the VM-http, something like that:

    0_1541595196154_92f62cbd-cff4-4a74-ba30-69e9194ceba4-image.png

    About the NAT: isn't it better to NAT in the ISP router than only in the VM-pfSense?

    Thanks for your help


  • Rebel Alliance Global Moderator

    Well then you're just creating another network and/or VLAN in pfSense on your VM host; it's going to NAT that automatically just like it does for your 192.168.2 network. There is no reason for another NIC - a vNIC sure, connect it to your vSwitch in your VM software. Can connect your VMs to that vSwitch.



  • @johnpoz said in DMZ for VMs with VM pfSense:

    Well then you're just creating another network and/or VLAN in pfSense on your VM host; it's going to NAT that automatically just like it does for your 192.168.2 network. There is no reason for another NIC - a vNIC sure, connect it to your vSwitch in your VM software. Can connect your VMs to that vSwitch.

    My question is: what network should I create?
    Should I create it in virt-manager? If yes, what? A virtual network (which?)? A network interface (which?)?
    Should I create a VLAN in pfSense? (Any tips on how to do it?)

    Which is better?

    Can you give your personal opinion about my diagram? Just to know if something should change.

    Thanks


  • Rebel Alliance Global Moderator

    What are you using for VM software - saying you use CentOS doesn't tell me what you're running for VMs.. Is it VirtualBox, OpenVZ, Xen, KVM, Linux-VServer, Bochs? UML?

    If you want a VM host - for starters I would just be using type 1 vs 2.. Say ESXi



  • @johnpoz said in DMZ for VMs with VM pfSense:

    What are you using for VM software - saying you use CentOS doesn't tell me what you're running for VMs.. Is it VirtualBox, OpenVZ, Xen, KVM, Linux-VServer, Bochs? UML?

    If you want a VM host - for starters I would just be using type 1 vs 2.. Say ESXi

    I'm using KVM/QEMU.


  • Rebel Alliance Global Moderator

    Well then RTFM on how to create a VM network and attach it to a VM... That has zero to do with pfSense at all..

    If I used KVM then I would be happy to point you to how to do it - but other than maybe on some VPS I have never used it.. I could fire it up I guess but have zero need currently.. Sorry.

    If you switch over to say type one running ESXi then I'd be happy to help. Or running Virtual Machines on a Synology NAS, could point out exactly how to do it, which is what I am currently using and playing with.



  • @luckyzor
    I've already tried to tell you to add an "isolated network".
    Add a new virtual network in the VMM, enter DMZ in the network name box, no DHCP (if needed, this can be done by pfSense), no routes, check "isolated virtual network".

    Then add a NIC to pfSense, connect it to this network and configure it in pfSense. Also connect the virtual NICs of the other DMZ VMs to it.



  • @viragomann I've done that but no internet access with the VM in the DMZ.

    Maybe this needs more configuration in pfSense... Can you give me some clue? Thanks a lot

    @johnpoz I've already thought about changing to ESXi but I need to buy a license, and I already have all my VMs in KVM. One day maybe :)



  • @luckyzor said in DMZ for VMs with VM pfSense:

    I've already thought about changing to ESXi but I need to buy a license

    Depends on your feature needs; there is a free ESXi license. You can't run vCenter with the free one and some other stuff is missing, you just need to check.

    -Rico



  • @luckyzor said in DMZ for VMs with VM pfSense:

    Maybe this needs more configuration in pfSense... Can you give me some clue? Thanks a lot

    https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html I guess you forgot to add rules to your new interface in pfSense. Hard to say unless you provide some more details.



  • @luckyzor said in DMZ for VMs with VM pfSense:

    Maybe this needs more configuration in pfSense... Can you give me some clue?

    pfSense only permits access on LAN devices by default; on other interfaces you added yourself, you also have to add filter rules to permit access to connected devices.

    Go to Firewall > Rules > DMZ and add a pass rule allowing any from any source to any for testing. Restrict access later.



  • @grimson said in DMZ for VMs with VM pfSense:

    @luckyzor said in DMZ for VMs with VM pfSense:

    Maybe this needs more configuration in pfSense... Can you give me some clue? Thanks a lot

    https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html I guess you forgot to add rules to your new interface in pfSense. Hard to say unless you provide some more details.

    I've added the network interfaces, created the DMZ interface:
    0_1541602797254_e575f400-3c42-40ec-aecb-a695af0e17b0-image.png

    Now my VM in the DMZ can ping my LAN but can't ping my WAN.
    I tried to block from DMZ to LAN and it doesn't work:
    0_1541603039683_378b0848-c61d-4aae-88b4-7e1362477d2c-image.png

    What I want:
    DMZ can't see LAN devices
    LAN devices can see DMZ

    DMZ can see and be seen by WAN

    Can I access the DMZ by hostname from the LAN interface?

    Thanks for your help. I really appreciate it.



  • Start reading here: https://www.netgate.com/docs/pfsense/book/firewall/index.html - the rule you posted above shows pretty clearly that you lack the basics of how a firewall works.



  • @viragomann said in DMZ for VMs with VM pfSense:

    @luckyzor said in DMZ for VMs with VM pfSense:

    Maybe this needs more configuration in pfSense... Can you give me some clue?

    pfSense only permits access on LAN devices by default; on other interfaces you added yourself, you also have to add filter rules to permit access to connected devices.

    Go to Firewall > Rules > DMZ and add a pass rule allowing any from any source to any for testing. Restrict access later.

    Can't access the internet with that rule:
    0_1541603339877_f4987f98-56de-4a11-903c-0009bc4881a6-image.png
    0_1541603402207_5dad9b9a-94d7-4490-9958-dcc2f461b7e8-image.png



  • Your rule allows TCP only! Ping needs ICMP.



  • @viragomann said in DMZ for VMs with VM pfSense:

    Your rule allows TCP only! Ping needs ICMP.

    0_1541663321652_589b3071-c434-4d90-86dd-0f11bb31fc67-image.png

    Still the same.

    @Grimson I will read what you sent me and try to understand this.

    I'm facing a more "urgent" problem and I hope to be guided on how to troubleshoot this so I can try to fix it.
    Everything works (not the DMZ, but that is not urgent) as expected with my host and other VMs on the LAN side.
    For the first time I plugged a switch into the LAN physical interface and my desktop into the switch.
    Unfortunately, I can't get an IP from the DHCP; I tried to set an IP manually and nothing.
    I don't know where to start checking where the problem is.

    I really need some help with this. Hope you can help me. Thanks in advance


  • Rebel Alliance Global Moderator

    @luckyzor said in DMZ for VMs with VM pfSense:

    Unfortunately, I can't get IP from the DHCP

    Then you have a layer 2 problem.. Or you did not enable DHCP on that interface..



  • @johnpoz said in DMZ for VMs with VM pfSense:

    @luckyzor said in DMZ for VMs with VM pfSense:

    Unfortunately, I can't get IP from the DHCP

    Then you have a layer 2 problem.. Or you did not enable DHCP on that interface..

    I found the problem. I don't know why, but my configuration file for the 2nd NIC disappeared.
    I created a new one. Restarting the network solved it.

    Now I'm back to the DMZ zone:
    I created the isolated VN as @viragomann said.
    When I add this interface as OPT in pfSense with no rules, I have access to the LAN net.
    I started to go to Rules -> DMZ -> Create Rule.
    Created a rule to block everything. Surprise, I still have access from the LAN net to the DMZ and vice versa. Is it normal?

    Thanks for your help



  • No, an isolated network has no connection to anywhere as long as there is no device connected to it which passes the traffic.

    If you can't find the leak, use traceroute to investigate which node lets the packets pass to the LAN.



  • @viragomann said in DMZ for VMs with VM pfSense:

    No, an isolated network has no connection to anywhere as long as there is no device connected to it which passes the traffic.

    If you can't find the leak, use traceroute to investigate which node lets the packets pass to the LAN.

    @viragomann I created the vDMZ (isolated / no DHCP / IP 192.168.2.0/24)

    Attached this network to the VM-http and the VM-pfSense.

    Created the DMZ interface with the vDMZ.

    Up to here, is this what I need to do in KVM?



  • The vDMZ must also have no static routes activated. Apart from that, it should be fine.



  • @viragomann said in DMZ for VMs with VM pfSense:

    The vDMZ must also have no static routes activated. Apart from that, it should be fine.

    I've just added the vDMZ to the VM-http and I can ping the host and the host can ping the VM. How can I block this?



  • Can you also ping the host if you disconnect the pfSense from vDMZ in VMM?



  • @viragomann said in DMZ for VMs with VM pfSense:

    Can you also ping the host if you disconnect the pfSense from vDMZ in VMM?

    Yes, the vDMZ is not added to the VM-pfSense.
    So the problem is in the host machine I guess, but I don't know what to do.



  • @luckyzor said in DMZ for VMs with VM pfSense:

    @viragomann said in DMZ for VMs with VM pfSense:

    Can you also ping the host if you disconnect the pfSense from vDMZ in VMM?

    Yes, the vDMZ is not added to the VM-pfSense.
    So the problem is in the host machine I guess, but I don't know what to do.

    I found this route in the host:
    192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0

    I deleted it and now ping doesn't work anymore. Is this the solution? Thanks for the help



  • That route should have no effect, since there is no router specified. It only defines the network on virbr0 (vDMZ?).



  • @viragomann said in DMZ for VMs with VM pfSense:

    That route should have no effect, since there is no router specified. It only defines the network on virbr0 (vDMZ?).

    Yes, virbr0 is the vDMZ; apparently this route is automatically created when creating the vDMZ with virt-manager.

    After deleting this rule, everything works perfectly.

    One last question about rules in pfSense:
    Is this a good way to configure the rules?
    0_1541685047279_232516f5-d609-42d2-9e75-065bff1d234a-image.png

    thanks a lot for your help



  • If you enter a network when creating a virtual isolated network in VMM, the host automatically gets the first IP out of it. So if you want to isolate the vNet from the host as well, don't set a network.

    I usually add an alias including all RFC1918 networks to block devices from any internal access.
    Consider that you will need an additional pass rule to allow access to pfSense itself if you use it as the DNS server for the DMZ.
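The two libvirt pitfalls this thread ran into (a NAT virtual network that reaches the LAN, and an "isolated" network with an address entered, which puts the host on the DMZ and creates the virbr0 route seen above) can be checked in the network XML that virt-manager writes. This is an added example, not code from the thread, libvirt or pfSense; the element names are libvirt's network schema, the sample definitions are constructed, and the network/bridge names are placeholders.

```python
"""Lint a libvirt network definition (e.g. `virsh net-dumpxml <name>` output)
for anything that lets DMZ traffic bypass pfSense: a <forward> element means the
host NATs/routes it, an <ip> element gives the host an address on the DMZ (and
the matching route), <dhcp> and <route> make the host serve the DMZ itself."""
import xml.etree.ElementTree as ET


def lint_dmz_network(xml_text: str) -> list:
    """Return the reasons this network is NOT an isolated, pfSense-only DMZ."""
    net = ET.fromstring(xml_text)
    problems = []
    fwd = net.find("forward")
    if fwd is not None:  # libvirt assumes mode='nat' when mode is omitted
        problems.append(f"forward mode={fwd.get('mode', 'nat')!r}: "
                        "host routes/NATs DMZ traffic around pfSense")
    for ip in net.findall("ip"):
        problems.append(f"ip {ip.get('address')}: host joins the DMZ with this "
                        "address and adds a route for the network")
        if ip.find("dhcp") is not None:
            problems.append("dhcp: the host's dnsmasq would hand out leases; "
                            "let pfSense do DHCP instead")
    if net.findall("route"):
        problems.append("route: static routes make the host forward for the DMZ")
    return problems


def isolated_dmz_xml(name: str = "vDMZ", bridge: str = "virbr-dmz") -> str:
    """Definition for `virsh net-define`: a bridge with no forward, ip or dhcp."""
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    ET.SubElement(net, "bridge", name=bridge, stp="on", delay="0")
    return ET.tostring(net, encoding="unicode")


# Constructed sample: the shape of virt-manager's default NAT network.
NAT_NET = """<network><name>default</name><forward mode='nat'/>
<bridge name='virbr0'/><ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp></ip></network>"""

# Constructed sample: "isolated" ticked, but a network (192.168.2.0/24) entered.
ISOLATED_WITH_IP = """<network><name>vDMZ</name><bridge name='virbr1'/>
<ip address='192.168.2.1' netmask='255.255.255.0'/></network>"""

if __name__ == "__main__":
    for label, xml in (("default", NAT_NET), ("vDMZ", ISOLATED_WITH_IP),
                       ("generated", isolated_dmz_xml())):
        print(label, lint_dmz_network(xml) or "OK: pfSense is the only way out")
```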
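pfSense evaluates an interface's rules top to bottom, first match wins, which is why the pass rule for DNS to the firewall itself has to sit above the RFC1918 block. The following added example (not pfSense code, not from the thread) replays that ordering with the DMZ net 192.168.2.0/24 from the thread; the pfSense DMZ address 192.168.2.1, the LAN host 10.0.0.5 and the sample flows are constructed.

```python
"""First-match evaluation of a DMZ rule set: pass DNS to pfSense, block the
RFC1918 alias, pass everything else. Rule objects only model the fields needed
here (pfSense rules also carry source, direction, state options, etc.)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # the alias
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
DMZ_ADDRESS = ipaddress.ip_address("192.168.2.1")  # pfSense's own DMZ address


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    proto: Optional[str] = None      # None matches any protocol
    dst: Optional[list] = None       # networks/addresses; None matches any
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, proto, src, dst, dport) -> bool:
        if src not in DMZ_NET:       # every rule here: source "DMZ net"
            return False
        if self.proto and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst is not None and not any(
                dst == n if isinstance(n, ipaddress.IPv4Address) else dst in n
                for n in self.dst):
            return False
        return True


def evaluate(rules, proto, src, dst, dport=None) -> str:
    """Action of the first matching rule; pfSense's implicit default is block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "block"


# Order suggested in the thread: DNS to pfSense first, then the alias block.
DMZ_RULES = [
    Rule("pass", "udp", [DMZ_ADDRESS], 53),
    Rule("block", None, RFC1918),
    Rule("pass"),
]
# Same three rules with the block on top: the DMZ loses DNS as well.
WRONG_ORDER = [DMZ_RULES[1], DMZ_RULES[0], DMZ_RULES[2]]
```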