PfSense in VirtualBox



  • Hi.
    I'm thinking of running PfSense in VirtualBox inside Debian 9.
    It will function as the main firewall for the home network.
    The machine has an i5-7500 and Debian 9 will be used to host PfSense as well as run multimedia stuff and serve files on the local network.
    There's a Realtek NIC integrated on the motherboard that will be used by Debian only. There's also an i350 4 NIC card. Out of those 4 NICs 2 will be assigned to PfSense as bridged interfaces, one for WAN, one for LAN.
    LAN interface will connect to a 16 port unmanaged switch and will provide DHCP services for the home network. WAN interface will connect to cable modem and VPN service.
    Would this configuration work? Are there any security concerns with this configuration?
    I tried to run both PfSense and Debian 9 as VMs on ESXi but I can't seem to be able to perform a proper GPU passthrough on this machine, so that is a no go due to the multimedia stuff I need to run on it.



  • Hi,

    The scenario will work. It may not be recommended if you think about your security, because virtualization adds an additional layer, so this will be an attack vector. Additionally, VirtualBox is designed for testing and some local development, not for use in production (but some people use it in production environments).

    So: if security is a priority, use a physical device. If you just need to "manage a friendly firewall", VirtualBox can be an option.

    I personally use pfsense in some specific scenarios with KVM.

    regards.



  • How big of a security concern will this be compared to a bare metal install?
    Debian used is the stable version but there will be some packages that might present a risk; I will be running SMB shares, media server as well as acestream on it.
    I could run the virtual box containing PfSense under a different user than all the other stuff.



  • You are connecting your computer to the wild-west Internet, and then counting on Debian to not be vulnerable before it even gets to pfSense. Basically, you're introducing a HUGE attack vector by running it under a consumer OS. Just buy a cheap used PC or minipc and run it on that.



  • That's what I was afraid of.
    Is there a way to do PCI passthrough in VirtualBox like ESXi has? Is there another virtualization option in debian that can do NIC passthrough? If there is, would it help to passthrough the 4 nics directly to PfSense? I am currently under the understanding that a NIC passthrough situation is identical security wise to a bare metal install.
    This is not about trying to skimp on hardware, it's about consolidating things into one unit as to cut down on clutter and number of units running continuously.



  • No idea. While I use VB at home, it's just a simple pfSense test lab. I don't bother with passthrough for that role.


  • @veriqster said in PfSense in VirtualBox:

    This is not about trying to skimp on hardware, it's about consolidating things into one unit as to cut down on clutter and number of units running continuously.

    Then use a type 1 hypervisor like Proxmox or ESXi.



  • Tried using both ESXi and Proxmox. Both present the problem of not being able to properly passthrough the integrated GPU, sound and such for using Debian as a multimedia center. Hence asking if the passthrough can be done under Debian itself.



  • @veriqster said in PfSense in VirtualBox:

    Is there another virtualization option in debian that can do NIC passthrough?

    Why not use KVM?

    @veriqster said in PfSense in VirtualBox:

    Both present the problem of not being able to properly passthrough the integrated GPU

    I'm not sure if that would work basically.



  • Maybe I did not express myself correctly so let me dwell on it a little.

    Goal: running as many services as possible on one device.

    Options:
    Separate hardware: SMB server, Rsync server to backup SMB files, PfSense Box, Multimedia Box to watch acestreams on TV - basically the opposite of what I'm trying to achieve.

    VM: One unit running everything other than Rsync as to create hardware redundancy in order to prevent data loss while consolidating hardware usage.

    VM option 1: level 1 hypervisor with guest VM machines for SMB, Debian, PfSense - problem with passing through the integrated GPU to Debian in order to maintain hardware accelerated video decoding; could not find a solution for this, supposedly unRaid can do it but I'm not willing to spend the money just to give it a try.
    VM option 2: some other hypervisor that could run on/inside Debian and VM for SMB and PfSense inside it - challenge is finding a hypervisor that would do the NIC PCIe passthrough as to avoid exposing the host Debian to the internet and have the PfSense filter everything first. Also, not being an expert on these matters, assuming I can find something that will do NIC passthrough, would that from a security point of view be identical or at least close to running bare metal?



  • So I managed to do a NIC card passthrough; the card is showing as using the vfio-pci module as its driver in Debian. Assuming I start using it as the main firewall, how much larger of an exposed footprint do I have compared to a bare metal install?



  • how much larger of an exposed footprint do I have compared to a bare metal install?

    How is anybody supposed to answer such a question? How would you even quantify that? Your attack surface needs to be as small as possible because you're trying to guard against unknown vulnerabilities in your platform. The more complex & comprehensive the platform, the more likely a vulnerability exists.



  • Good morning, all. I hope this isn't considered "hijacking" this thread, as this post is intended as a continuation of the existing discussion.

    I'm doing something similar to veriqster; running pfSense as a VirtualBox VM on (in my case) Kubuntu 19.04 as the VirtualBox host. I understand at least some of the security concerns with doing this, so consider this:

    The host machine (Kubuntu 19.04) gets its IP address via DHCP in the range 10.1.10.0/24 from a Comcast cable modem / router.

    The WAN side of the pfSense VM also gets its IP address via DHCP (same range, same source).

    The only static, publicly-visible IPs are on the LAN side of the firewall, accessed via IP Aliasing and port forwarding (which I'm having a huge amount of trouble and basically zero success getting to work, but that's a different thread in a different subforum on this forum).

    Since neither the host machine nor the WAN side of the firewall are publicly visible, do I still have security concerns including what has been mentioned in this thread, concerns that wouldn't be present if I ran pfSense on a separate box?



  • Most likely not. If you're just playing around in a test lab then I wouldn't worry about it at all. If you're trying to run pfSense as your fulltime firewall via Vbox VM then your exposure increases.



  • So I tried both Debian and ESXi 6.7.
    On both it is possible to do a PCI passthrough of the network cards.
    Both run pretty much the same, I don't think there's much of a difference in the resources they use.
    Using Debian I can still use my PC as a media station / media server on the LAN. I could also install a few other things and have some LAN or WAN servers on it but I've never got to it.
    Running ESXI I can have a web server, a file server and my own mail server (a long time obsession of mine) but I cannot use the unit for displaying any media to a TV / Monitor.

    The issue with Debian is that it is set for automatic security updates (normal in my mind) and a couple of times already it rebooted on its own and the VM does not come back up due to various issues; in the last incident it was something related to the display adapter for the VM.

    ESXi on the other hand comes back up reliably, autostarts the VMs just fine but I lose the GPU basically.

    Bottom line, there's no happy medium.

    In another order of ideas, what is the difference security wise in running a bare metal hypervisor like ESXi compared to libvirt in Debian; all under the assumption that the network cards are being passed through and not bridged. It is my understanding that in a PCI passthrough situation the hardware is passed through with no underlying hypervisor interaction, so in order to compromise anything one would have to exploit a firmware vulnerability in the NIC or a software vulnerability in the PfSense / OPNSense itself before getting to the host in any way.
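
As an added illustration (not written by any poster in this thread): a shell check, run on the Debian host, that each passed-through NIC function is bound to vfio-pci and that no other endpoint in its IOMMU group is still owned by a host driver. The PCI addresses in the usage comment are placeholders, and skipping PCI bridges that share the group is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit a passed-through NIC's vfio-pci binding and IOMMU group.
# SYSFS_PCI can be overridden to run the check against a constructed tree.
SYSFS_PCI="${SYSFS_PCI:-/sys/bus/pci/devices}"

# Print the name of the driver bound to a PCI function, or "none".
pci_driver() {
    if [ -L "$SYSFS_PCI/$1/driver" ]; then
        basename "$(readlink "$SYSFS_PCI/$1/driver")"
    else
        echo none
    fi
}

# Return 0 if the function is bound to vfio-pci and every other endpoint in
# its IOMMU group is bound to vfio-pci or unbound; 1 if not; 2 if no group.
# Assumption: PCI bridges (class 0x0604xx) in the group are skipped.
check_passthrough() {
    dev="$1"; rc=0
    if [ ! -d "$SYSFS_PCI/$dev/iommu_group/devices" ]; then
        echo "$dev: no IOMMU group (IOMMU disabled?)"; return 2
    fi
    drv=$(pci_driver "$dev")
    if [ "$drv" != "vfio-pci" ]; then
        echo "$dev: bound to '$drv', a host driver still owns it"; rc=1
    fi
    for peer in "$SYSFS_PCI/$dev/iommu_group/devices"/*; do
        p=$(basename "$peer")
        [ "$p" = "$dev" ] && continue
        case "$(cat "$SYSFS_PCI/$p/class" 2>/dev/null)" in 0x0604*) continue ;; esac
        pdrv=$(pci_driver "$p")
        case "$pdrv" in
            vfio-pci|none) ;;
            *) echo "$dev: shares IOMMU group with $p (driver $pdrv)"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "$dev: isolated, bound to vfio-pci"
    return "$rc"
}

# Usage: sh check.sh 0000:01:00.0 0000:01:00.1   (placeholder addresses)
for d in "$@"; do check_passthrough "$d"; done
```

A non-zero result for any function of the WAN or LAN port means the host kernel still has a driver attached to hardware in that isolation group.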

