PfSense in VirtualBox



  • Hi.
    I'm thinking of running PfSense in VirtualBox inside Debian 9.
    It will function as the main firewall for the home network.
    The machine has an i5-7500, and Debian 9 will be used to host PfSense as well as run multimedia stuff and serve files on the local network.
    There's a Realtek NIC integrated on the motherboard that will be used by Debian only. There's also an i350 4-NIC card. Out of those 4 NICs, 2 will be assigned to PfSense as bridged interfaces, one for WAN, one for LAN.
    The LAN interface will connect to a 16-port unmanaged switch and will provide DHCP services for the home network. The WAN interface will connect to the cable modem and VPN service.
    Would this configuration work? Are there any security concerns with this configuration?
    I tried to run both PfSense and Debian 9 as VMs on ESXi, but I can't seem to be able to perform a proper GPU passthrough on this machine, so that is a no-go due to the multimedia stuff I need to run on it.



  • Hi,

    The scenario will work. Maybe it is not recommended if you think about your security, because virtualization adds an additional layer, so this will be an attack vector. Additionally, VirtualBox is designed for testing and some local development, not for use in production (but some people use it in production environments).

    So: if security is a priority, use a physical device. If you just need to "manage a friendly firewall", VirtualBox can be an option.

    I personally use pfSense in some specific scenarios with KVM.

    Regards.



  • How big of a security concern will this be compared to a bare metal install?
    Debian used is the stable version but there will be some packages that might present a risk; I will be running SMB shares, media server as well as acestream on it.
    I could run the VirtualBox VM containing PfSense under a different user than all the other stuff.



  • You are connecting your computer to the wild-west Internet, and then counting on Debian to not be vulnerable before it even gets to pfSense. Basically, you're introducing a HUGE attack vector by running it under a consumer OS. Just buy a cheap used PC or minipc and run it on that.



  • That's what I was afraid of.
    Is there a way to do PCI passthrough in VirtualBox like ESXi has? Is there another virtualization option in Debian that can do NIC passthrough? If there is, would it help to pass through the 4 NICs directly to PfSense? I am currently under the understanding that a NIC passthrough situation is identical security-wise to a bare metal install.
    This is not about trying to skimp on hardware, it's about consolidating things into one unit so as to cut down on clutter and the number of units running continuously.



  • No idea. While I use VB at home, it's just a simple pfSense test lab. I don't bother with passthrough for that role.



  • @veriqster said in PfSense in VirtualBox:

    This is not about trying to skimp on hardware, it's about consolidating things into one unit so as to cut down on clutter and the number of units running continuously.

    Then use a type 1 hypervisor like Proxmox or ESXi.



  • Tried using both ESXi and Proxmox. Both present the problem of not being able to properly pass through the integrated GPU, sound and such for using Debian as a multimedia center. Hence asking if the passthrough can be done under Debian itself.



  • @veriqster said in PfSense in VirtualBox:

    Is there another virtualization option in debian that can do NIC passthrough?

    Why not use KVM?

    @veriqster said in PfSense in VirtualBox:

    Both present the problem of not being able to properly passthrough the integrated GPU

    I'm not sure if that would work basically.



  • Maybe I did not express myself correctly, so let me dwell on it a little.

    Goal: running as many services as possible on one device.

    Options:
    Separate hardware: SMB server, Rsync server to back up SMB files, PfSense box, multimedia box to watch acestreams on TV - basically the opposite of what I'm trying to achieve.

    VM: One unit running everything other than Rsync so as to create hardware redundancy in order to prevent data loss while consolidating hardware usage.

    VM option 1: level 1 hypervisor with guest VMs for SMB, Debian, PfSense - problem with passing through the integrated GPU to Debian in order to maintain hardware-accelerated video decoding; could not find a solution for this, supposedly unRaid can do it but I'm not willing to spend the money just to give it a try.
    VM option 2: some other hypervisor that could run on/inside Debian, with VMs for SMB and PfSense inside it - the challenge is finding a hypervisor that would do the NIC PCIe passthrough so as to avoid exposing the host Debian to the internet and have PfSense filter everything first. Also, not being an expert on these matters, assuming I can find something that will do NIC passthrough, would that from a security point of view be identical or at least close to running bare metal?



  • So I managed to do a NIC card passthrough; the card is showing as using the vfio-pci module as its driver in Debian. Assuming I start using it as the main firewall, how much larger of an exposed footprint do I have compared to a bare metal install?
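    Seeing vfio-pci as the driver is only half of the check. With vfio, the unit of isolation is the IOMMU group, not the single PCI function: if a sibling port of the i350 sits in the same IOMMU group and is still bound to the host's igb driver, the group is not viable for passthrough and the host retains a DMA-capable device next to the one the firewall guest owns. The script below is an added example, not something posted in this thread; it reads the sysfs layout that the Linux kernel exposes (driver and iommu_group symlinks under bus/pci/devices) and takes the sysfs root as a parameter so it can be exercised against a constructed sample tree. The device addresses, group numbers and the "igb still bound" situation in the sample are constructed for illustration; on a real host you pass /sys and the real BDF.

```shell
#!/bin/sh
# Added example: check that a PCI NIC handed to the pfSense guest is bound to
# vfio-pci and that every other device in its IOMMU group is too, which is
# the condition vfio enforces before it lets a guest own the group.
# (PCI bridges, driver "pcieport", and unbound devices are accepted by vfio.)
# The sysfs root is a parameter (assumption) so the functions can be run
# against a constructed tree; on a real host pass /sys.

# pci_driver ROOT BDF -> name of the driver bound to BDF, or "none"
pci_driver() {
    link="$1/bus/pci/devices/$2/driver"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo "none"
    fi
}

# iommu_group_peers ROOT BDF -> the other devices in BDF's IOMMU group,
# one per line; prints nothing when BDF is alone in its group
iommu_group_peers() {
    group="$1/bus/pci/devices/$2/iommu_group"
    for dev in "$group"/devices/*; do
        [ -e "$dev" ] || continue
        name=$(basename "$dev")
        [ "$name" = "$2" ] || echo "$name"
    done
}

# passthrough_ok ROOT BDF -> returns 0 when BDF is on vfio-pci and its IOMMU
# group is viable; otherwise prints the reason and returns 1
passthrough_ok() {
    root="$1"; bdf="$2"
    if [ ! -L "$root/bus/pci/devices/$bdf/iommu_group" ]; then
        echo "$bdf: no IOMMU group (IOMMU disabled in firmware or kernel?)"
        return 1
    fi
    drv=$(pci_driver "$root" "$bdf")
    if [ "$drv" != "vfio-pci" ]; then
        echo "$bdf: bound to $drv, not vfio-pci"
        return 1
    fi
    status=0
    for peer in $(iommu_group_peers "$root" "$bdf"); do
        pdrv=$(pci_driver "$root" "$peer")
        case "$pdrv" in
            vfio-pci|pcieport|none) ;;
            *) echo "$bdf: IOMMU group peer $peer is still on host driver $pdrv"
               status=1 ;;
        esac
    done
    if [ "$status" -eq 0 ]; then
        echo "$bdf: bound to vfio-pci, IOMMU group viable"
    fi
    return "$status"
}

# build_sample_tree ROOT -> constructed sysfs-like tree (sample data, not a
# real host): an i350-style card whose function .0 is on vfio-pci while its
# sibling .1 is still on the host's igb driver in the same IOMMU group, plus
# function .2 alone in a group of its own
build_sample_tree() {
    root="$1"
    for spec in "0000:01:00.0 vfio-pci 12" "0000:01:00.1 igb 12" "0000:01:00.2 vfio-pci 13"; do
        set -- $spec   # $1=BDF  $2=driver  $3=IOMMU group number
        mkdir -p "$root/bus/pci/devices/$1" "$root/bus/pci/drivers/$2" \
                 "$root/kernel/iommu_groups/$3/devices"
        rm -f "$root/bus/pci/devices/$1/driver" "$root/bus/pci/devices/$1/iommu_group" \
              "$root/kernel/iommu_groups/$3/devices/$1"
        ln -s "$root/bus/pci/drivers/$2" "$root/bus/pci/devices/$1/driver"
        ln -s "$root/kernel/iommu_groups/$3" "$root/bus/pci/devices/$1/iommu_group"
        ln -s "$root/bus/pci/devices/$1" "$root/kernel/iommu_groups/$3/devices/$1"
    done
}

if [ -n "${1-}" ]; then
    passthrough_ok /sys "$1"              # real host: sh check_passthrough.sh 0000:01:00.0
else
    demo=$(mktemp -d)
    build_sample_tree "$demo"
    passthrough_ok "$demo" 0000:01:00.0 || true   # reports: peer .1 still on igb
    passthrough_ok "$demo" 0000:01:00.2           # reports: group viable
    rm -rf "$demo"
fi
```

    The practical consequence for the setup in this thread is that the two i350 ports kept for the host must not share an IOMMU group with the two given to the guest, or all four have to go to the guest; the group layout depends on the board's PCIe topology and ACS support, so run the check after binding rather than assuming per-port isolation.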



  • how much larger of an exposed footprint do I have compared to a bare metal install?

    How is anybody supposed to answer such a question? How would you even quantify that? Your attack surface needs to be as small as possible because you're trying to guard against unknown vulnerabilities in your platform. The more complex & comprehensive the platform, the more likely a vulnerability exists.

