Use a public virtual IP for a second test pfSense firewall instance virtually
-
I’m running a physical pfSense 2.7.2 and I have multiple public IPs. I want to set up another pfSense firewall in VMware for testing, using one of those public / virtual IPs on an interface, or rather a VLAN if possible, and use it as if it’s passing through the virtual IP as if it’s the ISP, not passing through any rules on my first pfSense firewall. How can I set this up? What is it best to go with? Is it best to use a physical port out of my original router? If there are suggestions on how to set this up another way that would be easier, please let me know. Any help or suggestions are definitely greatly appreciated.
-
-
Basically you have two options.
1. Forward traffic from a VIP on the physical box WAN interface to some internal IP that the test VM is using. You can use a 1:1 NAT rule and a pass all firewall rule to pass all traffic to it. The same way a DMZ or forwarding mode works on SOHO routers.
2. Bridge the WAN to a VLAN that the test VM is on such that it's in the same layer 2. Then you can use the public IP directly on the test VM WAN interface. However bridging is a relatively advanced setup that can introduce other issues.
If you're lucky you might have a third option. If the ISP is routing the additional public IPs to you via a separate WAN in a different subnet, you can just route that traffic to the VLAN interface directly.
https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html
Steve
-
I do not have my virtual IPs set up from a CIDR block. They are each individually put in as a virtual IP. What risks do I take bridging WAN to VLAN? Does this introduce any new vulnerabilities? Would it be better using a DMZ? However, then I would be double NATed? Is that correct? I want to avoid that.
-
So the IPs are not in a single subnet?
The pfSense VM would be single NAT'd. Other VMs behind it would be double NAT'd. That's not normally an issue though. Almost everything works fine through double NAT. UPnP will fail, but I'd argue that shouldn't be used anyway.
The biggest risk in bridging is setting it up wrong and getting locked out, in my opinion. It's very easy to do. But I've set up bridging like that many times without issues.
It does expose the VLAN, and anything on it, to layer 2 stuff that would otherwise never get past the router. As long as the bridge filtering is set up correctly though, it should be fine.
-
I think I am going to try bridging it and blocking layer 2 with rules. Suggestions on rules, please? I also do not want it to talk to my other interfaces at all, other than WAN for access out. I want it to be its own world alone.
-
You don't need to block layer 2 traffic, and in fact you need it to pass for the test VM to be able to use the IP directly. The risk is low since only your provider should be on the same layer 2 as you.
pfSense still protects everything behind it. I would start out using pass all rules and make sure it works before adding tighter rules.
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html
Be sure to have a backup to roll back to if/when the setup starts to block everything!
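To make the two options from the earlier reply (1:1 NAT to the VM versus bridging WAN to the VLAN) and the "start with pass all, then tighten" advice above concrete, here is an added pf rule sketch. It is not from the thread or from Netgate; pfSense generates rules of this shape from the GUI (you can read the generated set in /tmp/rules.debug), so this is illustration only. Interface names (em0 as the physical WAN, em1.50 as VLAN 50 towards the VM host), the public VIP 203.0.113.10, the VM address 10.50.0.2 and the internal subnets 192.168.1.0/24 and 192.168.2.0/24 are all assumed placeholders.

```pf
# Added example, not from the thread. All addresses and interface names are placeholders:
#   203.0.113.10  one of the additional public VIPs (documentation range)
#   10.50.0.2     WAN address of the test pfSense VM when it sits behind 1:1 NAT
#   em0           physical pfSense WAN;  em1.50  VLAN 50 towards the VM host
#   192.168.1.0/24, 192.168.2.0/24  the existing internal networks to keep the lab away from

# --- Option 1: 1:1 NAT the VIP to the test VM (the VM itself is single NAT'd) ---
# The VIP must first exist as a Virtual IP (IP alias / CARP) on WAN so the physical
# box answers ARP for it; then a 1:1 rule maps it to the VM both ways.
binat on em0 from 10.50.0.2 to any -> 203.0.113.10

# "Pass all" on WAN for that address. NAT runs before filtering, so the filter sees
# the translated destination 10.50.0.2; the test VM's own rule set decides what is
# really allowed, exactly as it would behind an ISP.
pass in quick on em0 inet from any to 10.50.0.2 keep state

# The lab VLAN must not reach the other internal networks, only the Internet via WAN.
# Order matters: the block is evaluated before the pass because both are "quick".
block in quick on em1.50 from 10.50.0.0/24 to { 192.168.1.0/24, 192.168.2.0/24 }
pass  in quick on em1.50 from 10.50.0.0/24 to any keep state

# --- Option 2: bridge WAN and the VLAN so the VM uses the public IP directly ---
# Interfaces > Assign > Bridges: members em0 and em1.50 -> bridge0.
# System > Advanced > System Tunables, so rules apply on the member interfaces:
#   net.link.bridge.pfil_member = 1
#   net.link.bridge.pfil_bridge = 0
# Non-IP layer 2 traffic such as ARP is not filtered by pf at all and must pass for the
# VM to claim 203.0.113.10, which is why "blocking layer 2 with rules" is not needed.
# Start with pass-all on both members, confirm the VM works, then tighten:
pass in quick on em0   from any          to 203.0.113.10 keep state
pass in quick on em1.50 from 203.0.113.10 to any          keep state

# Defence in depth for the "own world" requirement: with the public IP the VM's default
# gateway is the ISP, so it has no route to the internal networks anyway, but drop any
# attempt that arrives on the VLAN member regardless.
block in quick on em1.50 from 203.0.113.10 to { 192.168.1.0/24, 192.168.2.0/24 }

# pfSense adds its own "pass out" rules; a hand-written pf.conf with a default block
# would also need them so replies can leave on the other member:
pass out quick on { em0 em1.50 } keep state
```

In the GUI each of these lines corresponds to one entry: the binat is Firewall > NAT > 1:1, the pass/block lines are rules on the WAN and VLAN (or bridge member) tabs, and the two sysctls are set under System Tunables. Keeping a configuration backup before enabling the bridge, as the reply above says, is the practical safeguard, because a mis-ordered block rule on the member carrying your management session locks you out immediately.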
-
Great, I’ll implement it this evening in my environment and see what results I experience. I’ll use the links you provided for bridging WAN to VLAN.