PfSense VM in Windows 7…security issues?
-
I now plan to migrate my pfSense box, which is running natively on a PC, to Windows 7, and run pfSense as a VM.
Here are the specs:
Intel E2140 dual core
4GB PC2-3200 RAM
160GB WD hard drive
Intel EXPI9301CT PCI-E NIC
Intel PWLA8391GT PRO/1000 GT PCI NIC
Here is the configuration I am planning:
WAN > NIC 1 (no Windows services applied except VMWare bridge) > VM > NIC 2 (LAN) > switch
I plan to install Windows 7 Ultimate as the base since I would like to use the computer as a file server, which I cannot do with pfSense as the native install. I will then install pfSense in a VM and configure it for use as my firewall/router, and dedicate one NIC to WAN, the other to LAN. Also, I will have the VM start automatically when the computer starts, so if the computer were to restart for any reason, routing would come back as soon as the computer booted.
The question is, does this concept pose any potential exposure to security issues? I know as long as the pfSense VM is configured correctly (such as in this guide http://forum.pfsense.org/index.php/topic,42205.0.html) that it shouldn't be an issue, as the network adapter that is going to be dedicated to WAN won't be using any Windows services, but only dedicated to the VM itself. Am I missing anything, or is my thinking flawed by doing this? What security issues would I be introducing with this planned architecture?
I'd appreciate any input. Thanks!
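A check for the WAN NIC isolation described above, as an added example that is not from the original post or the pfSense guide it links: it lists every binding still enabled on the host's WAN adapter and flags anything other than the VMware Bridge Protocol. It assumes the WAN adapter's friendly name is "WAN" and that the bridge binding's ComponentID is `vmware_bridge` (both assumptions); on a Windows 7 host, where Get-NetAdapterBinding does not exist, it falls back to a WMI check that only tells whether TCP/IP is still bound.

```powershell
param(
    [string]$WanAdapter = "WAN"   # assumed friendly name of the NIC dedicated to the pfSense WAN
)

# ComponentID of the VMware Bridge Protocol as it appears in adapter bindings (assumption).
$AllowedBindings = @("vmware_bridge")

function Test-WanAdapterIsolated {
    param([string]$Name)

    if (Get-Command Get-NetAdapterBinding -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and newer: enumerate every enabled binding
        # (TCP/IP, Client for Microsoft Networks, File and Printer Sharing, LLTD, ...)
        # and keep only those that are not the bridge protocol.
        $leftover = @(Get-NetAdapterBinding -Name $Name |
            Where-Object { $_.Enabled -and ($AllowedBindings -notcontains $_.ComponentID) })
        foreach ($b in $leftover) {
            Write-Warning ("{0}: '{1}' ({2}) is still bound to the WAN adapter" -f $Name, $b.DisplayName, $b.ComponentID)
        }
        return ($leftover.Count -eq 0)
    }

    # Windows 7 fallback via WMI: Win32_NetworkAdapter carries the friendly name,
    # Win32_NetworkAdapterConfiguration (same Index) tells whether TCP/IP is bound.
    # This cannot see the client/server service bindings, so check those in the
    # adapter's Properties dialog by hand.
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    if (-not $nic) { throw "No adapter named '$Name' found" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
    if ($cfg.IPEnabled) {
        Write-Warning ("{0}: TCP/IP is still enabled on the WAN adapter ({1})" -f $Name, ($cfg.IPAddress -join ", "))
        return $false
    }
    return $true
}

if (Test-WanAdapterIsolated -Name $WanAdapter) {
    Write-Output "OK: '$WanAdapter' carries only the VMware bridge; the host has no stack on the WAN side."
} else {
    Write-Output "FAIL: '$WanAdapter' still exposes host services to the WAN; unbind them before going live."
    exit 1
}
```

Run it as Administrator after the VMware bridge has been bound to the WAN NIC, and again after any Windows update or VMware reinstall, since either can quietly re-enable bindings.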
-
So this box would just be a file server and router in vm?
Why not just go with a type one hypervisor (bare metal) say esxi or ms hyper-v or kvm, etc. Then just run your fileserver (nas) or any other boxes you need other than router as just VM.
-
So this box would just be a file server and router in vm?
Why not just go with a type one hypervisor (bare metal) say esxi or ms hyper-v or kvm, etc. Then just run your fileserver (nas) or any other boxes you need other than router as just VM.
I thought about this, but since I already have Win7, it's easier for me to set up. Hyper-V apparently still has issues with FreeBSD, at least from the research I've done.
-
I just put that there as an example of type 1 - I would not use it ;) I run esxi 5.1 and pfsense runs perfect on it.
And what, setting up win7 in a VM, or freenas, or openfiler or any other OS you want to run in a VM, takes 30 minutes tops… If what you want is a NAS or fileserver, I wouldn't use a desktop OS for one.
-
I am running 2008r2 as a fileserver and using vmware workstation to run Pfsense and a few other vm's. I would have used hyper-v but Pfsense was the deciding choice since it does not work easily in hyper-v (I would rather use hyper-v).
While some people might knock your idea of using windows 7, there is really not much difference between your setup and mine. Your setup should work with no issues. I find it easier to configure a windows machine (especially drivers) and then just share the volume. I also believe familiarity is part of my issue, as setting up a windows machine is easier for me than esxi and something like freenas/openfiler.
Just don't be tempted to install too much on windows 7 (other software). You'll end up with more issues in the long run if you do, if you want a stable system.
What vm software are you planning to use? Vmware server was easier as a full time server, as workstation requires scripting so that it properly shuts down the clients (it just wants to unplug them when you reboot). Downside is vmware server does not support win8/2012 guest os.
-
I have a similar setup for one of my boxes and here are some of my 0.02:
1. You will need more RAM if you plan to use SNORT, squid … etc. I have an odd ball 5G system and memory usage is constantly at 95%+. Pfsense is in a 3G VM; together with the win7 host they use more than 4G. With SNORT fully loaded pfsense memory load (within the VM) can peak at 80% - SNORT is the memory hog, so if you don't plan to use it you will need more host memory.
2. Get a 3rd network card as a management interface to the box. If you are concerned, you can assign the 2 NICs some funky IP address and have a firewall rule to block them off completely.
3. I was never able to get VLAN to work in this setup; somehow the 802.1q tag was lost. Maybe because at the time I was running an older version of workstation or because I had not installed vmware tools. VLAN is not important to me in this setup so I never went back to look into it.