Pfsense unusual application



  • Hardware: a normal IBM laptop (i5 with 8 GB of RAM) behind a home router connected to a large commercial ISP via their provided modem.  Laptop is only used wireless with 7 Pro running.  Other computers use the network connectivity so the router and modem cannot be changed.  This is MY connection.

    Project History: I want to use pfSense in a VirtualBox VM with the intention of removing all connectivity from the Windows 7 host, once pfSense is running properly. Then if successful I will employ Linux VMs that will be running and connecting through pfSense's connectivity. Why? We started a project (at Wilders Security forum) to see if we can use TrueCrypt with a 7 hidden OS running. However, we want to remove 7's ability to communicate with the outside world.  7 will only host the VMs so that we can utilize the hidden OS feature.  That is the goal anyway.

    I have built a basic pfSense VirtualBox VM but I cannot figure out how to proceed.  Before I basically beat myself up trying to learn this software, I wanted to query you advanced folks for feasibility based upon this somewhat unique application.  pfSense appears not too tough to configure if I were using it as a stand-alone physical router such as on a spare computer.  I am also pretty confident that by going to one of my desktop computers and dropping in another NIC or two I would have an easier time of this.

    I have been reading here for about a week or so now.  I see some of you guys with thousands of posts and you really seem to have this software down cold.  Let's not get too specific out of the chute.

    Simply put, am I wasting my time or can this be done using a decent but normal laptop configuration?  I have lots of experience with all the software, backup protocol, encryption, etc.  pfSense is the new ingredient for me but I am willing to take it on if the physical hardware can be used.

    I would really love to learn about any configuration ideas and the overall feasibility for this project.  If completed successfully there are several other members that will use the setup.


  • Netgate Administrator

    Seems like it should be possible. It is definitely possible with other Hypervisors.
    Set up your pfSense VM with a bridged adapter for WAN and an internal adapter for LAN. Add other VMs using internal adapters on the same internal network.
    In Windows 7 (and this is what I've never tried in Vbox) remove the IPv4 and IPv6 networking components from the NIC.
    Done.

    If you want connectivity for the host add a 'host only' adapter to the pfSense VM and you can filter its traffic separately.

    Steve
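The adapter layout Steve describes (bridged WAN, internal-network LAN, optional host-only third adapter, guests on the LAN network only), expressed as VBoxManage calls. This is an added example, not code from the thread or from the pfSense project; the VM name, the internal network name and the host NIC name are assumptions, and VBOX_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Assumed names; override via the environment before sourcing or running.
VM_NAME="${VM_NAME:-pfSense}"            # assumed name of the pfSense VM
LAN_INTNET="${LAN_INTNET:-pfsense-lan}"  # assumed internal network shared with guest VMs
HOST_NIC="${HOST_NIC:-wlan0}"            # assumed host adapter the WAN side bridges to

# Execute a command, or just print it when VBOX_DRY_RUN=1 is set.
run() {
    if [ "${VBOX_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nic1: WAN bridged to the host NIC (pfSense sees it as a plain ethernet card)
# nic2: LAN on an internal network that the other guests also attach to
# nic3: host-only adapter only if the host itself still needs (filtered) access,
#       otherwise explicitly disabled so no extra path into the host exists
configure_pfsense_vm() {
    run VBoxManage modifyvm "$VM_NAME" --nic1 bridged --bridgeadapter1 "$HOST_NIC"
    run VBoxManage modifyvm "$VM_NAME" --nic2 intnet --intnet2 "$LAN_INTNET"
    if [ "${WITH_HOST_ONLY:-0}" = "1" ]; then
        run VBoxManage modifyvm "$VM_NAME" --nic3 hostonly --hostonlyadapter3 "${HOST_ONLY_IF:-vboxnet0}"
    else
        run VBoxManage modifyvm "$VM_NAME" --nic3 none
    fi
}

# Give a guest VM a single adapter on the pfSense LAN network, so its only
# route out is through the pfSense VM; a leftover second adapter is disabled.
attach_guest_to_lan() {
    guest="$1"
    run VBoxManage modifyvm "$guest" --nic1 intnet --intnet1 "$LAN_INTNET"
    run VBoxManage modifyvm "$guest" --nic2 none
}
```

Run `VBOX_DRY_RUN=1 sh -c '. ./pfsense-vbox.sh; configure_pfsense_vm'` first to review the commands, then without the dry-run flag while the VMs are powered off.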



  • Steve,

    Thank you for those suggestions.  While I am in the learning phase with pfSense, what are the other hypervisors that you would consider using?  I may as well read around.  I do have some time for reading over the next few days.

    Quote: "pfSense VM with a bridged adapter for WAN"

    Other than creating/selecting bridged adapter in the VM settings, how would I do this?

    I am familiar with creating a unique internal network and then how my other VMs will use that internal network as their only adapter.  That part of this is crystal clear.


  • Netgate Administrator

    You could use ESXi bare metal if you're only using Win7 to host the VMs. I'm not sure how well that would run on a laptop though. Mostly it's aimed at server hardware and laptops often have weird things.
    You can use VMware in Windows. VirtualBox should be fine though. Have a read through the virtualization subforum:
    https://forum.pfsense.org/index.php/board,37.0.html

    @bermuda:

    Other than creating/selecting bridged adapter in the VM settings, how would I do this?

    Exactly, select adapter type 'bridged network' in the 'Attached to' box. This will allow the pfSense WAN interface to talk directly to whatever the NIC is connected to.

    Steve



  • Thanks for the link.  I might "go silent" for a few days but that is because I am going to be reading through this forum and elsewhere.  I am hoping to get to the point where I don't need to be spoon-fed.  We'll see.



  • Could use another steer from someone.  I ended up downloading a mirror pfSense 2.0.3 OVA and it's running slick on VirtualBox.  With my 7 host already wirelessly connected, I can easily start my pfSense VM and it establishes a nice connection.  I can access the internet and pull up the configurator for setting the machine up using a Linux VM.  I changed the pfSense LAN so that I can now access my router panel and the pfSense configurator on their respective LAN addresses.  I haven't tried it yet but I am pretty sure that if I physically connected (ethernet) to the router I would have much joy.  Before I spend the time configuring my DNS, VPN certs and stuff I still need to find out IF I'll be able to connect to the router wirelessly once I castrate the 7 OS.

    After removing 7's connectivity how do I establish wireless connectivity via the pfSense VM going to my router?


  • Netgate Administrator

    Hmm, slightly complex.  ;)
    The pfSense VM will see the WAN NIC as a regular ethernet card, so you won't be able to do any wireless configuration from there. The driver that controls the wireless part of the setup is controlled by Windows so you will have to do all the wifi configuration there. It is independent of the IP config so you should be able to do that. It might object though.  ;)

    Steve



  • The "problem" you presented negates a key aspect of this project's goals.  I realize that a pfSense bare metal approach would make this a no-brainer, and I also realize that is not what you just suggested.  Our security project is to eliminate all connectivity from 7 and let it solely host the various VMs.  If we have to "USE" components of the 7 OS to achieve connectivity, then we may as well simply use a Linux host with other Linux VMs.  We could fully encrypt with dm-crypt/LUKS for security, but then we lose another desired outcome.  That would be the hidden OS feature that only the Windows platform allows for.

    I am not convinced that using even limited connectivity from 7 can be a trusted castration of the OS.  We are attempting to make this project work simply for the hidden OS outcome, otherwise we will (and have) gone to 100% Linux solutions.

    I find pfSense to be an amazing piece of software.  It immediately connects while using features of the 7 OS, but I am still researching the "security" of using those features.  If you think of instructional links discussing these connection issues, please feel free to add them to this thread.  For now, I am still reading and assessing whether to pursue pfSense in the context of our project.

    Thank you for your attention to this thread.


  • Netgate Administrator

    Which aspect does it negate? The Windows 7 OS would not have connectivity. You are simply using the Windows driver to establish a layer 2 connection via wifi. As long as you've removed IPv4 and IPv6 from the NIC then there will be no layer 3 connection. You may want to remove any other layer 3 protocols like NetBIOS etc.

    The problem might be that the Windows wireless connection manager tries to establish an IP connection and then freaks out when it can't. You can probably do it manually in the driver properties if that's the case. It shouldn't do though, because you can connect to a wifi network that doesn't have a DHCP server. In that case you can connect but have no IP connectivity unless you set a static IP.

    Steve

