VMWare as host's own firewall



  • Hey folks,

I've been using pfSense since 0.9, great product and a life saver on many occasions. Kind of a VMWare newb though, and so I have the following question:
    We're going to host our TS server in colocation, I asked the host about providing a VPN appliance but they want to use ours, and will charge us an extra $25/month just to connect a small Soekris appliance with pfSense in front of our server.
    No way we're paying that for an extra 4W of power on OUR hardware.

Here's what I'm wondering. I've read some tutorials and posts on the Wiki about installing pf in VMWare, but they all seem to bridge from host to guest OS. What I had in mind was to put 3 NICs in our server. The network pipe would come in to one of them that feeds it straight to the VMWare image running pfSense as its WAN. pfSense would connect an IPSEC tunnel and apply filters. Then it would serve LAN to the 2nd NIC, which would be connected via patch cable to the 3rd NIC, acting as the host OS's main connection (i.e. the TS server would get the connection post-pfSense, and not vice-versa).

    Doable?
    Anyone have experience with it?
    What do I need to look out for?

    Thanks folks!



• Doable? Yes.
    Recommended? No! (search the forum for additional info why running something like a firewall in a VM is not the best idea).

    I have some funny "modding" solution for you: Get a pcengines alix board (pretty small, smaller than a Soekris) and try to "hide" it inside your server. You should even be able to power it using the server's internal 12V I think. I guess those might even fit into a 5 1/4" drive bay  ;)

    Oh, and please, if you do/manage to do that I would be happy to see a pic of your work  :D



• I have some funny "modding" solution for you: Get a pcengines alix board (pretty small, smaller than a Soekris) and try to "hide" it inside your server. You should even be able to power it using the server's internal 12V I think. I guess those might even fit into a 5 1/4" drive bay  ;)

    Oh, and please, if you do/manage to do that I would be happy to see a pic of your work  :D

    Hide it in a CD-ROM drive  ;)



  • @hoba:

    Doable? Yes.
Recommended? No! (search the forum for additional info why running something like a firewall in a VM is not the best idea).

    I have some funny "modding" solution for you: Get a pcengines alix board (pretty small, smaller than a Soekris) and try to "hide" it inside your server. You should even be able to power it using the server's internal 12V I think. I guess those might even fit into a 5 1/4" drive bay  ;)

    Oh, and please, if you do/manage to do that I would be happy to see a pic of your work  :D

    Believe me that was my backup plan already! :)
    I usually use Soekris net5501-60 boards, my only concern was powering the device from the PSU…
    I was thinking of bolting the entire Soekris case on the inside of the server case's removable panel. I'll see about modding the 5V molex to feed the board directly and let you guys know.

    Thanks,



• I think you will need the 12V. Also make sure the circuit can handle the load a Soekris draws. Check the PSU specs and the Soekris specs for reference.



  • Yeah it says 6V-25V on the Soekris website.

    • Power using external power supply is 6-25V DC, max 20 Watt, protected with TVS

    • Option for 5V supply using internal connector

    Thanks for the heads up.



  • OK I've made up my mind, will order an Alix 2c2 board (http://pcengines.ch/alix2c2.htm), no case, no AC.
    It's 6" so it wouldn't fit in the 5.25" cage unless I place it diagonally and I can't see doing that in a reliable and delicate manner. I will bolt the board with some ATX spacers under it, directly to the computer case's removable side panel.
    I will make a PCI slot filler with an IBDN connector in it and a cable inside running to the ethernet WAN on the Alix, so as to be able to connect ethernet from outside the case. The LAN cable will be passed through another PCI slot filler to go back to Eth0 on the mainboard.
    I will take one of the molexes from the PSU and connect the 12VDC and 12V ground to power the Alix board.
    I still don't know if I need to buy a connector that fits the Alix board power supply, or if I can easily solder it directly to the board, I guess I'll see when I get the board in stock.

    I'll keep you posted and definitely post pictures when it's done ;)



• I'm excited and definitely want to see some pics  :D



  • Well the server's just about ready for production.
I opted for a Soekris net4801 after all, about the same specs as the Alix, and it's smaller than the net5501 I usually take, but I added a HiFn VPN miniPCI card in there because I'm going to have 5 steady IPSEC tunnels pushing 20 Terminal Services connections and I wanted to make sure my appliance could handle it.

    I bolted the firewall board directly into the inside of the server case, soldered the ATX12V connector to the original firewall's power supply jack to power it, and ran some patch cables from the firewall to the NIC and from the firewall out to an IBDN connector that the host could easily have access to plug their jack in.

    When I power on the computer, the firewall boots up and since it finishes bootup before the server does, I get my connections working flawlessly during testing.

    Will post pictures tomorrow ;)







  • Thanks for the pictures … Great Installation!



  • Sweet  8)



• wants to start modding his case
    Seriously.
    This would be just nice.
    A server which has per default a pfSense built in.
    As long as the embedded board has power…
    You could even remotely power up the Server (whyever it should be down) via WOL.



• You could even remotely power up the Server (whyever it should be down) via WOL.

    Excellent idea! I'll have to enable and test it before I move the server to colocation…



  • @stechnique:

You could even remotely power up the Server (whyever it should be down) via WOL.

    Excellent idea! I'll have to enable and test it before I move the server to colocation…

    Actually not doable, since if the PC is off, the firewall will be too!
    Although my host has a remote reboot port which I guess just shuts off and restores power to the computer. That would work…



• I was thinking about the Standby 5V line :)

    @http://www.formfactors.org/developer/specs/ATX12V_PSDG_2_2_public_br2.pdf:

    3.3.3. +5 VSB
    +5 VSB is a standby supply output that is active whenever the AC power is present. It
    provides a power source for circuits that must remain operational when the five main DC
    output rails are in a disabled state. Example uses include soft power control, Wake on
    LAN, wake-on-modem, intrusion detection, or suspend state activities.
    The +5 VSB output should be capable of delivering a minimum of 2.5 A at +5 V ± 5% to
    external circuits. The power supply must be able to provide the required power during a
    "wake up" event. If an external USB device generates the event, there may be peak
    currents as high as 3.5A lasting no more than 3 seconds.
    Overcurrent protection is required on the +5 VSB output regardless of the output current
    rating. This ensures the power supply will not be damaged if external circuits draw more
    current than the supply can provide.

12.5 watt should be enough to run a Soekris.
    Maybe check what continuous current your PSU can deliver on the VSB line.
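The WOL suggestion earlier in the thread, and the +5 VSB discussion above that makes it workable (the embedded firewall board stays powered from the standby rail while the server itself is off), both rest on the Wake on LAN magic packet: a UDP payload containing six 0xFF bytes followed by the target's MAC address repeated sixteen times. The following Python script is an added example, not code from this thread or from pfSense or Soekris; it builds, validates and broadcasts such a packet. The MAC address, broadcast address and port are constructed placeholders, and `send_magic_packet` assumes the sending host (here, the firewall board) sits on the same layer-2 segment as the server's NIC.

```python
import re
import socket

# Port 9 (discard) is the conventional destination for WOL; any port works
# because the NIC inspects the raw frame payload, not the UDP header.
WOL_PORT = 9

# Constructed placeholder MAC for the colocated server's onboard NIC.
SERVER_MAC = "00:11:22:33:44:55"


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'
    and return the six raw bytes; reject anything that is not a 48-bit MAC."""
    clean = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", clean):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(clean)


def build_magic_packet(mac: str) -> bytes:
    """Magic packet body: 6 x 0xFF synchronisation stream, then the MAC 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def is_magic_packet_for(payload: bytes, mac: str) -> bool:
    """True if a captured UDP payload would wake `mac`.
    The NIC only requires the sync stream + 16 MAC copies to appear somewhere in
    the frame, so leading bytes are tolerated; this is useful when auditing what
    a packet capture on the LAN would actually wake."""
    return build_magic_packet(mac) in payload


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = WOL_PORT) -> int:
    """Broadcast the magic packet on the local segment; returns bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Only sends when run directly; the firewall board's LAN-side address range
    # would replace the placeholder broadcast address.
    sent = send_magic_packet(SERVER_MAC, broadcast="192.168.1.255")
    print(f"sent {sent} bytes to wake {SERVER_MAC}")
```

Because the magic packet carries no authentication (some NICs support an optional SecureOn password appended to it, which this script omits), anyone able to put a broadcast on that segment can wake the server; sending it from the firewall board on the post-pfSense LAN, as the thread's layout does, keeps the colocation provider's network out of that trust boundary entirely.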



  • Nice setup!  :D



• Very nice setup. I would make one suggestion for anyone else who does something similar, grab an internal face LAN card (http://www.weirdstuff.com/cgi-bin/item/11508). I used one in my router to go to a wireless access point I had in the same case.



  • Nice card, didn't know they made anything like this.
In my case though the onboard gigabit NIC is probably much better than this $5 card, but for lower-end servers I always take cheap Realtek cards.
    Thanks for the link.

