
We are currently considering installing an instance of pfSense on our Hyper-V R2 based server to act as a content filter, captive portal and general firewall.

Although it is usually bad practice to virtualise a firewall / gateway... sometimes you gotta work with what you've got! :)

We've got 2 physical NICs... 1 facing the internet (WAN) and 1 facing our internal LAN.

How would one go about making sure all internet access goes through the pfSense VM?

Is there a configuration that eliminates any possibility of traffic coming in on the LAN NIC bypassing the pfSense VM?

Sorry if it's a silly question, I'm a developer by day :D

Daniel Upton
  • "Although it is usually bad practice to virtualise a firewall / gateway" <-- According to who?? – Chris S Apr 17 '12 at 20:02
  • You're in bad need of a good IT guy/consultant. This stuff isn't difficult at all for someone who knows what they're doing, and it's going to be a world of hurt for someone who doesn't. – Chris S Apr 17 '12 at 20:04
  • Tends to be the first response I've seen on most forums :P This isn't for the company I work for BTW, it's something I'm setting up for my church... trying to expand my skill set :D – Daniel Upton Apr 17 '12 at 20:05
  • @DanielUpton - When I started putting firewalls inside VMs I copped a lot of flack for it too. Some people (on Server Fault) were downright rude to me about it. But what you'll find is that people who know what they're doing and do it properly won't make general hand-waving "all is bad" comments like that :) What you have here are two very high-rep users saying "go for it". I'd listen to them over some anonymous forum people. – Mark Henderson Apr 17 '12 at 20:29

2 Answers


What Wesley said... Plus a diagram:

              +----------------------------------+
              |    +----------+   +---------+    |     +----+ +----+ +----+
              |    | pfSense  |   | Host OS |    |     |    | |    | |    |
              |    |          |   |         |    |     | PC | | PC | | PC |
              |    +----------+   +---------+    |     |    | |    | |    |
              |         ^   ^          ^         |     +----+ +----+ +----+
              |         |   +------+   |         |        ^      ^      ^
              |         |          |   |         |        |      |      |
              |         V          V   V         |        V      V      V
+--------+    +---+   +-------+  +-------+   +---+      +-----------------+
|Internet|<-->|WAN|<->|WAN NET|  |LAN NET|<->|LAN|<----+|    LAN SWITCH   |
+--------+    +---+   +-------+  +-------+   +---+      +-----------------+
              |          Hyper-V Host            |
              +----------------------------------+

It's actually possible to use the same NIC on the Hyper-V host for both WAN and LAN, but you'll need to set up VLANs and need a switch that supports them. It gets messy quickly and NICs are fairly cheap. A note on NIC chips: get a good one, like Intel, Broadcom, etc. Stay away from Realtek, Marvell, and most of the on-board chips on cheaper and DIY motherboards. They're nothing but trouble for virtualized environments.

Also, keep in mind that Hyper-V is a bare-metal hypervisor. It is NOT a service that runs in Windows. What used to be the Windows installation on the machine becomes a special VM. This will not appear to be the case for simplicity and usability reasons, but it comes into play when you do things like set up Hyper-V networking.

Chris S
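The diagram above, expressed as a Hyper-V configuration. This is an added example, not code from the answer or from the pfSense project. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later; on the 2008 R2 release the same two external virtual networks are created in Hyper-V Manager's Virtual Network Manager, with "Allow management operating system to share this network adapter" left unticked for the WAN network). The adapter names, the VM name and the 192.168.1.0/24 addresses are placeholders.

```powershell
# Added example, not code from the answer. Assumes the Hyper-V PowerShell module
# (Windows Server 2012 or later). Adapter names, VM name and addresses are placeholders.
$WanNic     = 'Ethernet 1'     # placeholder: physical NIC cabled to the ISP/modem
$LanNic     = 'Ethernet 2'     # placeholder: physical NIC cabled to the LAN switch
$VmName     = 'pfSense'        # placeholder: name of the pfSense VM
$HostLanIp  = '192.168.1.2'    # constructed: host management address on the LAN
$PfSenseLan = '192.168.1.1'    # constructed: pfSense LAN address, the network's only gateway

# WAN switch ("WAN NET" in the diagram): bound to the WAN NIC, and the management OS
# gets NO vNIC on it. Only pfSense is attached, so the host has no address facing the
# internet and nothing on the host can be reached from that side.
New-VMSwitch -Name 'WAN' -NetAdapterName $WanNic -AllowManagementOS $false

# LAN switch ("LAN NET"): bound to the LAN NIC. The host keeps a vNIC here ("Host OS"
# in the diagram) so it can be managed from inside and routes through pfSense like any PC.
New-VMSwitch -Name 'LAN' -NetAdapterName $LanNic -AllowManagementOS $true

# Give the VM exactly one adapter per switch (drop whatever the new-VM wizard attached).
Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VmName -SwitchName 'WAN' -Name 'WAN'
Add-VMNetworkAdapter -VMName $VmName -SwitchName 'LAN' -Name 'LAN'

# The host's management vNIC is named after its switch: "vEthernet (LAN)".
# Its default gateway is the pfSense LAN address, so the host's own traffic is filtered too.
$hostIf = Get-NetAdapter -Name 'vEthernet (LAN)'
New-NetIPAddress -InterfaceIndex $hostIf.ifIndex -IPAddress $HostLanIp -PrefixLength 24 -DefaultGateway $PfSenseLan
Set-DnsClientServerAddress -InterfaceIndex $hostIf.ifIndex -ServerAddresses $PfSenseLan
```

Run this from the host console rather than over a remote session: binding a physical NIC to a virtual switch drops whatever connectivity that NIC was providing to the host, and with `-AllowManagementOS $false` the WAN NIC never gets it back, which is the point.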

Simply setting all PCs, switches, routers, and other network infrastructure to use the pfSense virtual machine as their default gateway will make all traffic flow through the content filter.

Certainly, someone could yank network cables out of the server and plug their PC straight into your WAN. You could set some kind of MAC filtering or 802.1x authentication to enact port level security. Of course, someone could just wire around that as well. The point being: There comes a time when you are merely relying on "I've got the passwords and the keys to the server room and you don't."

Simply setting up your gateway as the default gateway / router and not having any other routing options on the network prevents all outlets with the exception of someone storming your server closet and frobbing with cables.

Wesley
  • Thanks! So do I set the default gateway of the Hypervisor to the VM too? What if a user on the LAN manually sets their default gateway to the IP of a router behind the VM (on the WAN)? .. you can probably tell this is all new to me! – Daniel Upton Apr 17 '12 at 20:06
  • Yes, in this setup the VM will be Hyper-V's gateway. However, I'm ever so slightly confused about your network design now. If done properly, there will be no router "behind" the VM. The VM is well and truly its own machine. While, yes, the physical host will have a network cable on the WAN, it won't be a router; it won't have the proper routing tables. It won't respond to attempts at getting it to route packets. – Wesley Apr 17 '12 at 20:17
  • Ah sorry, was confusing myself for a moment then, you're absolutely right, thanks for your answer! – Daniel Upton Apr 17 '12 at 20:24
  • @DanielUpton I hang my head in defeat to Chris's ASCII art. When you bestow the green checkmark to him, give him this... my only upvote. *dies dramatically* – Wesley Apr 17 '12 at 20:27
  • @WesleyDavid My apologies, I didn't mean to steal your thunder, especially since you've got the right answer (too). – Chris S Apr 18 '12 at 01:40
  • @ChrisS Hush - you're interrupting my dramatic death scene. =) – Wesley Apr 18 '12 at 01:54
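Wesley's condition, "the default gateway and no other routing options", can be audited on the Hyper-V host itself, which is the one machine that has a cable on both sides. This is an added example and not code from either answer; it assumes Windows Server 2012 or later (Hyper-V and NetTCPIP PowerShell modules), an external virtual switch named 'WAN' on the internet-facing NIC, and a constructed pfSense LAN address of 192.168.1.1. The function returns a list of findings, or a single OK line.

```powershell
# Added example, not code from the answers. Assumes Windows Server 2012 or later
# (Hyper-V and NetTCPIP modules). The switch name and address are placeholders.
function Test-PfSenseHostIsolation {
    param(
        [string]$WanSwitch  = 'WAN',          # placeholder: external vSwitch on the WAN NIC
        [string]$PfSenseLan = '192.168.1.1'   # constructed: pfSense LAN address
    )
    $findings = @()

    # 1. The WAN switch must not hand the management OS a vNIC; otherwise the host has an
    #    address on the internet side and is reachable without passing through pfSense.
    $sw = Get-VMSwitch -Name $WanSwitch -ErrorAction SilentlyContinue
    if (-not $sw) { $findings += "vSwitch '$WanSwitch' not found" }
    elseif ($sw.AllowManagementOS) { $findings += "vSwitch '$WanSwitch' shares its NIC with the host OS" }

    # 2. Every IPv4 default route on the host must point at pfSense. A second default route
    #    (for example an address picked up via DHCP on the wrong interface) is a bypass.
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.NextHop -ne $PfSenseLan } |
        ForEach-Object { $findings += "default route via $($_.NextHop) on $($_.InterfaceAlias)" }

    # 3. The host must not forward packets between its own interfaces; that is pfSense's job.
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.Forwarding -eq 'Enabled' } |
        ForEach-Object { $findings += "IP forwarding enabled on $($_.InterfaceAlias)" }

    if ($findings.Count -eq 0) { 'OK: host reaches the internet only through pfSense' }
    else { $findings }
}

Test-PfSenseHostIsolation
```

The same three checks apply, with the first one dropped, to any LAN machine you suspect of having been given a second gateway: one default route, pointing at pfSense, and no forwarding.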