Hello from Houston.
It has been two and a half years since I started my "Home Lab" journey. I am now at the point where I am about to do a major rework (same old tired equipment though :( ). I have been going through your playlist for the last week trying to organize my network on paper, and found myself stuck on the foundation...the router/firewall. This video is "on time-on target", Thanks.
Timely and helpful. 2 for 2!
I finally got pfSense set up on my ProxMox box with direct hardware pass-through at the front of my network yesterday. Can't wait to set up all the fun stuff next. :D
It's coming. We are taking this a step at a time so people have plenty of time to work along with us.
This is just the series I need! Thanks a lot, these are really helpful.
Glad to hear it!
If you are planning to use OpenVPN in your pfsense/opnsense install, in the VM CPU settings you should set it to host, and turn on the AES flag so OpenVPN can take advantage of that directly in the CPU.
Great tip! Thank you for that!
I love opnsense. You should make a guide how to set up dmz for self hosting, exposed via internet.
In future videos, we'll be showing how to use pfSense and OPNSense for these types of purposes. This was just step one.
Great information here! Love how you take time to explain everything. Well done 👍
Glad it's helpful.
In my business we use pfSense but I would never suggest putting it in a VM. Since this is a business, you want uptime to be near 100%. One main reason for NOT putting the router in a VM is if the host needs to be rebooted for patching or becomes unresponsive. By making the router a VM, you will take down an entire network if the host needs to be restarted. Ideally, the router should be on its own hardware. Even if someone is just starting out, production systems should be treated with a very high level of care and security. Just my 2 cents.
Totally understand this thought, and agree with a single install, it may not be ideal, but if we are starting with limited hardware, then it may be the only option too. But, as we grow we can move our learned skills, and use other hardware, or clusters, etc.
Hmm, if you have issues with the host you can replicate/make it redundant by having it installed on a NAS; the machine will just change host if anything happens. But maybe we can have another excellent video on how to make it work 😉
@@AwesomeOpenSource Not really. With PCI passthrough you bind the physical network port of the host to a specific network port of the guest. Thus, you cannot just migrate or clone the guest to another host. Even worse, if you plan to migrate the guest, the target host would have to have the very same physical setup.
What would be possible is to set up 2 *sense guests attached to 2 different WAN ports and use the *sense built-in HA capability. That way you could at least shut down one guest without losing routing capabilities. But if you shut down the host you will still kill your WAN access.
The better setup would thus be to set up 2 hosts connected to the WAN with 2 redundant lines, maybe one in standby. Then you could install Proxmox on both as host OS and *sense instances as guests. Then you could make use of the *sense built-in HA capabilities. That way you could even shut down one host and still have routing capability.
Would have been better to describe all those possible use cases with respective pitfalls. Not to mention those risks introduced with PCI-passthrough when running several guests on the same machine.
another awesome video!
Thanks for the visit
Really helpful tutorials. Helped a lot
Glad it helped
LXC/LXD would be awesome if they could do live migration in clusters.
14:50 You can check the Qemu Agent box then install the plugin after first boot.
Indeed, and great tip on the QEMU agent.
Thank you!
You bet!
The best but I need more ti to make 100% best soft hehehehe thanks for the video bro.
Any time!
Does anyone have suggestions for a good open source Biometric attendance with Payroll?
I haven't seen anything that advanced, but I'll look around and see what I can find.
@@AwesomeOpenSource thank you, I did a little digging around and found ERPNext has that module in it
Thank you for the quick walk through.
I do have a question for you. Of all the videos I came across, every one of them shows how to install Opnsense on VirtualBox/VMware Workstation and then create a separate network where the FW talks only to these other virtual machines with that secluded network. My question is, what if I want to install Opnsense on VMware Workstation/VirtualBox and then I want my current physical LAN traffic to be routed through the firewall, is that possible? If yes, what kind of NIC config do I need to set up on the virtual instance of Opnsense?
I know I can get a physical PC with some additional LAN card on it and then set it up that way. But given the current situation I am in, I do not have a spare machine and can only spin up a VM.
Thanks in advance.
You can do what you're suggesting, but you need your Modem out (LAN) line to first go into your OPNSense machine. So it may just be a matter of distance from modem to machine.
@@AwesomeOpenSource Thank you for your response. That's how I have it set up now except for the fact that the uplink from the router (LAN) interface is connected to a switch and my PC running the Opnsense VM is then connected to this switch. So it's like router>>switch>>Opnsense host machine.
Now the most important question. How should I configure the 2 NICs on VMware Workstation/VirtualBox? Should I have them as Bridge for the WAN and NAT for the LAN?
Also, how will the other machines on the LAN know that traffic needs to be filtered via the Opnsense VM firewall? Do I update the DHCP default gateway info on the router to match the Opnsense IP?
Thanks!
@Awesome Open Source, do you have suggestions for me? I have almost tried everything that I could think of but was not able to get this to work the way I want. Any help is appreciated.
Any tips? I’m a newbie learning
Just what's in the video.
Quick question: are you using the on-board PCIe network card or an external PCIe card? I tried to use the same method on my Dell R720 with 2 10Gb ports or 2 1Gb ports. But it failed to pass through the PCIe card. The VM fails to start. As per the small info I got after discording, Proxmox doesn't allow public addresses to be passed through.
After tinkering too much with the system, I discovered that I was enabling all functions for the PCIe card, yet it was not supposed to be enabled since the system needs to know that you are detaching the ports from each other.
Yep, as you found the 'all functions' option will enable multiple ports for a single NIC, and if you then try to select each one separately, it can definitely cause issues. Sorry for not clarifying that better in the video.
Is it possible to redirect proxmox network through pfsense vm ?? I want the server to get its network from pfsense. As well as the vms.
Can I use it on an Ubuntu VPS?
I don't think you'd want to run this on a VPS. Maybe if I understood your goal better.
@@AwesomeOpenSource sorry I didn't mention it, I am using Hostinger shared web hosting and planning to try the Oracle free tier VPS, but it has limited resources for free and everything will be managed by me.
I wanted a control panel but nothing was helpful; all panels were limited to PHP and Node, and none support Docker or Rancher, so I decided to deploy from root level, but a firewall is needed for the server. Then I came across your video. Thank you for your reply, but now I have decided to use ufw for the firewall, install Rancher and Docker on it, and run containers.
Thanks for reply though
So, for instance, Digital Ocean offers a firewall option to put in front of your VPS. Not sure about what Hostinger or Oracle offer. If you want to try DO for free, in the video description I have an affiliate link that will give you $50 US in credit to test out for a couple of months, so you can do a good number of VPS for that amount. If you stay I get a credit, if you cancel I don't. Simple as that, and no pressure to stay, but it might help you see what is out there, and let you compare.
@@AwesomeOpenSource ok thanks 😃
How is the security of the firewall out of the box once installed?
Does it need more configuration?
Closing comments seem like there is nothing more to do on the firewall.
When I've installed either one, they both have all ports blocked on incoming out of the box. You can of course go in and set up port-forwarding, NAT Reflection, and so many other things in the settings, but out of the box I'd say ready for home use with no self-hosting going on.
@@AwesomeOpenSource thank you for confirming that not much more needs to be done once the initial setup is completed. For someone like me who doesn't know too much about configuring firewalls it's reassuring to hear.
However, I do like to tinker and learn.
Way to call out.... lol
Any reason for not creating Linux bridges ?
Not sure I'm following the exact question, so if I'm not, let me know, but I didn't because I don't want people following along to use their VirtIO bridge connected directly to their WAN, but instead to make a specific NIC be the WAN for their network. If you mean Linux bridges in a more general sense, I think that the *sense projects are really great for a host of reasons, and that they will likely serve the purpose overall with a lower learning curve.
Bridge is typical for VMs to share network resources. For firewall you're better off having dedicated NICs for it.
The target is a clearly defined DMZ, so you want to route traffic to be able to set rules. In a homelab it doesn't matter because in most cases you have a (wifi) router instead of a modem, so all traffic is behind the router's firewall and NAT-ed and you just open the ports you need. In a business environment it's more likely that a server is directly connected to the internet. To be honest, in a bit larger business environment you also don't use Proxmox because there is a pool at least for failover, and yeah, it's possible to manage pools with Proxmox, but there are better solutions with a dedicated managing VM. In most cases there is also a SAN or NAS solution. Under these circumstances RHEL (KVM), XenServer (XEN) or VMware (ESXi) is the way to go, ... in my humble opinion.
First