Is it feasible to setup PfSense as a VM?

After watching the video series on setting up a PfSense router, I wanted to incorporate one into my personal environment. While I am sure that I could find some adequate hardware at the local thrift store, I thought it might score more cool points if I set it up as a virtual machine on my system.

My Ethernet port is set up in its own IOMMU group so I could pass it through Fedora to the PfSense virtual machine. If I set up this physical Ethernet port as the uplink, would virtual NICs suffice as connections to the host operating system and other virtual machines? This article suggests that such a configuration may not be possible, but is sparse on detail.

If such a configuration is possible, would it effectively segregate the other virtual machines from the uplink? Any exposition on security concerns, or lack thereof, introduced by virtualizing a PfSense router in this sort of way would also be appreciated. The thrift store is still an option if the cool points are out of reach.

Sincerely,
StableOrbital

P.S. Little did Dr Seuss know that green eggs and ham are both penguin derived cuisine. :grin:

1 Like

pfsense can run fine as a VM, however your appetite for risk vs. comfort with VM isolation is the big question, as well as your competence in ensuring that it is situated properly logically in path.

i run pfsense every day in this sort of scenario to host a lab environment on my Linux desktop for multiple simulated AD sites. (PFsense “wan” port is NAT sharing my workstation’s card on the LAN, multiple play networks behind it using vmware workstation network segments).

if it’s facing the internet directly (mine isn’t) i’d personally use a physical box. You can pick up a physical pfsense (Netgate) appliance for under $200 or build your own from parts etc.

The good thing about the netgate small boxes is that they’re ARM - so every script kiddie and his dog can’t just launch (more) easily available x86 shellcode exploits at it. The barrier to entry for hacking it is a little bit higher. First they need to find a hole, and then they may require FreeBSD ARM shellcode which is less available.

And of course no VM = nothing else on the host to get at via a hypervisor escape (if it was a VM).

If it’s for splitting out networks on a local lan, i’d happily run pfsense (in a vm) as it’s in a bit of a lower risk environment. If you have people likely to run hypervisor escapes against your gear from inside your LAN, you’re already pretty fucked… imho.

3 Likes

Yes, of course.

Here is an example:

Mind, with virtualization, you are adding additional complexity, hence additional attack vectors.

3 Likes

Yes pfSense runs fine in a VM, though when installing don’t choose ZFS.

Currently running pfSense as a VM, along with FreeNAS and Windows VMs as my daily driver (VMware ESXi with auto-start lets everything work fine)

1 Like

My hope is to use a pfsense VM as the only VM with physical access to a NIC, then let it manage the internal QEMU network so that a Windows 10 VM will already have filtered output going out the physical NIC. Waiting for a Threadripper system to go on this endeavor.

1 Like

Blocking Windows telemetry is one of the goals of my effort, futile as it may be. I sort of think of it as picking the wrench, Good Will Hunting style.

2 Likes

I ran pfsense as a home router for a couple years inside a vm, main reason i did it back then was because most consumer routers were shit and i was tired of it. Later i switched it to a Supermicro Atom D510 based board because it was simpler and more secure.
Another big factor was when the host went down and you needed internet access to fix it, not a big problem but annoying having to switch things around.

3 Likes

Easy enough by passing through a network card, or alternatively creating a virtual switch for the wan port and only have the pfSense have access to it.
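As an added illustration of the layout the thread converges on (the physical NIC passed through to pfSense as WAN, an internal network for everything else), here are libvirt definitions for a KVM/QEMU host; this is example configuration written for this reply, not from any poster, and the network name, bridge name, addresses, and PCI address are assumed placeholders.

```xml
<!-- Isolated LAN segment. With no <forward> element libvirt creates a plain host
     bridge: no NAT, no routing to the uplink, so guests on it can only leave the
     host through pfSense. The host itself gets 10.0.10.2 on the bridge; pfSense
     will own 10.0.10.1 and run DHCP, so no <dhcp> block is defined here.
     (Names and addresses are assumptions for this example.) -->
<network>
  <name>pfsense-lan</name>
  <bridge name="virbr-pflan" stp="on" delay="0"/>
  <ip address="10.0.10.2" netmask="255.255.255.0"/>
</network>

<!-- pfSense domain, fragment of its <devices> section. The physical NIC is bound
     to the guest with VFIO, so neither the host nor any other VM can see the WAN.
     The PCI address is a placeholder: use the one shown by `lspci` for your port
     and confirm it sits alone in its IOMMU group. -->
<hostdev mode="subsystem" type="pci" managed="yes">
  <source>
    <address domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
  </source>
</hostdev>
<!-- pfSense LAN side: the only link between the router VM and the rest. -->
<interface type="network">
  <source network="pfsense-lan"/>
  <model type="virtio"/>
</interface>

<!-- Windows 10 domain, fragment of its <devices> section. Its single interface
     is on the isolated network, so any packet it sends reaches the uplink only
     if pfSense's rules forward it. -->
<interface type="network">
  <source network="pfsense-lan"/>
  <model type="virtio"/>
</interface>
```

Load the network with `virsh net-define` and `virsh net-start`; once the NIC is passed through, the host's own way out is also via the bridge, so point its default route at 10.0.10.1 and check with `virsh domiflist` that no guest other than pfSense has a `hostdev` or bridged interface.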