So I am no expert at anything ok. I just wanna use the machine I have for what I wanna use it for. It's doing nothing else, fuck it.
As some may know I have macs aplenty. One such mac I was going to use as a firewall and quickly learned that wasn't going to happen as pfsense can't just be installed. I could build it, but that seems stupid. However what also seems stupid to me is just installing pop os, installing vm tools, and then just running the tools I want on that, firewall and pihole being examples. Idk maybe some other tiny tools here and there. Point of using the mac though is the dual gigabit nics. As it's just home users here it'll be ok and I can upgrade later if needed.
No need if the system you're running the vm on has a firewall, assuming you're not running the vm with NAT as the network adapter.
If you are running NAT then yes you should run the firewall on the vm, as you're directly accessing the net, not passing through the vm, to the host and then to the net.
Yes, if you’re not hell bent on pfSense as a webui you could even run it in a container, and use docker-compose or podman-compose…
e.g. nat router in one container, pihole DHCP+DNS in another. You get to use the host kernel networking stack, and get to benefit from hardware offloading, without putting a ton of network management tools on the host os, or having services listening.
That way your host doesn’t really need an IP stack running assigned on the wan interface. Set Unmanaged=yes in systemd and you’re done.
If going for a VM doing qemu-kvm, for better performance enable vhost for networking. Also, if you don’t need spanning tree, let qemu use a macvtap instead of a traditional tap added to a bridge with a physical interface. (then if you want the host to talk to a VM over the macvtap, have systemd-networkd make you a macvlan)
If so, I’d run OpenBSD on it and call it a day. IIRC, you can implement the same block lists used by pihole into Unbound with pretty minimal effort. If you still need services that you can’t get on OpenBSD, you can run a Linux VM in vmm (although maybe check that vmm will work on PPC).
To answer your question though, you definitely can run a firewall in a VM (or container), but it adds complexity. There are a lot more opportunities to make terrible mistakes and you’ll need to keep track of any security issues with your virtualization platform (more CVEs to track).
Various firewall vendors fully support it, and indeed, if you have an azure tenant, etc. you will have virtual firewalls by default.
Yes, you have to deal with hypervisor escape potential (stay patched) but this is no different to dealing with potential exploits in any app exposed to the internet, even through a firewall.
Nope, those only got one port. This machine has dual xeon 5150's, 16gb ram, dual nics, and an EFI system that I understand an infinite number of times more than my R510 not booting off of a usb stick.
Besides if I wanted to run openbsd for this I would use my sparc machine lol!
Also, what if I just use void linux and have the newest patches?
Yes, do it. (I use a fairly vanilla Debian myself).
The only annoying thing is a constant stream of updates you should deal with somehow, but I find that kernel doesn’t update that often, and these days there’s this kexec thing, which means you don’t have to go through the bootloader on every reboot, and your firewall can be back running in 30s or so (initramfs+init…).
Updates of other software that don't require a reboot are less disruptive, e.g. a DNS or a DHCP server restart takes only a second or two; most stuff at home, even if it's unlucky enough to need them, will just retry and you don't notice.
Happy to share a minimal dnsmasq config and a minimal iptables rules file if you want.
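A minimal dual-NIC NAT ruleset of the kind offered above, added here as an example (it is not the poster's file and is not from the original thread); the interface names enp1s0f0/enp1s0f1 and the 192.168.1.0/24 subnet are assumed placeholders for the mac's two gigabit ports.

```conf
# Constructed example: a minimal iptables-restore file for a dual-NIC
# Linux box (or VM) acting as the home NAT router + DNS/DHCP host.
# Load with:  iptables-restore < /etc/iptables/rules.v4
# Forwarding must also be on:  sysctl -w net.ipv4.ip_forward=1
# Assumed placeholders: WAN=enp1s0f0  LAN=enp1s0f1  LAN=192.168.1.0/24

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback, plus return traffic for connections this box started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Services the router offers to the LAN side only: DNS, DHCP, SSH
-A INPUT -i enp1s0f1 -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0f1 -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
# DHCP discover arrives from 0.0.0.0, so match on ports, not source
-A INPUT -i enp1s0f1 -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i enp1s0f1 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# ICMP helps path-MTU discovery and diagnostics; rate-limit it
-A INPUT -p icmp -m limit --limit 10/second -j ACCEPT

# Everything else (including anything unsolicited on the WAN) is logged
# at a low rate and then dropped by the chain policy
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-input-drop: "

# Forwarding: LAN may go out; only replies come back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i enp1s0f1 -o enp1s0f0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "fw-forward-drop: "
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind whatever address the WAN interface gets
-A POSTROUTING -o enp1s0f0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
```

The two LOG rules are what make the default-drop policy observable: a quick look at the kernel log with those prefixes shows what the WAN side is seeing without opening anything.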