I'm thinking about installing Proxmox on my old PC (z68, i5 2500k) and possibly running pfSense in a VM on it. Considering this, I've two questions.
Security related: Some argue against running pfSense in a VM, because possible host vulnerabilities could be exploited as well. As a result the attack surface is increased. However, running a virtualised version of pfSense should be better (from a security standpoint) than NOT running pfSense at all? Or am I missing something?
Since pfSense is the entry point of my network, I'm wondering if it is possible to have other VMs on Proxmox (and possibly Proxmox itself) behind pfSense? I saw a tutorial on YouTube where the author installed pfSense in a VM (on Proxmox), where two network cards were passed-through and one of those network cards was connected to a switch. In turn, this PC was connected to the switch a second time in order to connect the host with the network. However, I think virtualising this connection should work as well, shouldn't it?
Depending on how you set up your pfSense box and the virtual machine this is a legitimate concern. If you don't segregate your NICs out and just do bridging then your host machine has direct access to the internet since it's sharing the WAN NIC with pfSense. If you do NIC isolation, or PCI Passthrough to a dedicated NIC, you can mostly negate these concerns.
I can answer number two best, maybe, by explaining my setup. I'm running ESXi but it's the same deal. I have a 2-port Intel PCI NIC doing PCI passthrough from my ESXi to my pfSense box. I have the WAN connection in one port and the LAN connection to the other. The LAN connection goes into a switch and the switch then connects into the motherboard NIC on the same ESXi host. ESXi doesn't even know the PCI NIC exists anymore, so it, and the other virtual machines it hosts, all get their LAN connection from the motherboard NIC.
Just be aware that there have been vulnerabilities in the past that allowed attackers to break out of KVM. Of course, they'd have to gain access to your pfSense box first and then exploit the host, making the attack extremely unlikely. They'd essentially have to find a zero day in both pfSense and Proxmox since the previous vuln has been patched. The more you know though :P.
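The bridging concern raised in the answer above (the host sharing the WAN NIC with pfSense) can be checked on the Proxmox host itself. The following is an added example, not code from the thread: it parses an ifupdown-style `/etc/network/interfaces` and reports any interface where the host holds an IP address on the segment that carries the WAN NIC. The NIC names (`enp1s0`, `enp2s0`), the addresses and both sample configs are constructed assumptions.

```python
# Added example: flag a hypervisor host that has an IP on the WAN-facing bridge.
ADDRESSED_METHODS = {"static", "dhcp", "auto"}  # methods that give the host an IP

def parse_stanzas(text):
    """Return a list of (iface, method, options) from ifupdown-style text."""
    stanzas, opts = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            opts = {}
            stanzas.append((words[1], words[3], opts))
        elif words[0] in ("auto", "mapping") or words[0].startswith(("allow-", "source")):
            opts = None  # a new top-level stanza ends the current iface block
        elif opts is not None:
            opts[words[0].replace("_", "-")] = words[1:]
    return stanzas

def host_on_wan(text, wan_nic):
    """Names of interfaces where the host holds an IP on the WAN segment."""
    hits = []
    for name, method, opts in parse_stanzas(text):
        touches_wan = name == wan_nic or wan_nic in opts.get("bridge-ports", [])
        has_ip = method in ADDRESSED_METHODS or "address" in opts
        if touches_wan and has_ip and name not in hits:
            hits.append(name)
    return hits

# Constructed sample: one bridge on the WAN NIC, and the host takes an IP on it.
SHARED_BRIDGE = """
auto vmbr0
iface vmbr0 inet dhcp
    bridge-ports enp1s0
"""

# Constructed sample: WAN bridge has no host IP; host management sits on the LAN bridge.
ISOLATED = """
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0
auto vmbr1
iface vmbr1 inet static
    address 192.168.1.2/24
    bridge-ports enp2s0
"""

if __name__ == "__main__":
    for label, cfg in (("shared", SHARED_BRIDGE), ("isolated", ISOLATED)):
        print(label, host_on_wan(cfg, "enp1s0") or "no host IP on WAN segment")
```

With PCI passthrough the WAN NIC does not appear in the host's configuration at all, so the check returns nothing for it.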