Dangers of virtualisation of home firewall?

Cottmain · April 24, 2022, 11:38pm

Dangers of virtualisation of home firewall?
For a home user who is considering running pfsense or opensense … are the benefits of virtualisation (eg backup and saving of settings before upgrade) worthwhile or does the virtualisation itself expose the system to the outside world and become too much of a risk?
What if any virtualisation system might minimise those exposure risks?

brwainer · April 25, 2022, 12:34am

The virtualization system shouldn’t have a public IP, if it does you’re doing it wrong. You should have at least one interface that is connected only to the router/firewall VM (whether it is passed through to the VM, or the VM is the only thing on the virtual switch/bridge for that interface), and that interface is what connects to the ISP. At this point, since the router/firewall is the only device with a public IP, the security is identical to if you had a physical router/firewall appliance.

Most often the only downside to your router being virtualized is that you are now relying on that virtualization system, both hardware and software, to be reliable. Any issue with it, and your router is offline, which also makes it harder to search the internet for help getting it back up.

FredFerrell · April 25, 2022, 3:20am

@brwainer brings up valid points about the downsides of virtualizing, but I did want to mention that one of the positives is if you get a snapshot of the the pfsense image prior to an update, if it blows up all you have to do is a snapshot restore. If it was physical hardware, the recovery process is much more work.

YeOldeStonecat · April 27, 2022, 1:53pm

There have been exploits to the virtualization host OS…that can hop across the virtual NICs.
The fact that you have a WAN facing ETH interface, gives the virtualization system exposure to the red zone (internet).

Additionally some firewalls (such as Untangle)…are layer 7 firewalls, meaning they REALLY need to access the NIC for their gauntlet of UTM apps. Untangle runs like arse on cheap hardware, like realsuk or broadlesscom NICs. Runs like a champ on the better Intel NICs with better hardware control. Running on “virtual NICs”…does anyone remember the old “dial up days” of computers? Remember the differences of good external hardware modems, like Diamond Ultra, or the US Robotics 5685 or Courier modems…versus “WinModems”? Yeah, if performance was of concern…such as online gaming, one avoided “winmodems”.

daninmanchester · April 28, 2022, 8:21am

It’s fine as long as you only expose a pfSense WAN port (and no management interfaces etc). I use XCP-NG and the snapshot capability has got me out of problems a number of times which could have been resolved with backups etc. but snapshots make life much easier.

PCI passthrough is certainly something to consider. I have a 4 port Intel card so I can assign various ports within XCP-NG and it also supports PCI passthrough which I have found to be more reliable and if you dedicate a port for WAN you are much less likely to accidentally expose something.

The nice thing about having a dedicated unit is that if you need to do any server maintenance (or “play around”) you dont have to worry about the fall out of the internet being off within the household. Also if you screw up your networks within your virtualization environment or on pfSense when they are one in the same can create some headaches. Keep a dedicated management port.

If you want to try multiple firewalls and maybe switch between the two, virtualization is certainly your friend … but even then, a dedicated box to keep your household online while you “mess around” might save a lot of arguments!