(SOLVED) Isolating VMs in XCP-NG and Pfsense Without VLANs

Hey!

Before you go ahead and read all of this, I just want to say that this is just idle curiosity and experimentation for learning. So basically if you find someone else who actually needs urgent help, I can wait. This is far from an ideal setup, but I’m working with what I’ve got…

I have a XCP-NG box which is running a Nextcloud server, among other things. So far Nextcloud is working and accessible from outside my network. It’s got HTTPS and an A+ rating on nextcloud’s security check, so that’s all good, but on the internal side of my network I’m pretty ignorant about hardening and the ways forwarding ports 80 and 443 to the Nextcloud server puts the rest of the network at risk (if at all? Like I said - ignorant). For the moment I’ve un-forwarded the ports and shut down nextcloud until I understand all this.

I want to make sure that if something happens to the nextcloud server, the rest of the network is safe. My plan is to have a Pfsense VM on the same xcp-ng as nextcloud, have WAN and LAN connections through physical NICs serving the rest of the network like normal (which I have already tried, all working fine), but in addition have a separate LAN inside xcp-ng which is solely for the nextcloud (on a virtual interface (single server private network).

Basically I’m trying to achieve the same thing as a VLAN, but I don’t have a managed switch - only a big unmanaged one. I’m trying to do this with as little as hardware as possible. Just a broke student trying to get a grasp on something he finds interesting

Is it possible to have two isolated LANs on the same Pfsense? Would this actually be effective in stopping lateral network movement? If not, what should I do? Is any of this even necessary??

I’ve got a virtual xcp-ng interface showing up in Pfsense and configured as OPT1, with a static IPV4 of 192.168.10.1 and allow all firewall rules, but I can’t get internet access from a VM connected to it. I’ve googled and tried all day, but I just don’t know enough to get it working.

I’ve heard Tom talk about this kind of setup for his home network (I think?) but I can’t seem to find any more info about it, if he was using VLANs etc.

Even if I get this all working, I might have to buy another NIC anyway to make a direct connection to my FreeNAS server for VM storage. One of the two ethernet ports on my Dell PE R310 which I just bought on eBay isn’t working… The seller conveniently forgot to mention that. Still a bargin at £40 tho.

I’m just interested in how you guys would go about doing this in general terms. Once I know what I’m supposed to be doing I can learn about it and hopefully get it working.

Thanks in advance,
-Max

Okay for the no spend or cheap solutions I think you can still do a few things on your network and try to increase your knowledge, I’ve been doing the same thing for the last 25 years !

The obvious security improvement you can make is to setup an OpenVPN server and use that to connect to your Nextcloud. Takes a while to work out what to do but it’s knowledge worth holding.

If I’ve understood you correctly you want to set up a vlan without a switch. If so, I’ve come across a couple of things that you might want to look into, I know in vmware workstation it has a Network Editor, basically it allows you to create a “Virtual switch”, I think it might be based off another solution called Virtual Switch (could be wrong). Perhaps XCP-ng (don’t use) has something similar.

If it doesn’t, then in the VM add two NIC cards, with the second being another network, I believe you could then build something that kinda resembles a vlan. I know that works with vmware 15 years ago as I did it, things might have changed since

When you have the cash you can buy a switch off ebay and then you can see if things actually work.

Not sure how many Single-Server Private / Host Only networks you can create on XCP-NG but that should work. You could instead create a VxLAN in XCP-NG which I cover in this video.

Hey Tom,

Thanks a lot for that video - turns out I was 90% of the way there and it just joged my memory. Forgot to turn on the DHCP server for the second LAN in Pfsense.

There was no tab in the DHCP server settings for my additional interface at first (which is why I thought I was doing something wrong), but I changed the static IPV4 from /32 to /24, which solved it.

I have no idea what these numbers do or why it matters to DHCP, so that’s another thing to learn.

Thanks again!
-Max

Managed to get the OVPN sorted before doing nextcloud, and I’ve already found it incredibly useful, just thought that it would be fun to go through the process of making a secure nextcloud to learn about it and maybe offer it to a few of my friends.

I think I might go and buy a managed switch just for fun anyway and to play around with VLANs and stuff. Lots of interesting stuff about them which I can only read about for now.

Turns out I made a really stupid mistake in Pfsense and now my idea is working fine, but I’ll have to look into virtual switches as they sound mega cool.

Thanks!

The difference between /24 and /32 is literally everything. /32 is a single IP address, /24 is 254 usable addresses in the network.

Why 254 and not 256? Because you have a broadcast IP (.255) and .0 is generally not used as it is often just the descriptor of the start of the network. I should know better terms for the .0, but I can’t remember right now, need to hit the books again to remind myself.

If you want a very good break down of general networking, find some used Cisco CCNA route and switch books from the last few exams. They have a lot more detail on the basics than the most current exam. The first book is mostly what you want for this. There are also some really goods books at some of the Cisco prep. sites, books on subnetting and why we use it, as well as ipv6 guides which was made out to be a bigger thing than it actually is (does every PC really need an internet routable IP address?) This is one of the companies I like https://www.certificationkits.com/

https://www.openvswitch.org/

take a look at this, I’ve not implemented this but I maybe came across it when setting up Proxmox. Looks like the solution for a playing with a virtual switch in place of an actual one.