# [pfSense] firewall + vm



## douglasfim (Apr 7, 2013)

I have this network structure


```
modem <------> router <----> switch <-----> servers/computers
```

I have a machine with Windows 7, running VMware with one network card. In VMware, I have Windows 2008 and another VM with pfSense doing firewall/proxy. How do I make every machine on the network pass through pfSense when accessing the internet? Will I have to configure the switch? Do I need two virtual interfaces in pfSense?

Is this a feasible network structure?


----------



## DutchDaemon (Apr 7, 2013)

Disclaimer: PC-BSD, DesktopBSD, FreeNAS, NAS4Free, m0N0WALL, *pfSense*, ArchBSD, kFreeBSD topics


----------



## douglasfim (Apr 7, 2013)

Can I edit my topic? Change pfSense to FreeBSD?

My doubt is not about pfSense, but on the redirect to the firewall.


----------



## abhay4589 (Apr 7, 2013)

Are you familiar with "network cards" in VMWare? If so, connect your pfSense box with two network interfaces:

1. Bridged
2. Host-only network

And all other virtual machines should use that host-only network only. Use NAT in pfSense to pass the traffic from other virtual machine. That is how you will be able to create an isolated virtual machine which uses pfSense as gateway.


----------



## douglasfim (Apr 7, 2013)

I only have Windows 2008 and pfSense as VMs. VMware is running on Windows 7; the other computers are physical machines. All machines, and the Windows 7 box with the VMs, are connected to a switch.


----------



## douglasfim (Apr 7, 2013)

I have a physical machine with Windows 7 connected to the switch. VMware is installed on this machine. In VMware, I have Windows 2008 and pfSense. Windows 2008 is running AD and DNS. pfSense is running firewall and proxy. All other machines are connected to the switch. These machines log in to AD on Windows 2008. How do I get all the machines to pass through the pfSense "firewall / proxy"?


----------



## abhay4589 (Apr 7, 2013)

That is exactly what I clarified in my reply. You will need two network cards for firewall VM and one for Windows 2008 server. Bridge one network interface of firewall VM so it will act as if it is on your local network. Other interface should be host-only interface.

Windows 2008 VM should have only one interface (host-only).

This is how your firewall will act as a proxy between your "clients" and the Windows 2008 server given that you set up the firewall properly. If you set it up this way all the traffic coming from your switched network will go through the firewall and then to the Windows 2008 server.

Essentially you need to configure networking in VMWare to get it working as you desire.


----------



## douglasfim (Apr 9, 2013)

I have two virtual interfaces, NAT and bridge.

em0 - WAN - interface NAT
em1 - LAN - interface bridge

How to share internet from WAN to LAN?

I cannot modify the Windows 2008, or VM it.


----------



## wblock@ (Apr 9, 2013)

This does not seem all that secure if both interfaces are really virtual ones sharing the same physical interface.  Or is this a firewall just for VM guests?


----------



## douglasfim (Apr 9, 2013)

This is a firewall temporarily for testing. SonicWALL is what I currently use. In a few months I will replace the SonicWALL with pfSense. pfSense will run on a physical machine. But for now, it will run in a VM.


----------



## abhay4589 (Apr 9, 2013)

You will have to modify interface settings in VMs to make sure that traffic that is destined to the Windows 2008 box will go through the firewall.

Try using this:

For firewall:
em0 - WAN - interface bridged OR NAT (given you configure static mappings in the firewall)
em1 - LAN - interface host-only

Windows 2008 Machine:
Interface host-only.

I know you will have to change the IP addresses of the server on all of your clients, but as you said, you want all traffic to move through the firewall.
If your Windows 2008 server has a Bridged interface, that means local LAN clients will directly talk to it rather than going through the firewall, because Bridged interfaces are treated as if they are on the local LAN itself.

NAT interface on WAN side will not let you access any INSIDE services until you configure static mappings.

Bottom line:
If you want your Server to be separated from LAN clients by the Firewall, then you will have to configure a separate Host-Only network for it.

@wblock:
Why can't two networks share the same physical interface and be considered secure at the same time?
Barring of course Host OS vulnerabilities.


----------



## douglasfim (Apr 9, 2013)

Is forced through the firewall log as soon as the AD? I wanted to leave the local network without firewall. The great goal of pfSense and use the proxy. I'll leave the proxy plus SonicWALL; SonicWALL is outsourced, I cannot touch it. Migration will be done gradually.


----------



## wblock@ (Apr 9, 2013)

abhay4589 said:

> @wblock:
> Why can't two networks share the same physical interface and be considered secure at the same time?
> Barring of course Host OS vulnerabilities.



That would be my concern exactly.  If the inside and outside are actually separate wires, it's a lot more difficult for one to eavesdrop on the other.


----------



## abhay4589 (Apr 9, 2013)

Can you elaborate, please? I am not getting it properly. By proxy, do you mean "Squid"? Or do you want your firewall to act as a proxy between the Windows server and your clients? Because in your first post you said you want to separate the Windows server from the rest of the clients.



> Windows 2008 is running AD and DNS. pfSense is running firewall and proxy. All other machines are connected to the switch. These machines do login with AD in Windows 2008. How do I get all the machines to pass through the pfSense "firewall / proxy"?



What you are stating in the post should be fairly easy; it should not take much effort if done right. If you want pfSense to act as the default gateway, then put it on a physical machine instead of in a VM and configure your clients to use it.

Regarding SonicWall you don't need to touch it as long as you have Internet access from your modem. You have all clients on the LAN so there should not be any issue there.


----------



## douglasfim (Apr 10, 2013)

I will put my network structure in more detail.

```
2x modem <------> router(sonicwall) <----> switch <-----> servers/computers
```

All machines are connected to the switch.

I have a machine with VMware. In VMware I have Windows 2008 R2 and pfSense. The pfSense has just been installed and has not been configured. My goal is to use pfSense as a proxy, but it is not permanent. I will eventually replace the SonicWALL with pfSense. And I will not need the pfSense in VMware once I have a physical machine. When the physical machine is available, it will provide DHCP, proxy and firewall. But for now, only the proxy.

The pfSense needs to be the only means of internet connection. But I cannot do NAT interfaces. I'm testing at home and at work, so once everything is working, I'll install pfSense in all branches spread out over the country.

In two months, I will not have the SonicWALL anymore. By the end of the year, I will connect all branches with VPN, also using pfSense.

I have no problem with Linux/iptables/Squid, but I want to use pfSense (FreeBSD) in this project.


----------



## abhay4589 (Apr 10, 2013)

> The pfsense needs to be the only means of internet connection.


You need to configure pfSense as default gateway for computers and servers.

You can configure your network like this:

```
2x modem <------> router(sonicwall) <----> pfsense <----> switch <-----> servers/computers
```

In your pfSense, configure the WAN interface to use SonicWall as the default gateway. Other than that I don't see how you can test pfSense. This way you don't have to touch the existing network. But from within VMware you can't do that, because your firewall needs to be the default gateway to make sure that all traffic passes through the firewall.

Why don't you create a test infrastructure consisting only of VMs rather than putting it directly on production?


----------



## douglasfim (Apr 10, 2013)

The entire network will connect through the interface em1. How do I redirect on em0? If I set the browser to the proxy IP and port, will it work?


----------



## douglasfim (Apr 10, 2013)

```
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
```

How do I convert it to pfSense?

eth0 = em0


----------
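The two-interface layout abhay4589 describes (WAN on em0, LAN on the host-only em1, NAT between them) and the iptables MASQUERADE / ip_forward pair douglasfim asks to translate both map onto one short pf ruleset. The following is an added example written for this page, not configuration from the thread or from the pfSense project. It assumes the interface names em0/em1 and the 192.168.0.0/24 LAN subnet taken from the posts; pfSense itself generates an equivalent ruleset from its web GUI (Firewall > NAT > Outbound) rather than from a hand-edited pf.conf, so this is the plain-FreeBSD form of what that GUI produces.

```pf
# /etc/pf.conf on a FreeBSD/pfSense-style gateway guest (added example, not from the thread).
# Interface names follow the thread: em0 = WAN (bridged or NAT side), em1 = LAN (host-only side).
# The LAN subnet is the one from douglasfim's iptables rule; change it to match your own.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.0.0/24"

# Loopback traffic never needs filtering.
set skip on lo0

# Equivalent of:
#   iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
# "($ext_if)" in parentheses makes pf re-read the WAN address whenever it changes (e.g. DHCP),
# which is the same effect MASQUERADE has over a fixed SNAT.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny inbound on every interface, and log what is dropped so the
# shared-NIC concern raised in the thread is at least visible in the logs.
block in log all

# Hosts on the host-only/LAN side (clients and the Windows 2008 guest) may go out
# through the firewall; the state entry also admits their return traffic on em0.
# This rule also lets them reach services on the firewall's own LAN address
# (web GUI, DNS forwarder, a proxy such as Squid), since "to any" covers it.
pass in on $int_if from $lan_net to any keep state

# Traffic leaving the WAN side (forwarded or the firewall's own) is allowed.
pass out on $ext_if keep state

# Equivalent of "echo 1 > /proc/sys/net/ipv4/ip_forward" is not a pf rule but a sysctl:
#   sysctl net.inet.ip.forwarding=1          (takes effect now)
#   gateway_enable="YES" in /etc/rc.conf     (persists across reboots)
# Load the ruleset with:  pfctl -f /etc/pf.conf
```

After loading, `pfctl -s nat` should list the single translation rule and `pfctl -s rules` the three filter rules; `pfctl -s state` then shows one entry per LAN connection with the WAN address substituted. With the WAN interface bridged onto the office switch, as in the thread, the `block in log all` line is what keeps the rest of the LAN from reaching the Windows 2008 guest directly, which is the separation abhay4589 describes.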



## kpa (Apr 10, 2013)

Why are you still asking pfSense questions here when the (very excellent imo) pfSense forums would give you much better answers much faster?


----------



## douglasfim (Apr 10, 2013)

I will continue this on the pfSense forum. Follow the link.

Thank you all.


----------

