this post was submitted on 28 Mar 2024
22 points (92.3% liked)

Selfhosted

40183 readers
1000 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I am not overly happy with my current firewall setup and looking into alternatives.

I previously was somewhat OK with OPNsense running on a small APU4, but I would like to upgrade from that and OPNsense feels like it is holding me back with it's convoluted web-ui and (for me at least) FreeBSD strangeness.

I tried setting up IPfire, but I can't get it to work reliably on hardware that runs OPNsense fine.

I thought about doing something custom but I don't really trust myself sufficiently to get the firewall stuff right on first try. Also for things like DHCP and port forwarding a nice easy web GUI is convenient.

So one idea came up to run a normal Linux distro on the firewall hardware and set up OPNsense in a VM on it. That way I guess I could keep a barebones OPNsense around for convenience, but be more flexible on how to use the hardware otherwise.

Am I assuming correctly that if I bind the VM to hardware network interfaces for WAN and LAN respectively it should behave and be similarly secure to a bare metal firewall?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 7 months ago (3 children)

So you're planning to reuse the same hardware that the firewall is running on now, by installing a hypervisor and then only running opnsense in that?

[–] [email protected] 2 points 7 months ago (2 children)

It is more powerful hardware with much higher single thread performance which should help with OPNsense networking; Ultimately to allow more than 1gbit WAN input which my current firewall hardware is incapable off, although that is still in the future.

But I feel like I could utilize this hardware better if it was running something other than OPNsense, thus the idea to make it run it in a VM.

[–] [email protected] 2 points 7 months ago (1 children)

Ah ok. I've done opnsense and pfsense both virtualized in proxmox and on bare metal. I've done the setup both at two work places now and at home. I vastly prefer bare metal. Managing it in a VM is a pain. The nic pass through is fine, but it complicates configuration and troubleshooting. If you're not getting the speeds you want then there's now two systems to troubleshoot instead of one. Additionally, now you need to worry about keeping your hypervisor up and running in addition to the firewall. This makes updates and other maintance more difficult. Hypervisors do provide snapshots, but opnsense is easy enough to back up that it's not really a compelling argument.

My two cents is get the right equipment for the firewall and run bare metal. Having more CPU is great if you want to do intrusion detection, DNS filtering, vpns, etc. on the firewall. Don't feel like you need to hypervisor everything

[–] [email protected] 3 points 7 months ago

Yeah, I did do a test-setup with OPNsense in a VM today and it mostly works. But I see where you are coming from and usually I also prefer setups that are easier to maintain and with less footguns. I guess I'll sleep over it first.