Hacker News

Havoc, yesterday at 10:15 PM (4 replies)

Used to run a virtualized firewall setup. And then one day discovered that somewhere along the line I had made a change (or an update changed something) that meant the Proxmox admin interface was being served publicly. That's despite confirming during initial setup that it wasn't.

So now I do not do any funky stuff with firewalls anymore. Separate appliance with OPNsense on bare metal.

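The failure Havoc describes is worth having a repeatable check for. The script below is an added example, not from the thread and not Proxmox's own tooling: it flags management services bound to a wildcard address, using the column layout of `ss -tlnpH`. The sample output is constructed, and the port list (pveproxy on 8006, sshd on 22, spiceproxy on 3128) is an assumption about a typical Proxmox node.

```shell
# Added example, not from the thread: flag management listeners bound to a
# wildcard address, using the column layout of `ss -tlnpH`. The sample
# below is constructed; on a real Proxmox host run
#   ss -tlnpH | exposed_listeners
# The port list is an assumption for a typical Proxmox node (pveproxy on
# 8006, sshd on 22, spiceproxy on 3128); adjust it to your setup.
MGMT_PORTS="8006 22 3128"

# Constructed sample in `ss -tlnpH` layout:
# State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8006 0.0.0.0:* users:(("pveproxy",pid=1234,fd=6))
LISTEN 0 4096 127.0.0.1:85 0.0.0.0:* users:(("pvedaemon",pid=1200,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=900,fd=3))
LISTEN 0 4096 192.168.10.2:3128 0.0.0.0:* users:(("spiceproxy",pid=1300,fd=6))'

# Read ss output on stdin; print "local-address process" for every
# management port bound to 0.0.0.0, [::] or *, i.e. a socket that accepts
# connections on every interface, including the one facing the ISP, and
# relies entirely on the firewall in front of it.
exposed_listeners() {
    while read -r _state _recvq _sendq laddr _peer rest; do
        port=${laddr##*:}
        addr=${laddr%:*}
        for p in $MGMT_PORTS; do
            [ "$port" = "$p" ] || continue
            if [ "$addr" = "0.0.0.0" ] || [ "$addr" = "[::]" ] || [ "$addr" = "*" ]; then
                printf '%s %s\n' "$laddr" "$rest"
            fi
        done
    done
}

# Number of exposed management listeners in the constructed sample
# (2 here: pveproxy on 0.0.0.0:8006 and sshd on [::]:22; pvedaemon on
# 127.0.0.1 and spiceproxy on a LAN address are not flagged).
count_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}
```

A wildcard bind is necessary but not sufficient for exposure: what actually decides it is the firewall or NAT in front, which is exactly the part that silently changed in Havoc's case. So treat this as the inside half of the check and pair it with the outside half, a port scan of the public address from a network you do not control (a phone hotspot or a cheap VPS), for example `nmap -p 22,8006 <public-ip>`, repeated after every update.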

Replies

ziml77, today at 3:48 AM

Dedicated appliances are the way to go for the most important parts of your setup. I've always had my router as an appliance because I don't like the idea of my network failing due to something going wrong with the server that runs a bunch of other things that are less important. I also have Home Assistant running on a dedicated machine because that's also important.

Btw, you also need to be careful with OPNsense. I was years behind on updates for mine because every time I updated I assumed that it would bring me up to date with the latest version. But OPNsense has to install the upgrades in order: after you reboot you need to check again for updates and repeat until there are no more to install.

tarruda, yesterday at 10:25 PM

I currently do something similar.

My router is a 16 GB N150 mini PC with dual NICs. The actual router OS runs in an OpenWrt VM managed by Incus (a VM/container hypervisor) that has both NICs passed through.

One of the NICs is connected to another OpenWrt wifi access point, and the other is connected to the ISP modem.

The N150 also has a wifi card that I set up as an additional AP I can connect to if something goes wrong with the virtualization setup.

Been running this for at least 6 months and it has been working pretty well.

drnick1, today at 2:35 AM

I don't bother with virtualization, and use the machine at the edge of my network as router, email server, web server, DNS server, and countless other things such as hostapd.

An x86 mini PC can run all this without breaking a sweat; using separate appliances seems very wasteful. That being said, I configure everything in DIY mode, and don't rely on GUIs or other similar things that increase the attack surface considerably.

gerdesj, yesterday at 11:00 PM

Fair enough, and I think you have done the right thing. OPNsense is pretty decent, and the clear delineation between collision domains helps avoid showing too much ankle to the internet 8)

I think your initial setup was perfectly valid. Then you diagnosed a fault and fixed it with aplomb, in a way that you could verify. The key point is: "in a way you could verify" and you failed safe. Well played.

Proxmox itself has a useful firewall implementation too, although it takes a bit of getting used to because you can set it at the cluster, host and VM levels. I personally love it because it is easier to manage than individual host based firewalls, which I also do, but I'm a masochist! For smaller systems I generally use the cluster level to keep all the rules in one place.
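Since gerdesj keeps the rules at the cluster level, here is what that looks like in practice, as an added example that is not from the thread and not Proxmox's own documentation: a cluster-level `/etc/pve/firewall/cluster.fw` that only admits the web UI (8006) and SSH from a management ipset, plus a small lint that catches the mistake from the top of the thread, an ACCEPT rule for a management port with no source restriction. The ipset name `management` and the `192.168.10.0/24` range are assumptions, and the second config is a constructed counter-example.

```shell
# Added example, not from the thread or from Proxmox: a cluster-level
# /etc/pve/firewall/cluster.fw that only admits the web UI (8006) and SSH
# from a management ipset, plus a lint that flags ACCEPT rules for those
# ports with no source restriction. The ipset name "management" and the
# 192.168.10.0/24 range are assumptions. Disabled rules (leading "|") are
# ignored, as pve-firewall ignores them.

GOOD_FW='[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET management]
192.168.10.0/24

[RULES]
IN ACCEPT -source +management -p tcp -dport 8006 # web UI
IN ACCEPT -source +management -p tcp -dport 22 # ssh
|IN ACCEPT -p tcp -dport 8006 # disabled, kept for reference
'

# Constructed counter-example: the 8006 rule lost its -source.
BAD_FW='[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -p tcp -dport 8006
IN ACCEPT -source +management -p tcp -dport 22
'

MGMT_PORTS="8006 22"

# Read a cluster.fw on stdin; print every enabled "IN ACCEPT" rule in
# [RULES] whose -dport is a management port and whose -source is missing
# or a catch-all (0.0.0.0/0 or ::/0).
unrestricted_mgmt_rules() {
    in_rules=0
    while IFS= read -r line; do
        case "$line" in
            "[RULES]") in_rules=1; continue ;;
            "["*)      in_rules=0; continue ;;   # any other section
        esac
        [ "$in_rules" -eq 1 ] || continue
        rule=${line%%#*}                          # strip trailing comment
        case "$rule" in
            "IN ACCEPT"*) ;;                      # only enabled accept rules
            *) continue ;;
        esac
        port="" src=""
        set -- $rule                              # word-split the rule
        while [ $# -gt 0 ]; do
            case "$1" in
                -dport)  port=$2 ;;
                -source) src=$2 ;;
            esac
            shift
        done
        for p in $MGMT_PORTS; do
            [ "$port" = "$p" ] || continue
            if [ -z "$src" ] || [ "$src" = "0.0.0.0/0" ] || [ "$src" = "::/0" ]; then
                printf '%s\n' "$rule"
            fi
        done
    done
}

# Print 1 if the cluster firewall is switched on in [OPTIONS], else 0.
# (It is off by default; rules in a disabled cluster.fw do nothing.)
fw_enabled() {
    if printf '%s\n' "$1" | grep -q '^enable: 1$'; then echo 1; else echo 0; fi
}

# Number of unrestricted management rules in a config passed as a string
# (0 for GOOD_FW, 1 for BAD_FW).
count_unrestricted() {
    printf '%s\n' "$1" | unrestricted_mgmt_rules | wc -l | tr -d ' '
}
```

Two practical notes. First, `/etc/pve` is the cluster file system, so a `cluster.fw` with `policy_in: DROP` takes effect on every node at once; edit it with a second SSH session open and an out-of-band console available, and read the generated rules with `pve-firewall compile` before trusting them. Second, the lint only reads the rule text; it cannot tell you whether the ipset contents are what you think they are, so the external port scan from outside your network is still the test that counts.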