
    VM firewall for the rest of the VMs? (Xenserver host)

    • 1
      1337
      last edited by 1337

      What is the best way to set up a VM firewall controlling the traffic in and out of the box for the rest of the VMs?
      It's a Xenserver (xcp-ng) host.

      Or would it be better to put firewall rules on the host itself?

      PS. For the firewall VM I'm thinking pfSense (FreeBSD) or VyOS (Debian)? Are there others I should consider?

      • black3dynamiteB
        black3dynamite
        last edited by

        I've only used pfSense/OPNsense. I've only used VyOS as a DHCP server, but that will work too.

        • black3dynamiteB
          black3dynamite
          last edited by black3dynamite

          You will need to create a private network on XCP-ng for your VMs.
          If I was to set up pfSense as a firewall VM, I would have the WAN using the external vSwitch and LAN using the private vSwitch. All the other VMs will use the private vSwitch.

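A check for the layout described in the post above, as an added example (not code from the thread): it parses VIF records and reports any VM other than the firewall that is attached to a network besides the private one. The VM and network names are hypothetical, and the input format is assumed to match `xe vif-list params=vm-name-label,network-name-label` on XCP-ng.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the output of
#   xe vif-list params=vm-name-label,network-name-label
# VM and network names are hypothetical.
SAMPLE = """\
vm-name-label ( RO)         : fw-vyos
    network-name-label ( RO): external

vm-name-label ( RO)         : fw-vyos
    network-name-label ( RO): private-lan

vm-name-label ( RO)         : web01
    network-name-label ( RO): private-lan

vm-name-label ( RO)         : test02
    network-name-label ( RO): external
"""

FIELD = re.compile(r"^\s*([\w-]+)\s*\(\s*\w+\s*\)\s*:\s*(.*?)\s*$")

def parse_vifs(text):
    """Return {vm name: set of network names} from xe-style records."""
    vms = defaultdict(set)
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if "vm-name-label" in rec and "network-name-label" in rec:
            vms[rec["vm-name-label"]].add(rec["network-name-label"])
    return dict(vms)

def audit(vms, firewall_vm, wan_net, lan_net):
    """List every way the layout lets traffic skip the firewall VM."""
    findings = []
    fw_nets = vms.get(firewall_vm, set())
    for net in (wan_net, lan_net):
        if net not in fw_nets:
            findings.append(f"{firewall_vm}: no VIF on {net}")
    for vm, nets in sorted(vms.items()):
        if vm == firewall_vm:
            continue
        for net in sorted(nets - {lan_net}):
            findings.append(f"{vm}: VIF on {net} bypasses {firewall_vm}")
    return findings

if __name__ == "__main__":
    for line in audit(parse_vifs(SAMPLE), "fw-vyos", "external", "private-lan"):
        print(line)
```

An empty result means only the firewall VM touches the external network; any finding is a path that never crosses the firewall rules.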
          • travisdh1T
            travisdh1 @black3dynamite
            last edited by

            @black3dynamite said in VM firewall for the rest of the VMs? (Xenserver host):

            I've only used pfSense/OPNsense. I've only used VyOS as a DHCP server, but that will work too.

            VyOS can do DHCP, but why, when you'll have a more appropriate way to handle that through one of the servers on the back end?

            • JaredBuschJ
              JaredBusch @travisdh1
              last edited by

              @travisdh1 said in VM firewall for the rest of the VMs? (Xenserver host):

              @black3dynamite said in VM firewall for the rest of the VMs? (Xenserver host):

              I've only used pfSense/OPNsense. I've only used VyOS as a DHCP server, but that will work too.

              VyOS can do DHCP, but why, when you'll have a more appropriate way to handle that through one of the servers on the back end?

              This makes no sense. Yes, you can do a lot with backend servers, but DHCP/DNS is so basic, let the router do it.

              I do not set up a DHCP and DNS box at every SMB client? Fuck that.

              They have an ERL or ER4 and DHCP/DNS runs from there.

              • JaredBuschJ
                JaredBusch @1337
                last edited by

                @pete-s said in VM firewall for the rest of the VMs? (Xenserver host):

                What is the best way to set up a VM firewall controlling the traffic in and out of the box for the rest of the VMs?
                It's a Xenserver (xcp-ng) host.

                Or would it be better to put firewall rules on the host itself?

                PS. For the firewall VM I'm thinking pfSense (FreeBSD) or VyOS (Debian)? Are there others I should consider?

                The best answer here depends on WTF you are doing with this host.

                The host itself should already be behind something.

                You can review a thread from @coliver maybe? about his server he dropped in a 1U colo and had no way to put anything in front of his host. He has the router running on the host handling all the traffic. Even circling back to the host for remote access via something behind the firewall.

                • JaredBuschJ
                  JaredBusch @1337
                  last edited by

                  @pete-s said in VM firewall for the rest of the VMs? (Xenserver host):

                  PS. For the firewall VM I'm thinking pfSense (FreeBSD) or VyOS (Debian)? Are there others I should consider?

                  VyOS is a solid solution, less known than pfSense in general, but VyOS is forked from the same original source as Ubiquiti's EdgeOS.

                  • stacksofplatesS
                    stacksofplates @JaredBusch
                    last edited by

                    @jaredbusch said in VM firewall for the rest of the VMs? (Xenserver host):

                    @travisdh1 said in VM firewall for the rest of the VMs? (Xenserver host):

                    @black3dynamite said in VM firewall for the rest of the VMs? (Xenserver host):

                    I've only used pfSense/OPNsense. I've only used VyOS as a DHCP server, but that will work too.

                    VyOS can do DHCP, but why, when you'll have a more appropriate way to handle that through one of the servers on the back end?

                    This makes no sense. Yes, you can do a lot with backend servers, but DHCP/DNS is so basic, let the router do it.

                    I do not set up a DHCP and DNS box at every SMB client? Fuck that.

                    They have an ERL or ER4 and DHCP/DNS runs from there.

                    Yeah the only time I do it is when it's under config management and it's mostly for reservations. If you just want a DHCP pool it's just more to manage.

                    • scottalanmillerS
                      scottalanmiller
                      last edited by

                      Is this a hosted machine in a datacenter so that you can't have a normal firewall?

                      • 1
                        1337 @scottalanmiller
                        last edited by

                        @scottalanmiller said in VM firewall for the rest of the VMs? (Xenserver host):

                        Is this a hosted machine in a datacenter so that you can't have a normal firewall?

                        Yes.

                        • EddieJenningsE
                          EddieJennings @JaredBusch
                          last edited by

                          @jaredbusch said in VM firewall for the rest of the VMs? (Xenserver host):

                          @pete-s said in VM firewall for the rest of the VMs? (Xenserver host):

                          PS. For the firewall VM I'm thinking pfSense (FreeBSD) or VyOS (Debian)? Are there others I should consider?

                          VyOS is a solid solution, less known than pfSense in general, but VyOS is forked from the same original source as Ubiquiti's EdgeOS.

                          VyOS is working fine for my colo server. +1

                          • scottalanmillerS
                            scottalanmiller @1337
                            last edited by

                            @pete-s said in VM firewall for the rest of the VMs? (Xenserver host):

                            @scottalanmiller said in VM firewall for the rest of the VMs? (Xenserver host):

                            Is this a hosted machine in a datacenter so that you can't have a normal firewall?

                            Yes.

                            Ugh, that's a pain. Then VyOS is my choice, too.

                            • JaredBuschJ
                              JaredBusch @EddieJennings
                              last edited by

                              @eddiejennings said in VM firewall for the rest of the VMs? (Xenserver host):

                              @jaredbusch said in VM firewall for the rest of the VMs? (Xenserver host):

                              @pete-s said in VM firewall for the rest of the VMs? (Xenserver host):

                              PS. For the firewall VM I'm thinking pfSense (FreeBSD) or VyOS (Debian)? Are there others I should consider?

                              VyOS is a solid solution, less known than pfSense in general, but VyOS is forked from the same original source as Ubiquiti's EdgeOS.

                              VyOS is working fine for my colo server. +1

                              Ah so, @EddieJennings not @coliver, but I knew we had conversations about this.
