I am not overly happy with my current firewall setup and looking into alternatives.

I previously was somewhat OK with OPNsense running on a small APU4, but I would like to upgrade from that and OPNsense feels like it is holding me back with its convoluted web UI and (for me at least) FreeBSD strangeness.

I tried setting up IPfire, but I can’t get it to work reliably on hardware that runs OPNsense fine.

I thought about doing something custom but I don’t really trust myself sufficiently to get the firewall stuff right on first try. Also for things like DHCP and port forwarding a nice easy web GUI is convenient.

So one idea came up to run a normal Linux distro on the firewall hardware and set up OPNsense in a VM on it. That way I guess I could keep a barebones OPNsense around for convenience, but be more flexible on how to use the hardware otherwise.

Am I assuming correctly that if I bind the VM to hardware network interfaces for WAN and LAN respectively it should behave and be similarly secure to a bare metal firewall?

  • Illecors@lemmy.cafe
    7 months ago

    I’d been running OPNsense in a VM for some time. I used Xen as a hypervisor, but that shouldn’t really be a requirement. Passed the NICs through and it was golden! All the benefits of a VM - quick boot-up, snapshots on the hypervisor - it’s truly glorious :)

    • poVoq@slrpnk.netOP
      7 months ago

      Sounds great. What about hardware acceleration features of the NIC? I read somewhere that it’s better to disable the support for that in OPNsense when running it in a VM?

      • Illecors@lemmy.cafe
        7 months ago

        Dunno, worked well for me. Give it a shot and see if anything needs to be disabled.

      • umbrella@lemmy.ml
        7 months ago

        In my case the driver had a bug with power management, so I had to disable that on the hypervisor.

        Other than that everything worked well; passing the NICs through also passes all the features.

        • poVoq@slrpnk.netOP
          7 months ago

          I just saw that option. What would be the advantages and disadvantages of this?

          I guess when I pass the actual NIC device the hardware acceleration should work?

          Edit: Looks like my host system does not support this, at least that is the error I get when trying ;)

          • wildbus8979@sh.itjust.works
            7 months ago

            For one, you offload the entire processing and driver handling to the VM, so if the OS wants to do something funky, it can.
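A pre-flight check for the NIC passthrough discussed in this thread, added here as an example and not posted by anyone above. It assumes a Linux host with sysfs; the sysfs root is taken as a parameter (a hypothetical convenience so the script can run against a constructed fake tree), and the sample devices it builds are constructed, not real hardware. The point it shows is the part that usually decides whether "my host does not support this": the VM can only take a NIC cleanly if the kernel exposes IOMMU groups at all and the NIC's whole IOMMU group can be handed over with it.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for handing physical
# NICs to a firewall VM via PCI passthrough on a Linux host.
# Linux only lets a device be passed through when the IOMMU is enabled and
# every device in the same IOMMU group goes to the guest together, so the
# report lists each Ethernet-class PCI device with its group, bound driver
# and the other group members. The sysfs root is a parameter (hypothetical,
# for running against a constructed tree); on a real host pass /sys.

# 0 when the kernel exposes at least one IOMMU group under the given root.
iommu_enabled() {
    [ -d "$1/kernel/iommu_groups" ] && [ -n "$(ls -A "$1/kernel/iommu_groups")" ]
}

# Driver bound to a PCI device directory, or "none".
pci_driver() {
    if [ -L "$1/driver" ]; then basename "$(readlink "$1/driver")"; else echo none; fi
}

# IOMMU group number of a PCI device directory, or "none".
pci_iommu_group() {
    if [ -L "$1/iommu_group" ]; then basename "$(readlink "$1/iommu_group")"; else echo none; fi
}

# Comma-separated, sorted list of all devices in IOMMU group $2 under root $1.
iommu_group_members() {
    ls -A "$1/kernel/iommu_groups/$2/devices" | sort | paste -sd, -
}

# One line per Ethernet controller (PCI class 0x0200xx):
#   <addr> group=<n> driver=<name> members=<list> <alone|shared|no-iommu>
nic_passthrough_report() {
    root=$1
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        case $(cat "$dev/class") in 0x0200*) ;; *) continue ;; esac
        addr=$(basename "$dev")
        group=$(pci_iommu_group "$dev")
        if [ "$group" = none ]; then
            echo "$addr group=none driver=$(pci_driver "$dev") members=- no-iommu"
            continue
        fi
        members=$(iommu_group_members "$root" "$group")
        case $members in *,*) state=shared ;; *) state=alone ;; esac
        echo "$addr group=$group driver=$(pci_driver "$dev") members=$members $state"
    done
}

# Constructed sample host (not real hardware): one NIC alone in its group and
# already bound to vfio-pci, one NIC sharing a group with an onboard SATA
# controller, and a GPU that the report must skip.
FAKE_SYSFS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYSFS"' EXIT
mk_pci() {  # mk_pci ROOT ADDR CLASS GROUP DRIVER
    d=$1/bus/pci/devices/$2
    mkdir -p "$d" "$1/kernel/iommu_groups/$4/devices"
    echo "$3" > "$d/class"
    ln -s "../../../../kernel/iommu_groups/$4" "$d/iommu_group"
    ln -s "../../../../bus/pci/drivers/$5" "$d/driver"
    touch "$1/kernel/iommu_groups/$4/devices/$2"
}
mk_pci "$FAKE_SYSFS" 0000:01:00.0 0x020000 12 vfio-pci
mk_pci "$FAKE_SYSFS" 0000:02:00.0 0x020000 13 igb
mk_pci "$FAKE_SYSFS" 0000:02:00.1 0x010601 13 ahci
mk_pci "$FAKE_SYSFS" 0000:03:00.0 0x030000 14 i915

if iommu_enabled "$FAKE_SYSFS"; then
    nic_passthrough_report "$FAKE_SYSFS"
else
    echo "no IOMMU groups exposed: enable VT-d/AMD-Vi in firmware and check the iommu kernel parameters"
fi
```

On a real host, source the file and run `nic_passthrough_report /sys`. A `no-iommu` line means the kernel is not exposing IOMMU groups at all (VT-d/AMD-Vi off in firmware, or `intel_iommu=on` / `amd_iommu=on` missing from the kernel command line on kernels that need it), which is the error the host in this thread appears to be hitting. A `shared` line means other devices sit in the same group and either go to the VM as well or the NIC has to sit on a different slot or bridge; an `alone` line bound to `vfio-pci` is the clean case.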