| ▲ | Havoc 3 hours ago | |||||||
Used to run a virtualized firewall setup. And then one day discovered that somewhere along the lines I had made a change (or an update changed something) that meant proxmox admin interface was being served publicly. That's despite confirming during initial setup that it isn't. So now I do not do any funky stuff with firewalls anymore. Separate appliance with opnsense bare metal. | ||||||||
| ▲ | tarruda 3 hours ago | parent | next [-] | |||||||
I currently do something similar. My router is a 16GB n150 mini PC with dual NICs. The actual router OS is within openwrt VM managed by Incus (VM/Container hypervisor) that has both NICs passed through. One of the NICs is connected to another OpenWrt wifi access point, and the other is connected to the ISP modem. The n150 also has a wifi card that I setup as an additional AP I can connect to if something goes wrong with the virtualization setup. Been running this for at least 6 months and has been working pretty well. | ||||||||
| ||||||||
| ▲ | gerdesj 2 hours ago | parent | prev [-] | |||||||
Fair enough and I think you have done the right thing - opnsense is pretty decent - and the clear delineation between collision domains helps avoid showing too much ankle to the internet 8) I think your initial setup was perfectly valid. Then you diagnosed a fault and fixed it with aplomb, in a way that you could verify. The key point is: "in a way you could verify" and you failed safe. Well played. Proxmox itself has a useful firewall implementation too, although it takes a bit of getting used to because you can set it at the cluster, host and VM levels. I personally love it because it is easier to manage than individual host based firewalls, which I also do, but I'm a masochist! For smaller systems I generally use the cluster level to keep all the rules in one place. | ||||||||