Virtualized firewall under Hyper-V?
We are currently considering installing an instance of pfSense on our Hyper-V R2 based server to act as a content filter, captive portal and general firewall.
Although it is usually bad practice to virtualise a firewall / gateway... sometimes you gotta work with what you've got! :)
We've got 2 physical NICs: one facing the internet (WAN) and one facing our internal LAN.
How would one go about making sure all internet access goes through the pfSense VM?
Is there a configuration that eliminates any possibility of traffic coming in on the LAN NIC bypassing the pfSense VM?
Sorry if it's a silly question, I'm a developer by day :D
Solution 1:
What Wesley said... Plus a diagram:
            +--------------------------------------+
            |       +----------+    +---------+    |   +----+ +----+ +----+
            |       | pfSense  |    | Host OS |    |   |    | |    | |    |
            |       |          |    |         |    |   | PC | | PC | | PC |
            |       +----------+    +---------+    |   |    | |    | |    |
            |             ^  ^        ^            |   +----+ +----+ +----+
            |             |  +-----+  |            |     ^      ^      ^
            |             |        |  |            |     |      |      |
            |             V        V  V            |     V      V      V
+--------+  | +---+   +-------+ +-------+   +---+  |    +-----------------+
|Internet|<-->|WAN|<->|WAN NET| |LAN NET|<->|LAN|<----+|   LAN SWITCH    |
+--------+  | +---+   +-------+ +-------+   +---+  |    +-----------------+
            |             Hyper-V Host             |
            +--------------------------------------+
It's actually possible to use the same NIC on the Hyper-V Host for both WAN and LAN, but you'll need to set up VLANs and you'll need a switch that supports them. It gets messy quickly and NICs are fairly cheap. A note on NIC chips: get a good one, like Intel, Broadcom, etc. Stay away from Realtek, Marvell, and most of the on-board chips on cheaper and DIY motherboards. They're nothing but trouble for virtualized environments.
Also, keep in mind that Hyper-V is a bare-metal hypervisor. It is NOT a service that runs in Windows. What used to be the Windows installation on the machine becomes a special VM. This will not appear to be the case for simplicity and usability reasons, but it comes into play when you do things like set up Hyper-V networking.
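The two-switch layout in the diagram, as an added example that is not part of the answer above: it uses the Hyper-V PowerShell module (Windows Server 2012 and later; on Hyper-V R2 the same settings are made by hand in Hyper-V Manager), and the adapter names, switch names and VM name are assumptions. The check at the end is the one a practitioner would want for the "can anything bypass pfSense?" question: nothing but the firewall VM may be attached to the WAN switch.

```powershell
# Added example, not the answer's own script. Names below are assumptions.
$WanNic = 'Ethernet 1'   # physical NIC facing the Internet
$LanNic = 'Ethernet 2'   # physical NIC facing the internal LAN
$VmName = 'pfSense'

# External switch bound to the WAN NIC. AllowManagementOS $false means the host
# OS gets no vNIC on it, so the host itself cannot reach the Internet except
# by going through the firewall VM like every other LAN client.
New-VMSwitch -Name 'WAN' -NetAdapterName $WanNic -AllowManagementOS $false

# External switch bound to the LAN NIC. The host's management vNIC lives here;
# point its default gateway at the pfSense LAN address afterwards.
New-VMSwitch -Name 'LAN' -NetAdapterName $LanNic -AllowManagementOS $true

# One adapter per switch for the firewall VM (pfSense assigns them WAN/LAN).
Add-VMNetworkAdapter -VMName $VmName -Name 'WAN' -SwitchName 'WAN'
Add-VMNetworkAdapter -VMName $VmName -Name 'LAN' -SwitchName 'LAN'

# Verification: anything other than the firewall VM on the WAN switch is a
# path around the firewall. Returns $true when the WAN switch is clean.
function Test-WanIsolation {
    param([string]$FirewallVm = 'pfSense', [string]$WanSwitch = 'WAN')
    $problems = @()
    # A host (management OS) vNIC on the WAN switch bypasses pfSense.
    Get-VMNetworkAdapter -ManagementOS |
        Where-Object SwitchName -eq $WanSwitch |
        ForEach-Object { $problems += "host vNIC '$($_.Name)' is on $WanSwitch" }
    # Any other VM on the WAN switch bypasses pfSense too.
    Get-VMNetworkAdapter -VMName * |
        Where-Object { $_.SwitchName -eq $WanSwitch -and $_.VMName -ne $FirewallVm } |
        ForEach-Object { $problems += "VM '$($_.VMName)' is on $WanSwitch" }
    if ($problems) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $false
    }
    Write-Host "Only $FirewallVm is attached to switch $WanSwitch"
    return $true
}

Test-WanIsolation -FirewallVm $VmName -WanSwitch 'WAN'
```

Re-run Test-WanIsolation after any VM or switch change; it only covers the Hyper-V side, so the physical cabling point made in the other answer still applies.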
Solution 2:
Simply setting all PCs, switches, routers, and other network infrastructure to use the pfSense virtual machine as their default gateway will make all traffic flow through the content filter.
Certainly, someone could yank network cables out of the server and plug their PC straight into your WAN. You could set some kind of MAC filtering or 802.1x authentication to enact port level security. Of course, someone could just wire around that as well. The point being: There comes a time when you are merely relying on "I've got the passwords and the keys to the server room and you don't."
Simply setting up your gateway as the default gateway / router and not having any other routing options on the network prevents all outlets with the exception of someone storming your server closet and frobbing with cables.