Pfsense with IDS/IPS working as HVM.


Black Consult

Jan 13, 2016, 2:39:29 AM
to qubes...@googlegroups.com
Hi All,

For the last couple of days I have been working to get PfSense installed as
an HVM inside QubesOS, and it works for me. I think it's a good firewall,
with extra options to install IDS/IPS and PfBlocker and/or Squid with
ClamAV to give better protection.

I tried several things before it actually worked.

My current setup is as follows (IPs are fictional ;-)

PfSense with NetVM sys-net; this creates an interface xn0 inside PfSense,
which becomes the WAN side of PfSense.

Add xn1 inside PfSense for the LAN side with the Xen xl command from dom0:

bc@dom0 $ xl network-attach pfsense script=/etc/xen/scripts/vif-route-qubes ip=10.137.33.18 backend=lubuntu

Configure and install PfSense the normal way.

Installed another HVM with lubuntu as a thin Linux client to surf the web:

bc@dom0 $ xl network-attach lubuntu script=/etc/xen/scripts/vif-route-qubes ip=10.137.33.19 backend=pfsense

This connects the 10.137.33.0 network, and it should work.

To install extra add-ons for PfSense, see the package menu in the
web frontend.

I tried to use the Qubes Fedora-23 as backend, but somehow this
doesn't work, so I tried a thin Linux client as HVM. First I tried
Slacko, but this also didn't work; it didn't give back the vif interface
from Xen. Eventually I got it working with lubuntu.

My question is how do I automate things, because I got it working
manually. It would be cool to get PfSense as a template or NetVM, or
just like the Whonix ws/gw with a single click in the web browser to
start things up, for example.

Hope this is helpful...

--
Greetings,
Rudy



Outback Dingo

Jan 13, 2016, 1:39:49 PM
to Black Consult, qubes...@googlegroups.com
Okay, so I'm curious, are you saying you replaced the firewallvm with a BSD-based pfsense VM which routes all VM traffic out to the netvm?
First, curious why pfsense and not OPNSense, however that's just preference on my part.
Second, are all your VMs not routing through this pfsense firewallvm?

I would be curious how, when you start a VM, it autostarts both the net and firewallvm; is it the case that this VM is being started in the same way?

I think a better write-up of the configuration could be helpful. I've got a Skylake laptop; I considered the Vyatta route, however if I can use OPNSense I'd rather do that.

Great work... it would be nice if you could help assist others get there with a short write-up.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/5695FF29.6010208%40blackconsult.nl.

Black Consult

Jan 13, 2016, 3:27:04 PM
to qubes...@googlegroups.com

Subject: Re: [qubes-devel] Pfsense with IDS/IPS working as HVM.
Date: Wed, 13 Jan 2016 21:19:43 +0100
From: Black Consult <in...@blackconsult.nl>
To: Outback Dingo <outbac...@gmail.com>
Yes, I can run without the default firewallvm (sys-firewall), but I need
sys-net as backend to connect the WAN side of PfSense as the outgoing
gateway (sys-net actually handles the real ethernet connection, if
I'm not wrong, and has the 137.10.1.1 gw).

But it does NOT route all traffic, because I chose another network for the
LAN side of PfSense and not the standard 137.10.2.*, so the Fedora VMs
can't connect to pfsense yet.

Because at first I somehow didn't get the Fedora-23 templates working to
connect to pfsense, I chose lubuntu as an HVM as a PoC to get a running
pfsense. That was the main goal.

I am looking for other options. I guess I'd better stick with Fedora and
try again, or try another setup, or make a clone. Comments are
welcome.

For me it was a PoC to see if pfsense would run inside Qubes. The
default firewall from Qubes was not satisfying for me.

> First curious why pfsense and not OPNSense, however thats just
> preference on my part.
Hmmmm, I noticed changes in PfSense a while ago, but was not aware of
this fork and the rest of it as mentioned on the OPNSense site.
I am looking into it.

> Second, are all your vms not routing through this pfsense firewallvm ?
No, not yet. That would be cool. Maybe the Qubes devs would like this too...?
It could add a very strong firewallvm to Qubes for daily use. But that's
up to the Qubes dev people.


>
> I would be curious how, when you start a VM, it autostarts both the net
> and firewallvm; is it the case that this VM is being started in the same
> way?
No, I do everything by hand. In my situation with two HVMs, the pfsense
and the lubuntu HVMs must be running before you can run the Xen xl
commands to add the interfaces. Because the IP addresses are static and
configured inside pfsense and lubuntu, you only have to give the two xl
commands from dom0 and then everything should work.


>
> I think a better write-up of the configuration could be helpful.
> I've got a Skylake laptop; I considered the Vyatta route, however if I
> can use OPNSense I'd rather do that.
>
> Great work... it would be nice if you could help assist others get there with a
> short write-up.
>

Setup

  sys-net     <--->  xn0 (WAN)    PfSense HVM    xn1 (LAN)   <-->  vif    lubuntu HVM
  10.137.1.1  <--->  10.137.1.7                  10.137.4.5  <-->  10.137.4.6 (gw 10.137.4.5)

- xn0 is the interface added by the netvm as set in the Qubes manager and is
standard.

- xn1 is added to pfsense with the xl command from dom0 as described.
- vif4.1 is also added with the xl command. (Both VMs must be running.)
- Ping and DNS lookups were good from lubuntu, but I needed Squid for
HTTP traffic. Maybe NAT in PfSense is not working properly; I have to
figure out why it didn't work.

Some minor issues: sometimes pfsense times out on pci0 and the parallel
bus when booting, so it sometimes boots slowly, but I discovered that when
I do a clean boot of my laptop, it boots smoothly.

It needs improvement ;-)

Hope this helps...

--
Greetings,
Rudy
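The two manual `xl network-attach` commands from the first post, plus the rule stated in this post that both HVMs must already be running before the xl commands are issued, written up as a dom0 shell script. This is an added example, not Rudy's script and not code from the Qubes or pfSense projects. The VM names (pfsense, lubuntu), the 10.137.33.0/24 addresses, the vif-route-qubes script path and the backend assignments are copied from the first post and are assumptions; so is `xl` being on PATH in dom0. It automates only the two attach steps; it does not make pfSense a Qubes NetVM.

```shell
#!/bin/sh
# dom0 helper for the two manual `xl network-attach` steps (added example).
# Usage: sh attach-pfsense-lan.sh          -> dry run, only print the commands
#        sh attach-pfsense-lan.sh apply    -> check both HVMs run, then attach
# Assumed (taken from the post, not verified here): VM names pfsense and
# lubuntu, the 10.137.33.0/24 addresses, the vif-route-qubes script path,
# and that `xl` is on PATH in dom0.
set -eu

VIF_SCRIPT=/etc/xen/scripts/vif-route-qubes

# One entry per vif, as frontend:backend:ip. These are exactly the two
# attachments from the post; extend this list for more client HVMs.
ATTACHMENTS='pfsense:lubuntu:10.137.33.18 lubuntu:pfsense:10.137.33.19'

# attach_cmd FRONTEND BACKEND IP: print the xl command line for one vif.
attach_cmd() {
  printf 'xl network-attach %s script=%s ip=%s backend=%s\n' \
    "$1" "$VIF_SCRIPT" "$3" "$2"
}

# same_subnet24 IP1 IP2: succeed when both share the first three octets.
same_subnet24() {
  [ "${1%.*}" = "${2%.*}" ]
}

# vm_running NAME LISTING: NAME is a running (r) or blocked (b) domain in
# `xl list` output (columns: Name ID Mem VCPUs State Time). A shut-down
# HVM is simply absent; a paused one shows 'p' and is rejected as well.
vm_running() {
  printf '%s\n' "$2" |
    awk -v n="$1" '$1 == n && $5 ~ /[rb]/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

# preflight LISTING: every frontend and backend must already be up, since
# a vif cannot be created while its backend domain does not exist.
preflight() {
  rc=0
  for entry in $ATTACHMENTS; do
    fe=${entry%%:*}; rest=${entry#*:}; be=${rest%%:*}
    for vm in "$fe" "$be"; do
      if ! vm_running "$vm" "$1"; then
        echo "preflight: $vm is not running; start it first" >&2
        rc=1
      fi
    done
  done
  return $rc
}

# plan: emit one command per attachment. Every address must sit on the
# same /24 as the first one, otherwise the LAN side never forms a network.
plan() {
  ref=''
  for entry in $ATTACHMENTS; do
    fe=${entry%%:*}; rest=${entry#*:}; be=${rest%%:*}; ip=${rest#*:}
    [ -n "$ref" ] || ref=$ip
    same_subnet24 "$ref" "$ip" ||
      { echo "plan: $ip is not on the same /24 as $ref" >&2; return 1; }
    attach_cmd "$fe" "$be" "$ip"
  done
}

main() {
  case ${1:-dry-run} in
    dry-run) plan ;;
    apply)
      listing=$(xl list)      # aborts under set -e if xl is unavailable
      preflight "$listing"
      plan | sh -e ;;         # run the attach commands in the listed order
    *) echo "usage: $0 [dry-run|apply]" >&2; return 2 ;;
  esac
}

main "$@"
```

Running it with no argument prints the two command lines so they can be eyeballed against the post; `apply` refuses to touch Xen unless both domains show up as running or blocked in `xl list`, which is the failure Rudy describes when the commands are issued before the HVMs are up. Because the addresses are static inside pfSense and lubuntu, nothing else has to change between reboots.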



Black Consult

Jan 13, 2016, 5:08:33 PM
to qubes...@googlegroups.com
On 01/13/2016 09:26 PM, Black Consult wrote:


>
> Setup
>
> sys-net <---> xn0 Pfsense HVM xn1 <--> vif lubuntu HVM
> 10.137.1.1 <---> WAN 10.137.1.7 (Pf) 10.137.4.5 LAN <--> lubuntu
> 10.137.4.6
> gw 10.137.4.5
>

To stick more to the Qubes implementation, I did some thinking and I
guess I can get it working with the 10.137.2.x network, as I can somehow
set or choose the 'pfsense' HVM as backend from the Qubes VM manager for
various VMs. Is there a quick way to achieve this, and how do I do that?

I still have to add a second interface in pfsense (with xl) and it needs
a backend, which you can see as the clients. This is variable, or can be
multiple, and depends on the VMs you're running. The IP should be a
default gateway option in Qubes or something like that.

Any advice is welcome, as I am not yet familiar with the internals of
Qubes. It must be possible, I guess.

--
Greetings,
Rudy