June 2014 Hang Out
Firewalls and Virtualization
Chris Buechler
Project News
● Training registration now open
○ August 1-2
○ September 5-6
○ In-person, in Austin, Texas
○ https://www.pfsense.org/university/
● 2.1.4 release available
○ Release notes at blog.pfsense.org
Virtualization Overview
● Means of running multiple OSes on a single piece of hardware
● Types 1 and 2, 0? 1.5?
● Desktop class
● Server class
Virtualization Usage Scenarios
● Production systems
● Testing and development environments
● Fun but ugly hacks
Virtualization Security
● Are virtual firewalls secure?
○ it depends
● Hypervisor vulnerabilities
○ Guest to host
○ Guest to guest
● More subject to human error
Virtual Networking - Desktop
● Bridged
● NAT
● Host-only
● Internal
Virtual Networking - Bridged
● Put VM on the same broadcast domain as a physical NIC
● Caveats with wireless
● Be careful!
○ More damage potential than other options
○ Rogue DHCP servers
○ IP conflicts
○ CARP VHID conflicts
○ Layer 2 loops
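Two of the bridged-mode hazards above (a rogue DHCP server, a duplicate CARP VHID) are easy to spot in a capture taken on the physical segment. The following is an added example, not code from the hangout or the pfSense project: it scans constructed tcpdump-style lines and assumes a known-server list and addresses that are placeholders.

```python
import re
from collections import defaultdict

# DHCP servers that are supposed to answer on this segment (assumed value,
# constructed for this example; substitute your own server addresses).
KNOWN_DHCP_SERVERS = {"192.168.1.1"}

# Patterns for tcpdump output without -e (timestamp, then "IP src > dst: ...").
DHCP_REPLY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.67 > \S+\.68: BOOTP/DHCP, Reply")
CARP_ADV_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3}) > 224\.0\.0\.18: CARPv2-advertise .*?vhid=(?P<vhid>\d+)")

def rogue_dhcp_servers(lines, known=KNOWN_DHCP_SERVERS):
    """Return source addresses that sent DHCP server replies but are not on the known list."""
    rogue = set()
    for line in lines:
        m = DHCP_REPLY_RE.search(line)
        if m and m.group("src") not in known:
            rogue.add(m.group("src"))
    return rogue

def carp_vhid_conflicts(lines):
    """Return {vhid: {source IPs}} for VHIDs advertised by more than one node.

    Only the MASTER advertises a VHID, so two distinct sources for one VHID
    normally mean a duplicate VHID (e.g. a bridged test VM colliding with the
    production cluster). A brief overlap during failover is the benign exception.
    """
    seen = defaultdict(set)
    for line in lines:
        m = CARP_ADV_RE.search(line)
        if m:
            seen[int(m.group("vhid"))].add(m.group("src"))
    return {vhid: srcs for vhid, srcs in seen.items() if len(srcs) > 1}

# Constructed sample capture: one legitimate and one unexpected DHCP server,
# VHID 1 advertised by two nodes, VHID 5 advertised by a single node.
SAMPLE_CAPTURE = """\
12:00:00.100000 IP 192.168.1.1.67 > 192.168.1.50.68: BOOTP/DHCP, Reply, length 300
12:00:00.200000 IP 192.168.1.77.67 > 192.168.1.51.68: BOOTP/DHCP, Reply, length 300
12:00:01.000000 IP 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0
12:00:01.050000 IP 192.168.1.200 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100
12:00:02.000000 IP 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0
12:00:02.000000 IP 192.168.1.3 > 224.0.0.18: CARPv2-advertise 36: vhid=5 advbase=1 advskew=0
""".splitlines()

if __name__ == "__main__":
    print("rogue DHCP servers:", rogue_dhcp_servers(SAMPLE_CAPTURE))
    print("CARP VHID conflicts:", carp_vhid_conflicts(SAMPLE_CAPTURE))
```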
Virtual Networking - NAT
● Share host’s IP(s)
○ including (some) VPNs
● Easiest to deal with at times
● Separate broadcast domain safer
● NAT router inside hypervisor
● Complications reaching VM from physical network
Virtual Networking - Host-only
● Allow connectivity to host
● No outside connectivity
○ provided by hypervisor at least
Virtual Networking - Internal
● No connectivity to host
○ on that vswitch at least
VirtualBox Networking
demo
VMware Workstation Networking
demo
Parallels and VMware Fusion
● Same basic capabilities as the others
○ Bridged
○ NAT (“Shared”)
○ Host-only
Host OS Network Configuration
demo
Virtual Networking - Server
● Concepts
● VLAN handling
● NIC PCI passthrough
Virtual Networking - ESX
● vSwitches
○ None, one or more associated physical NICs
○ Port groups within vSwitches
■ optionally with VLAN ID
■ Can pass all tagged VLANs
demo
Virtual Networking - Hyper-V
● Three types
○ External - bridged to physical NIC
○ Internal - bridged to virtual NIC on host (“host-only”)
○ Private - VM-only, no host connection
demo
Virtualizing Production Firewalls
● Can be great fit
○ but not always
● Need a firewall to manage the virtualization environment? Keep at least 1 physical firewall!
● Typical basic architecture
Performance Considerations
● Some overhead vs. bare metal
○ many times doesn’t matter
○ could be faster (vs. bare metal on slower hardware)
Performance Considerations - HA
● Promiscuous mode often required for anything using virtual MACs
○ CARP, VRRP, HSRP
○ One MAC, or all the MACs
● With high traffic, can flood firewall NIC
Test and Development Environments
High Availability Considerations
● Hypervisor-level HA not a replacement for pfSense HA
Virtual Hacks
● In a bind? Need a quick temporary fix?
Questions?
Feedback, comments, suggestions welcome to gold@pfsense.org

Firewalls and Virtualization - pfSense Hangout June 2014