Junos 12.3R12.4 Security - PfSense VM on Cable-Modem vlan?

RichMD

New Member
Mar 10, 2021
Hello,
I bought a couple of Juniper EX2200-C switches and I am wondering how secure it would be if I had one of them configured as follows:
1) An "Internet" vlan
1a Port) My cable-modem connected to one port (ge-0/0/0) with an IP on that port so the NIC is the client according to my ISP,
1b Port) The WAN interface of a pfSense VM (Proxmox most likely)
1c Port) A honeypot possibly with Snort or something (just curious what I would see)
2) A "Router" vlan
2a Port) The LAN interface of the pfSense VM (Proxmox)
2b Port) The WAN interface of my Asus RT-AC86U - Potentially shutting off the firewall to see if I can increase throughput to get closer to full 1Gb internet
2c Port) Occasional connection to verify if internet issues - bypass the Asus and pass only through the pfSense VM
3) Other vlans that would only be accessible by routing through the Asus and static routes to the vlan interface IPs on the EX2200-C

I'm not sure if exposing the EX2200-C to "the wild internet" could allow a hack to breach Junos and then bypass the pfSense VM firewall, etc. and then hack the Asus so my whole home network would be exposed.

I also have considered just using a "dumb" Netgear 4-port switch to connect the cable modem and pfSense WAN interface so everything else is "air gapped" and they would have to hack the pfSense VM via the WAN interface. If the hack is that good, I'm not going to stop it anyway. Would the air gap be SIGNIFICANTLY more secure? I can configure the EX2200-C port security to the extent possible but I don't know if that would still be easy enough that automated scans/hacks might identify it as a weak point, etc.

Sorry for the long post and thanks in advance for any input.

RichMD

ArmedAviator

Member
May 16, 2020
I'm unwaveringly confident there are tens of thousands of JunOS switches connected to the internet in all sorts of fashions, including as edge switches/routers. Don't sweat it.

Regarding your 1a.....

If you have a dynamic IP, don't give the switch port an IP address. Leave the VLAN as L2 only and let pfSense get the WAN address from the modem. On my virtualized pfSense (Proxmox) setup and a Brocade switch, I simply assign the port that the modem is connected to as untagged and the ports with my Proxmox servers attached as tagged. There's no virtual interface/IP on the switch for the VLAN. pfSense's vNIC used as WAN in Proxmox gets assigned the same VLAN as the modem. I am using OpenVSwitch with Proxmox.
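To make the advice above concrete on the switch the original poster actually has, here is an added Junos 12.3 (non-ELS) configuration sketch for an EX2200-C. It is written for this thread, not taken from either poster's setup (ArmedAviator's switch is a Brocade). It assumes ge-0/0/0 is the modem port (from the original post); ge-0/0/1 as the Proxmox trunk port, ge-0/0/2 as the honeypot port, the VLAN IDs 100 and 10, and the 192.168.10.0/24 management range are invented values. The Junos equivalent of "don't give the switch port an IP" is to define the VLAN with no l3-interface, so there is no routed interface the modem side can ever reach; the modem port is additionally stripped of the L2 control protocols the switch would otherwise speak toward it, and management is confined to a separate VLAN behind a routing-engine filter.

```junos
# Added example (not from the thread): Junos 12.3 non-ELS syntax for an EX2200-C.
# Assumptions: ge-0/0/0 = cable modem (from the OP), ge-0/0/1 = Proxmox host trunk,
# ge-0/0/2 = honeypot; VLAN IDs and the 192.168.10.0/24 management range are invented.

# --- 1) "Internet" VLAN: layer 2 only, deliberately NO l3-interface ---
set vlans internet vlan-id 100
set vlans internet description "modem <-> pfSense WAN; switch has no IP here"

# Modem port: untagged access port in VLAN 100
set interfaces ge-0/0/0 description "cable modem"
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members internet

# Proxmox host: tagged trunk carrying the internet VLAN (pfSense WAN vNIC tags 100)
set interfaces ge-0/0/1 description "proxmox host"
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members internet

# Honeypot port: access port in the same VLAN, hardened like the modem port
set interfaces ge-0/0/2 description "honeypot"
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members internet

# --- 2) Speak no L2 control protocols toward the modem, and pin it to one MAC ---
set protocols rstp interface ge-0/0/0 disable
set protocols lldp interface ge-0/0/0 disable
set ethernet-switching-options bpdu-block interface ge-0/0/0
set ethernet-switching-options secure-access-port interface ge-0/0/0 mac-limit 1 action drop
set protocols rstp interface ge-0/0/2 disable
set protocols lldp interface ge-0/0/2 disable
set ethernet-switching-options bpdu-block interface ge-0/0/2

# --- 3) Management lives only on a separate VLAN that does have a routed interface ---
set vlans mgmt vlan-id 10 l3-interface vlan.10
set interfaces vlan unit 10 family inet address 192.168.10.2/24

# Routing-engine filter on lo0: accept SSH from the management subnet and ICMP,
# log and discard everything else aimed at the switch itself
set firewall family inet filter protect-re term mgmt-ssh from source-address 192.168.10.0/24
set firewall family inet filter protect-re term mgmt-ssh from protocol tcp
set firewall family inet filter protect-re term mgmt-ssh from destination-port ssh
set firewall family inet filter protect-re term mgmt-ssh then accept
set firewall family inet filter protect-re term icmp from protocol icmp
set firewall family inet filter protect-re term icmp then accept
set firewall family inet filter protect-re term drop-rest then log
set firewall family inet filter protect-re term drop-rest then discard
set interfaces lo0 unit 0 family inet filter input protect-re

# --- 4) Trim services the switch does not need to expose ---
delete system services web-management
delete system services telnet
set system services ssh protocol-version v2
```

Two practical notes. The lo0 filter is a whitelist, so if the switch itself uses DNS, NTP or DHCP you need to add accept terms for those replies before the drop-rest term; apply it with `commit confirmed 5` from a session on the management VLAN so a mistake rolls back on its own. The `delete` lines only matter if those services are present in the existing configuration (the J-Web service is enabled by default on many EX images); Junos just warns if the statement is not found.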
RichMD

New Member
Mar 10, 2021
Thanks for the info. I actually have 2 Gigabit cards that are passed directly through to pfSense rather than virtualizing. My thought was that it would be slightly better performance and possibly more secure??? since the traffic doesn't flow through core Proxmox before getting to pfSense - it would go direct hardware and then pfSense is processing it. I might be over-thinking it but that is my plan.
I haven't used OpenVSwitch. For the setup I am considering, do you think it would offer any significant benefits? I'm assuming even with security features, it wouldn't be more secure than physical dedicated NICs but I'm open to opinions.


ArmedAviator

Member
May 16, 2020
Passing through the NIC to the VM will offer better performance depending on your CPU performance, but on my aging R710s (10 years old) I can achieve over 1Gbps throughput through pfSense (virtio driver) with OpenVSwitch. The benefit of this option is I can live migrate my pfSense VM from one server to another in the cluster with no downtime. Of course that is not possible with PCI passthrough.

Regarding security, OpenVSwitch is widely deployed around cloud services, just like JunOS. I have full confidence that I am at no more risk keeping pfSense entirely virtualized vs PCI passthrough.