host router gateway interface to private networks

Hi, I'm a newbie and I would like to create in my FreeBSD host an internal router gateway for many VMs in internal networks (RFC 1918 addresses) that can communicate to the internet through NAT networks.

In the host I have:
- 1 physical interface: wlan0
In the host I would have:
- 1 interface (loopback??) gateway for routing to and from private networks connected to a virtual switch compliant with 802.1Q VLAN tagging
- VMs that must communicate to the internet only to update software or pass outbound, and drop inbound traffic

The goal is to create a router / pf firewall with NAT, with an internal virtual interface to the switch and to the VMs attached to the switch in private networks. How can I do it?
How can I create an interface to the private networks?
I have only one physical interface: wlan0

For an idea there is a similar lab:

Thank you for the kind help
 
If your whole network will be virtual on this one physical box, I see no need for VLAN tagging. VLANs are a nice way to separate virtual networks using the same physical infrastructure (cables, switches, ...), but as I'm reading your post, your only physical interface will be the shared "WAN" interface, so internally, you can just use one bridge(4) per internal network segment and set up routing (and firewalling) between these bridges plus NAT on the WAN interface.

Be aware that a setup like this has two theoretical weaknesses:
  • A successful exploit on the firewall itself gives the attacker full control over the whole physical machine
  • A successful exploit on one of the VMs puts an attacker in a position to try "side-channel attacks" for accessing the other VMs and/or the host
You could avoid the first one by making your router/firewall a VM itself (passing the physical NIC to that VM with PCI pass-through if possible). The only way to avoid the second risk is to use a dedicated firewall box though.
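A worked example of the layout described above, added here and not part of the original reply: an /etc/rc.conf fragment that creates one bridge(4) per internal segment and enables forwarding, and an /etc/pf.conf that NATs both segments out of wlan0, drops everything inbound on the WAN, keeps the two segments from reaching each other, and lets the VMs out only for DNS and HTTP/HTTPS package updates (the policy the question asked for). Bridge names, subnets and ports are assumptions.

```conf
# ---- /etc/rc.conf (FreeBSD host) ----
# One bridge(4) per internal segment; names and RFC 1918 subnets are
# assumptions for this example. VM tap interfaces are added to the
# bridge when each VM starts (ifconfig bridge0 addm tap0).
cloned_interfaces="bridge0 bridge1"
ifconfig_bridge0="inet 10.10.0.1/24 description lan-vms up"
ifconfig_bridge1="inet 10.20.0.1/24 description dmz-vms up"
gateway_enable="YES"        # host forwards IPv4 between bridges and wlan0
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"          # dropped packets are logged to pflog0

# ---- /etc/pf.conf (FreeBSD host) ----
wan     = "wlan0"
lan     = "bridge0"
dmz     = "bridge1"
lan_net = "10.10.0.0/24"
dmz_net = "10.20.0.0/24"
# Ports the VMs need for package updates (pkg / freebsd-update mirrors).
upd_ports = "{ 80 443 }"

set skip on lo0
scrub in all

# NAT every internal subnet out through the current address of wlan0.
nat on $wan inet from { $lan_net $dmz_net } to any -> ($wan)

# Default deny, logged. Everything below is an explicit exception.
block log all

# Nothing initiated from the internet reaches the host or the VMs;
# replies to outbound connections match existing state, not this rule.
block in quick on $wan all

# Keep the segments apart: the host does not forward between bridges.
# "quick" makes these final, so the pass rules below cannot override them.
block in quick on $lan from $lan_net to $dmz_net
block in quick on $dmz from $dmz_net to $lan_net

# VMs may resolve names and fetch updates; the state entry lets the
# reply traffic back in.
pass in on { $lan $dmz } proto udp from { $lan_net $dmz_net } to any port 53 keep state
pass in on { $lan $dmz } proto tcp from { $lan_net $dmz_net } to any port $upd_ports keep state

# Let the host itself and the forwarded VM traffic out of the WAN.
pass out on $wan inet keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `service pf reload`, and watch what the default deny drops with `tcpdump -n -e -ttt -i pflog0` while a VM runs its first update.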
 
Thank you for your detailed reply and solutions.
I have made this logical "explanation" for the possible networks involved in my FreeBSD host:

Screenshot-Logical_Networks.png



Regarding your reply:
"Be aware that a setup like this has two theoretical weaknesses:

A successful exploit on the firewall itself gives the attacker full control over the whole physical machine
A successful exploit on one of the VMs puts an attacker in a position to try "side-channel attacks" for accessing the other VMs and/or the host

You could avoid the first one by making your router/firewall a VM itself (passing the physical NIC to that VM with PCI pass-through if possible). The only way to avoid the second risk is to use a dedicated firewall box though."

About your reply and the 2 security risks, if I understand well, these are the solutions:
1- A VM with a router/firewall between wlan0 (internet) and an interface to the private networks could resolve or mitigate an attacker getting full control of the whole machine attached to the bridge? Please, could you tell me, if there exists one, a guide to do it?

2- For the second problem: "A successful exploit on one of the VMs puts an attacker in a position to try "side-channel attacks" for accessing the other VMs and/or the host", maybe it is possible to mitigate or resolve this with a possible solution:
a router/firewall in a jail? And if it is possible, how can I do it?


thanks
 