IPFire as VMware NSX

Hello,
I use XCP-ng and want to protect virtual machines. There are VyOS and pfSense firewalls for this. Can IPFire be used for this?

Cheers.

If you expect to have more than one internet (RED) connection for your host, I don’t think so.

Hi,
Thank you so much for your reply.
Assuming one internet connection is required for the host, how can I protect virtual machines with IPFire?

Sorry for this kind of chicken-and-egg answer, but… you should learn about firewalling.
IP access rules, conditions, eventual applications that could ease/help the creation of rules, like libloc (a GeoIP location library developed by the IPFire Project), Suricata (an intrusion detection system), VPNs to give you secure remote access to the LAN behind your IPFire, like OpenVPN and IPsec, currently available on IPFire. And… much more.
IPFire packs a lot of tools, and this toolbox can be nuanced with more additions called add-ons, not all security related; most add-ons are provided by third-party developers.

100% of the software provided with IPFire is GNU/GPL, so you don’t actually have to pay fees to access documentation, find some videos which explain how this or that package/function works and how it can be used to achieve… control over your network traffic. Security is first and foremost having more control and information about what happens, and having some tools to… change what happens.

Hoping that this helps anyway, even if it seems some… zen.
Security is not a band aid to patch a wound. It’s a process where you understand what can go sideways today… and find the right tool to reduce the risks.
Because the 100% safe computer is the one switched off, diskless, in a safe located on the seabed of the Mariana Trench. But I’m not sure about that.
If you’re willing to buy security… pay a person. And explain your fears. :slight_smile:


Hi,
Thanks for your tips, but there are several articles on setting up this scenario in pfSense, and the lack of such an article is a disadvantage for IPFire.

So, in your opinion, Rubicon Communications LLC did a better marketing job than Lightning Wire Labs GmbH.

I am not part of Lightning Wire Labs GmbH, nor doing a marketing or sales job. So no sales pitch from here. I hope you’ll find the correct advertisement and sales team you’re looking for :slight_smile:

I run IPFire in KVM as a virtual machine. IPFire can protect virtual machines; it depends on your setup. Say you have one host that runs all the virtual machines, and the host has two network interfaces, one to the internet and one for the local network. Then your IPFire virtual machine would need two virtual network interfaces: one virtual network interface to the internet, one virtual network interface to the local network. All your other virtual machines only need one virtual network interface for the local network and use the IPFire virtual machine as gateway to the internet.


Hi,
Thank you so much for your reply.
How do you use KVM? I am using XCP-ng which is a virtualization platform.
You said:

All your other virtual machines only need one virtual network interface for the local network and use the IPFire virtual machine as gateway to the internet.

How do virtual machines use an IPFire virtual machine network card instead of using a virtual network card?

You will need to run a Linux distribution like Ubuntu as the host OS on the hardware, then follow something like "Setup Virt-Manager, Qemu, libvert and KVM on Ubuntu 20.04" by tanut aran (CODEMONDAY, Medium). You can set up a Linux bridge on the host for each of the two network interfaces, then select the bridges as the guest virtual network interfaces. I myself use the libvirt virsh command to do everything; if you like, I could probably publish a video on how to do that :).

I just Google searched XCP-ng; it is a Linux-based virtual machine, so you should have no problem running KVM on a Linux machine then.

Is pfSense good protection?

pfSense is BSD-based, IPFire is Linux-based. Personally I prefer IPFire because IPFire ships a recent Linux kernel that has more powerful features like eBPF for advanced packet filtering, as I have shown you here https://youtu.be/1pdNgoP-Kho?si=J-GlcFLiaLr2l2GZ. BSD lacks the eBPF feature; I think pfSense will suffer under a DDoS attack without an XDP DDoS-like feature. A DDoS feature is a must-have because DDoS is so easy to launch with a tool like hping3; almost anyone could launch a DDoS attack.


Hello,
Can someone explain how to protect virtual machines with IPFire in this post?

Cheers.

Well, I sort of explained it in the Linux KVM hypervisor post already :slight_smile: Since you are using XCP-ng, according to Networking | XCP-ng documentation, a similar idea applies: you run IPFire with two virtual NICs provisioned from the Open vSwitch that XCP-ng uses, one virtual NIC with external connectivity to the Internet/public network, one virtual NIC for the internal network, and all your other virtual machines only have one virtual NIC for the internal network. The idea is the same for physical networks and machines; you will just need to get familiar with your particular virtual network environment. This kind of applies to any firewall virtual machine, nothing special to IPFire; maybe what is specific about IPFire is whether IPFire supports the XCP-ng hypervisor.

You could also mix a physical network with the virtual machine network, for example run IPFire in a physical box to protect virtual machines in a virtual network; it all depends on how you would like to design your network.
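The topology described in the two posts above (IPFire with one vNIC on the external network and one on the internal network, every other guest with a single vNIC on the internal network) is easy to get wrong when a guest quietly keeps a second interface on the external bridge. The following script is an added example, not code from the IPFire project or from anyone in this thread; it audits a hypervisor inventory against that rule. The inventory text mimics the column layout of libvirt's `virsh domiflist` (Interface, Type, Source, Model, MAC), and all VM names, bridge names and MAC addresses are constructed sample values; on XCP-ng you would fill the same mapping from `xe vif-list` output instead.

```python
"""Audit a hypervisor inventory: only the firewall VM may touch the RED network.

Added example, not IPFire project code. Assumptions: bridge names br-red and
br-green, VM names, and the domiflist-style text are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "error" or "warning"
    vm: str
    message: str


# Constructed sample: what `virsh domiflist <vm>` prints for each guest.
SAMPLE_INVENTORY_TEXT = {
    "ipfire": """\
 Interface   Type     Source     Model    MAC
-----------------------------------------------------------
 vnet0       bridge   br-red     virtio   52:54:00:aa:00:01
 vnet1       bridge   br-green   virtio   52:54:00:aa:00:02
""",
    "web": """\
 Interface   Type     Source     Model    MAC
-----------------------------------------------------------
 vnet2       bridge   br-green   virtio   52:54:00:aa:00:03
""",
    # A guest that bypasses the firewall with a second vNIC on the RED bridge.
    "legacy": """\
 Interface   Type     Source     Model    MAC
-----------------------------------------------------------
 vnet3       bridge   br-green   virtio   52:54:00:aa:00:04
 vnet4       bridge   br-red     virtio   52:54:00:aa:00:05
""",
}


def parse_domiflist(text: str) -> list[tuple[str, str]]:
    """Return (interface, source bridge) pairs; skips the header and rule lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Interface" or parts[0].startswith("-"):
            continue
        rows.append((parts[0], parts[2]))
    return rows


def audit_topology(inventory: dict[str, list[tuple[str, str]]], firewall_vm: str,
                   external: set[str], internal: set[str]) -> list[Finding]:
    """Check that exactly one VM (the firewall) bridges external and internal."""
    findings: list[Finding] = []
    for vm, vifs in inventory.items():
        sources = [src for _, src in vifs]
        ext = [s for s in sources if s in external]
        inte = [s for s in sources if s in internal]
        for s in sources:
            if s not in external and s not in internal:
                findings.append(Finding("warning", vm, f"attached to unclassified network {s!r}"))
        if vm == firewall_vm:
            if len(ext) != 1:
                findings.append(Finding("error", vm, f"firewall needs exactly one RED vNIC, has {len(ext)}"))
            if not inte:
                findings.append(Finding("error", vm, "firewall has no GREEN vNIC"))
        else:
            for s in ext:
                findings.append(Finding("error", vm, f"guest bypasses the firewall via {s!r}"))
            if not inte:
                findings.append(Finding("warning", vm, "guest has no vNIC on an internal network"))
    return findings


def audit_sample() -> list[Finding]:
    inventory = {vm: parse_domiflist(text) for vm, text in SAMPLE_INVENTORY_TEXT.items()}
    return audit_topology(inventory, "ipfire", {"br-red"}, {"br-green"})


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.severity.upper():7} {f.vm}: {f.message}")
```

Run it with no arguments to see the one finding the constructed sample produces (the `legacy` guest on `br-red`). The same `audit_topology` call works with a mapping built from any hypervisor, which is why the parser is kept separate from the policy check.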

I am using VirtualBox for a virtual network for evaluating testing releases and bug fixes.

I have two virtual IPFire machines.

One has one virtual Arch Linux system on its green network.

The other virtual IPFire system has two machines on the green network, three on the blue network and two on the orange network, all Arch Linux based systems.
With two IPFire VMs I have been able to successfully set up a net2net OpenVPN connection between the two of them.

I basically used the VirtualBox wiki page, https://www.ipfire.org/docs/installation/virtual-box, as my starting point and then adapted things to my specific network testing needs.

I can’t help you with any VMware or XCP-ng specifics as I have never ever used them.

Based on the wiki, IPFire has been used successfully on all products by VMware, KVM, Xen, Microsoft Hyper-V and VirtualBox.

Looking up the XCP-ng documentation, I found a comment that it was originally based on XenServer, so based on that I would expect that it might work, but XCP-ng itself is not listed as having been tested by any IPFire users.
The documentation has a section on how to migrate to XCP from other VM systems.
https://xcp-ng.org/docs/migratetoxcpng.html#from-xenserver

A slight concern I see is that the documentation section entitled Supported Guest OS only contains the word “TODO”, so it looks like you are on your own with regard to installing your guest systems as far as documentation support.

Hi,
Thank you so much for your reply.
I mean, how do I direct the traffic of the virtual machines to IPFire?

Are you providing IPs for your virtual machines from IPFire?

If so, then IPFire will automatically tell the virtual machines that IPFire is the router they should use via the DHCP communication.

If you are setting static IPs on the VMs, then you need to ensure that you also manually enter into the VM’s DHCP client that the IPFire green IP is the router IP for the network.
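The static-addressing case in the reply above is where guests most often end up with traffic that never passes the firewall: the guest sits in the wrong subnet, or its default gateway is something other than IPFire's GREEN address. The script below is an added example, not IPFire project code or anything posted in this thread. It checks a guest's static settings against the GREEN interface, reads the active default gateway from `ip route show` output, and renders a systemd-networkd `.network` file (the format Arch Linux guests like the ones mentioned earlier commonly use). The addresses, interface name and the `ip route` text are constructed sample values.

```python
"""Validate a guest's static IP settings against IPFire's GREEN interface.

Added example, not IPFire project code. The GREEN address 192.168.1.1/24,
the guest address and the `ip route show` text are constructed samples.
"""
import ipaddress

# Constructed sample of `ip route show` on a correctly configured guest.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""


def check_static_config(green_cidr: str, guest_cidr: str, gateway: str) -> list[str]:
    """Return a list of problems; an empty list means the guest will route via IPFire."""
    green = ipaddress.ip_interface(green_cidr)
    guest = ipaddress.ip_interface(guest_cidr)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if guest.network != green.network:
        problems.append(f"guest subnet {guest.network} differs from GREEN subnet {green.network}")
    if guest.ip == green.ip:
        problems.append(f"guest address {guest.ip} collides with the IPFire GREEN address")
    if guest.ip in (guest.network.network_address, guest.network.broadcast_address):
        problems.append(f"guest address {guest.ip} is the network or broadcast address")
    if gw != green.ip:
        problems.append(f"gateway {gw} is not the IPFire GREEN address {green.ip}")
    return problems


def default_gateway(ip_route_output: str):
    """Return the next hop of the default route from `ip route show` output, or None."""
    for line in ip_route_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "default" and parts[1] == "via":
            return parts[2]
    return None


def render_networkd(iface: str, guest_cidr: str, gateway: str, dns: str) -> str:
    """Render a systemd-networkd .network unit with IPFire as gateway and DNS."""
    return (
        "[Match]\n"
        f"Name={iface}\n"
        "\n"
        "[Network]\n"
        f"Address={guest_cidr}\n"
        f"Gateway={gateway}\n"
        f"DNS={dns}\n"
    )


if __name__ == "__main__":
    green, guest = "192.168.1.1/24", "192.168.1.10/24"
    gw = default_gateway(SAMPLE_IP_ROUTE)
    print("active default gateway:", gw)
    for p in check_static_config(green, guest, gw) or ["OK: guest routes via IPFire GREEN"]:
        print(p)
    print(render_networkd("eth0", guest, gw, "192.168.1.1"))
```

On a real guest you would feed `default_gateway` the output of `ip route show` and compare it with the GREEN address shown in IPFire's web interface; any non-empty result from `check_static_config` explains why that guest is not protected.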

Hi,
Thanks again.
I just installed IPFire as another virtual machine alongside the other virtual machines.
My server has 4 network cards that the virtual machines use. I have some questions:
1- Should the IPFire virtual machine have these 4 network cards?

2- Virtual machines use static IP addresses. Should I change them to DHCP?

3- Should the static IP addresses of the virtual machines be set on the IPFire network cards?

4- I just installed IPFire. While configuring the network, I saw settings like GREEN, RED, ORANGE and BLUE. Which network card should be assigned to which color?

5- Does IPFire perform routing operations automatically? For example, one of my virtual machines is a web server; if I set its IP address on the IPFire network card, will IPFire then automatically direct incoming requests to that virtual machine?

Hello,
Any idea?

Cheers.