VM Firewall on the Openhab machine

Hi, I am using Windows and running OH 2.2 + Node-RED.
I want to know: if I run a distro like pfSense/IPFire
as a VM on that machine, can I include OH under that VM firewall?

I know people are using another machine for a router, and connecting the OH to that machine,
but how can I use the same one?

AFAIK there is no option for pfSense or IPFire to run Java. Of course, if Java >= 8u151 is installable, you are free to install openHAB2 on the same machine (although it’s a nightmare for security fans…)

Hi Udo, I did not get you…

I am running OH2, I am not so concerned with security, my Q is:

if I am doing routing for my home on PC1 (in a VM)
and also running OH on that same PC1 (not in a VM, just Windows and Node-RED),
how can I get OH to talk to the router?

I want OH under the pfSense routing…

I ran this way for a while. The setup:

  • Hardware: a desktop server with lots of RAM and a CPU that supports all the right virtualization extensions (an Intel i3 in this case). I added an extra Ethernet card to bring the total number of ports up to three.

  • Base OS: I chose ESXi 6.5. Were I to do it over again I would choose Xen or KVM because the free ESXi will only let you provision up to 8 CPUs to the VMs at a time.

  • VMs: I have an OpenMediaVault VM, one VM running OH and other related services like Mosquitto, all running in Docker containers, one VM running media servers like Plex and Calibre, one desktop VM so I can remote into my system through VNC, and pfSense.

  • Network: I attached a cable from my cable modem to one port on my server, one cable going from my server to my wifi router, and one cable from the wifi router back to the server. I set up the interfaces in ESXi so the cable connected to the cable modem was labeled WAN and assigned only to the pfSense VM. The interface with the cable heading to the wifi router was labeled LAN and all the VMs are assigned to LAN. The cable coming back from the wifi router to the server gives the physical server/ESXi its connection to pfSense.

I configured the wifi router to be AP mode only and configured pfSense to be the DHCP server and DNS server for the LAN.

Thus everything must go through pfSense to get anywhere on the network or the internet.

And therein lies the problem. This basically rendered the pfSense VM a single point of failure. When the pfSense VM goes down so does the network. And since you can only administer the VMs through the web interface in ESXi, it means you cannot bring the pfSense VM down to, for example, assign more RAM or give it another CPU. It also means if you don’t have your VMs set to automatically restart when the machine boots you are completely hosed. If pfSense doesn’t come up you have no network. Period. And without network you can’t get into ESXi to start pfSense.

So do not do what I did. To avoid this problem, and free up a CPU, I got a separate machine to host pfSense. This lets me give way more resources to the firewall than I would otherwise be able to, and it simplifies the whole setup.

Anyway, now to your question.

If you don’t care about security why bother with pfSense at all?

I suspect the configuration will have to be similar to what I set up and you too will face a catch-22 problem, assuming you want your whole network to route through pfSense including the Windows server. I’m not entirely sure it is even possible for the host to route its traffic through a VM running on it without a separate physical network interface, and even then I don’t know how much ability you have to exclusively assign one to just the VM with type 2 hypervisors.

But, if you can get the networking right, there is nothing preventing you from running OH on the host and pfSense in a VM on the same hardware. That is sort of the point of VMs.
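
The single point of failure described in the post above can be checked rather than discovered the hard way. The following is an added example (not code from the thread or from the openHAB or pfSense projects): it models the all-in-one topology as a graph, treats a DHCP client as down when it can no longer reach its DHCP server, and reports which node's loss alone cuts the admin off from each target. Node names, the links, and the assumption that only the admin's laptop depends on pfSense for an address are mine; the post names none of them.

```python
from collections import deque

# Constructed model of the all-in-one topology described in the post above.
# Node names, links and the DHCP dependency are assumptions; the post does
# not name its hosts or addresses.
LINKS = [
    ("internet", "cable_modem"),
    ("cable_modem", "pfsense_vm"),   # WAN NIC assigned only to the pfSense VM
    ("pfsense_vm", "lan_vswitch"),   # pfSense LAN side on the ESXi LAN vSwitch
    ("lan_vswitch", "oh_vm"),        # openHAB / Mosquitto VM
    ("lan_vswitch", "nas_vm"),       # OpenMediaVault VM
    ("lan_vswitch", "wifi_ap"),      # LAN NIC cabled to the wifi router (AP mode)
    ("wifi_ap", "esxi_mgmt"),        # third NIC: cable from the AP back to the host
    ("wifi_ap", "admin_laptop"),     # the admin's PC sits on the wifi AP
]
# Hosts that only get an address from the DHCP server running on pfSense.
# Assumption: the hypervisor management interface and the VMs have static
# addresses; the admin's laptop does not.
DHCP_CLIENTS = {"admin_laptop": "pfsense_vm"}
SOURCE = "admin_laptop"
TARGETS = ("esxi_mgmt", "oh_vm", "internet")


def adjacency(links, failed=()):
    """Undirected adjacency map with failed nodes removed entirely."""
    adj = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def bfs(adj, start):
    """Set of nodes reachable from start over the surviving links."""
    if start not in adj:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reachable_from(source, links, dhcp_clients, failed=()):
    """Nodes the source can talk to once the failed nodes are gone.

    A DHCP client that cannot reach its server over the surviving wiring has
    no address, so it is treated as down too. That is the catch-22 from the
    post: the cable to the hypervisor is fine, the laptop just has no lease.
    """
    failed = set(failed)
    adj = adjacency(links, failed)
    for client, server in dhcp_clients.items():
        if client not in failed and server not in bfs(adj, client):
            failed.add(client)
    if source in failed:
        return set()
    return bfs(adjacency(links, failed), source)


def single_points_of_failure(source, targets, links, dhcp_clients):
    """Map each target to the nodes whose loss alone cuts the source off from it."""
    nodes = {n for link in links for n in link}
    baseline = reachable_from(source, links, dhcp_clients)
    report = {}
    for target in targets:
        if target not in baseline:
            report[target] = None   # already unreachable; nothing to analyse
            continue
        report[target] = {
            node for node in nodes - {source, target}
            if target not in reachable_from(source, links, dhcp_clients, failed={node})
        }
    return report


if __name__ == "__main__":
    as_built = single_points_of_failure(SOURCE, TARGETS, LINKS, DHCP_CLIENTS)
    for target, culprits in as_built.items():
        print(f"{target:>10}: {sorted(culprits)}")
    # Same wiring, but the admin's PC no longer depends on pfSense for an
    # address (e.g. a static address on the management segment): pfSense
    # stops being a single point of failure for reaching the hypervisor.
    static = single_points_of_failure(SOURCE, TARGETS, LINKS, {})
    print("esxi_mgmt with a static admin address:", sorted(static["esxi_mgmt"]))
```

With the DHCP dependency in place the pfSense VM, the LAN vSwitch and the AP all show up as single points of failure for reaching the hypervisor's management interface, even though the cable to it never passes through pfSense. Dropping the dependency (a static address on the admin machine) leaves only the AP, which is the difference between "cannot restart pfSense" and "can".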

Thank you!
A lot to consider…

I think I will not do this VM stuff, too many issues along the way…

Tell me what you think of running OH as part of FreeNAS, as a VM?

There is nothing special about running OH on a VM except sometimes certain hypervisors make it difficult to pass the USB devices into the VM so if you have USB controllers that might be a challenge.

I think I will stick with my PC setup for now, and will consider switching to an RPi4 :slight_smile: some day.

I want the system as small as possible, as I can’t find any reason to keep such a big system on for openHAB only.
My dreams of building an all-in-one machine are gone hhh

But I was able to install openHAB on an Ubuntu VM, and it’s working great, so my trip was not for nothing.
Next time I build an OH machine I will build it on Linux!