TL;DR<\/strong> – Prevent the hypervisor from sending ARP packets to the cable modem.<\/p>\n There is a quirk with the way that DHCP leases are handed out with a cable modem.\u00a0 It is a common enough issue that the question has been asked in several forums.\u00a0 The responses tend to be along the lines of “use an old computer and don’t run your firewall as a vm”.\u00a0 I think that there are a number of valid reasons to run the firewall as a vm and not on separate, dedicated hardware.\u00a0 Some advantages for running as vm are:<\/p>\n When running a firewall as a vm with a cable modem.\u00a0 The external interface of the firewall will not receive an IP address from the service provider.\u00a0 The fundamental cause is that a cable modem will only allow and IP address to be handed out to the first physical system seen by the device.\u00a0 This is why virtualized firewalls do not get an external IP address.<\/p>\n The hypervisor must not be allowed to send ARP packets to the cable modem so that the cable modem does not “see” the hypervisor, but only the virtualized firewall.\u00a0 This can be achieved via the system firewall on the hypervisor.<\/p>\n In this example, the hypvervisor is KVM and the system firewall in nftables.\u00a0 The hypervisor has 2 phsyical NICS – eno1 and eno2.\u00a0 Each has a bridge associated with it – br1 and br2.\u00a0 Br1\/eno1 is the internal network.\u00a0 All VMs use br1 as their NIC.\u00a0 The bridge allows the VMs to reside on the same network as the hypervisor itself.\u00a0 This would be the same network that the wireless access point is on as well as other devices such has phones, laptops, etc.\u00a0 The firewall’s internal NIC is the hypervisor’s br1.\u00a0 Br2 is the external interface for the firewall.\u00a0 The firewall is the only VM which has br2.\u00a0 The image below shows the VM info of the firewall.<\/p>\n Next, on the hypervisor, create an ARP filter for the NIC and bridge that is the device connected to the cable modem.<\/p>\n After getting the ARP packets dropped, reboot the cable modem.\u00a0 Your firewall should then be able to get an IP address via DHCP.<\/p>\n","protected":false},"excerpt":{"rendered":" I will not run a consumer grade router as my border firewall. There are a number of reasons, but the largest is that manufacturers often quickly stop supporting the devices.\u00a0 This translates to a lack of updates and patches leaving many systems vulnerable.\u00a0 The recent NetUSB flaw is a prime example.\u00a0 How many devices are […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[],"tags":[],"class_list":["post-1031","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/posts\/1031","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/comments?post=1031"}],"version-history":[{"count":6,"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/posts\/1031\/revisions"}],"predecessor-version":[{"id":1038,"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/posts\/1031\/revisions\/1038"}],"wp:attachment":[{"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/media?parent=1031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/categories?post=1031"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ixeous.net\/cms\/index.php\/wp-json\/wp\/v2\/tags?post=1031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
![\"\"](\"https:\/\/www.ixeous.net\/cms\/wp-content\/uploads\/2022\/02\/firewall_vm_info.png\")
<\/p>\ntable arp filter {\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0chain INPUT {\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type filter hook input priority filter; policy accept;\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\n\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0chain OUTPUT {\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type filter hook output priority filter; policy accept;\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0oifname \"br2\" drop\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0oifname \"eno2\" drop\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\n}\n<\/pre>\n