@Groyk
Hi Simon
I’d use a separate firewall, but OPNsense, not PFsense…
See this friend’s Home-LAN. The firewall hardware (Soekris) died, and I had to set up (via remote) a new firewall… It’s been working over a year now, extremely stable.
If I, accessing that network with VPN, need to reboot the Proxmox, I can log in with VPN in 3-5 minutes…
Here, the Firewall is running in Proxmox, is always the first to boot, and has 2 virtual NICs associated: vmbr0, connected to my friend’s home LAN, and vmbr1, which is simply connected to the guy’s Internet-Box.
VPN from outside in (roadwarrior VPN) works with OpenVPN and with IPsec.
This guy only has a dynamic connection from his provider, so we use DynDNS.
The DynDNS name is the target for his “official” DNS, with the domain pointing to the DynDNS name.
Even so, site2site AND roadwarrior VPN work well and are extremely stable!
Using a separate firewall from nethserver will allow you to reboot your nethserver - and still have internet in the meantime… (Useful if you’re testing stuff…) A firewall boots faster!
The creator of Monowall (from which PFsense was forked), Manuel Kasper, suggests using OPNsense, NOT PFsense (also due to the fuss they made when OPNsense forked, not a very OpenSource mentality!). I’m using OPNsense for about 30 clients, most on hardware boxes, some virtual. Most virtual firewalls are used at friends’ Home-LANs.
If you can handle PFsense, you can handle OPNsense! Both have the same basis, OPNsense has a bit more modern GUI, IMHO.
If it helps, I can provide a default config for OPNsense… 
My 2 cents
Andy