Centralised management
-
Hi,
Very new to pfSense but I have to say I'm pleased with what I've seen so far. I've been testing this at home and was considering approaching our IT service provider at work, about moving over to pfSense rather than them continuing with the never ending money grab from Cisco.
We are a small organisation with 23 museums and art galleries across the county. With such numbers and us moving away from hosting internal services, I'm calling into question the need to continue having a county-wide WAN and move over to DIA leased lines with something like the 6100's. I'm just wondering how they would centralise the management of the pfSense devices?
The WebGUI is great once you're on a device but how does the ecosystem centrally manage things?
I've seen some very old posts on the subject but I can't find anything recent. Am I missing something obvious or is this functionality simply not available?
Regards,
Scott
-
@scotty It's not built in yet. It's been talked about a while now, like you say "I've seen some very old posts on the subject...", so there is a desire for a management function on a wide scale.
Honestly, for a handful of sites, it isn't too terrible to just add bookmarks in your browser for each remote site. When it starts to become a problem is when there's a bunch more, like you said - 23 museums and galleries. Sure, you could VPN into each one of them to manage the firewall, but that would get old pretty fast. If it were me, and you are sitting at a single location (work office as an example), it's pretty easy to make a single firewall rule on each remote pfsense box for immediate access into the firewall, no VPN required. I'm not saying this is the best, most secure way, but it will definitely work, and it's simple. Then all you would have to do is make the bookmarks in your browser for each remote site and open them as needed.
By the way, what kind of centralized management are you thinking you're going to need after the pfSense box is all set up and running? I've got 4 of them running at "other places" and I don't log into them all that often. Just wondering what you think you will need to do to them?
-
@akuma1x Thanks for the feedback.
I'm thinking more for our services provider, they provide services to a number of small organisations like us. They currently recommend we purchase Cisco and Meraki products whose consoles can keep an eye on all of the estate from a single pane. The issue being they cost a fortune. We're a charity, not a bank, so we have to justify every pound spent. Hence my interest in pfSense and giving it a go at home first. I was hoping for something similar here so 'ease of management' isn't a factor for them (the service provider) to argue against.
As for what to manage, I guess the alerting can be automated but I'm thinking more about updates, config backups and then the basics: CPU/interfaces/temps etc. Also, from an alerting perspective, it can't send an alert... if the leased line is down. Having a centralised console that notices a device has disappeared can send its own alerts. Otherwise I will have my end users being my alerting mechanism... and that's never good.
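The point above, that a remote firewall cannot raise its own alert once its leased line is down, so the central side has to notice the absence, as an added example that is not part of this thread. It replays a constructed poll log for two hypothetical sites and reports a site once when it has been unreachable longer than an assumed threshold, and once more when it comes back:

```python
"""Central 'site has gone silent' detector (added example, not from the thread).
The site names, the 10-minute threshold and the poll log are all constructed."""
from datetime import datetime, timedelta

SILENT_AFTER = timedelta(minutes=10)  # assumed threshold before raising

# Constructed poll log: (timestamp, site, reachable), in time order.
POLL_LOG = [
    ("2024-05-01T09:00:00", "museum-01", True),
    ("2024-05-01T09:00:00", "gallery-07", True),
    ("2024-05-01T09:05:00", "museum-01", True),
    ("2024-05-01T09:05:00", "gallery-07", False),
    ("2024-05-01T09:10:00", "museum-01", True),
    ("2024-05-01T09:10:00", "gallery-07", False),
    ("2024-05-01T09:15:00", "museum-01", True),
    ("2024-05-01T09:15:00", "gallery-07", False),
    ("2024-05-01T09:20:00", "museum-01", True),
    ("2024-05-01T09:20:00", "gallery-07", True),
]


def evaluate(poll_log, silent_after=SILENT_AFTER):
    """Replay polls in order and return a list of (time, site, event).
    'DOWN' is emitted once when a site has been unreachable for at least
    silent_after; 'UP' is emitted once when that site is reachable again.
    Repeated failed polls of an already-alerted site produce nothing."""
    last_seen = {}   # site -> datetime of its last successful poll
    alerted = set()  # sites currently in the DOWN state
    events = []
    for ts, site, reachable in poll_log:
        now = datetime.fromisoformat(ts)
        if reachable:
            last_seen[site] = now
            if site in alerted:       # recovery: clear state, report once
                alerted.discard(site)
                events.append((ts, site, "UP"))
            continue
        last = last_seen.get(site)
        # A site that has never answered is treated as silent immediately.
        silent_for = now - last if last else silent_after
        if silent_for >= silent_after and site not in alerted:
            alerted.add(site)
            events.append((ts, site, "DOWN"))
    return events


if __name__ == "__main__":
    for ts, site, event in evaluate(POLL_LOG):
        print(f"{ts} {site} {event}")
```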
-
Centralize everything in a datacenter and run all your services on VDI.
Then you don't need expensive hardware onsite and centralized management.
It's like fire and forget.
-
@cool_corona I'm not sure how that helps. We would still have up to 20 WiFi APs in a site and staff connecting with laptops, and we provide public access to the network. Oh, and you still have the hosting/DC charges, leased lines into the DC, and then another much larger (additional) link to the internet from the DC.
The idea here is to de-centralise the equipment and make better use of aggressive pricing on smaller leased lines with DIA. However, this de-centralised model requires better use of centralised tooling to manage it. Hence the question.
-
@scotty You couldn't be more wrong.
You only need small lines to the DC.
pfSense will handle the APs no issues using range extenders segregated into different local networks.
That way you don't need to manage the APs a lot and it will require a minimum of intervention.
-
Monitoring:
For the "Monitoring/Alerting" I am using Zabbix (free enterprise network management system).
I just set it up on a "little Debian VM" - 2 CPUs & 4GB RAM. pfSense has an installable Zabbix Agent, which will easily enable collection & graphing of pfSense data. For network equipment, Zabbix can collect via SNMP.
pfSense Mgmt:
Collecting backups etc. is quite easy. Depending on "how static" your 23 sites' firewall config is, I'd be more worried about the magnitude of "clicks" required to implement a new rule (change) on each of the sites.
But as you mention: you can fund a lot of work hours on the Cisco vs pfSense pricing.
/Bingo
-
@cool_corona I really do appreciate your input and ideas but I've only provided part of the information and the business case as I didn't feel it warranted explaining. In summary, with 150 desktops/laptops in the estate and the impact of Teams A/V on our centralised infrastructure, it was much more cost effective to move our hosting requirements online rather than hosting internally as we had been doing. We were at a point where the server estate needed major investment, which wasn't a viable or sustainable option. So going back to a Terminal Server/VDI solution is off the cards just so we can manage the network.
Irrespective of my particular circumstances, the key 'positive' thing here is that Netgate/pfSense has now matured to such an extent that much larger deployment use cases are being considered. To break into the next market, they need to consider the ease of managing an 'estate' rather than 'individual' devices. I don't mean that to be a slur on Netgate/pfSense in any way. Many companies out there have great products but get to a point where chasing the 'next new thing' outweighs the more mundane tasks of optimising the less glamorous management functions larger/complex organisations require.