What hardware do I need for creating lots of VLANS?
-
Hi guys,
I am currently using pfsense software based firewall.
My setup is roughly as follows: I have a couple of servers. Each one has some virtual machines running via Microsoft Hyper-V.
Each physical server has its own pfSense virtual appliance running, and it provides VLANs for each virtual server on that physical box.
The idea being that I need to keep the virtual servers on separate LANs from each other. I would like to purchase a physical pfSense firewall to replace the virtual firewalls that I currently have - the main reason is so that networking can be centrally managed rather than having several different software firewalls.
The question I have is this:
I have roughly 8 VLANs at the moment and 1 WAN network. Do I need a firewall with a physical port for each VLAN that I want to set up, or can I somehow have multiple VLANs per port? Sorry if this doesn't make sense; if you guys need more info then I can provide it.
-
I don't understand why you think you need a virtual pfSense for each virtual server.
A virtual pfSense instance can handle multiple VLANs or NICs just fine.
How many VLANs are we talking about?
-
Hi derelict, thanks for the reply.
Well, I only have multiple pfsense installs through my lack of knowledge at the beginning of setting this system up.
When I started I had a single server and then pfSense running as a VM. When I installed a new server I got a new subnet from the colo provider and I didn't know how to link the new server to the VM running on the first server, so I just replicated the same setup - another pfSense VM on the new server.
Now I just want to consolidate so that everything is running from one VM or from one hardware appliance, whichever is easier.
I currently have around 8 VLANs and I think I have 4 separate WAN subnets. But I am planning to condense this into a single /27 WAN subnet and then still have the 8 VLANs so I can segregate my VMs by client.
I don't know the best way of doing this, but I figured removing the firewall from the rest of the setup would be a good idea so that it's easier to manage and so it's not reliant on any other part of the system...
I am open to any advice you can give on the best way to do this though.
-
You simply convert the VM vNICs to use VLAN IDs then connect them all to the external vSwitch on each host.
Make sure all the hosts are connected to a VLAN trunked port on the switch fabric. Choose one of the hosts to run your virtualized pfSense instance (single instance); on that host, just add multiple vNICs (one for each VLAN ID) to connect to the external vSwitch. This will allow your pfSense instance to be connected on all the VLANs across the hosts. Let the Hyper-V vSwitch handle all the VLAN tagging and un-tagging from there.
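The setup described in this reply, as an added PowerShell example (not the poster's own commands): one access-mode vNIC per VLAN on the pfSense VM, access-mode vNICs on the client VMs, and a check that nothing is left untagged. The vSwitch name, VM names and VLAN IDs are assumed values for illustration; the vSwitch is assumed to be bound to the physical NIC that sits on the trunk port.

```powershell
# Added example, not from the original thread. Assumed names: an external vSwitch
# "External-Trunk" (same name on every host, uplinked to a trunk port), a pfSense VM
# "pfsense01", and made-up client VMs / VLAN IDs.
$SwitchName = 'External-Trunk'
$FirewallVM = 'pfsense01'
$Vlans      = @{ 'WAN' = 99; 'ClientA' = 10; 'ClientB' = 20; 'ClientC' = 30 }

# The vSwitch must already exist on this host and be attached to the trunked NIC.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    throw "vSwitch '$SwitchName' not found; create it on the trunked physical NIC first."
}

# One vNIC on the firewall VM per VLAN. Access mode means the vSwitch tags frames
# leaving the VM and strips the tag on the way in, so pfSense sees plain Ethernet.
foreach ($name in $Vlans.Keys) {
    $vlanId  = $Vlans[$name]
    $nicName = "vlan$vlanId-$name"
    if (-not (Get-VMNetworkAdapter -VMName $FirewallVM -Name $nicName -ErrorAction SilentlyContinue)) {
        Add-VMNetworkAdapter -VMName $FirewallVM -Name $nicName -SwitchName $SwitchName
    }
    Set-VMNetworkAdapterVlan -VMName $FirewallVM -VMNetworkAdapterName $nicName -Access -VlanId $vlanId
}

# Client VMs (on any host that has the same vSwitch) get a single access-mode vNIC
# in their client's VLAN, so they can only reach each other through the firewall.
$ClientVMs = @{ 'clienta-web01' = 10; 'clientb-db01' = 20 }
foreach ($vm in $ClientVMs.Keys) {
    Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId $ClientVMs[$vm]
}

# Verify. Every adapter should show OperationMode 'Access' with the intended VLAN;
# an 'Untagged' adapter would land on the trunk's native VLAN, outside any segment.
Get-VMNetworkAdapterVlan -VMName ($FirewallVM, $ClientVMs.Keys) |
    Select-Object VMName, ParentAdapter, OperationMode, AccessVlanId |
    Format-Table -AutoSize
```

Run it on each Hyper-V host from an elevated PowerShell session with the Hyper-V module installed; the firewall block only applies on the host that runs pfSense.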
-
OK, noted... Sort of :-/ I think I remember being told I could have all of my hosts on a VLAN. So I guess in this scenario I would only need one cable connected to the server running pfSense and the Hyper-V vSwitch could do the rest.
And so in the same respect, if I had a hardware firewall it would be the same - if I had a physical switch in place I would only need one connection to the firewall itself, and the switch could do the rest? Even if I had VLANs set up?
But from the comments made so far I am guessing that a hardware firewall is going overboard?
For redundancy of my other VMs I am planning to implement a live copy of VMs between multiple servers, so I could implement something similar for the pfSense VM to avoid any issues if the host running that VM went down?
-
You can have all the hosts on the same vlan but they will be able to communicate with each other.
You can do the same with pfSense on physical hardware as long as you have the VLANs set up on the physical switch port(s).
For redundancy, you will need to set up Hyper-V for HA clustering. At least 1 or 2 other VLANs need to be set up just for the migration purpose. Also, you will need to set up a DFS file share for both nodes to act as a witness (for 2-node replication) and also as a 'common' repository for the snapshots.