Firewall for production network
Hello Guys,
Hope you have a great Christmas!
In mid February I'm planning to colocate another server, and right now I'm thinking about a firewall solution. It will be a VMware host on a Dell R620 (2 x Intel E5-2600 v2 CPUs, 128GB RAM, 2 NICs (1Gbps port and management port)). I was thinking about a hardware solution, but the licences for the hw firewall are too expensive (over 1000 pounds for IDS).
I did some research and I think that the software firewall pfSense will be the best option.
1. Is anyone using pfSense for production servers? Have you had any problems?
2. The traffic on the existing server is between 20Mbit/s and 150Mbit/s up - do you think that an IDS like Snort or Suricata will work without any problems on pfSense with this traffic?
3. Some software doesn't support private IP addresses; the server's network settings have to be configured with a public IP address - is it possible to pass traffic from a server in the DMZ through pfSense on public IP addresses? (80.80.80.80 --> pfSense --> 80.80.80.80)
Thanks,

0. I think a dedicated appliance would be appreciated, not a virtual appliance. Security-wise.
1. Yes, many, many, many people and companies do (and yes, many, many, many problems occur: that is what this forum is for; it's almost just like in real life: problems ;D ).
2. I think 99,9999999999999999999999999999999999999% there won't be any problem. But I will humbly leave this to the Great Steve or others to reply: they know all the nasty details I don't.
3. I'm a noob, I'll leave this question for the Masters who actually know what they are doing ;D
Whenever someone around me asks questions about implementing pfSense in any commercial environment I usually pull up this document and show them.
https://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives
pfSense can easily be configured to port forward on a port-by-port basis, do 1:1 NAT, or even act only as a firewall for devices/computers behind it that have their own public IP addresses.
:)
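To make the three options in that last reply concrete for question 3, here is an added example (not posted by anyone in this thread, and not a ruleset pfSense itself generated) written in pf.conf syntax, which is what pfSense's GUI produces under the hood. The interface names, the 203.0.113.x / 10.0.10.x / 192.168.1.x addresses (RFC 5737 and RFC 1918 ranges) and port 443 are all assumed, constructed values.

```pf
# Added example, not from the thread: pf.conf-style rules for exposing one DMZ
# host three ways. pfSense generates equivalent rules from Firewall > NAT and
# Firewall > Rules; interface names and every address below are constructed.
# On FreeBSD pf (which pfSense uses) translation rules must come before filter rules.

ext_if   = "em0"             # WAN interface (assumed)
dmz_if   = "em1"             # DMZ interface behind pfSense (assumed)
dmz_priv = "10.0.10.10"      # DMZ host with a private address (cases A and B)
dmz_pub  = "203.0.113.10"    # public address the outside world connects to
lan_net  = "192.168.1.0/24"  # internal LAN the DMZ must not reach (assumed)

set skip on lo0
scrub in all

# --- Case A: port forward, one service at a time ---------------------------
# Only TCP/443 is rewritten to the DMZ host; anything else sent to 203.0.113.10
# hits the default-deny filter rule below and is dropped.
rdr on $ext_if proto tcp from any to $dmz_pub port 443 -> $dmz_priv port 443

# --- Case B: 1:1 NAT -------------------------------------------------------
# Whole-address mapping: inbound to 203.0.113.10 becomes 10.0.10.10, outbound
# from 10.0.10.10 leaves as 203.0.113.10. The filter rules still decide which
# ports are open, so 1:1 NAT is not "everything open". Use either the rdr above
# or this binat for a given host, not both; it is commented out for comparison.
# binat on $ext_if from $dmz_priv to any -> $dmz_pub

# --- Case C: no NAT, public IP configured directly on the DMZ host ----------
# For software that refuses to run behind a private address: the DMZ host has
# 203.0.113.10 on its own NIC, the public subnet is routed to $dmz_if, and
# pfSense only forwards and filters. No translation rule is needed at all.

# --- Filter rules, shared by all three cases --------------------------------
block in log all                 # default deny on every interface
pass out quick all keep state    # traffic originated by the firewall itself

# Stateful pass for the published service. After rdr (case A) the filter sees
# the private address; in case C it sees the public address on the host.
pass in on $ext_if proto tcp from any to { $dmz_priv, $dmz_pub } \
    port 443 flags S/SA keep state

# The DMZ host may reply and go outbound, but must never reach the LAN.
block in log on $dmz_if from $dmz_if:network to $lan_net
pass in on $dmz_if from $dmz_if:network to any keep state
```

Syntax-check a file like this with `pfctl -nf /path/to/rules.conf` before loading it. In the pfSense GUI the same three cases are Firewall > NAT > Port Forward (case A), Firewall > NAT > 1:1 (case B), and plain Firewall > Rules with no NAT entry and the public subnet routed to the DMZ interface (case C); in every case the "default deny" comes from the rule order, not from the NAT entry.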