Having trouble understanding the best way to connect pfSense to my environment

djliortal

Hi,

We have decided to migrate to pfSense.
I'm having trouble understanding the best way to connect pfSense to my environment.
Already configured 2 machines with pfSense high availability.

My topology:
I have 6 Esxi hosts connected to 2 switches for high availability purposes. each one have 1 port to either switch.
Switches are stacked and not connected to one another.
I thought of adding one more switch and connect both pfSenses to it and then connect to both switches. but again i have 1 point of failure.
what is the best way to connect 2 pfSense machines to this environment in high availability mode?

I hope i was clear :)

Thanks.
Lior.

johnpoz

@djliortal said in Having trouble understanding the best way to connect pfSense to my environment:

I hope i was clear :)

Not without a drawing - no your not clear at all... Normally pfsense is at the edge.. If you need more switch ports to do that - then ok.. Normally it would replace what your using now as your edge router.

You can also use as a downstream router/firewall between your segments with just a transit to your edge device... But Normally that is more complex..

You haven't stated that your doing vlans or not even.. If you want help with your network on where to best place pfsense, or how to connect it, etc. etc. You need to draw it up so we are all sure how you actually have it connected.

djliortal

Thanks for your reply.

Sorry about that...
I have about 50 vlans configured on LAN interface.
I added a drawing of my topology. removed the storage from topology because it is not connected to the internet
Esxi servers connected through with 2 NICs active/active.
I also wrote class c IP for wan for demo purposes.
Currently we are using single checkpoint firewall. connected only to switch number 1.

if anything still not clear let me know.

johnpoz

So what routes between your vlans? Your checkpoint? If so then that is where your pfsense setup would go.. Are you wanting to have your pfsense setup route between your vlans? And still have your edge router?

Maybe your having a problem figuring out where it goes because you don't know exactly what you want function you want it to perform?

Do you want to replace your checkpoint? Do you want a firewall/router between your vlans and still use your checkpoint as edge? Keep in mind that pfsense as downstream router to handle routing between 50 some vlans prob not the best choice if what your after is wire speed between your vlans.. Unless you have a lot of interfaces on this pfsense setup. That is normally best handled by a L3 switch doing routing.. While the limitation of those devices is ease of firewalling between the vlans - which is where something like pfsense would shine.

How much intervlan traffic do you push? Is your concern with having full wire speed between vlans, or is it the firewall aspect?

djliortal

Hi,
I do want to replace checkpoint and it does route between VLANs. As i said checkpoint is connected only to switch1
and if this switch is fails or checkpoint fails I have no redundancy.
I don't think it's a problem to use the firewall as router because I do need a firewall between VLANs and only small amount of traffic is produced between VLANs because each VLAN is different customer.
The question is how to physically connect 2 pfSense machines to this topology? do i need to bridge two interfaces and connect them to each switch in order to get HA?

JKnott

@djliortal said in Having trouble understanding the best way to connect pfSense to my environment:

I have about 50 vlans configured on LAN interface.

????

Why do many? The most I've ever seen is 3 on top of the native LAN.

djliortal

@JKnott said in Having trouble understanding the best way to connect pfSense to my environment:

Why do many? The most I've ever seen is 3 on top of the native LAN.

We are cloud providers. each customer has it's own private VLAN.

johnpoz

Kind of with JKnott here, while I understand you want different vlans for each customer - and that might well be 50.. You have 50 customers all sharing single physical interface? So this what speed? Even if your internet was gig.. 50 customers on that would break down to shit... 20K each??

While for sure can put that many vlans on a single interface - your sharing the limitation of the physical connection like that - you prob want to break up these connections over multiple physical interfaces.

But if they are all just sharing a 1 gig or so internet connection then guess it doesn't matter ;) Is this physical interface you have the vlan on 10ge? Or higher? What is the internet speed for these customers? Is this lan connection a lagg with multiple interfaces in say 4x1g? Or even 4x10g ?

djliortal

Well, Internet speed is 500Mbit and all clients share it.
Our clients connect through RDP to terminal servers. Internet speed is no issue here.
I guess i could split the VLANs cross other interfaces (this means i need even more ports on switches)
Yet, it doesn't give me proper answer to the question how to connect 2 pfSense with HA to this topology :)

Thank you both for your responses.

johnpoz

@djliortal said in Having trouble understanding the best way to connect pfSense to my environment:

Well, Internet speed is 500Mbit and all clients share it.

Ouch!!! Guess they don't do much...

But guess doesn't matter all that much if they are sharing 1 gig interface then.. Since the internet speed is less than that anyway.

So you put pfsense where the checkpoint is - and if you want to make sure you don't fail with a single switch failure then you would to a port channel across your switches.. This not really a pfsense question - are you not knowing how to create a lagg interface? But your switching environment needs to support the ability to do that.. Creating a lagg over non stacked switches can be problematic at best, etc.

They RDP over the public internet? - Again Ouch!

djliortal

@johnpoz said in Having trouble understanding the best way to connect pfSense to my environment:

are you not knowing how to create a lagg interface? But your switching environment needs to support the ability to do that.. Creating a lagg over non stacked switches can be problematic at best, etc.

I have Dell N2024 switches that are stacked. are you proposing to create LAG interface of type LACP and connect one port to switch 1 and the the other to switch 2? and do it from both master and backup?

@johnpoz said in Having trouble understanding the best way to connect pfSense to my environment:

They RDP over the public internet? - Again Ouch!

each company has fiber connection to the internet and vpn ipsec to the cloud.