Netgate Discussion Forum

    Implement pfSense To Protect Distributed Virtual Private Servers

      jtomelevage

      Hello,

      I want to setup a pfSense firewall in front of three separate servers that are currently live in production.

      All three servers are virtual private servers on two different providers, Linode and Vultr. Two of the servers are running web servers and email on Debian Stretch.

      The third server is running FreePBX on CentOS with SIP trunking provided by a third party. The users of this FreePBX phone system are remote in various locations.

      All servers have one IP address each.

      All servers are running the built-in iptables firewall and fail2ban.

      I want to eliminate, if possible, the firewalls in the three servers and offload that work to a new dedicated virtual private server running pfSense.

      Since all this infrastructure is in the cloud and in various locations I am not sure how to connect them together.

      Here is a diagram on how things are now:
      Current Situation

      Here is what I want to do:
      Desired Situation

      Does this all seem reasonable?

      Any input or suggestions are appreciated.

      John

        stephenw10 Netgate Administrator

        What's the purpose in doing this? Actually just off-loading the firewall load? Easier management?

        It's going to be difficult to achieve this with VPSs. What you're looking at there is a distributed VPC. There are solutions for that! 😉

        To do this you would need to setup tunnels between the pfSense and the 3 servers. Those should really be encrypted so that's likely going to be higher total load. Then you can forward traffic to them in pfSense. You would only have 1 public IP available for all resources of course, unless you get more IPs at the pfSense instance. The additional latency might affect VoIP badly, depending on actual distance etc.

        Steve

          jtomelevage @stephenw10

          @stephenw10 said in Implement pfSense To Protect Distributed Virtual Private Servers:

          It's going to be difficult to achieve this with VPSs. What you're looking at there is a distributed VPC. There are solutions for that!

          Thanks for the reply. What is a VPC?

          I was concerned about the SIP latency and its potential effect on call quality. I also would not like to hinder the web server performance.

            JKnott

            @jtomelevage said in Implement pfSense To Protect Distributed Virtual Private Servers:

            Does this all seem reasonable?

            How are the servers connected? If via the public Internet, each one will need its own firewall.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              jtomelevage @JKnott

              @JKnott said in Implement pfSense To Protect Distributed Virtual Private Servers:

              How are the servers connected? If via the public Internet, each one will need its own firewall.

              All three servers are independently operating and are not currently connected other than via the public Internet.

                JKnott @jtomelevage

                @jtomelevage

                Then you can't just use one pfSense instance, as those servers will not have any protection beyond what their own firewall can provide.

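To make the two points above concrete (Steve's design of an encrypted tunnel from the pfSense instance to each server with pfSense forwarding traffic in, and JKnott's point that each server still needs its own firewall), here is an added example written for this page; it is not code from the thread, from Netgate or from pfSense. It renders the server-side half of such a design: a tunnel peer configuration and a host ruleset that accepts service traffic only when it arrives over the tunnel. It assumes WireGuard as the tunnel and nftables as the host firewall (the thread names neither), eth0 as the server's public interface, and every address, key and port below is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Server-side configuration implied by
# "tunnel from pfSense to each server, forward traffic through pfSense":
# the server's own firewall drops everything on the public interface except
# the tunnel itself, so only traffic pfSense has already filtered reaches
# the services.
#
# Assumptions: WireGuard tunnel, nftables host firewall, public interface
# eth0. All values below are constructed placeholders, not real infrastructure.

PFSENSE_PUBLIC_IP="203.0.113.10"                    # constructed (TEST-NET-3)
PFSENSE_WG_PUBKEY="<pfSense WireGuard public key>"   # placeholder
TUNNEL_NET="10.200.0.0/24"                           # constructed tunnel subnet

# Render /etc/wireguard/wg0.conf for one server.
#   $1 = this server's tunnel address (e.g. 10.200.0.2)
#   $2 = UDP port the pfSense side listens on
render_wg_conf() {
  tunnel_ip="$1"; wg_port="$2"
  cat <<EOF
[Interface]
Address = ${tunnel_ip}/24
PrivateKey = <server private key, generate with: wg genkey>

[Peer]
# pfSense hub; the only peer, so only pfSense can source traffic on wg0.
PublicKey = ${PFSENSE_WG_PUBKEY}
Endpoint = ${PFSENSE_PUBLIC_IP}:${wg_port}
AllowedIPs = ${TUNNEL_NET}
PersistentKeepalive = 25
EOF
}

# Render an nftables ruleset: default drop; on the public interface only the
# WireGuard UDP port is answered; service ports are accepted only via wg0.
#   $1   = WireGuard UDP port
#   $2.. = service ports as "tcp/443" or "udp/5060"
render_nft_rules() {
  wg_port="$1"; shift
  tcp_ports=""; udp_ports=""
  for spec in "$@"; do
    case "$spec" in
      tcp/*) tcp_ports="${tcp_ports}${tcp_ports:+, }${spec#tcp/}" ;;
      udp/*) udp_ports="${udp_ports}${udp_ports:+, }${spec#udp/}" ;;
      *) echo "bad port spec: $spec" >&2; return 1 ;;
    esac
  done
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    # Tunnel endpoint: the only thing the public interface answers to.
    iifname "eth0" udp dport ${wg_port} accept
    # Services are reachable only through the tunnel from pfSense.
EOF
  [ -n "$tcp_ports" ] && printf '    iifname "wg0" tcp dport { %s } accept\n' "$tcp_ports"
  [ -n "$udp_ports" ] && printf '    iifname "wg0" udp dport { %s } accept\n' "$udp_ports"
  cat <<EOF
    icmp type echo-request limit rate 5/second accept
  }
}
EOF
}

# Sanity-check a rendered ruleset: default policy must be drop, and the public
# interface must have exactly one accept rule, for the WireGuard port only.
#   $1 = WireGuard UDP port, $2 = ruleset text
check_rules() {
  wg_port="$1"; rules="$2"
  printf '%s\n' "$rules" | grep -q 'policy drop;' || return 1
  pub=$(printf '%s\n' "$rules" | grep 'iifname "eth0"' || true)
  [ "$(printf '%s\n' "$pub" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$pub" | grep -q "udp dport ${wg_port} accept" || return 1
}

# Demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  render_wg_conf 10.200.0.2 51820
  echo
  render_nft_rules 51820 tcp/80 tcp/443 tcp/25 udp/5060
fi
```

The pfSense side would hold the matching WireGuard peer and the port forwards toward each server's tunnel address; that half is not shown. Note what the host ruleset still has to do even in this design: it is the server, not pfSense, that drops connections arriving directly on the public IP, which is exactly why the servers keep a firewall of their own.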
                  stephenw10 Netgate Administrator @jtomelevage

                  @jtomelevage said in Implement pfSense To Protect Distributed Virtual Private Servers:

                  What is a VPC?

                  Virtual Private Cloud
                  Edit: Better link

                  Still not sure why you are doing this? If we know what you're hoping to achieve by doing it we might be able to make more helpful suggestions.

                  Steve

                    jtomelevage

                    @stephenw10 said in Implement pfSense To Protect Distributed Virtual Private Servers:

                    Still not sure why you are doing this? If we know what you're hoping to achieve by doing it we might be able to make more helpful suggestions.

                    Thanks for the reply. I had not heard of VPC previously, and that looks like a great solution depending on the cost. Right now I think the cost of the above production environment is $60 per month.

                    The reason why is that these servers already exist and have been running well (despite all the attacks) and I was hoping to protect the servers with a single firewall and eliminate the need to manage the individual servers' firewalls.

                    John

                      stephenw10 Netgate Administrator

                      It might be more expensive. Other VPCs are available; I changed out the link.

                      Vultr appears to have some sort of private networking feature that you may be able to use for this. Consolidate all your servers there perhaps.

                      Not something I've ever tried. But multiple servers behind pfSense in AWS or Azure is quite common.

                      Steve

                        jtomelevage @stephenw10

                        @stephenw10 said in Implement pfSense To Protect Distributed Virtual Private Servers:

                        Vultr appears to have some sort of private networking feature that you may be able to use for this. Consolidate all your servers there perhaps.

                        I did not find the service at Vultr that you refer to. Can you share a link?

                        John

                          stephenw10 Netgate Administrator

                          I've never used Vultr so I have no way to know if this fits your usage...

                          https://www.vultr.com/docs/configuring-private-network

                          I note that: "Private networks are only available on Vultr compute and dedicated compute instances."

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.