Implement pfSense To Protect Distributed Virtual Private Servers
-
Hello,
I want to setup a pfSense firewall in front of three separate servers that are currently live in production.
All three servers are virtual private servers on two different providers, Linode and Vultr. Two of the servers are running web servers and email on Debian Stretch.
The third server is running FreePBX on CentOS with SIP trunking provided by a third party. The users of this FreePBX phone system are remote in various locations.
All servers have one IP address each.
All servers are running the built-in iptables firewall and fail2ban.
I want to eliminate, if possible, the firewalls in the three servers and offload that work to a new dedicated virtual private server running pfSense.
Since all this infrastructure is in the cloud and in various locations I am not sure how to connect them together.
Here is a diagram on how things are now:
Here is what I want to do:
Does this all seem reasonable?
Any input or suggestions are appreciated.
John
-
What's the purpose in doing this? Actually just off-loading the firewall load? Easier management?
It's going to be difficult to achieve this with VPSs. What you're looking at there is a distributed VPC. There are solutions for that!
To do this you would need to setup tunnels between the pfSense and the 3 servers. Those should really be encrypted so that's likely going to be higher total load. Then you can forward traffic to them in pfSense. You would only have 1 public IP available for all resources of course, unless you get more IPs at the pfSense instance. The additional latency might affect VoIP badly, depending on actual distance etc.
Steve
-
@stephenw10 said in Implement pfSense To Protect Distributed Virtual Private Servers:
t's going to be difficult to achieve this with VPSs. What you're looking at there is a distributed VPC. There are solutions for that!
Thanks for the reply. What is a VPC?
I was concerned about the SIP latency and it's potential affect on call quality. I also would not like to hinder the web server performance.
-
@jtomelevage said in Implement pfSense To Protect Distributed Virtual Private Servers:
Does this all seem reasonable?
How are the servers connected? If via the public Internet, each one will need it's own firewall.
-
@JKnott said in Implement pfSense To Protect Distributed Virtual Private Servers:
How are the servers connected? If via the public Internet, each one will need it's own firewall.
All three servers are independently operating and are not currently connected other that the public Internet.
-
Then you can't just use one pfSense intance, as those servers will not have any protection beyond what their own firwall can provide.
-
@jtomelevage said in Implement pfSense To Protect Distributed Virtual Private Servers:
What is a VPC?
Virtual Private Cloud
Edit: Better linkStill not sure why you are doing this? I we know what you're hoping to achieve by doing it we might be able to make more helpful suggestions.
Steve
-
@stephenw10 said in Implement pfSense To Protect Distributed Virtual Private Servers:
Still not sure why you are doing this? I we know what you're hoping to achieve by doing it we might be able to make more helpful suggestions.
Thanks for the reply. I had not heard of VPC previously, and that looks like a great solution depending on the cost. Right now I think the cost of the above production environment is $60 per month.
The reason why is that these servers already exist and have been running well (despite all the attacks) and I was hoping to protect the servers with a single firewall and eliminate the need to manage the individual server's firewalls.
John
-
It might be more expensive. Other VPCs are available, I changed out the link.
Vultr appears to have some sort of private networking feature that you may be able to use for this. Consolidate all your servers there perhaps.
Not something I've ever tried. But multiple servers behind pfSense in AWS or Azure is quite common.
Steve
-
@stephenw10 said in Implement pfSense To Protect Distributed Virtual Private Servers:
Vultr appears to have some sort of private networking feature that you may be able to use for this. Consolidate all your servers there perhaps.
I did not find the service at Vultr that you refer to. Can you share a link?
John
-
I've never used Vultr so I have no way to know if this fits you usage....
https://www.vultr.com/docs/configuring-private-network
I note that: "Private networks are only available on Vultr compute and dedicated compute instances."
Steve
