Netgate Discussion Forum

Administrative host for multi-site pfSense implementation

General pfSense Questions
6 Posts 4 Posters 572 Views

A Former User

I have three sites that will soon be using pfSense firewalls. I plan to create a management VLAN for each site that provides administrative access to the web configurators for each managed device (i.e. switches, APs, etc.).

      My question relates to best practices for creating a single, secure, administrative host that can access the three management VLANs (one per site). I will likely have a hub and spoke VPN with head office serving as the NOC.

      Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks.

pfBasic (Banned)

One computer to access all three locations' management VLANs securely?

        If I understand correctly.

        • Put the administrative computer behind a firewall that does not allow access to anything that isn't necessary - don't use this computer for anything else.

        • Key + Pass VPN to each location.

        • HTTP/S only access to the WebGUI with a strong password (don't use port 443 for your VPN)

        • You could even use RADIUS to further restrict authentication for the management VLAN

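The allowlist pfBasic describes (admin host behind a firewall that permits only what is necessary, a VPN that does not share port 443 with the WebGUI, HTTPS-only management) can be written out as a pf ruleset. This is an added illustration for the thread, not pfSense's generated configuration or anyone's posted code; pfSense builds its own rules from the GUI. Every interface name, address and port below is an assumption chosen for the example: ovpns1 as the head-office OpenVPN server interface, 10.8.0.2 as the admin host's VPN address, 10.10.1.0/24 as one site's management VLAN, vlan20 / 10.20.0.0/24 as the PCI user subnet.

```pf
# Added illustration, not pfSense's generated rules. Assumed layout:
#   ovpns1      = OpenVPN server interface at head office, listening on UDP 1194
#                 (the OpenVPN default) so the VPN never collides with the WebGUI on 443
#   admin_host  = VPN address of the dedicated administrative machine
#   mgmt_vlan   = this site's management VLAN (switch/AP web configurators, pfSense WebGUI)
#   vlan20      = PCI user subnet, which must never reach management interfaces
admin_host = "10.8.0.2"
mgmt_vlan  = "10.10.1.0/24"
pci_vlan   = "10.20.0.0/24"
mgmt_ports = "{ 22, 443 }"   # SSH and HTTPS only; plain HTTP (80) is deliberately absent

# Weak version (commented out): every VPN client, not just the admin host,
# could reach every device on the management VLAN on any port.
# pass in on ovpns1 from any to $mgmt_vlan

# Restrictive version: default-deny on the VPN interface with logging,
# then one "quick" pass for the admin host to the management ports only.
block in log on ovpns1 all
pass in quick on ovpns1 proto tcp from $admin_host to $mgmt_vlan port $mgmt_ports

# The PCI user VLAN keeps ordinary outbound access but has no path to
# management; attempts are logged so they show up in the firewall log.
block in log quick on vlan20 from $pci_vlan to $mgmt_vlan
pass in on vlan20 from $pci_vlan to any
```

In pf the last matching rule wins unless a rule carries "quick", so the logged block on ovpns1 catches everything the single quick pass does not name; dropping the broad commented rule is the whole point of the allowlist. RADIUS, which pfBasic also suggests, is configured on the authentication side rather than in these rules.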
A Former User

          Thanks pfBasic.
I wear quite a few hats that require regular non-administrative use of all subnets (one is subject to PCI) in our environment. To avoid having to keep half a dozen towers by my desk, would VMs on maybe two desktops be advised/secure with dedicated NICs per VM? Would a host-based hypervisor suffice, or should it be bare metal?

          Thanks.

pfBasic (Banned)

            All of those questions are honestly beyond me. I'm not in IT or anything related to that professionally.

            Isolating the admin computer to only pfSense management functions is the most secure but by no means a requirement.

            I would say just isolate the management device as much as practical. Security will always have to make a compromise with convenience, so it's just up to you where you find that compromise.

            I'm sure bare metal is technically more secure in some ways, but for real world use I doubt that it will matter at all.

Smoothrunnings

              @SR190:

              Thanks pfBasic.
I wear quite a few hats that require regular non-administrative use of all subnets (one is subject to PCI) in our environment. To avoid having to keep half a dozen towers by my desk, would VMs on maybe two desktops be advised/secure with dedicated NICs per VM? Would a host-based hypervisor suffice, or should it be bare metal?

              Thanks.

VMware or Hypervisor would work.

Guest

                Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks.

The pfSense team is, if I am remembering right, working on a solution like that, but I can't fairly say anything about the stage of that work and other things; there is not too much information about it. If you want to get a fair answer, I personally would work at each site with Aten serial console switches; they have some interesting solutions and different models, for real serial, USB and LAN port console switches, so at each site all models can be connected to those KVM switches, and over VPN you will then be able to connect to them for configuring all your devices and pfSense on top. VPN might be secure to realize that action.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.