    Administrative host for multi-site pfSense implementation

    General pfSense Questions
    SR190:

      I have three sites that will soon be using pfSense firewalls. I plan to create a management VLAN for each site that provides administrative access to the web configurators for each managed device (ie. Switches, AP's etc).

      My question relates to best practices for creating a single, secure, administrative host that can access the three management VLANs (one per site). I will likely have a hub and spoke VPN with head office serving as the NOC.

      Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks.

      pfBasic:

        One computer to access all three locations' management VLANs securely?

        If I understand correctly.

        • Put the administrative computer behind a firewall that does not allow access to anything that isn't necessary - don't use this computer for anything else.

        • Key + Pass VPN to each location.

        • HTTP/S only access to the WebGUI with a strong password (don't use port 443 for your VPN)

        • You could even use RADIUS to further restrict authentication for the management VLAN

        SR190:
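As an added example (not code from this thread or from pfSense itself), a Python model of the policy in the answer above: only the dedicated admin host may reach the management VLANs, only on the WebGUI/SSH ports, the managed devices may not initiate anything, and the VPN listener stays off port 443. The site addressing, the admin host address and the VPN port are constructed assumptions; the evaluator mimics pfSense's first-match rule order with an implicit default deny.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: one management VLAN per site, hub-and-spoke VPN from head office (NOC).
MGMT_VLANS = {name: ipaddress.ip_network(cidr) for name, cidr in
              [("hq", "10.10.99.0/24"), ("site2", "10.20.99.0/24"), ("site3", "10.30.99.0/24")]}
ADMIN_HOST = ipaddress.ip_network("10.10.250.10/32")  # the single dedicated admin box (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")
VPN_PORT = 1194                    # assumed; kept off 443 so it never collides with the HTTPS WebGUI
MGMT_PORTS = frozenset({443, 22})  # HTTPS WebGUI and SSH are the only services the admin host needs


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"               # "tcp", "udp" or "any"
    dports: frozenset = frozenset()  # empty means any destination port

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


def build_rules():
    """pfSense-style ordered ruleset: first match wins, anything unmatched is denied."""
    rules = []
    for net in MGMT_VLANS.values():
        # only the admin host, and only to the management services
        rules.append(Rule("pass", ADMIN_HOST, net, "tcp", MGMT_PORTS))
        # managed devices may not initiate traffic anywhere, including to other management VLANs
        rules.append(Rule("block", net, ANY))
    return rules


def evaluate(rules, src, dst, proto="tcp", dport=443):
    """Return the action taken for one flow; 'block' when no rule matches (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "block"


def vpn_port_is_clear():
    """The thread's advice: the VPN listener must not share port 443 with the WebGUI."""
    return VPN_PORT not in MGMT_PORTS
```

Add one pass rule per extra management service (for example a vendor's HTTPS-only controller port) rather than widening the destination port set; any ordinary workstation still falls through to the default deny.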

          Thanks pfBasic.
          I wear quite a few hats that require regular non-administrative use of all subnets (one is subject to PCI) in our environment. To avoid having to keep half a dozen towers by my desk, would VMs on maybe two desktops be advised/secure with dedicated NICs per VM? Would a host-based hypervisor suffice, or should it be bare metal?

          Thanks.

            pfBasic:

            All of those questions are honestly beyond me. I'm not in IT or anything related to that professionally.

            Isolating the admin computer to only pfSense management functions is the most secure but by no means a requirement.

            I would say just isolate the management device as much as practical. Security will always have to make a compromise with convenience, so it's just up to you where you find that compromise.

            I'm sure bare metal is technically more secure in some ways, but for real world use I doubt that it will matter at all.

              Smoothrunnings:

              @SR190:

              Thanks pfBasic.
              I wear quite a few hats that require regular non-administrative use of all subnets (one is subject to PCI) in our environment. To avoid having to keep half a dozen towers by my desk, would VMs on maybe two desktops be advised/secure with dedicated NICs per VM? Would a host-based hypervisor suffice, or should it be bare metal?

              Thanks.

              VMware or a hypervisor would work.

                Guest:

                Any suggestions for this configuration, and a secure administrative host would be greatly appreciated. Thanks.

                The pfSense team is, if I am remembering right, working on a solution like that, but I can't really say anything about the stage of that work and other things; there is not too much information about it. If you want a fair answer, I personally would work at each site with Aten serial console switches. They have some interesting solutions and different models, for real serial, USB and LAN port console switches, so at each site all models can be connected to those KVM switches and over VPN you will be able to connect to them for configuring all your devices and pfSense on top. VPN might be secure enough to realize that.
