Pfsense Firewall to pfsense router on a stick
-
All,
New to pfsense but loving it over Cisco products. I'm in the middle of labbing out a new setup for our offices. Currently we are running a cisco 5505 with a few vlans to layer 2 switch. I am in the process of labbing out pfsense and was just going to do the router/firewall in one. As a security measure I have always heard it is best to split your firewall away from your local lan router. I have a few Supermicro blades that I am reusing for this project. So my question is how to to setup the pfsense box just as a firewall and also what the connection would look like from the pfsense router on stick to the pfsense firewall... Just a /30 subnet? Any help is appreciated.
-
It would be far easier not to separate those functions.
Whatever security advantage you gained (debatable if any) would likely be offset by the massive additional complexity being far more likely to introduce errors in my opinion.
The connection to a router on a stick has to carry all the VLANs it wouldn't be a single tunnel subnet if you really did choose to do that.
Steve
-
Thanks for the quick reply.. So far in my lab I have a 2 ports on pfsense box one for wan the other for lan.. I am using a cisco sg300 as my managed switch. Question is should the managed switch be setup in layer 3 or layer2 and just have all vlans tagged? As far as everything else goes it is pretty straightforward just not to sure on the setup between the managed switch and pfsense.
-
It depends what filtering you need between the internal subnets. If you don't need filtering or what you do need to can done on the switch then it will be better to route between those at the switch. The switch will always be faster and it removes load from the firewall that could other wise be using thise CPU cycles for something the switch can't do.
Steve
-
My plan is to have the pfsense box as a vpn/router on a stick/firewall. I have at least 32gbs of memory and a hefty xeon processor. I think this should work well for the setup. My problem with trying to filter traffic at the switch is that the sg300 has a limited amount of memory so once you create a few ACL/ACE's for a few vlans it starts throwing errors that no more can be added. Do you think with this setup the supermicro blade will be able to handle all those services or am I better of spending a little money for a better managed switch?
-
I imagine you will fine routing at the firewall between the internal subnets. That hardware is probably far in excess of what you need.
Steve
