Redundant pfsense configuration
First, I apologize if this topic was posted in the wrong forum. I wasn't sure where to put it.
We ($work) are currently looking at alternative firewall solutions. We're currently using Watchguard but we're not happy with it - long story, but in the end it doesn't work the way we want it to work. So we've decided to use something different (the Watchguard is also a major single point of failure).
We also use FreeBSD (and in some areas OpenBSD) quite extensively so I've been looking at different solutions based on FreeBSD. Now I'm looking at pfsense and it looks like it provides what we need.
Let's start to look at a very simplified picture describing our network:
We have two physically different connections to our ISP. The ISP is using HSRP to quickly do a failover to the secondary connection in case the primary goes down. The primary connection is 100/100 and the secondary 10/10, but we're not even close to fully using it.
Next we have a switch where we collect our external ip adresses. It isn't just the firewall that's connected to this, we also have some appliances that we need to put directly on a external ip and we don't want the traffic to go through the firewall to reach these appliances.
After this is the Watchguard …
And then we have the dual HP 5412zl switches, connected to each other using VRRP to provide redundancy for the servers connected to the switches. One switch can reboot or fall apart, and our servers continue to work without any disruption in the network.
Ok, so for the real question: How would you design a pfsense solution based on the above scenario (with redundancy in mind)? I haven't yet tried pfsense so I don't know if it can do what we want it to do, so I'm asking here before I spend too much time on it. We have two spare HP DL360 G6's that we can use.
You could put two pfSense boxes configured as a CARP pair in place of the Watchguard box. You'd just need to be sure that your CARP VIPs do not conflict with any of the VRRP/HSRP traffic that you likely have on WAN and LAN.
I'd also try to find a way to hook up two switches on WAN between pfSense and your ISP links, otherwise you still have a single point of failure. For instance, one ISP link into each switch, and one pfSense box into each switch. Depending on your devices that plug straight into those switches you may be able to do LAGG/LACP and ensure they are redundant across those switches also.
I know what CARP is, but what is a CARP VIP? (and how do I make sure it doesn't conflict with the VRRP traffic? ;)
So, assuming we'd put two boxes with pfsense in our net, what would the best way to hook them up to the HP switches? I'm thinking that each pfsense box should be connected to both switches, but I have no idea if that's going to work.
Is anyone running a similar configuration? I'd love to see pictures (like the one I provided) of how people are using pfsense to achieve redundancy.
There is an example like this (fully redundant) in the book.
A CARP VIP is a Virtual IP address shared between the CARP hosts. It allows one firewall to quickly take over if the other fails. Each firewall has its own (different) LAN and WAN (and DMZ, etc, etc) IP addresses and also a shared CARP address for each interface.
It would probably be sufficient to have each pfSense box plugged into each switch just once, e.g. pfSense box #1 into switch #2 and pfSense box #2 into switch #2.
In pfSense 2.0 there will be support for LAGG interfaces so you could have each pfSense box plugged into all your redundant switches, so that might be feasible when that is released.
Ok, so how far away is 2.0? Next month? Next year? :)
One other thing that crossed my mind right now: does pfsense support gmirror? Can I gmirror two disks during the pfsense installation?
2.0 is still a ways off. It'll be out "when it's ready" :-) but is likely to be by the end of the year. It's a very ambitious release. Lots of features were added.
You can install on a gmirror, yes, but the setup isn't handled properly in the installer yet. I think it appears in the installer but does not actually function at this point. There are instructions on the doc wiki for doing it by hand, and I've setup probably a dozen machines that way over time.