PfSense for virtual firewalling/VPN services?
-
We are looking to provide "virtual firewalling/VPN" services to customers hosted in our VMware and Hyper-V hosting environments (trying to avoid dedicating a physical NIC port for each customer on the host and hanging a firewall appliance off of each). In a nutshell, each customer gets their own VLAN subinterface (which will cascade all the way down into their virtual machine), and we can define unique firewall rules (as well as establish IPSec VPN tunnels) on a per-customer basis.
After reading the docs, it is not clear if pfSense will do this. Basically, I need a unique routing table (with regards to VPN especially), a unique set of firewall rules/zones, and the ability to define VPN tunnels even if there are overlapping VPN endpoint networks among multiple customers (e.g. both Customer "A" and Customer "B" use 192.168.1.x on their side).
Any insight would be much appreciated.
-
I'm pretty sure all of that is possible via pfSense. I'm not 100% on the overlapping VPN endpoints, however.
When you set up a VLAN as its own interface, it gets its own set of rules. So that's not bad, but you'll want to set up a firewall rule that will exclude your other interfaces, which is slightly annoying (coming from SonicWalls), but easily accomplished via not-based rules and a couple of aliases (i.e. Destination !AllLocalInterfaces).
The only issue I've run into lately is on my Intel dual-NIC PCI card: when adding a new VLAN, it interrupts network connectivity, and recommends (requires?) rebooting the system. If you require adding VLANs on a frequent basis, you may want to create a few hundred off the bat and simply have them 'waiting' for use.
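The per-VLAN rule set and the "not all local networks" alias described in the reply above, written out as an added example in raw pf(4) syntax rather than the ruleset pfSense itself generates; the interface names, VLAN tags and address ranges are assumptions, not values from this thread:

```pf
# Constructed example: two customer VLAN sub-interfaces on igb1, each treated as its
# own pf interface with its own rules. Tags and subnets are assumed for illustration.
cust_a = "igb1.101"    # Customer A, 10.10.1.0/24 (assumed)
cust_b = "igb1.102"    # Customer B, 10.10.2.0/24 (assumed)

# One alias holding every locally attached network, the "AllLocalInterfaces" idea:
# anything destined here is another tenant or the management LAN, never the Internet.
table <all_local_nets> const { 10.10.1.0/24, 10.10.2.0/24, 10.0.0.0/24 }

# Default deny on every interface, logged so cross-tenant attempts are visible.
block log all

# Customer A may reach anything that is NOT a local network (the "not-based" rule);
# traffic to <all_local_nets> matches no pass rule and falls through to the block.
pass in quick on $cust_a from 10.10.1.0/24 to ! <all_local_nets> keep state

# Customer B gets an identical but independent rule on its own VLAN interface.
pass in quick on $cust_b from 10.10.2.0/24 to ! <all_local_nets> keep state
```

Adding a tenant means adding one VLAN interface, one table entry and one pass rule; the table keeps every existing tenant's isolation intact without editing their rules.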
-
The overlapping VPN endpoints is the key – we won't be able to control what network ranges they might happen to use on their side, so I guess I'll just need to get pfSense installed and test things out.