Netgate Discussion Forum

    Is this a good plan?

    General pfSense Questions
    5 Posts 2 Posters 1.6k Views
    psilikon

      At work we need to gain PCI compliance on our firewall, plus I want to change our infrastructure around a little bit to make it easier to manage. So I am looking to use pfSense, since I use it at home and I think it will be perfect for what I want to do at work. Currently we have two Linux boxes as gateways to our two WAN links. These (old Slackware boxen) Linux machines also provide DNS via bind9 and also DHCP. We really only have about 20 computers on our LAN that need to get to the internet; however, we have about 220 boxes total. See, we are a call center and there are about 200 or so machines that really just need DHCP and to access local resources.

      So what about this: I slap pfSense on our gateway connected to the primary WAN and set up my rules. Then I would go to our domain registrar and get it to point to a DNS service like DynDNS or something. Then can I just forward that DNS to my local LAN? Or do I have to do something else? What about internal DNS, can I offer that also on the pfSense box? We use a lot of DNS in house to access local servers and whatnot. I was thinking I wouldn't even need to pay extra for fancy DNS failover; I could just access the DNS hosting account and point it at the secondary WAN link's IP if the primary took a crap…. Does that sound feasible? We have a pretty simple setup and don't really use our WAN link for much of anything that is business critical, and we don't have much of a surfing policy or QoS. The only thing that is critical is that the CEO and other execs need to access our locally hosted email (Zimbra) at all times.

      Mainly I would like to get DNS out of the building and maybe even email later on. I know the basics when it comes to admin'ing BIND but would prefer not messing with it in a production environment. I get a little scared when I think about making a mistake and then having to wait for changes to propagate while executives can't get their mail.
      What do you guys think? Can you point me in the right direction?

        Cry Havok

        Keep in mind that DNS servers must be on fixed IP addresses; you can't run one on a dynamic IP and expect to avoid problems. You'd be far better off with a service like DynDNS's DNS Custom to allow you to update hostnames with changing (WAN) IP addresses. Initially it's probably easier to run your LAN DNS service on pfSense.

        As for email, have you considered switching to Google Apps?

          psilikon

          Actually, a friend just suggested Google Apps for email today. Zimbra is… ok. The web mail is sufficient but the Outlook "connector" seems to be a bit buggy at times.

          Yes, we have two WAN connections, both with static IPs. Since we really don't need an automatic failover, I am planning on simply unplugging the primary in the event of a loss and plugging in the secondary. I was considering DynDNS's custom service; it seems like it has all the right features. What do you think about ditching the BIND servers? Can I run a DNS service for internal name resolution (local servers like db, web, app) on pfSense AND use a service like DynDNS DNS Custom?

            Cry Havok

            I do something very similar and it all works very smoothly.

            If you wanted automatic failover DynDNS's Dynect range has that feature, but it does cost quite a bit more than the basic DNS Custom package.

              psilikon

              Right on. Thanks for the input.

              Interesting note: the previous net admin at work took a quad-core Xeon w/ 4GB RAM and purposed it as an iptables firewall/gateway. I don't understand why; maybe he had plans to make that machine take on other duties such as backing up or something… I dunno. Seems like I will just re-purpose it as something else and throw together a P4 w/ 512 to take on firewall duties. Now that I think about it, the other gateway is a quad-core Xeon with 2GB. Wtf.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.