Best practices for virtualized fully collapsed dmz ala pfsense in esxi cluster



  • Wans are ATT Uverse and Comcast business gateways both with built-in multi port lan interface switches and several static ips. Looking at Comcast MetroEthernet. Pfsense will be performing traffic shaping, qos, and vpns plus more.

    What are the best methods for eliminating single points of failure in network for virtualized pfsense in an esxi vsphere cluster? Should the isp gateway wans cross connect into vlans onto two different managed switches and then trunk/tag this into each esxi host? Pfsync would have dedicated vlan but how will pfsense carp primary and backup vm instances connect to second switches redundant wan vlans? (additional gateways but with lower priority and triggered by member down?)

    Is it worthwhile to investigate pfsense behavior with vmotion, FT, HA?

    Reviewing http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf and am curious if others have had success and could share their strategies in esxi clusters. Maybe separating the firewall from the cluster and setting up two hardware pfsense boxes is best method? Open to all comments and suggestions.. thanks!


Log in to reply