Upgrading company firewall. Suggestions.



  • Hello,

    I am here to be told I am crazy and out of my mind, or I am crazy and it is going to take some time and mind power to do. I am really not expecting anyone to say it is going to be easy.

    I have gotten to the point of being fed up with Fortigate after a 10-hour outage of half the PCs in the company and 6 hours on the phone with Fortigate getting nowhere but teaching their three levels of techs how to use their product. A simple seamless cut from DSL to fiber turned into a huge nightmare. Not to mention the past weeks of their horrible web filtering updates that have blocked 80% of the websites our company needs. I guess General Motors corporate web applications are top-level porn.

    Here is my goal: I would like to run two boxes, both running two VM instances, one box as the active one and the second as a failover.
    We have two dedicated lines coming in: one is for customers only and one is for the company.

    Now I am planning on running pfSense in front of Endian to run IDS, QoS, and DHCP.

    The Endian box will then be set up as transparent and UTM.

    The attachment is a small diagram I made to try and get a grasp on what I am trying to accomplish. The main area I am stuck at is bridging the Endian server to the pfSense. I have to keep both dedicated links pretty much separate the whole time. And will the routing have to be handled by PF or Endian?

    My second thought is just building a second box and running the dedicated line for the customers through it running Endian, but I would rather only have two boxes, not 3 to 4.

    *The filters will be by subnet, not IP ranges, and the bridges, if possible, I would like to be done by ESXi 5 to limit the need for external ports.
    *Budget is key on this project, hence the Endian vs. the Untangle.

    Thanks



  • It is very possible to do this type of setup. pfSense will do the routing. Endian looks like you have it set to be a transparent firewall (filtering bridge).
    I am guessing that in the primary (and secondary), you are going to have pfSense and Endian as 2 separate VMs with separate VM networks (1 for pfSense WAN with an interface assigned for each connection, 1 for pfSense LAN to Endian WAN with no interface assigned, 1 for cluster communication (both Endian and pfSense), and 1 for Endian LAN (main LAN)). If it is a true bridge, then the Endian machine will only have an IP for management, perhaps on a 4th NIC so you can manage it outside the bridge.

    Just my $0.02.



  • Endian looks like you have it set to be a transparent firewall (filtering bridge).

    Yes, we will be running ESXi 5 with both pfSense and Endian in VMs and have Endian set up as a transparent firewall following their documentation.

    I am guessing that in the primary (and secondary), you are going to have pfSense and Endian as 2 separate VMs with separate VM networks (1 for pfSense WAN with an interface assigned for each connection, 1 for pfSense LAN to Endian WAN with no interface assigned, 1 for cluster communication (both Endian and pfSense), and 1 for Endian LAN (main LAN)). If it is a true bridge, then the Endian machine will only have an IP for management, perhaps on a 4th NIC so you can manage it outside the bridge.

    So if I am understanding you correctly:

    Initial connection from ISP to PF box to Endian:

    1 for pfSense LAN to Endian WAN with no interface assigned

    WAN (20...)         <----->
                                   pfSense <--- LAN --(static IP)--> Endian WAN
    OPT (WAN#2, 70...)  <----->

    Cluster:

    1 for cluster communication (both Endian and pfSense)

    pfSense
            <-- sync connection --> CARP
    Endian

    1 for pfSense WAN with an interface assigned for each connection

    Now I am trying to get this one; is there any way you can map this out? I get the interface part, but the WAN: are you talking about both WANs or just one?

    1 for Endian LAN (main LAN)

    And this one I am not quite fully getting the purpose of.

    Thanks, and sorry for the slow reply; the cut-over for the new lines did not go smoothly due to the current firewall not working as it should.



  • Well it should work like:

        WAN1                         WAN2
          |                            |
          ------------------------------
                |                  |
        pfSense (primary) ---- pfSense (secondary)
                | LAN              | LAN
                --------------------
                | WAN              | WAN
        Endian (primary) ----- Endian (secondary)
                |                  |
                --------------------
                         |
                        LAN

    Now for each device you have designators... pfSense you have LAN, WAN and OPTx... So WAN and OPT1 will be your internet. LAN on pfSense will be hooked up to WAN on Endian. OPT2 will be used for pfsync as part of the cluster setup.

    WAN and LAN on Endian will be bridged and transparently pass or block traffic based on rules. I am not familiar with Endian so I have no idea how the clustering or failover works.

    But all the connectors that match should be in the same logical switch (be it virtual or physical). Meaning that LAN on both pfSense machines and the WAN on each Endian should be in the same virtual switch. So since you are running 2 separate boxes, you only need to assign an interface and put in a crossover cable between the 2 ESX boxes to the interface assigned to that virtual switch. You can also use VLANs at the ESX level to help with all this.

    Hopefully that cleared it up a bit. If not, then I am not explaining it the way it is in my head. :)
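    As an added example (not part of this thread, and not from pfSense, Endian or VMware documentation), here is the layout above expressed as ESXi 5 esxcli commands for one host: a vSwitch per dedicated line, one vSwitch on the crossover NIC carrying the pfSense-LAN/Endian-WAN transit and pfsync as two VLANs, and a vSwitch for the Endian LAN side. vSwitch names, port-group names, VLAN IDs and vmnic numbers are assumptions. The check a practitioner wants here: a transparent bridge VM forwards frames carrying other hosts' source MACs and must receive frames not addressed to its own MAC, and CARP virtual IPs answer from a shared virtual MAC, so the port groups carrying the bridge and the CARP VIPs need promiscuous mode, forged transmits and MAC changes allowed. The ESXi default rejects all three, and the result is a bridge that passes nothing and CARP VIPs that do not answer, with no error anywhere in the guests.

```shell
#!/bin/sh
# Added example (not from the thread): ESXi 5 vSwitch / port-group layout for a
# pfSense -> Endian (transparent bridge) pair on one host, including the
# security-policy settings a filtering bridge and CARP require.
# All vSwitch/port-group names, VLAN IDs and vmnic numbers are assumptions.
#
# On the ESXi host:         sh esx-layout.sh --apply
# Anywhere else (dry run):  sh esx-layout.sh      (prints the esxcli commands)
set -e

if [ "${1:-}" = "--apply" ]; then ESXCLI=esxcli; else ESXCLI=echo; fi

# vs_add VSWITCH UPLINK -- create a standard vSwitch and attach one physical NIC
vs_add() {
  $ESXCLI network vswitch standard add --vswitch-name="$1"
  $ESXCLI network vswitch standard uplink add --vswitch-name="$1" --uplink-name="$2"
}

# pg_add VSWITCH PORTGROUP VLAN -- create a port group and tag it (0 = untagged)
pg_add() {
  $ESXCLI network vswitch standard portgroup add --vswitch-name="$1" --portgroup-name="$2"
  $ESXCLI network vswitch standard portgroup set --portgroup-name="$2" --vlan-id="$3"
}

# pg_allow_bridge PORTGROUP -- override the vSwitch default (reject) so a bridge
# VM can send with foreign source MACs and see frames not addressed to it, and
# so a CARP VIP's shared virtual MAC is accepted.
pg_allow_bridge() {
  $ESXCLI network vswitch standard portgroup policy security set --portgroup-name="$1" \
    --allow-promiscuous=true --allow-forged-transmits=true --allow-mac-change=true
}

build_layout() {
  # Internet side: one vSwitch per dedicated line, each on its own NIC.
  # pfSense WAN and OPT1 carry CARP VIPs, so both port groups need the override.
  vs_add vSwitch-wan1 vmnic1
  pg_add vSwitch-wan1 pfsense-wan 0
  pg_allow_bridge pfsense-wan
  vs_add vSwitch-wan2 vmnic2
  pg_add vSwitch-wan2 pfsense-opt1 0
  pg_allow_bridge pfsense-opt1

  # Crossover NIC between the two ESXi boxes carries two VLANs:
  #   10 = pfSense LAN <-> Endian WAN (transit, CARP VIP + bridge WAN side)
  #   20 = pfsync / CARP state sync (pfSense OPT2); unicast only, no override
  vs_add vSwitch-xover vmnic3
  pg_add vSwitch-xover transit 10
  pg_allow_bridge transit
  pg_add vSwitch-xover pfsync 20

  # Inside: Endian LAN side of the bridge, uplinked to the LAN switch.
  vs_add vSwitch-lan vmnic4
  pg_add vSwitch-lan endian-lan 0
  pg_allow_bridge endian-lan
}

build_layout
```

    Run it once per ESXi host so the port-group names and VLAN IDs are identical on both boxes; that is what lets the matching connectors of the primary and secondary VMs land in the same VLAN across the crossover cable. The pfsync port group is deliberately left at the default policy: state sync is plain unicast between the two pfSense nodes and gains nothing from promiscuous mode.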



  • I may have most of the connections as VLANs in the ESX; the only ones that won't be will be the crossover to the CARP server and the LAN to the switches.
    Time to brush up a little bit on the ESX VLAN setup.

    Just waiting on hardware to show up to start. I will let you know how it goes and if any problems arise.

    Thanks again for your help you cleared up the clutter in my head.



  • Well, do you really need both pfSense and Endian? I'd try not to further complicate things that are already pretty complicated to start with.

    Every product has a learning curve and even if you have some Linux background (as most IT people do these days) pfSense is based on BSD and is very different under the hood (no iptables, no tc etc). This requires some reading.

    And while pfSense isn't a full-blown "UTM" in the sense other products are, you should check its packages. You might conclude they are "good enough" for you.



  • @nez:

    The Endian box will then be setup as Transparent and UTM.

    I agree with dhatz, what UTM features do you need?

    I think pfSense can do it all.

    Regards,
    Marcello Coutinho



  • With the UTM I need to be able to filter the web based on subnets, and the list needs to be updated often, as well as application control.
    General Motors monitors all our internet activity, so the filter list has to be updated every so often to please them.

    Now if I am missing something with DansGuardian or Squid that I can do this with, without messing up the QoS, or use something else that is better, I am all game.



  • I was looking around the Endian website and they seem to use a lot of the same things as pfSense, like Snort, OpenVPN, and so on. I could not find it on their website, but it stands to reason that they might be using Squid with squidGuard for content filtering. Maybe even DansGuardian, but I am not sure what they are using. If they are using any of those, and claim that it will not mess with QoS, then it should not in pfSense.
    Your "updated every so often" needs defining. Are you talking about auto-updating subnets or something?
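    Since the thread leaves open whether the filter would be squidGuard or DansGuardian, here is what a subnet-keyed squidGuard policy looks like, as an added example that is not Endian's or pfSense's configuration and not from the thread: one src block per dedicated line, a whitelist category evaluated before the deny categories, default deny for any source not listed, and the rebuild step that must run after every list update. The subnets (RFC 5737 documentation ranges), category names, paths and block page are assumptions; the domain and URL lists themselves come from whatever subscription feeds them.

```shell
#!/bin/sh
# Added example (not from the thread, not from Endian or pfSense): generate a
# squidGuard.conf that applies a different filter policy per source subnet,
# then compile the lists and reload Squid. Subnets, categories, paths and the
# block page are assumptions; the list files under $DBHOME/<category>/ must be
# supplied by your blocklist subscription.
#
#   sh sg-policy.sh            # print the generated config (dry run)
#   sh sg-policy.sh --apply    # write it, rebuild the .db files, reload squid
set -e

DBHOME="${DBHOME:-/var/squidGuard/db}"
LOGDIR="${LOGDIR:-/var/log/squidGuard}"
BLOCKPAGE="${BLOCKPAGE:-http://proxy.example.internal/blocked.html}"
CONF="${CONF:-/usr/local/etc/squidGuard/squidGuard.conf}"

# sg_config -- print the policy.
#   customers (192.0.2.0/24, constructed): block only known-bad sites
#   company   (198.51.100.0/24, constructed): whitelist first, then the deny
#             categories, then everything else; squidGuard walks the pass
#             list left to right and stops at the first match
#   default   : any source not listed above gets nothing
sg_config() {
  cat <<EOF
dbhome $DBHOME
logdir $LOGDIR

src customers {
    ip 192.0.2.0/24
}
src company {
    ip 198.51.100.0/24
}

dest malware {
    domainlist malware/domains
    urllist    malware/urls
}
dest adult {
    domainlist adult/domains
}
dest allowed {
    domainlist allowed/domains
}

acl {
    customers {
        pass !malware all
        redirect $BLOCKPAGE
    }
    company {
        pass allowed !malware !adult all
        redirect $BLOCKPAGE
    }
    default {
        pass none
        redirect $BLOCKPAGE
    }
}
EOF
}

# sg_rebuild CONF -- compile every text list into its Berkeley DB file and make
# Squid re-read its config. Until -C all has run, an updated text list is ignored
# because squidGuard serves from the existing .db files.
sg_rebuild() {
  squidGuard -c "$1" -C all
  squid -k reconfigure
}

if [ "${1:-}" = "--apply" ]; then
  sg_config > "$CONF"
  sg_rebuild "$CONF"
else
  sg_config
fi
```

    Run it with --apply from cron right after the subscription refreshes the lists; that is the "updated every so often" part. The QoS caveat is the proxy, not the filter: squidGuard is only a URL rewriter that Squid consults, but once Squid is in the path the outbound connections the shaper sees are the proxy's own, not the clients', so shaping rules keyed on the client subnet have to match on the inside interface before the proxy rather than on the WAN.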



  • @podilarius:

    I was looking around the Endian website and they seem to use a lot of the same things as pfSense, like Snort, OpenVPN, and so on. I could not find it on their website, but it stands to reason that they might be using Squid with squidGuard for content filtering. Maybe even DansGuardian, but I am not sure what they are using. If they are using any of those, and claim that it will not mess with QoS, then it should not in pfSense.
    Your "updated every so often" needs defining. Are you talking about auto-updating subnets or something?

    Most of the tools that are currently marketed as "UTM" have done significant work to tightly integrate & enhance the content filtering functionality and reporting. The result offers more than what can be achieved by simply slapping a SquidGuard or DansGuardian package on top of a firewall distro.



  • In Endian or pfSense?



  • @podilarius:

    In Endian or pfSense?

    Were you asking me? I was referring to the several Linux-based products which offer integrated "UTM" functionality, e.g. Smoothwall, Astaro, Untangle etc.

    There are at least a dozen different firewall products (nearly all of them specialized Linux distros) aiming to address the needs of SMBs (small and medium businesses), and they typically offer UTM functionality and AD integration. In addition, there are about a dozen more Linux-based firewall distros which are still decent/usable, but less actively developed.



  • dhatz, I was seeing if you were talking about pfSense putting in the time to UTM or if you were referring to Endian. Or if either is one of those that just slapped in Squid/Snort and the like.



  • The reason for going with a Smoothwall, Endian, or Untangle type of distro is the subscriptions for the web filtering, antivirus, spam control, etc. As well as, like mentioned, they have done a lot of work to make the underlying packages pfSense uses work in a much more solid, versatile form.

    I would love to run it all in one box, but I have yet to see it possible to provide the features we need to meet certain security standards while keeping the speed there. And I am guessing this is why I see a lot of people who have a pfSense and Untangle combo.

