Deployment suggestions: multiple instances
-
hello!
I'm running pfSense fine with this setup:
- multiple LAN interfaces (at least 13)
- dual wan (HDSL for services and wimax for web surfing)
- VPN server (IPsec for two branch offices with multiple phase 2s, and OpenVPN for dial-in users and remote admin)
- port forwarding to "some" servers (mail, FTP, web) on different LANs
My goal is to split my pfSense install into 3 different instances: one for the LAN router/firewall, one for the WAN and one for VPN.
But how to do it, especially for the WAN side and VPN stuff?
Cheers! Riccardo.
-
My goal is to split my pfSense install into 3 different instances: one for the LAN router/firewall, one for the WAN and one for VPN.
Why? Is there something unsatisfactory about your present configuration?
Why? Is there something particular you want to accomplish by the split?
-
The present configuration is OK, but I'd want to distribute network appliances across two ESXi instances.
-
The present configuration is OK, but I'd want to distribute network appliances across two ESXi instances.
For failover? Load sharing?
-
For both failover and load sharing.
I have two ESXi hosts reserved only for pfSense… so I will put the active instance of the LAN router on one host, and the active instance of the WAN firewall and VPN server on the other host. Passive instances will be put on the opposite host.
-
I'm trying the setup in a test environment.
Now I have 1 pfSense acting as LAN router (outbound NAT disabled and no outbound NAT rules): I put its WAN interface in a so-called "router lan".
The second pfSense has two interfaces: one for WAN and one for the "router lan". For reaching the LANs behind the first pfSense I added one entry in the routing table for each LAN subnet.
It works. NAT also.
Now I'm approaching the VPN machine…
-
Interesting setup you have.
I have to say that I don't think there will be any advantage to splitting WAN/firewall and LAN routing as you are. I would expect you to see a degradation in performance due to increased overhead without any real benefit in redundancy. Also, you have greatly increased complexity, which is never a good idea IMHO. ;)
Moving the VPN endpoint to a separate machine is a valid choice though. I await any results. :)
Steve
-
My LANs are various tenants, and most of the traffic is tenant to tenant. For LAN routing I can use my L3 core switch, but what I'm looking for is regulating traffic between LANs.
I also have multiple WANs in my setup, so my choice is to separate the WAN part from the LAN part.
Today I tested the VPN part, and with OpenVPN it is working as expected (the VPN machine is behind NAT). Once I have tested IPsec I'll start deploying stuff on the ESXi environment in production.
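The two-box design described in this thread (a LAN router with outbound NAT disabled, a "router lan" transit segment, and a WAN firewall carrying one static route per tenant subnet) can be sanity-checked with a small routing model. This is an added example, not code from any post or from pfSense; the addressing (10.N.0.0/24 tenant LANs, 10.255.0.0/30 transit, 203.0.113.1 as ISP next hop) is constructed for illustration.

```python
import ipaddress

# Constructed sample addressing (assumptions, not from the thread).
ROUTER_LAN = ipaddress.ip_network("10.255.0.0/30")            # the "router lan" transit
LAN_ROUTER_TRANSIT = ipaddress.ip_address("10.255.0.1")       # LAN router, transit side
WAN_FW_TRANSIT = ipaddress.ip_address("10.255.0.2")           # WAN firewall, transit side
WAN_GATEWAY = ipaddress.ip_address("203.0.113.1")             # ISP next hop
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
TENANT_LANS = [ipaddress.ip_network(f"10.{i}.0.0/24") for i in range(1, 14)]  # 13 tenant LANs


def lan_router_table():
    """LAN router: tenant LANs and the transit are connected; everything else goes to the WAN firewall."""
    table = {net: "connected" for net in TENANT_LANS}
    table[ROUTER_LAN] = "connected"
    table[DEFAULT] = WAN_FW_TRANSIT
    return table


def wan_fw_table(with_static_routes=True):
    """WAN firewall: default to the ISP, plus one static route per tenant LAN back via the LAN router.

    Without those static routes, return traffic for a tenant matches only 0.0.0.0/0
    and is sent to the ISP instead of the LAN router.
    """
    table = {ROUTER_LAN: "connected", DEFAULT: WAN_GATEWAY}
    if with_static_routes:
        for net in TENANT_LANS:
            table[net] = LAN_ROUTER_TRANSIT
    return table


def next_hop(table, dst):
    """Longest-prefix match over a routing table, as a router would do."""
    dst = ipaddress.ip_address(dst)
    matches = [net for net in table if dst in net]
    return table[max(matches, key=lambda n: n.prefixlen)]


def reply_path_ok(with_static_routes):
    """Does a reply from the Internet to a tenant host (10.7.0.10) get handed to the LAN router?"""
    return next_hop(wan_fw_table(with_static_routes), "10.7.0.10") == LAN_ROUTER_TRANSIT


def source_seen_by_wan_fw(src, outbound_nat_on_lan_router):
    """With outbound NAT left on at the LAN router, the WAN firewall would only ever see the transit
    address and could not apply per-tenant rules; with it disabled, it sees the real tenant source."""
    return LAN_ROUTER_TRANSIT if outbound_nat_on_lan_router else ipaddress.ip_address(src)
```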