Separation of Packages into Virtual Servers

wheelz

Originally I was going to do physical installs so everything would be on one box (well, two for redundancy) but with all the testing and such I was doing it seemed like using virtual hosts with snapshot capability is a necessity.  Also after looking at all the packages I want to use, there may be some conflicts.

I have two servers running as virtual hosts I want to use for my edge applications.  I have 2 dual core 2.0 Ghz (I may upgrade them to 2 quads if needed) CPUs and currently 10 GB of ram (though I may be able to bump them to 32GB later if needed) in each.  I also have separate NICs for Host Traffic, Internal Traffic, and External Traffic.

I'm looking to use the following services in pfsense (and its available packages) in an HA (CARP, pfsync, etc.) fashion:

Edge Firewall
DNS Forwarder
Site to Site (and possibly Client) VPN Server
Captive Portal for Guest Wireless
Squid/Dansguardian/ClamAV Internet Proxy/Filter with NTLM SSO
Postfix Forwarder/Mailscanner/Spamassin/ClamAV Email Filter

I've done most of my testing/research with the proxy part of it but I've started looking at the rest of the services now and I think I'm noticing some potential conflicts with perl, etc.  Since I am now using virtual hosts, I'm thinking it would be best to split at least some of these up into separate VM instances.  Ideally so they don't affect one another and potentially break everything during updates I would think it would be best to separate them by function:

Gateway VMs:

Edge Firewall
DNS Forwarder
Site to Site (and possibly Client) VPN Server
Captive Portal for Guest Wireless

Internet Proxy/Filter VMs:
Squid/Dansguardian/ClamAV Internet Proxy/Filter with NTLM SSO

Antispam VMs:

Postfix Forwarder/Mailscanner/Spamassin/ClamAV Email Filter

This is more of an architecture type question.  I'm hoping with the hardware I have and following marcelloc's advice in http://forum.pfsense.org/index.php/topic,43737.msg226507.html#msg226507 by creating RAM drives for temporary files like proxy cache, performance won't be an issue.

Does this make sense? 
Will pfsense work well in a non-gateway mode (1 NIC)? 
I still want the guests using the captive portal to go through the internet proxy/filter so there is at least basic virus and illegal content protection.  Would this still work securely if my proxy is in the internal network (assuming I poke a firewall rule - should I?)? 
Or should I keep the internet proxy and gateway services on the same VM? 
Or do one proxy for IP auth (for guests and phones/tablets that can't authenticate) on the gateway and a separate one for internal windows clients?  I have yet to get both NTLM auth SSO and IP auth working the way I want it. 
How would you separate them out (if you would separate them out)? 
Am I trying to push a square peg into a round hole?  In other words am I trying to get pfsense to be something it is not and there are better/easier distros for certain functions that I am missing (and that can be redundant/meet my requirements)? 
What is the meaning of life?

Ok… you can skip that last one.  ;)

marcelloc

@wheelz:

Will pfsense work well in a non-gateway mode (1 NIC)?

I have some servers with one nic just to use package gui and backup and works fine!

The other questions I`ll take a look later  :)

wheelz

Just to clarify, I wasn't really looking for anyone to test this for me.  I was just looking for some advice/recommendations on where I put different services based on prior experience.