    Separation of Packages into Virtual Servers

    pfSense Packages
    wheelz:

      Originally I was going to do physical installs so everything would be on one box (well, two for redundancy), but with all the testing and such I was doing, it seemed like using virtual hosts with snapshot capability was a necessity.  Also, after looking at all the packages I want to use, there may be some conflicts.

      I have two servers running as virtual hosts that I want to use for my edge applications.  Each has 2 dual-core 2.0 GHz CPUs (I may upgrade them to 2 quads if needed) and currently 10 GB of RAM (though I may be able to bump them to 32 GB later if needed).  I also have separate NICs for Host Traffic, Internal Traffic, and External Traffic.

      I'm looking to use the following services in pfSense (and its available packages) in an HA (CARP, pfsync, etc.) fashion:

      Edge Firewall
      DNS Forwarder
      Site to Site (and possibly Client) VPN Server
      Captive Portal for Guest Wireless
      Squid/DansGuardian/ClamAV Internet Proxy/Filter with NTLM SSO
      Postfix Forwarder/MailScanner/SpamAssassin/ClamAV Email Filter

      I've done most of my testing/research with the proxy part of it, but I've started looking at the rest of the services now and I think I'm noticing some potential conflicts with perl, etc.  Since I am now using virtual hosts, I'm thinking it would be best to split at least some of these up into separate VM instances.  Ideally, so they don't affect one another and potentially break everything during updates, I would think it would be best to separate them by function:

      Gateway VMs:

      Edge Firewall
      DNS Forwarder
      Site to Site (and possibly Client) VPN Server
      Captive Portal for Guest Wireless

      Internet Proxy/Filter VMs:
      Squid/DansGuardian/ClamAV Internet Proxy/Filter with NTLM SSO

      Antispam VMs:

      Postfix Forwarder/MailScanner/SpamAssassin/ClamAV Email Filter

      This is more of an architecture-type question.  I'm hoping that, with the hardware I have and following marcelloc's advice in http://forum.pfsense.org/index.php/topic,43737.msg226507.html#msg226507 of creating RAM drives for temporary files like the proxy cache, performance won't be an issue.

      Does this make sense? 
      Will pfSense work well in a non-gateway mode (1 NIC)? 
      I still want the guests using the captive portal to go through the internet proxy/filter so there is at least basic virus and illegal content protection.  Would this still work securely if my proxy is in the internal network (assuming I poke a firewall rule - should I?)? 
      Or should I keep the internet proxy and gateway services on the same VM? 
      Or do one proxy for IP auth (for guests and phones/tablets that can't authenticate) on the gateway and a separate one for internal windows clients?  I have yet to get both NTLM auth SSO and IP auth working the way I want it. 
      How would you separate them out (if you would separate them out)? 
      Am I trying to push a square peg into a round hole?  In other words, am I trying to get pfSense to be something it is not, and are there better/easier distros for certain functions that I am missing (and that can be redundant/meet my requirements)? 
      What is the meaning of life?

      Ok… you can skip that last one.  ;)

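      The guest-to-proxy question above, as an added example that is not part of the thread or of any poster's configuration: a ruleset in pf.conf syntax (the packet filter pfSense drives under its GUI) for the case where the captive-portal guest segment lives on the gateway VM and the Squid/DansGuardian proxy sits on a separate VM in the internal network. The interface name, network addresses and proxy port are assumptions. The rule the question calls "poking a hole" is the single pass to the proxy's listening port; the two block rules are what keep it from becoming a general path into the LAN, and they also stop guests from bypassing the filter by going straight to port 80/443.

```pf
# Constructed example: every name and address below is an assumption.
guest_if   = "vlan30"            # captive-portal guest segment on the gateway VM
guest_net  = "192.168.30.0/24"
lan_net    = "192.168.1.0/24"    # internal network that hosts the proxy VM
proxy      = "192.168.1.10"      # Squid/DansGuardian VM
proxy_port = "3128"

# All rules use "quick", so the first match wins and order is the policy.

# 1. The one hole: guests may reach the proxy, and only on its listening port.
pass in quick on $guest_if proto tcp from $guest_net to $proxy port $proxy_port flags S/SA keep state

# 2. DNS for guests goes to the forwarder on this firewall, nowhere else internal.
pass in quick on $guest_if proto udp from $guest_net to ($guest_if) port 53 keep state

# 3. Nothing else from guests into the internal network (the proxy host included,
#    so SSH/SNMP/etc. on the proxy VM are not exposed to guests).
block in quick on $guest_if from $guest_net to $lan_net

# 4. No direct web egress: guests cannot skip the proxy and its AV/content filter.
block in quick on $guest_if proto tcp from $guest_net to any port { 80 443 }

# 5. Whatever remains (e.g. VPN clients, NTP) may leave toward the Internet.
pass in quick on $guest_if from $guest_net to any keep state
```

      In the pfSense GUI these are the same five rules, in the same order, on the guest interface's tab; rule 4 only has teeth if guest clients are actually pointed at the proxy (WPAD or a DHCP proxy option), since a proxy on another VM is not transparent to them. The proxy VM still needs its own outbound rule on the LAN interface, and its egress should be restricted the same way, since it is now the one box that talks to the Internet on behalf of untrusted guests.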
        marcelloc:

        @wheelz:

        Will pfSense work well in a non-gateway mode (1 NIC)?

        I have some servers with one NIC just to use the package GUI and backups, and it works fine!

        I'll take a look at the other questions later  :)

          wheelz:

          Just to clarify, I wasn't really looking for anyone to test this for me.  I was just looking for some advice/recommendations on where to put the different services, based on prior experience.
