Multi-tenancy with high availability



  • We're considering pfSense for a multi-tenancy environment where each customer has a dedicated pfSense firewall. Any gotcha's to look out for?

    Also, each customer will need high availability. Is it possible to failover between pfSense firewalls running on different physical servers?



  • You might want to check out the 2.1 Release candidates http://snapshots.pfsense.org/, there is a new menu option <system, high="" avail.="" sync="">which has a number of options that might meet your requirements.</system,>



  • How exactly do you see this working?  Do you want two physical servers for each client or would a bunch of VMs suffice?  Is the entire thing going to be based on vLANs or are you going with physical separation of the networks?

    If VMs are OK, assuming the traffic isn't expected to be super high, I'd probably skip the built-in HA (CARP) in pfSense (it eats 3 IPs per interface vs 1 from a single box) and use Fault Tolerance across two boxes with vSphere.  That way there's a single image for the users to manage and they wouldn't even notice that they've failed over to backup hardware.



  • Fault Tolerance in vSphere is limits your to use one virtual processor only.

    @Jason:

    …... and use Fault Tolerance across two boxes with vSphere.  ....



  • @labasus:

    Fault Tolerance in vSphere is limits your to use one virtual processor only.

    @Jason:

    …... and use Fault Tolerance across two boxes with vSphere.  ....

    Yes, that's true, but depending on the bandwidth & package requirements, that might be more than enough.