Firewall for production network



  • Hello guys,

    Hope you have a great Christmas!

    In mid-February I'm planning to colocate another server, and right now I'm thinking about a firewall solution. It will be a VMware host on a Dell R620 (2 x Intel E5-2600 v2 CPUs, 128GB RAM, 2 NICs: a 1Gbps port and a management port). I was thinking about a hardware solution, but the licences for a hardware firewall are too expensive (over 1000 pounds for IDS).

    I did some research and I think that the software firewall pfSense will be the best option.

    1. Is anyone using pfSense for production servers? Have you had any problems?
    2. The traffic on the existing server is between 20Mbit/s and 150Mbit/s up. Do you think that an IDS like Snort or Suricata will work without any problems on pfSense with this traffic?
    3. Some software doesn't support private IP addresses; the server's network settings have to be configured with a public IP address. Is it possible to pass traffic from a server in the DMZ through pfSense on public IP addresses? (80.80.80.80 -> pfSense -> 80.80.80.80)

    Thanks,
    Snort



  • 0. Security-wise, I think a dedicated appliance would be appreciated, not a virtual appliance.

    1. Yes, many, many, many people and companies do (and yes, many, many, many problems occur: that is what this forum is for; it's almost just like in real life: problems ;D ).
    2. I think there's a 99.9999999999999999999999999999999999999% chance it won't be any problem. But I will humbly leave this to the Great Steve or others to reply: they know all the nasty details I don't.
    3. I'm a noob, I'll leave this question for the Masters who actually know what they are doing  ;D



  • Whenever someone around me asks questions about implementing pfSense in any commercial environment, I usually pull up this document and show them.

    https://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

    pfSense can easily be configured to port forward on a port-by-port basis, do 1:1 NAT, or even act only as a firewall for devices/computers behind it that have their own public IP addresses.

    :)
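The three options named in the reply above, written out as an added example in plain pf syntax (this is not code from the thread or from the pfSense project; pfSense generates its own ruleset from the GUI and writes it to /tmp/rules.debug, and the GUI menu paths in the comments are where each option is configured). Interface names em0/em1, the private DMZ range 10.0.10.0/24 and the routed block 80.80.80.80/29 are assumptions for illustration; only 80.80.80.80 comes from the question. Option C is the one that answers question 3: the server keeps its public address end to end and pfSense only filters.

```pf
# Assumed names/addresses (not from the thread): WAN = em0, DMZ = em1,
# private DMZ 10.0.10.0/24 for options A/B, routed public block 80.80.80.80/29
# for option C (pfSense DMZ address 80.80.80.81/29, server 80.80.80.80).
# pf requires all translation rules before all filter rules, so the three
# options are grouped by section. Pick ONE option for a given server.
wan = "em0"
dmz = "em1"
table <dmz_public> { 80.80.80.80/29 }
table <dmz_hosts>  { 10.0.10.0/24, 80.80.80.80/29 }   # whatever really sits in the DMZ

### Translation section ###
# A: port forward (Firewall > NAT > Port Forward). Only TCP 80/443 is exposed,
#    the server lives on a private address and the target port is unchanged.
rdr on $wan proto tcp from any to 80.80.80.80 port { 80 443 } -> 10.0.10.80

# B: 1:1 NAT (Firewall > NAT > 1:1). The whole public address is mapped to the
#    private host in both directions; inbound exposure is still up to the filter.
binat on $wan from 10.0.10.80 to any -> 80.80.80.80

# C: routed public block, no translation at all. The colo provider must route
#    80.80.80.80/29 to the pfSense WAN address, and Outbound NAT
#    (Firewall > NAT > Outbound, hybrid/manual mode) must leave the block alone.
no nat on $wan from <dmz_public> to any

### Filter section ###
block log all                                   # default deny; states are floating

# Anti-spoofing on the DMZ side: only addresses that belong there may send.
block in quick on $dmz from ! <dmz_hosts> to any

# A/B: pf filters on $wan AFTER rdr/binat, so the pass rule names the
#      private address, not the public one.
pass in on $wan proto tcp from any to 10.0.10.80 port { 80 443 } flags S/SA keep state

# C: the packet is never rewritten, so filter on the public address itself.
pass in on $wan proto tcp from any to 80.80.80.80 port { 80 443 } flags S/SA keep state

# Let DMZ hosts open their own outbound connections (updates, DNS, NTP).
pass in on $dmz from <dmz_hosts> to any keep state
```

A syntax check without loading is `pfctl -nf rules.conf`; on a running pfSense box `pfctl -sn` and `pfctl -sr` show the translation and filter rules the GUI actually produced, which is the quickest way to confirm that a 1:1 mapping or a no-NAT exception ended up where you expected. With option C the private-address limitation in the server software simply disappears, at the cost of needing a routed block from the provider rather than a single address.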

