1. Home
  2. pfSense® Software
  3. General pfSense Questions
  4. Firewall-Cluster / Active-Active / Link Aggregation… Questions

Firewall-Cluster / Active-Active / Link Aggregation… Questions

  • K

    Hello,

    we plan to replace our current Firewall / VPN by PFSense with OpenVPN. We want to install 2 servers as a cluster. But I've many questions.

    Is it possible to run the two firewall nodes in active-active mode or only in active-passive (failover)?
    If active-active is possible: Is it possible to Load-Balance connection over both firewalls (not multi-wan-loadbalancing)?

    FreeBSD supports Link Aggregation. In WebGUI I can't setup LAGs. On Shell I can do this. Is it possible to use LAGs? Is LAG-support
    in WebUI planned?

    We've many (20) VLans e.g. Mgmt, DMZ, Server, Backup, User-Lan1-x. Is it possible to Setup an separate Management-IP, so that I can only configure
    from Mgmt-VLan? Do I need Vlans or can I also use one LAN (Firewall-Transfer-Network) and setup all rules on this interface?

    Greetings
    Thomas

    0
  • GruensFroeschli

    Active-active is not availlable as far as i know.

    If you cannot do something in the GUI then it's not supported.
    Since you can do it from the shell it's "possible" to do it.
    But you're on your own.

    If you want to restrict access to the webgui:
    Just create your rules so they are that only certain IP's / Interfaces have access to the webgui.

    something along the lines of:
    allow
    source: LAN-subnet
    destination: "! LAN-interface" (NOT the LAN-interface)

    At the bottom of all rules is an invisible block everything.
    So with this rule you would still allow access to everywhere (internet) except the LAN-interface addess.

    Use the Alias system if you have more complex destinations.

    You also might want to disable the "anti-lockout option" under advanced since without that pfSense would still allow access to the webgui even you dont have a rule that explicitely allows it.
    Just be aware that if you disable this option and you dont have a rule that allows access to the webgui you're locked out :)

    If you have multiple VLAN's you can configure them under interfaces –> assign --> VLANs.
    Each VLAN appears as seperate "Interface" in pfSense.

    I dont understand what you mean with your last question.
    Maybe a diagramm would help.

    0
  • K

    Details to my last question:

    Firewall LAN-Interface: 10.10.254.254
    Layer-3-Switch forwards all traffic to extern to firwall-lan-interface (10.10.254.254)

    Sample:
    VLAN 1  10.0.0.0 ==> 10.10.254.254
    VLAN 2  10.0.1.0 ==> 10.10.254.254
    VLAN 2  10.0.2.0 ==> 10.10.254.254

    Do I need Setup separate Vlans or can I use Aliases instead?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy