4. Firewall-Cluster / Active-Active / Link Aggregation… Questions

Firewall-Cluster / Active-Active / Link Aggregation… Questions

  • K

    Hello,

    we plan to replace our current Firewall / VPN by PFSense with OpenVPN. We want to install 2 servers as a cluster. But I've many questions.

    Is it possible to run the two firewall nodes in active-active mode or only in active-passive (failover)?
    If active-active is possible: Is it possible to Load-Balance connection over both firewalls (not multi-wan-loadbalancing)?

    FreeBSD supports Link Aggregation. In WebGUI I can't setup LAGs. On Shell I can do this. Is it possible to use LAGs? Is LAG-support
    in WebUI planned?

    We've many (20) VLans e.g. Mgmt, DMZ, Server, Backup, User-Lan1-x. Is it possible to Setup an separate Management-IP, so that I can only configure
    from Mgmt-VLan? Do I need Vlans or can I also use one LAN (Firewall-Transfer-Network) and setup all rules on this interface?

    Greetings
    Thomas

    0

  • Active-active is not availlable as far as i know.

    If you cannot do something in the GUI then it's not supported.
    Since you can do it from the shell it's "possible" to do it.
    But you're on your own.

    If you want to restrict access to the webgui:
    Just create your rules so they are that only certain IP's / Interfaces have access to the webgui.

    something along the lines of:
    allow
    source: LAN-subnet
    destination: "! LAN-interface" (NOT the LAN-interface)

    At the bottom of all rules is an invisible block everything.
    So with this rule you would still allow access to everywhere (internet) except the LAN-interface addess.

    Use the Alias system if you have more complex destinations.

    You also might want to disable the "anti-lockout option" under advanced since without that pfSense would still allow access to the webgui even you dont have a rule that explicitely allows it.
    Just be aware that if you disable this option and you dont have a rule that allows access to the webgui you're locked out :)

    If you have multiple VLAN's you can configure them under interfaces –> assign --> VLANs.
    Each VLAN appears as seperate "Interface" in pfSense.

    I dont understand what you mean with your last question.
    Maybe a diagramm would help.

    0
  • K

    Details to my last question:

    Firewall LAN-Interface: 10.10.254.254
    Layer-3-Switch forwards all traffic to extern to firwall-lan-interface (10.10.254.254)

    Sample:
    VLAN 1  10.0.0.0 ==> 10.10.254.254
    VLAN 2  10.0.1.0 ==> 10.10.254.254
    VLAN 2  10.0.2.0 ==> 10.10.254.254

    Do I need Setup separate Vlans or can I use Aliases instead?

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy