1Gbps HA firewall recommendation



  • Hi,

    I am looking for some advice on choosing a hardware firewall device for a web hosting business start-up. So, I guess the throughput traffic could vary at all times (from serving a simple static HTML file to streaming some audio or video for potentially hundreds if not thousands of domains/user accounts).

    To begin with there will be about 5-8 servers placed behind the chosen firewall device. The requirements are very straightforward:

    1. High Availability is a must.
    2. The device must support 1Gbps uplink (provided by the data center. Two uplinks for redundancy, so the idea is to connect 1 uplink to each device in HA setup and if one device fails there is no loss of connectivity to the upstream provider).
    3. Each server behind the firewall will be assigned multiple static IPv4 public addresses. The purpose of having this hardware firewall is to protect the traffic destined to those IPv4 public addresses assigned to the servers. There will be ZERO private IPs assigned to any of the servers in this setup scenario. Hence, there will be NO public-to-private IP NATing done.
    4. No requirement for VPN
    5. All network devices and servers will have 1Gbps ports.

    The purpose is to protect those web servers behind the firewall and only allow authorized port numbers for specified IPs. DDoS protection to some extent would definitely be a nice-to-have feature.

    My setup will look something like the following:

    Internet --> Redundant Core Switches <--> Redundant Firewall <---> Redundant Switches <---> eth0 (Server) multiple public IPv4

    I looked at some of MikroTik's high-end solutions but at the same time I keep eyeing the pfSense products. Since HA is a must, I guess I have two options listed on the pfSense Store: https://store.pfsense.org/Hardware/HA.aspx  I have a feeling the SG-8860-2000-B might be overkill for my purpose (what do you think?), and the only other option I am left with is the SG-4860-2000-B.

    The other reason I like the SG-4860-2000-B is because it looks like they are two separate physical devices stacked together, which means two separate power supplies, which is another layer of redundancy. But I don't think that's the case with the SG-8860-2000-B device.

    What are your thoughts or recommendations based on my above requirements? Any advice is greatly appreciated.

    Thank you.



  • If I understand your question correctly, you'll have servers with publicly routable IP addresses assigned to their ethernet interfaces.  In this case, for pfsense to perform the functions you want, the subnet assigned to the servers will need to be different than the subnet assigned to the WAN interfaces on pfsense.  In this case, pfsense will perform as a router and firewall without NAT.

    Hardware wise,  it looks like the main difference in the two HA solutions is core count.  If you have no high end requirements (IDS, VPN) then the quad core systems will work well.



  • @whosmatt:

    If I understand your question correctly, you'll have servers with publicly routable IP addresses assigned to their ethernet interfaces.  In this case, for pfsense to perform the functions you want, the subnet assigned to the servers will need to be different than the subnet assigned to the WAN interfaces on pfsense.  In this case, pfsense will perform as a router and firewall without NAT.

    Hardware wise,  it looks like the main difference in the two HA solutions is core count.  If you have no high end requirements (IDS, VPN) then the quad core systems will work well.

    You're correct. All servers will have routable public IP addresses assigned to them and those servers/IPs need to be protected by pfSense. It is good to know that the subnets have to be different in order to get the setup I described above - I believe that setup is also called a transparent firewall?

    IDS would be nice to have but definitely no VPN required.



  • @purathal:

    You're correct. All servers will have routable public IP addresses assigned to them and those servers/IPs need to be protected by pfSense. It is good to know that the subnets have to be different in order to get the setup I described above - I believe that setup is also called a transparent firewall?

    IDS would be nice to have but definitely no VPN required.

    It's not a "transparent" firewall, as in Cisco lingo.  Technically that's a bridge that filters traffic, and I'm not sure that it's supported in pfSense, though it can be done.  The setup I'm describing is a router/firewall in the traditional sense.  Sounds like what you really want is a switch that can filter traffic.

    One more edit, since I'm having fun thinking about this.  A traditional setup would have the two pfsense routers as the only devices connected to the WAN (internet).  You will give each an IP address from your public pool.  The rest of those IP addresses in that pool (or only some if you have other devices that need to connect directly to the internet) will be assigned as CARP addresses.  You give your servers behind the firewall private IP addresses, and assign one of the CARP addresses as 1:1 NAT to each server.  You will also, on the LAN side, need to assign each pfsense box a private address, and then provide one additional CARP address as the gateway for the servers behind the firewall.  That will give you a HA setup with your pfsense boxes filtering every packet.



  • @whosmatt:

    Technically that's a bridge that filters traffic, and I'm not sure that it's supported in pfSense, though it can be done.

    Search for "Filtering Bridge" in this forum.
    Tunable settings can be found at  System: Advanced: System Tunables  net.link.bridge.pfil_bridge  etc.

    Consider Commercial Support to help you with your setup or at least the Gold Subscription with access to the book  pfSense: The Definitive Guide
    The latter is included with a hardware purchase in the shop IIRC.



  • @whosmatt:

    One more edit, since I'm having fun thinking about this.  A traditional setup would have the two pfsense routers as the only devices connected to the WAN (internet).  You will give each an IP address from your public pool.  The rest of those IP addresses in that pool (or only some if you have other devices that need to connect directly to the internet) will be assigned as CARP addresses.  You give your servers behind the firewall private IP addresses, and assign one of the CARP addresses as 1:1 NAT to each server.  You will also, on the LAN side, need to assign each pfsense box a private address, and then provide one additional CARP address as the gateway for the servers behind the firewall.  That will give you a HA setup with your pfsense boxes filtering every packet.

    I totally understand what you mean with the traditional 1:1 NAT setup with public IP -> private IP NATing. But, for this setup's purpose, all servers behind the firewall have to have public IPs assigned to them.



  • @whosmatt:

    In this case, for pfsense to perform the functions you want, the subnet assigned to the servers will need to be different than the subnet assigned to the WAN interfaces on pfsense.  In this case, pfsense will perform as a router and firewall without NAT.

    By default the uplink connection provided by data center comes with /29. I then plan to buy several /27 or /26 as my need grows.

    So if I assign an IP from the /29 to the WAN interface on pfsense and servers will all have either /27 or /26 IPs assigned to them…Would that be OK with the setup you described above to get pfsense to perform as a router/firewall without NAT?


  • LAYER 8 Netgate

    Yes. A /29 gives you three IP addresses for your side and three for the ISP. You will assign one to FW1, another to FW2, and the third will be a CARP address. Your provider will then route the other networks to the CARP address.

    You can use the routed subnets any way you like. It sounds like this will be on a LAN interface.  Note that three IP addresses will be used by the HA config on that side too. Then you disable NAT.

    With no firewall rules you will not be able to reach any of the routed addresses. That will be controlled by firewall rules on the WAN. Want port 80 available on IP address 80.80.80.80? Then make that rule.

    I would probably get a pair of C2758s or 4860-1Us for this.
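    The address plan and WAN rule logic described in the reply above, as an added worked example that is not part of the thread and not pfSense code. It assumes the provider keeps the first three usable addresses of the /29 (gateway first) and the customer takes the last three, that FW1/FW2/CARP each consume one address on every interface, and that the servers get the remainder of the routed prefix. The prefixes 203.0.113.0/29 and 80.80.80.64/27 are constructed for the example, and the emitted rules use plain pf syntax only to show the default-deny-plus-explicit-allow logic, not the pfSense GUI configuration itself.

```python
"""Address plan and WAN rule generation for a routed, NAT-less pfSense HA
pair. Added illustration; the prefixes and the provider-side allocation are
assumptions, and the rule strings are plain pf syntax, not pfSense config."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net4 = ipaddress.IPv4Network


@dataclass(frozen=True)
class HaAddresses:
    """The three addresses an HA pair consumes on one interface."""
    fw1: IPv4
    fw2: IPv4
    carp: IPv4          # shared virtual IP that survives a node failure


def plan_wan(wan_prefix: str) -> tuple[IPv4, HaAddresses]:
    """Split the provider /29. Assumption: the provider keeps the first three
    usable addresses (gateway first) and the customer takes the last three."""
    net = ipaddress.ip_network(wan_prefix, strict=True)
    if not isinstance(net, Net4) or net.prefixlen != 29:
        raise ValueError(f"expected an IPv4 /29, got {wan_prefix}")
    hosts = list(net.hosts())                 # exactly six usable addresses
    provider_gw, ours = hosts[0], hosts[3:]
    return provider_gw, HaAddresses(*ours)


def plan_lan(routed_prefix: str) -> tuple[HaAddresses, list[IPv4]]:
    """Reserve FW1/FW2/CARP on the routed subnet; the CARP address becomes the
    servers' default gateway. Everything left over is assignable to servers."""
    net = ipaddress.ip_network(routed_prefix, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 4:
        raise ValueError(f"{routed_prefix} leaves no addresses for servers")
    return HaAddresses(*hosts[:3]), hosts[3:]


def check_plan(wan_prefix: str, routed_prefixes: list[str]) -> bool:
    """The routed subnets must not overlap the WAN /29 or each other; the box
    can only route between distinct subnets without NAT."""
    nets = [ipaddress.ip_network(p, strict=True)
            for p in [wan_prefix, *routed_prefixes]]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def wan_rules(wan_if: str, routed_prefixes: list[str],
              allows: list[tuple[str, str, list[int]]]) -> list[str]:
    """Default-deny on WAN plus one explicit pass per (dst_ip, proto, ports).
    Each destination must lie inside a routed subnet, so a typo that lands
    outside them is rejected instead of producing a silently dead rule."""
    routed = [ipaddress.ip_network(p, strict=True) for p in routed_prefixes]
    rules = [f"block in log on {wan_if} all",
             # CARP advertisements between FW1 and FW2 on this segment
             # (pfSense generates the equivalent rule itself).
             f"pass in on {wan_if} proto carp"]
    for dst, proto, ports in allows:
        ip = ipaddress.ip_address(dst)
        if not any(ip in n for n in routed):
            raise ValueError(f"{dst} is not inside a routed subnet")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported proto {proto}")
        port_set = "{ " + ", ".join(str(p) for p in sorted(set(ports))) + " }"
        rules.append(f"pass in quick on {wan_if} inet proto {proto} "
                     f"from any to {ip} port {port_set}")
    return rules


if __name__ == "__main__":
    WAN, ROUTED = "203.0.113.0/29", ["80.80.80.64/27"]     # constructed
    check_plan(WAN, ROUTED)
    gw, wan = plan_wan(WAN)
    lan, servers = plan_lan(ROUTED[0])
    print(f"provider gw {gw}; WAN FW1 {wan.fw1} FW2 {wan.fw2} CARP {wan.carp}")
    print(f"LAN FW1 {lan.fw1} FW2 {lan.fw2} gateway (CARP) {lan.carp}; "
          f"{len(servers)} addresses left for servers")
    for rule in wan_rules("igb0", ROUTED, [("80.80.80.80", "tcp", [80, 443])]):
        print(rule)
```

    Note that a /27 routed to the CARP address yields 30 usable addresses but only 27 for servers, since three go to the HA pair on that interface, which is the "three IP addresses will be used by the HA config on that side too" point above.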



  • @purathal:

    @whosmatt:

    In this case, for pfsense to perform the functions you want, the subnet assigned to the servers will need to be different than the subnet assigned to the WAN interfaces on pfsense.  In this case, pfsense will perform as a router and firewall without NAT.

    By default the uplink connection provided by data center comes with /29. I then plan to buy several /27 or /26 as my need grows.

    So if I assign an IP from the /29 to the WAN interface on pfsense and servers will all have either /27 or /26 IPs assigned to them…Would that be OK with the setup you described above to get pfsense to perform as a router/firewall without NAT?

    That will work perfectly.  Do yourself a favor and set up VLANs from the start, even if you have more physical interfaces than networks. That way, as your needs grow and you find yourself adding more networks, you'll be able to do all the config remotely. Assuming your redundant switches are stacked and manageable as a single unit, I'd set up all the interfaces on each pfSense box into a lagg, physically connect half of them to each switch (also setting the ports as a port-channel or whatever your switches call it).  That way you'll have your redundancy physically with the network, and CARP will add the extra layer of redundancy between the two pfSense boxes.  And all you'll need to do to add new subnets as you acquire them is add a VLAN to pfSense and to your switches. No more patching required.  Good luck and keep us updated with your progress!

    Matt


  • LAYER 8 Netgate

    That redundancy would also require LACP on the uplink. But even without that a 50% chance of surviving a switch failure is better than 0%.



  • @Derelict:

    That redundancy would also require LACP on the uplink. But even without that a 50% chance of surviving a switch failure is better than 0%.

    Fair enough.  My ISP sends us two ethernet links, and from what I can see on pcaps, they are using VRRP to provide redundancy.  The switchports they're connected to (one on each switch in the stack) are just simple "access" ports on my internet VLAN.  No link aggregation required for that side of things.  Not sure how other datacenters handle this, though.  I'm on a 100Mbps WAN so link aggregation would be useless for bandwidth considerations.

    Sorry to get off-topic.

    EDIT:  I'm talking mostly about the switches behind the firewalls.  If the switches in front are managed by the OP, then this scenario changes.


  • LAYER 8 Netgate

    I wasn't saying it's a bad idea. But there has to be something either aggregating or preventing loops, like RSTP. But if they're their switches, you don't really care. It gets pretty complicated pretty quickly and boy does it start to chew up switch ports.



  • Thanks for all your input. I am starting to understand the required configuration now. But, it appears there might have been some confusion with what I originally requested. So I decided to put them on a diagram.

    Attached is a simple diagram (I hate to call it a network diagram) that shows the exact setup I have in mind.  I will try to walk you through with what I am describing in that diagram.

    Before we get started:
    I plan to use https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx as the HA PFSense firewall.

    OR

    I might use https://store.pfsense.org/XG-1540/

    1. My Data Center (DC as noted in the diagram) said they will provide one uplink connection with a /29. I am hoping to get a second uplink (cross connect?) from them with another /29.  My DC said I can buy more IP addresses as necessary (more on this below). My idea is to connect these two uplink connections provided by the DC to the two managed switches (I like to call them the core switches).  The "core switches" will be interconnected to provide redundancy between them.

    2. There will be some servers connected directly to the "core switches" with direct Internet access (software firewall). These servers will have public IPv4 assigned to them. I will buy additional /27 or /26 addresses and assign them to these servers as necessary.

    3. One connection from each core switch will go into the WAN link of the above pfSense HA device.

    4. There will be another two managed switches that will be connected to the pfSense LAN link(?) and these switches will split the connections to each server with dual NICs on them. So, the idea is if one of the switches dies the server doesn't lose any network connectivity. Again, these servers will also have public IPv4 assigned to them. I will buy additional /27 or /26 addresses as necessary and assign them to these servers. These additional IP addresses are the ones that need to be protected by pfSense.

    Having said that I am open to any other ideas or suggestions you might have for the network hardware redundancy that I am trying to achieve in order to keep the network downtime minimal.

    Thank you again.


