HIGH AVAILABILITY SG-4860 as core routers
-
Hi community. This is my first post.
We are working for long time with pfsense routers in our infrastructure.
We are very happy with this, on virtual (esx cluster) and physical servers.As enterprise network is growing and getting converged, we're thinking to buy 2 HIGH AVAILABILITY SG-4860.
One for LAN firewall to connect 8 logical networks.
Basic firewall, no NATOther dedicated to our wan connections. Actually 7 ADSL and 3 SDSL.
- Approx 20 VPN IPSEC to our remote sites
- 2 load balancing groups gateways
- NAt Firewall port forwarding
max bandwidth per ADSL is 18Mbs.
We hope have Fiber one day but actual price for enterprise is much too high.
Between the 2 routers would be the DMZ for web services, mail, and IPBX
Both would need VLAN for missing interfaces, but traffic isn't very high.
What makes those products interesting is HA and many ports. Price is of course important.
Is it well suited or oversized for our needs ?
thank you for suggestions.
-
Would you please try to draw a small network schematic for us to better understand what you are talking about?
I was reading your post some times, but I am aware of understanding it really. There are more then one case
where two firewalls will be in usage. here some of them;- Cluster or redundant over VRRP/OSPF as active/passive, each working beside of the other
- High Availability (HA) over CARP as active/passive, each working beside of the other
- Router cascade or also called bastion host, each working behind the other device
Configuring pfSense Hardware Redundancy (CARP)
High Availability
So about what kind of set up we are talking here now?
-
Thank you for reply. With 2 HA routers, i meant 4 boxes. 2 active/2passive.
Here's a drawing :
http://picpaste.com/Capture-HaSWhiQN.PNGActually, each service is separated with one or 2 Internet access.
SDSL is to maintain VPN on remote sites.Wee have small routers between services for some specific needs but it became hard to maintain. Goal is to converge networks.
-
XG-1540 might be a better option
-
Why the two pairs of firewalls? Why not just use another interface for DMZ and maintain one pair?
-
Xg-1540 is the best. But 10gb switch even with few ports is too expensive.
Only one pair suggestion seems a good idea after all. With well designed interface sharing.
Haven't play much with vlans in pfsense but it should be unlimited.1 Interface for all DSL woud be enough.
1 for dmz
and others for inter vlans.Does HA need a dedicated interface ?
thank you.
-
I don't think I would put pfsync on a vlan interface. The ones I have right now are just crossover cables - probably unnecessary to use a xover but wth. The WANs and LANs can certainly be VLANs. CARP works just fine on a VLAN.
Unless you need 10G I think I'd go with a pair of 8860s (or 4860s) to get the extra interfaces. And a pair is less than just one XG-1540.
-
Only one pair of C2758 1U (2 units) would do the job also, and if needed you could upgrade this
ones then with extra NICs and also extra ports.The Chelsio 2 port NICs from the pfSense shop are also offloading VLANs completely from the
pfSense boxes or their CPUs (SoCs) that the box will be able to unleash their full potential.
And one DMZ and one LAN Switch could be connected over 10 GBit/s.7 x ADSL lines with 18 MBit/s = 126 MBit/s : 8 = ~16 MB/s
3 x SDSL lines with xx MBit/sWhat is the speed of the last three Internet connections?
You might be not really needing the bastion host, but if so I would place the VOIP part into the
DMZ that ports could be opened and forwarded into the DMZ to the VOIP or PBX appliance.
-
I don't think I would put pfsync on a vlan interface. The ones I have right now are just crossover cables - probably unnecessary to use a xover but wth. The WANs and LANs can certainly be VLANs. CARP works just fine on a VLAN.
Unless you need 10G I think I'd go with a pair of 8860s (or 4860s) to get the extra interfaces. And a pair is less than just one XG-1540.
Direct Corssover (or not) cable with CRAP for one interface and others for vlans seems the way to go.
@BlueKobold:
Only one pair of C2758 1U (2 units) would do the job also, and if needed you could upgrade this
ones then with extra NICs and also extra ports.The Chelsio 2 port NICs from the pfSense shop are also offloading VLANs completely from the
pfSense boxes or their CPUs (SoCs) that the box will be able to unleash their full potential.
And one DMZ and one LAN Switch could be connected over 10 GBit/s.7 x ADSL lines with 18 MBit/s = 126 MBit/s : 8 = ~16 MB/s
3 x SDSL lines with xx MBit/sWhat is the speed of the last three Internet connections?
You might be not really needing the bastion host, but if so I would place the VOIP part into the
DMZ that ports could be opened and forwarded into the DMZ to the VOIP or PBX appliance.I haven't noticed 2 pcie Slots in the box. That could be a way to expand.
SDSL is 5Mbs = 15Mbs : 8 = ~ 2 MB/s max
So 10Gbe is defentively oversized.With you're advices I'll then go to a pair of 4860s which will be enough and cost effective.
Thank you all. 8)
-
I haven't noticed 2 pcie Slots in the box. That could be a way to expand.
SG-2220, SG-2440, Sg-4860, SG-8860, C2758 1U and XG-1540 are able to buy from the pfSense shop.
And only the C2758 1U and the XG-1540 is sorted with an PCIe expansion slot.SDSL is 5Mbs = 15Mbs : 8 = ~ 2 MB/s max
Ok.
So 10Gbe is defentively oversized.
At the WAN port for sure and of course, this was for the uplink to the DMZ and LAN Switch.
With you're advices I'll then go to a pair of 4860s which will be enough and cost effective.
But it comes without any expansion slots! But ok it will within shipped 6 Intel based GB LAN Ports if this is
enough go for it. Perhaps it might be also a good idea to go with a pair of SG-8860 units that is stronger.
