Question about PFSense Load Balancer

[3zzz]

Greetings all,

I have read the "HowTo" here and I am interested in trying this for a new production network:
http://www.howtoforge.com/how-to-use...ur-web-servers

I noticed the author writes "if this is your edge firewall I would recommend a physical machine"

Is this so that PFsense will have dedicated CPU resources to handle the load balancing? Are there other considerations?

I had been considering putting everything onto VMWare ESXi hosts including a PFSense cluster, based on the 2 tutorials here http://doc.pfsense.org/index.php/Tutorials

1) Installing pfSense in VMware
&
2) "Building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP & pfsync / pfSense CARP & pfsync failover-simulation"

But maybe I'll need to run separate hardware for the PFSense cluster?
Will be trying some experiments over the next week or 2 to see if I can figure this out... appreciate any advice, TVMIA

[3zzz]

Quote:

Originally Posted by 3zzz

Are there other considerations?

Well I realized security is also a consideration. If the physical box is hooked to the WAN, we'll need to make sure there are no open ports other than to PFSense. But assuming we use NAT to all the other VMs, how much of a concern is this really?

[mmidgett]

I think the thinking behind this is not to put all your eggs in one basket. Depending on your network load and the power of your cpu it is defiantly doable. Just think if your esxi server dies so does all your network but if this is use in a colocation rack and your trying to save space then for temp solution I don't think that you have a problem. Also most pfsense servers need not to be more than 1ghz. If your not running lots of vpn connections then 500mhz will do.

[3zzz]

Thanks mmidgett!

Quote:

Originally Posted by mmidgett

Just think if your esxi server dies so does all your network

Well I was thinking to have 2 identical physical esxi servers, on each would be PFsense and synched copies of all the VMs (or perhaps shared storage?)

I will set up VMs from each in a pool so that if primary fails and secondary takes over, half the pool will still be there to serve clients.

Quote:

Originally Posted by mmidgett

but if this is use in a colocation rack and your trying to save space then for temp solution I don't think that you have a problem.

More of a long term permanent solution if i get it to work as i'm thinking...

Quote:

Originally Posted by mmidgett

Also most pfsense servers need not to be more than 1ghz. If your not running lots of vpn connections then 500mhz will do.

That's great - I don't plan on much vpn at all, but hope to push 100mbps+ from the setup.

[neofire]

Hey 3zzz

The Reasons i Suggested a physical machine if pfsense is going to be edge firewall, (and mmidgett nailed one of the reasons) is purely from Disaster Recovery point a view ( all eggs in one basket situation ) and the other reason is security and expandability, i have seen one situation where a client had a VM firewall on the same host as his production VMs and (his firewall was setup quite poorly) and some one managed to hack and gain access to his VMware ESXi Console, and cause considerable damage to his environment

In regards to expandability, if you want to build a DMZ for example i personally like other hardware to control this and not have my esxi touching the dmz at all

if you have any more questions or concerns feel free to ask

[3zzz]

Quote:

Originally Posted by neofire

Hey 3zzz

The Reasons i Suggested a physical machine if pfsense is going to be edge firewall, (and mmidgett nailed one of the reasons) is purely from Disaster Recovery point a view ( all eggs in one basket situation ) and the other reason is security and expandability, i have seen one situation where a client had a VM firewall on the same host as his production VMs and (his firewall was setup quite poorly) and some one managed to hack and gain access to his VMware ESXi Console, and cause considerable damage to his environment

if you have any more questions or concerns feel free to ask

Thanks neofire!!
I think I will have 2 identical machines for redundancy; seems for my purposes it'll be cheaper than shared storage.
For security I will limit access to ESXi to the local network only, and use pfsense to block LAN addresses from spoofing over the WAN so I would hope ESXi is not accessible to hackers unless they first gain access to a LAN machine.

Well thanks for your advice, I'll let you know how it goes!