Advice On Configuration(pfsense, managed switches, multi-wan)


No1451

New Member
Jan 1, 2011
So for my new and improved fileserver I'm rolling a pfSense installation alongside (virtualized in ESXi, and yes, I am aware of the risks of running my firewall on the same box as my fileserver). This box will be managing 3 separate WAN connections, and in lieu of buying a quad NIC (too rich for my blood) I am hoping that a cheaper used managed switch could offer me the same functionality through VLANs.

Now, my question with this is: can I tag my WANs on the switch to the single NIC on my server and have another NIC on the server connect to the same switch to gain access to the rest of the network? A lot of the guides I have read recommend that a managed switch used this way be used ONLY for this; is that simply a "best practice" or are there actual issues that will arise if I don't?


Second part to this: I know nothing about managed switches. I have never owned one and am now in the market. Can anyone recommend a switch? I'm looking for stability over everything else (a 10/100 switch is fine, my fastest WAN is going to be only 50/2) and I only need up to 5 ports (though more ports never hurt anybody :) ).

Thanks for reading!
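The layout asked about above (three WAN modems on access ports, their VLANs tagged onto one trunk to the pfSense NIC, and the LAN on a second NIC plugged into the same switch) is safe only as long as no single port ends up carrying two of those segments, which is what the "use the switch only for this" advice is guarding against. The following Python audit is an added example and not code from the thread or from pfSense; it encodes the port rules for that layout and runs them over two constructed switch plans. The port names, the VLAN IDs 10/20/30 for the WANs, 999 as an unused native VLAN for the trunk, and both sample plans are made up for illustration.

```python
"""Audit a managed-switch VLAN plan for a pfSense multi-WAN trunk.

Added example, not code from the thread. Port names, VLAN IDs and the two
sample plans are made up; the checks encode the usual rules for carrying
several WAN segments through one switch that also serves the LAN.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    untagged: int                      # PVID / native VLAN of the port
    tagged: frozenset = frozenset()    # VLANs carried 802.1Q-tagged


@dataclass
class Plan:
    wan_vlans: dict      # vlan id -> label, e.g. {10: "cable"}
    lan_vlan: int        # VLAN the rest of the house lives in
    trunk_port: str      # port wired to the pfSense WAN-side NIC
    ports: tuple


def vlans_on(port):
    """All VLANs a port participates in, tagged or not."""
    return port.tagged | {port.untagged}


def audit(plan):
    """Return a list of problems; an empty list means the plan is clean."""
    problems = []
    wan = set(plan.wan_vlans)
    ports = {p.name: p for p in plan.ports}
    trunk = ports.get(plan.trunk_port)
    if trunk is None:
        return [f"trunk port {plan.trunk_port!r} is not in the plan"]

    # 1. pfSense only sees a WAN if its VLAN is tagged on the trunk, and the
    #    trunk should carry nothing else (the LAN goes over the second NIC).
    for v in sorted(wan - trunk.tagged):
        problems.append(f"WAN VLAN {v} ({plan.wan_vlans[v]}) not tagged on trunk {trunk.name}")
    for v in sorted(trunk.tagged - wan):
        problems.append(f"trunk {trunk.name} also carries non-WAN VLAN {v}")

    # 2. The trunk's native VLAN must be a dead VLAN: not a WAN and not the
    #    LAN. Untagged frames on the trunk (the host before its VLAN
    #    interfaces come up, or a double-tagged frame from a WAN port) would
    #    otherwise land directly in a WAN or in the LAN.
    if trunk.untagged in wan or trunk.untagged == plan.lan_vlan:
        problems.append(f"trunk {trunk.name} native VLAN {trunk.untagged} is a WAN or the LAN VLAN")

    # 3. Each WAN VLAN is untagged on exactly one port: the modem's port.
    for v in sorted(wan):
        access = [p.name for p in plan.ports if p is not trunk and p.untagged == v]
        if len(access) != 1:
            problems.append(f"WAN VLAN {v} untagged on {access or 'no port'}, expected exactly one")

    # 4. No port except the trunk may carry two of the protected segments
    #    (two WANs, or a WAN plus the LAN); that bridges them behind pfSense.
    protected = wan | {plan.lan_vlan}
    for p in plan.ports:
        carried = vlans_on(p) & protected
        if p is not trunk and len(carried) > 1:
            problems.append(f"port {p.name} bridges VLANs {sorted(carried)} outside the firewall")
    return problems


WAN = {10: "cable", 20: "dsl", 30: "lte"}   # made-up VLAN ids and labels

# Intended layout: three modems, one trunk to the pfSense NIC, LAN on the rest.
GOOD_PLAN = Plan(WAN, lan_vlan=1, trunk_port="port4", ports=(
    Port("port1", 10), Port("port2", 20), Port("port3", 30),
    Port("port4", 999, frozenset({10, 20, 30})),   # 999: unused native VLAN
    Port("port5", 1), Port("port6", 1), Port("port7", 1), Port("port8", 1),
))

# Same switch with two typical slips: the trunk was left on native VLAN 1
# and port5 got the DSL VLAN tagged onto it while still being a LAN port.
BAD_PLAN = Plan(WAN, lan_vlan=1, trunk_port="port4", ports=(
    Port("port1", 10), Port("port2", 20), Port("port3", 30),
    Port("port4", 1, frozenset({10, 20, 30})),
    Port("port5", 1, frozenset({20})), Port("port6", 1), Port("port7", 1), Port("port8", 1),
))

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, audit(plan) or "ok")
```

Run as-is, the good plan comes back clean and the bad plan reports the LAN-native trunk and the port that bridges VLAN 20 into the LAN. Those two slips are the concrete reason the guides say to keep such a switch dedicated: on a shared switch every LAN port is one tagging mistake away from becoming a WAN port, whereas on a dedicated one there is no LAN VLAN to bridge into.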
 

dranem

New Member
Feb 28, 2011
I am partial to HP switches. We use dozens of the HP 5400 and 3500 series and they are quite dependable. We also use a few smaller switches in different locations that also work well.

For a small 10/100/1000 managed switch with VLAN tagging, the V1810-8g is nice...

http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/12883-12883-4172267-4172304-4172281-3963985.html


A small 10/100 managed switch with VLAN tagging, is the V1700-8

http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/12883-12883-4172267-4172304-4172281-3411648.html


In Canada, the V1810-8g goes for $160 to $180; the V1700-8, for $70 to $100.


All HP switches are at:

http://h17007.www1.hp.com/us/en/products/switches/index.aspx
 

Metaluna

Member
Dec 30, 2010
I'm also a noob to managed switches, and I just resolved a problem with my Dell 2816 that might be of general interest:

Without going into too much detail, if you ever encounter a problem where a device (e.g. my Xbox 360) has trouble getting a DHCP address immediately after powerup, try disabling "Spanning Tree Protocol" on that port, or at least putting it in "fast" mode, if your switch has such a setting.

By default, when my switch detects a client powering up on a port, it will block access to that port for something like 30 seconds while the STP checks to make sure the port is not a loop connection. If, during this time, the connected device is trying to access the network, it will fail. The "fast" mode passes through network traffic while STP is running, and will only shut off the port if it detects a problem. This is less desirable behavior, but on a small network where you may not even need STP anyway, it's a reasonable compromise.
 

unclerunkle

Active Member
Mar 2, 2011
Wisconsin
Could someone point me in the right direction to learn more about the "risks of running my firewall on the same box as my fileserver"?
 

nitrobass24

Moderator
Dec 26, 2010
TX
Could someone point me in the right direction to learn more about the "risks of running my firewall on the same box as my fileserver"?
Yeah, I've been wanting some good info on this as well. People always scream when they see you are virtualizing your firewall on the same box as production, and I get it that there are possible vulnerabilities in the hypervisor that could be exploited because it's just software and, as we know, no software is 100% secure... but I would like to see some hard facts rather than theory.
 

PigLover

Moderator
Jan 26, 2011
I happened to be in a meeting sitting next to the network security director for a major network operator today...so I asked:

In his opinion, the biggest reason why this is a bad idea is that you just have to compromise the management interface to the hypervisor to effectively eliminate the firewall. Most hypervisors are not particularly well hardened. They often share their management interfaces with the more general LAN. They are protected by simple passwords. And many times there are intentional "back door" accesses created through the firewall for the convenience of the administrator, which become convenient for the bad guys too. They are pretty easy to break into. Anyone who gains even the most benign access to the LAN side of your firewall has a pretty easy road to break into the hypervisor... and once you are in you can very easily reconfigure the virtual networks to bypass the firewall VM from any remote location.

It is this kind of attack that makes security experts prefer a dedicated appliance. The appliances are often better protected. He said that all of their firewalls are set up so that they can only be accessed from a dedicated management LAN (a physically separate LAN). They use a fairly sophisticated token-based access control. But most importantly, they are physically wired in a way that you have to enter the room and touch the cables in order to take it out of the path. There is no combination of switches, routers, etc, that you can manipulate to bypass it without touching it. From a remote location there are a limited number of changes you can make to the firewall configuration before alarms are raised.

For most of us - most home users and SOHO configs - these are rather extreme concerns. You are certainly safer with a strong firewall embedded in a VM than with nothing at all.

Thinking about it some more, there is at least one thing you might do to help harden things a bit: use VMware PCI passthrough to give the NICs directly to your firewall VM. Do this for your network ingress NIC, and possibly the egress too (though this means all traffic has to leave the VM host and pinwheel back through your switch before it can reach another VM...). If you do this then you severely complicate the task of bypassing your firewall: he can't just reconfigure the VM networks to bypass the firewall... he has to at least force a reboot of the VM host in order to remove the NIC from its passthrough state. Yes, a bad guy could create a whole new firewall VM and pass the NIC through to it, but that's a lot of work and pretty likely to be noticed.
 

Patrick

Administrator
Staff member
Dec 21, 2010
I do something fairly similar where my IPMI NICs all sit on a network that I have to VPN into. Probably unnecessary for most home users, but it is not too expensive to setup.
 

No1451

New Member
Jan 1, 2011
Thanks PigLover, judging from what you say I don't think it's too much a concern for me.
 

No1451

New Member
Jan 1, 2011
So now I've tried it, and I must say that performance is fairly abysmal. I'm not sure if I need to do tuning in pfSense or dedicate physical WAN and LAN ports for the guest, but at the moment I get absolutely terrible performance using a virtual install of pfSense. Using pingtest.net I'm up from 0% packet loss to a whopping 26%, and my ping/jitter goes from 90/110 to 270/140. Yuck.

Bears a lot more testing; if anyone here is doing something similar in their setup I'd love to hear about it and how you fixed the seeming issues.
 

nitrobass24

Moderator
Dec 26, 2010
TX
Not having dedicated ports and using software to emulate physical interfaces is going to cause performance issues.

What are you using to measure ping/jitter? What are you comparing it to?
 

No1451

New Member
Jan 1, 2011
Using pingtest.net, not the best metric, but I compared pfSense vs my standard D-Link router, so the results should hold well enough for my purposes. I'm going to give it a try using an actual adapter for the LAN; hopefully that can clear up some of my troubles.