Enterprise routers/firewall vs pfSense

Discussion in 'Networking' started by James Verbunk, Feb 4, 2020.

  1. James Verbunk

    Hey Everyone,

    I'm hoping to gather some opinions / experience for or against replacing my Watchguard XTM5 running pfSense with a Juniper SRX345.

    I'm sure some of you are running a combo of these at home and work. What pain points would I have?

    Some considerations,
    - SRX345 has no active license for features but I think there is a hardware feature unlocked (like full speed ports or something)
    - SRX has the DOCSIS mini-PIM and it works. I can pull down a DHCP address. Haven't configured past that.
    - pfSense is running a good deal of services: DHCP, DNS, Suricata, TLS cert manager, apcupsd. I would need to replicate these functions.
    - planning on upgrading from Juniper 2x EX2200 and 1x EX4200 to 2x ICX 6610-24P to match existing Ruckus H510 APs using the excellent 6610 guide on STH (seriously, wow)
    - this has WAF credits to account for. :)

    What do you think?
     
    #1
  2. klui

    I run an SRX240.

    Why are you migrating away from pfSense to SRX? If pfSense meets your needs and you want a HW upgrade, then install pfSense on a bigger box. Unless you use the licensed features of SRX, you won't be installing anything significant on it. Other than DHCP/DNS, you will need to rely on another machine/VM to perform Suricata and other functions.

    Learning curve on the SRX is quite high and there are a lot of little things you need to be aware of to make the platform resilient/reliable. The SRX 300s are stuck at 1 Gb, so you will need to use L3 switches to perform some filtering if you have a faster-than-1 Gb network.
     
    #2
  3. James Verbunk

    It's only a small bit for a HW bump. More that I wanted to try the DOCSIS mini-PIM / learn some new methods. The SRX is the last stop before WAN, so it is not a huge deal on 1 Gb speeds.

    At the time I picked this up I was trying for Juniper e2e, but their Mist APs are cloud hosted only (their edge gear is nonexistent on eBay etc.), which is a deal breaker. The EX4200 sounds like a jet engine full time and burns waaaay too much energy as well. I guess I'm OK with going a different direction, but it seems a shame. My bad, I didn't do enough homework ahead of time.

    On the plus side, Ruckus is a joy and provides upgrades w/o maintenance. Looking forward to picking up an ICX. :)

    -J
     
    #3
  4. vangoose

    I have an SRX300 for FW and routing is done in a 10G core on stacked ICX7250s. My internet goes max 940/940, so a 1 Gb interface is enough.

    SRX has 3 zones: Internet, LAN and DMZ.
    My original FW was pfSense, but I wanted to build a new one with 10G, then scrapped the idea. A FW is a FW, no additional roles; everything else like DHCP and DNS, etc. is handled in VMs.

    I'm thinking of trying multiple routing-instances on the SRX.

    There are a few things I wouldn't run in a VM: firewall, storage and backup. These should not have a dependency on other infrastructure except the network.
     
    #4
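    The three-zone layout vangoose describes (Internet, LAN, DMZ) written out in Junos `set` syntax, as an added example that is not configuration from anyone in this thread. Stateful zones, policies and NAT are base Junos features on the SRX300 series and need no feature license, which is the part of a pfSense ruleset that moves onto the box; Suricata, DHCP and DNS still have to live somewhere else, as klui says. Interface names, the DMZ host address and the published service are assumptions (the DOCSIS Mini-PIM WAN interface has a different name than the `ge-0/0/0.0` placeholder used here), and the `#` comment lines are explanatory and should be dropped before `load set`.

```junos
# Added example: three security zones on an SRX300-series box (Junos set syntax).
# Interface names, addresses and the published service are assumptions.

# Zones. Only the inbound services the SRX itself needs are opened per zone
# (host-inbound-traffic). Nothing is opened on the WAN side except the DHCP
# client the WAN interface needs to pull an address from the cable modem/CMTS.
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone LAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone LAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

# Address-book entry for the one DMZ host that is published (assumed address).
set security address-book global address dmz-web 10.20.0.10/32

# Policies are evaluated per zone pair; anything without an explicit permit
# falls through to the default deny at the end.
set security policies from-zone LAN to-zone Internet policy lan-out match source-address any
set security policies from-zone LAN to-zone Internet policy lan-out match destination-address any
set security policies from-zone LAN to-zone Internet policy lan-out match application any
set security policies from-zone LAN to-zone Internet policy lan-out then permit

set security policies from-zone LAN to-zone DMZ policy lan-to-dmz match source-address any
set security policies from-zone LAN to-zone DMZ policy lan-to-dmz match destination-address any
set security policies from-zone LAN to-zone DMZ policy lan-to-dmz match application any
set security policies from-zone LAN to-zone DMZ policy lan-to-dmz then permit

# Internet may reach exactly one DMZ host on exactly one predefined application.
set security policies from-zone Internet to-zone DMZ policy web-in match source-address any
set security policies from-zone Internet to-zone DMZ policy web-in match destination-address dmz-web
set security policies from-zone Internet to-zone DMZ policy web-in match application junos-https
set security policies from-zone Internet to-zone DMZ policy web-in then permit
set security policies from-zone Internet to-zone DMZ policy web-in then log session-init

# DMZ must never initiate into LAN: explicit deny, logged, so a compromised
# DMZ host probing inward shows up in the security log rather than vanishing
# into the silent default deny.
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny match source-address any
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny match destination-address any
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny match application any
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny then deny
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny then log session-init

set security policies default-policy deny-all

# Source NAT to the WAN interface address for LAN and DMZ egress.
set security nat source rule-set egress from zone [ LAN DMZ ]
set security nat source rule-set egress to zone Internet
set security nat source rule-set egress rule snat match source-address 0.0.0.0/0
set security nat source rule-set egress rule snat then source-nat interface

# Destination NAT for the published HTTPS service. With a DHCP WAN address the
# destination-address match is left wide open and the destination-port does the
# narrowing; the zone policy above is what actually authorises the traffic.
set security nat destination pool dmz-web-pool address 10.20.0.10/32 port 443
set security nat destination rule-set from-internet from zone Internet
set security nat destination rule-set from-internet rule https-in match destination-address 0.0.0.0/0
set security nat destination rule-set from-internet rule https-in match destination-port 443
set security nat destination rule-set from-internet rule https-in then destination-nat pool dmz-web-pool
```

    Two checks worth running after loading this: `show security policies hit-count` over a day of traffic tells you which rules are actually carrying sessions, and `show security flow session destination-prefix 10.20.0.10` confirms the published host is only ever reached on 443 from the Internet zone.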
  5. Rand__

    Significantly simpler to do HA and Backup/Snapshots in a VM though :)
     
    #5
  6. Deslok

    I rather like having my firewall in a VM, it opens up a lot of options for redundancy and keeps traffic internal to my vm hosts without bouncing everything through a switch. Nightly checkpoints are great for botched config changes as well.
     
    #6
  7. IamSpartacus

    I've gone back and forth on the VM or physical box route. I do like the flexibility of VMs, but I've settled on the hardware route as the one thing I value above all else is not having my network go down when my VM box(es) go down/have to be taken down.
     
    #7
  8. Rand__

    No prob with your old 3 node vsan cluster;)
     
    #8
  9. IamSpartacus

    4 node, get your facts straight :p. But yes, obviously if you're running a large cluster that almost never goes down you're fine. Now that I've downsized to a single AIO server, no chance I'd run my firewall in a VM. Probably wouldn't even with 2 servers.
     
    #9
  10. Rand__

    Ah, couldn't remember 100% and too lazy to check :D
    And yes, it's all about the specific case...
     
    #10
  11. vangoose

    We are not talking about enterprise here.

    For home, wait for a catastrophic failure like a power outage. Your HA will have zero benefit. Once power is back up, you are going to experience the chicken-and-egg thing. Is your network up? DNS up? DHCP up? Storage up? Virtual host up? Some VMs have crashed, I need to restore, is the backup server up?

    Been there, done that, will never do it again.

    About HA, there are infrastructure layer HA and application layer HA. Many services can use application layer HA which is very straightforward.

    HA for storage service is quite complex but do we really need it for home? I have critical data duplicated on two servers and 3rd copy in backup.

    SRX has snapshot and rollback feature and dual image. Should be good enough in most cases. If you want even better redundancy, get 2 and create a cluster.
     
    #11
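    The snapshot, rollback and dual-image features vangoose mentions, shown as an added operational walkthrough that is not from anyone in this thread. The point of the routine is the same one IamSpartacus and James make about the firewall being the thing that must not go down: every change is made under a timer that undoes it if you lose access, and a known-good system image sits on the alternate root before any upgrade. The policy name is a placeholder; the exact `request system snapshot` options vary by platform and Junos release, and the `slice alternate` form shown is the dual-root variant used on the SRX300 series.

```junos
# Added example: change safety on a Junos SRX (not from anyone in this thread).
# Lines without a "set" prefix are operational/configure-mode commands.

# 1. Before an upgrade, copy the running system to the alternate root partition
#    so a bad image leaves you a bootable fallback (options vary by release).
request system snapshot slice alternate

# 2. Make the change under a timer. If the commit is not confirmed within
#    5 minutes (because the change cut off your own management session),
#    Junos rolls back on its own; a wrong zone or policy edit cannot strand you.
configure
set security policies from-zone LAN to-zone Internet policy lan-out then deny
show | compare
commit confirmed 5 comment "test deny, auto-rollback in 5 min"

# 3. Verify from the LAN that you still reach the box, then confirm the change.
commit check
commit comment "confirmed after access check"

# 4. Undo a confirmed change later: Junos keeps the last 50 committed
#    configurations (rollback 0 is the running one). Diff first, then revert.
run show system commit
show | compare rollback 1
rollback 1
commit comment "reverted to previous config"
exit
```

    `commit confirmed` is the habit that matters most on a box that is the only path to the WAN: it costs one extra `commit` when things go right and saves a console-cable trip when they do not.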
  12. James Verbunk

    I'm definitely keeping a hardware firewall. One misconfiguration on the hypervisor or vlan could lead to exposure. No need to have the added pressure for me.

    I like the SRX345 hardware, especially the DOCSIS mini-PIM and ASICs, but as @vangoose said I want to avoid chicken and egg (internal routing doesn't work because DHCP can't come up, which can't come up because internal routing is down, etc.). Still, I'll look around for replacements that have an API so I can get into software defined services. I guess my hold up would be security based services (Suricata). DNS/DHCP/certificates I can run elsewhere, but Suricata should be inline.

    It's frustrating that pfSense makes it so easy, but those services are critical and run on the gatekeeper. Worried too that progress on pfSense seems to be slowing in favor of TNSR, not sure if there is writing on the wall there.

    At one point there was a tool from Juniper that reformatted Suricata/Snort rulesets into theirs... but the links are broken now. Can anyone say if the license is for the engine or rules access? Any workarounds here?

    J
     
    #12
  13. ReturnedSword

    This isn't meant as a dig, as @Rand__ deffo knows his stuff, but I agree with @vangoose about critical services being on physical machines at home. At home I have neither the budget nor the time to worry about chicken-and-egg situations. A matter of personal preference for me I guess. In the enterprise this is mostly avoided due to redundancy across locations or separated infrastructure.

    @James Verbunk I run pfSense at home. Many moons ago I dabbled in some Juniper and Cisco stuff, but eventually went open source, ending up on pfSense after m0n0wall died. Quite a few enthusiasts are using OPNsense now, but while I gripe that pfSense is moving too slowly in terms of features/integration (possibly due to Netgate's focus on TNSR as you suggested), I complain that OPNsense moves too fast without proper testing. Can't have all the things I suppose... So here I am running pfSense.
     
    #13
  14. Cheddoleum

    For a few years my router was containerized on a linux platform that I used for a number of networking purposes. One thing that helped mitigate the kind of situation you're referring to is a second machine on the network, plumbed into the switch fabric the same way, that carried a copy of that container, so it could be started instantly if I needed to bring the other one down. A few things like current DHCP lease files would get lost but in practice that actually caused zero problems.

    But nevertheless, yeah, what you said. There's also the "what if I'm traveling and the wife needs to reset the router? Do I want to walk her via FaceTime through an obscure process using terminal sessions?" So I'm back to a dedicated appliance now. And what's more, I avoid confusion of purposes by NOT running other services like VPN on it, for similar reasons.
     
    #14
  15. Evan

    While I use a Meraki for filtering and management of the children's access and for ease of use, the point is really valid to make. For the general access an appliance is nice and easy to manage.
    Then just run a virtual pfSense or whatever software as a lab router, which can easily be virtual.
     
    #15
