Enterprise routers/firewall vs pfSense

James Verbunk

New Member
Apr 13, 2018
Hey Everyone,

I'm hoping to gather some opinions / experience for or against replacing my Watchguard XTM5 running pfSense with a Juniper SRX345.

I'm sure some of you are running a combo of these at home and work. What pain points would I have?

Some considerations,
- SRX345 has no active license for features but I think there is a hardware feature unlocked (like full speed ports or something)
- SRX has the DOCSIS mini-PIM and it works. I can pull down a DHCP address. Haven't configured past that.
- pfSense is running a good deal of services: DHCP, DNS, Suricata, TLS cert manager, apcupsd. I would need to replicate these functions.
- planning on upgrading from Juniper 2x EX2200 and 1x EX4200 to 2x ICX 6610-24P to match existing Ruckus H510 APs using the excellent 6610 guide on STH (seriously, wow)
- this has WAF credits to account for. :)

What do you think?

klui

Active Member
Feb 3, 2019
I run an SRX240.

Why are you migrating away from pfSense to SRX? If pfSense meets your needs and you want a HW upgrade, then install pfSense on a bigger box. Unless you use the licensed features of SRX, you won't be installing anything significant on it. Other than DHCP/DNS, you will need to rely on another machine/VM to perform Suricata and other functions.

Learning curve on the SRX is quite high and there are a lot of little things you need to be aware of to make the platform resilient/reliable. The SRX 300s are stuck at 1 Gb so you will need to use L3 switches to perform some filtering if you have a faster-than-1 Gb network.

James Verbunk

New Member
Apr 13, 2018
It's only a small bit for a HW bump. More that I wanted to try the DOCSIS mini-PIM / learn some new methods. The SRX is the last stop before WAN so it is not a huge deal on 1 Gb speeds.

At the time I picked this up I was trying for Juniper e2e but their Mist APs are cloud hosted only (their edge gear is nonexistent on eBay etc.) which is a deal breaker. The EX4200 sounds like a jet engine full time and burns waaaay too much energy as well. I guess I'm OK with going a different direction but it seems a shame. My bad I didn't do enough homework ahead of time.

On the plus side Ruckus is a joy and provide upgrades w/o maintenance. Looking forward to picking up an ICX. :)

-J

vangoose

Active Member
May 21, 2019
Canada
I have an SRX300 for FW and routing is done in a 10G core in stacked ICX7250. My internet goes max 940/940 so a 1 Gb interface is enough.

SRX has 3 zones, Internet, LAN and DMZ.
My original FW was pfSense but I wanted to build a new one with 10G, then scrapped the idea. A FW is a FW, no additional roles; everything else like DHCP and DNS, etc. is handled in VMs.

I'm thinking to try multiple routing-instances on SRX.

There are a few things I wouldn't run in VM. Firewall, storage and backup. These should not have dependency on other infrastructures except network.
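
The three-zone layout described above (Internet, LAN, DMZ with the firewall doing nothing but firewalling), as an added example and not vangoose's own configuration: Junos set-style commands for an SRX. Interface names, addresses, the zone names, the dmz-web host and the rule names are assumptions; adjust them to your box. The point it illustrates is the SRX model of zones plus explicit inter-zone policies with a global default deny, and that security policies match on the post-NAT destination, so the inbound rule references the DMZ host's private address, not the WAN address.

```junos
## Added example, not from the thread. Interfaces, addresses and names are assumptions.

## Interfaces: WAN gets its address by DHCP (matches a DOCSIS/cable uplink), LAN and DMZ are static.
set interfaces ge-0/0/0 unit 0 description "Internet uplink"
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 description "LAN"
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.1/24
set interfaces ge-0/0/2 unit 0 description "DMZ"
set interfaces ge-0/0/2 unit 0 family inet address 10.20.0.1/24

## Zones. host-inbound-traffic is what the SRX itself will answer on that zone;
## nothing is opened towards the SRX from the Internet except the DHCP client.
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone LAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone LAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

## Address book entries used by the policies (assumed hosts/networks).
set security address-book global address lan-net 10.10.0.0/24
set security address-book global address dmz-net 10.20.0.0/24
set security address-book global address dmz-web 10.20.0.10/32

## Source NAT for LAN and DMZ going out, hidden behind the WAN interface address.
set security nat source rule-set outbound from zone LAN
set security nat source rule-set outbound from zone DMZ
set security nat source rule-set outbound to zone Internet
set security nat source rule-set outbound rule snat match source-address 10.10.0.0/24
set security nat source rule-set outbound rule snat match source-address 10.20.0.0/24
set security nat source rule-set outbound rule snat then source-nat interface

## Destination NAT: TCP/443 arriving on the WAN goes to the DMZ web host.
set security nat destination pool dmz-web address 10.20.0.10/32
set security nat destination rule-set from-internet from zone Internet
set security nat destination rule-set from-internet rule web match destination-address 0.0.0.0/0
set security nat destination rule-set from-internet rule web match destination-port 443
set security nat destination rule-set from-internet rule web then destination-nat pool dmz-web

## LAN may reach the Internet and the DMZ.
set security policies from-zone LAN to-zone Internet policy lan-out match source-address lan-net
set security policies from-zone LAN to-zone Internet policy lan-out match destination-address any
set security policies from-zone LAN to-zone Internet policy lan-out match application any
set security policies from-zone LAN to-zone Internet policy lan-out then permit
set security policies from-zone LAN to-zone DMZ policy lan-to-dmz match source-address lan-net
set security policies from-zone LAN to-zone DMZ policy lan-to-dmz match destination-address dmz-net
set security policies from-zone LAN to-zone DMZ policy lan-to-dmz match application any
set security policies from-zone LAN to-zone DMZ policy lan-to-dmz then permit

## DMZ may reach the Internet only; the explicit deny towards LAN is logged
## so a compromised DMZ host trying to pivot shows up in the logs.
set security policies from-zone DMZ to-zone Internet policy dmz-out match source-address dmz-net
set security policies from-zone DMZ to-zone Internet policy dmz-out match destination-address any
set security policies from-zone DMZ to-zone Internet policy dmz-out match application any
set security policies from-zone DMZ to-zone Internet policy dmz-out then permit
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny match source-address any
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny match destination-address any
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny match application any
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny then deny
set security policies from-zone DMZ to-zone LAN policy dmz-to-lan-deny then log session-init

## Inbound from the Internet: only HTTPS to the web host. The destination-address
## is the private DMZ address because policy lookup happens after destination NAT.
set security policies from-zone Internet to-zone DMZ policy inbound-web match source-address any
set security policies from-zone Internet to-zone DMZ policy inbound-web match destination-address dmz-web
set security policies from-zone Internet to-zone DMZ policy inbound-web match application junos-https
set security policies from-zone Internet to-zone DMZ policy inbound-web then permit
set security policies from-zone Internet to-zone DMZ policy inbound-web then log session-close

## Anything not matched above (including Internet to LAN) is dropped.
set security policies default-policy deny-all
```

Load it with `load set`, run `commit check` before `commit`, and confirm the zone pairs with `show security policies`. Note that there is no Internet-to-LAN policy at all; that is deliberate, the default-policy deny covers it. Routing instances are not shown here: a second virtual-router on the same box needs its own zone, its own default route and route leaking to talk to the others, which is a separate exercise.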

Rand__

Well-Known Member
Mar 6, 2014
> There are a few things I wouldn't run in VM. Firewall, storage and backup. These should not have dependency on other infrastructures except network.

Significantly simpler to do HA and Backup/Snapshots in a VM though :)

Deslok

Well-Known Member
Jul 15, 2015
> I have an SRX300 for FW and routing is done in a 10G core in stacked ICX7250. My internet goes max 940/940 so a 1 Gb interface is enough.
>
> SRX has 3 zones, Internet, LAN and DMZ.
> My original FW was pfSense but I wanted to build a new one with 10G, then scrapped the idea. A FW is a FW, no additional roles; everything else like DHCP and DNS, etc. is handled in VMs.
>
> I'm thinking to try multiple routing-instances on SRX.
>
> There are a few things I wouldn't run in VM. Firewall, storage and backup. These should not have dependency on other infrastructures except network.

I rather like having my firewall in a VM, it opens up a lot of options for redundancy and keeps traffic internal to my VM hosts without bouncing everything through a switch. Nightly checkpoints are great for botched config changes as well.

IamSpartacus

Well-Known Member
Mar 14, 2016
I've gone back and forth on the VM or physical box route. I do like the flexibility of VMs but I've settled on the hardware route as the one thing I value above all else is not having my network go down when my VM box(es) go down/have to be taken down.

IamSpartacus

Well-Known Member
Mar 14, 2016
> No prob with your old 3 node vsan cluster;)

4 node, get your facts straight :p. But yes, obviously if you're running a large cluster that almost never goes down you're fine. Now that I've downsized down to a single AIO server, no chance I'd run my firewall in a VM. Probably wouldn't even with 2 servers.

Rand__

Well-Known Member
Mar 6, 2014
Ah, couldn't remember 100% and too lazy to check :D
And yes, it's all about the specific case...

vangoose

Active Member
May 21, 2019
Canada
> Significantly simpler to do HA and Backup/Snapshots in a VM though :)

We are not talking about enterprise here.

For home, wait for a catastrophic failure like a power outage. Your HA will have zero benefits. Once power is back up, you are going to experience the chicken and egg thing. Is your network up? DNS up? DHCP up? Storage up? Virtual host up? Some VMs crashed, I need to restore, is the backup server up?

Been there, done that, will never do it again.

About HA, there is infrastructure layer HA and application layer HA. Many services can use application layer HA which is very straightforward.

HA for storage service is quite complex but do we really need it for home? I have critical data duplicated on two servers and a 3rd copy in backup.

SRX has a snapshot and rollback feature and dual image. Should be good enough in most cases. If you want even better redundancy, get 2 and create a cluster.

James Verbunk

New Member
Apr 13, 2018
I'm definitely keeping a hardware firewall. One misconfiguration on the hypervisor or vlan could lead to exposure. No need to have the added pressure for me.

I like the SRX345 hardware, especially the DOCSIS mini-PIM and ASICs, but as @vangoose said I want to avoid chicken and egg (internal routing doesn't work because DHCP can't come up, which can't come up because internal routing is down, etc.). Still, I'll look around for replacements that have an API so I can get into software defined services. I guess my hold up would be security based services (Suricata). DNS/DHCP/certificates I can run elsewhere but Suricata should be inline.

It's frustrating that pfSense makes it so easy but those services are critical and run on the gatekeeper. Worried too that progress on pfSense seems to be slowing in favor of TNSR; not sure if there is writing on the wall there.

At one point there was a tool from Juniper that reformatted Suricata/Snort rulesets into theirs... but the links are broken now. Can anyone say if the license is for the engine or for rules access? Any workarounds here?

J

ReturnedSword

Active Member
Jun 15, 2018
Santa Monica, CA
This isn't meant as a dig, as @Rand__ deffo knows his stuff, but I agree with @vangoose about critical services being on physical machines at home. At home I have neither the budget nor the time to worry about chicken and egg situations. A matter of personal preference for me I guess. In the enterprise this is mostly avoided due to redundancy across locations or separated infrastructure.

@James Verbunk I run pfSense at home. Many moons ago I dabbled in some Juniper and Cisco stuff, but eventually went open source, ending up on pfSense after m0n0wall died. Quite a few enthusiasts are using OPNSense now, but while I gripe that pfSense is moving too slowly in terms of features/integration (possibly due to Netgate's focus on TNSR as you suggested), I complain that OPNSense moves too fast without proper testing. Can't have all the things I suppose... So here I am running pfSense.

Cheddoleum

Member
Feb 19, 2014
> We are not talking about enterprise here.
>
> For home, wait for a catastrophic failure like a power outage. Your HA will have zero benefits. Once power is back up, you are going to experience the chicken and egg thing. Is your network up? DNS up? DHCP up? Storage up? Virtual host up? Some VMs crashed, I need to restore, is the backup server up?
>
> Been there, done that, will never do it again.

For a few years my router was containerized on a Linux platform that I used for a number of networking purposes. One thing that helped mitigate the kind of situation you're referring to is a second machine on the network, plumbed into the switch fabric the same way, that carried a copy of that container, so it could be started instantly if I needed to bring the other one down. A few things like current DHCP lease files would get lost but in practice that actually caused zero problems.

But nevertheless, yeah, what you said. There's also the "what if I'm traveling and the wife needs to reset the router? Do I want to walk her via FaceTime through an obscure process using terminal sessions?" So I'm back to a dedicated appliance now. And what's more, I avoid confusion of purposes by NOT running other services like VPN on it, for similar reasons.

Evan

Well-Known Member
Jan 6, 2016
> But nevertheless, yeah, what you said. There's also the "what if I'm traveling and the wife needs to reset the router? Do I want to walk her via FaceTime through an obscure process using terminal sessions?" So I'm back to a dedicated appliance now. And what's more, I avoid confusion of purposes by NOT running other services like VPN on it, for similar reasons.

While I use a Meraki for filtering and management of the children's access and ease of use, the point is really valid to make. For the general access an appliance is nice and easy to manage.
Then just run a virtual pfSense or whatever software as a lab router; that can easily be virtual.