Firewall with a large number of interfaces/VLANs

Xciter

First post, so be gentle :)

I am investigating a firewall solution that would enable me to have a large number of interfaces/VLANs behind a firewall. My current go-to solution is pfSense; however, due to some limitations of how pfSense was written, the system is mostly unable to deal with more than 128 interfaces. Configuring more results in high CPU load and weird problems with services.

I have checked with their support and they acknowledge the issues; however, they currently don't have plans to fix it, even though they market it as "supporting a high number of interfaces (thousands)".

I'm using Ruckus kit for WiFi, which relies on Dynamic-PSK (Cisco has a different abbreviation for the same technology). This results in a VLAN for each user. Changing the network design is not really an option.

Some requirements:
- DNS / DHCP v4/6 / NTP
- IPSec capability
- NAT for IPv4
- IPv6 capable
- Working in either Active/Passive or Active/Active mode
- GUI (preferably)

Things I am considering:
- Pure FreeBSD
- Linux with keepalived (No states synchronization)
- Some Cisco devices
- Some Brocade device

I'll be testing the first two options in my lab, however I am somewhat clueless about which part of the portfolio of the two companies I can target.

Suggestions are appreciated.

fohdeesha

Have you thought about just terminating all of your interfaces on a layer 3 switch, handling all the VLANs (with an IP/gateway per VLAN, which I'm assuming is how you're set up now), then using a transit link/subnet between the switch and the firewall? A "VLAN per customer" (or in your case, wireless user) is quite common; in fact we use it at work with a few thousand customers. They get terminated and aggregated on L3 switches in the field, then aggregated back to our core routing stack (which would be a firewall in your case). I can't imagine trying to terminate them all on the firewall itself.

Evan

Load balance more than one pfSense instance?

Cisco/Fortinet/<insert favorite commercial solution here> is probably the best, although not cheapest, option.

Ruckus doesn't terminate on an anchor controller?

Xciter

> Have you thought about just terminating all of your interfaces on a layer 3 switch, handling all the VLANs (with an IP/gateway per VLAN, which I'm assuming is how you're set up now), then using a transit link/subnet between the switch and the firewall? A "VLAN per customer" (or in your case, wireless user) is quite common; in fact we use it at work with a few thousand customers. They get terminated and aggregated on L3 switches in the field, then aggregated back to our core routing stack (which would be a firewall in your case). I can't imagine trying to terminate them all on the firewall itself.

I have thought about it; however, my preference would be to not deviate from my existing template. I definitely think it would work. I'll give it a go as well.

> Load balance more than one pfSense instance?
>
> Cisco/Fortinet/<insert favorite commercial solution here> is probably the best, although not cheapest, option.
>
> Ruckus doesn't terminate on an anchor controller?

pfSense supports an "Active/Passive" setup with state/config/DHCP lease synchronization, which actually works pretty well. Regretfully, Ruckus does not terminate on an anchor controller. I have a suspicion they also rely on the aggregation solution offered above.

Xciter

FYI,

It seems pfSense also does not support serving DHCP pools that are outside the scope of the locally configured interfaces.

I went with the first suggestion and I can report everything is working as expected; I just had to move the DHCP servers to the aggregation switch.
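The aggregation design from fohdeesha's reply above, together with the relayed-DHCP behaviour Xciter ran into, as an added example that is not code from the thread, from pfSense or from any switch vendor: it carves one aggregate prefix into a /26 per apartment VLAN (SVI at .1 on the L3 switch), collapses the thousand per-VLAN prefixes into the handful of summary routes the firewall needs towards the switch's transit address, and then selects a DHCP pool for a relayed DISCOVER the way RFC 2131 section 4.3.1 describes, by the giaddr the relay filled in rather than by the receiving interface. The 10.20.0.0/16 aggregate, the 192.0.2.2 transit next hop, the VLAN range 100-1099 and the client MAC address are constructed for the example.

```python
"""Added example (not from the thread): per-apartment VLAN address plan terminated
on an L3 switch, the summary routes the firewall needs over the transit link, and
RFC 2131 pool selection for DHCP requests that arrive through a relay agent.
All prefixes, addresses and MACs below are constructed for illustration."""
import ipaddress
import struct
from dataclasses import dataclass

MAX_VLAN_ID = 4094              # 802.1Q VID is 12 bits; 0 and 4095 are reserved
MAX_RELAY_HOPS = 16             # RFC 1542: servers should discard requests with hops > 16
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST = 1


@dataclass(frozen=True)
class Segment:
    vlan_id: int
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address   # SVI on the switch; also the relay's giaddr
    pool_first: ipaddress.IPv4Address
    pool_last: ipaddress.IPv4Address


def plan_segments(aggregate, first_vlan, count, prefixlen=26):
    """Carve one aggregate into per-VLAN subnets: first host is the SVI, the rest is the pool."""
    agg = ipaddress.ip_network(aggregate)
    if not 1 <= first_vlan <= first_vlan + count - 1 <= MAX_VLAN_ID:
        raise ValueError("VLAN IDs must stay within 1..4094")
    if not agg.prefixlen <= prefixlen <= 29:
        raise ValueError("prefix length must leave room for a gateway and a pool")
    subnets = agg.subnets(new_prefix=prefixlen)
    segments = []
    for vid in range(first_vlan, first_vlan + count):
        try:
            sub = next(subnets)
        except StopIteration:
            raise ValueError(f"{aggregate} has fewer than {count} /{prefixlen} subnets") from None
        hosts = list(sub.hosts())
        segments.append(Segment(vid, sub, hosts[0], hosts[1], hosts[-1]))
    return segments


def firewall_routes(segments, transit_next_hop):
    """Static routes the firewall needs: the per-VLAN prefixes collapsed to summaries,
    all pointing at the switch's address on the transit subnet."""
    nh = str(ipaddress.ip_address(transit_next_hop))
    return [(str(net), nh) for net in ipaddress.collapse_addresses(s.prefix for s in segments)]


def build_discover(giaddr, chaddr, hops=1, xid=0x3903F326):
    """Constructed BOOTP/DHCP DISCOVER as it arrives from a relay agent (giaddr set, hops bumped)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, len(chaddr), hops, xid, 0, 0x8000,   # flags: broadcast
                        b"\0" * 4, b"\0" * 4, b"\0" * 4,                      # ciaddr, yiaddr, siaddr
                        ipaddress.ip_address(giaddr).packed,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)     # chaddr, sname, file
    options = bytes([53, 1, 1, 255])          # option 53 = DHCPDISCOVER, then END
    return fixed + DHCP_MAGIC + options


def parse_relay_fields(pkt):
    """Pull op, hops, giaddr and the client MAC out of the fixed BOOTP header."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops = struct.unpack_from("!BBBB", pkt, 0)
    giaddr = ipaddress.IPv4Address(pkt[24:28])
    return op, hops, giaddr, pkt[28:28 + hlen]


def select_pool(segments, pkt):
    """RFC 2131 4.3.1: the client's subnet is giaddr's subnet when giaddr is non-zero,
    otherwise the subnet of the interface the server received the message on.
    Returns the matching Segment, or None for the directly attached case, where the
    server must itself own an interface in the pool's subnet (the only case a server
    that cannot serve pools outside its own interfaces can handle)."""
    op, hops, giaddr, _mac = parse_relay_fields(pkt)
    if op != BOOTREQUEST or hops > MAX_RELAY_HOPS:
        raise ValueError("not a client request, or relay hop count exhausted")
    if int(giaddr) == 0:
        return None
    return next((s for s in segments if giaddr in s.prefix), None)


if __name__ == "__main__":
    segs = plan_segments("10.20.0.0/16", first_vlan=100, count=1000)   # 1000 apartments
    for net, nh in firewall_routes(segs, "192.0.2.2"):                  # switch side of transit link
        print(f"route add {net} via {nh}")
    pkt = build_discover("10.20.0.65", bytes.fromhex("021122334455"))   # relayed by VLAN 101's SVI
    seg = select_pool(segs, pkt)
    print(f"offer from VLAN {seg.vlan_id} pool {seg.pool_first}-{seg.pool_last}")
```

Two consequences of the design are worth stating plainly. Once the VLANs terminate on the switch, the firewall only ever sees the transit subnet, so whatever keeps apartments apart from each other (ACLs on the SVIs, or simply not routing between them) now lives on the switch rather than in the firewall rule set. And the DHCP server, wherever it runs, has to accept requests whose giaddr is not one of its own interfaces; that is the capability the thread reports pfSense lacks, and the reason the DHCP servers ended up on the aggregation switch.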
 

BlueLineSwinger

A unique VLAN for each WLAN client? That sounds like a mess.

Any reason you can't use a standard WPA2/802.1x with RADIUS setup?

Xciter

Yes. A bunch of client devices do not support 802.1x. Telling them "Well, no WiFi for you" is not an option. :)

cheezehead

> A unique VLAN for each WLAN client? That sounds like a mess.
>
> Any reason you can't use a standard WPA2/802.1x with RADIUS setup?

No kidding, it just doesn't scale... a max of 4k clients would be a show stopper for me.

> Yes. A bunch of client devices do not support 802.1x. Telling them "Well, no WiFi for you" is not an option. :)

Go hybrid with dual SSIDs... 802.1x for devices that support it and non-802.1x for those that don't, or claim they do but really don't.

Going forward, only order hardware that supports 802.1x.

What is the point of the per-user isolation? User identification, or do you have 1,000 users with 1,000 different security role combinations?

fohdeesha

Max 4k clients per L3 termination** (and I really hope they're not terminating 4000+ VLANs/customers on one switch). However, I agree that for WiFi clients it's not the best solution out there.

Evan

MAC table size handled by the switches becomes an issue if you terminate a lot on one switch, just keep that in mind.

Xciter

> No kidding, it just doesn't scale... a max of 4k clients would be a show stopper for me.
>
> Go hybrid with dual SSIDs... 802.1x for devices that support it and non-802.1x for those that don't, or claim they do but really don't.
>
> Going forward, only order hardware that supports 802.1x.
>
> What is the point of the per-user isolation? User identification, or do you have 1,000 users with 1,000 different security role combinations?

The point is that there is a separate network per apartment (there can be one or more users in each apartment). So on the wired side each apartment gets an isolated L2 network with a couple of wired ports, which can also be accessed via the WiFi using D-PSK. This way we keep things nice and tidy.

We had run an 802.1x network before, and you would be surprised by the amount of support requests received. Chromecasts, Android TV, PlayStation and Xbox are not really working with 802.1x, among many other devices.

> MAC table size handled by the switches becomes an issue if you terminate a lot on one switch, just keep that in mind.

I'll keep that in mind. Technically the only added MAC addresses should be the L3 VLAN interfaces. Otherwise it's the same number as if I was not terminating the VLANs on the switch.

cheezehead

> We had run an 802.1x network before, and you would be surprised by the amount of support requests received. Chromecasts, Android TV, PlayStation and Xbox are not really working with 802.1x, among many other devices.

Not surprised; I'm using 802.1x with a couple thousand concurrent users in a heavy BYOD scenario, using a different platform which handles end-user device registration for the "special" devices, allowing them to onboard with 802.1x while providing a virtual layer-2 segment for Miracast and other UPnP/broadcast-style home-use integrations, while users still sit in /22s. This avoids the massive interface/VLAN counts. Every enterprise wireless platform has its pluses and minuses. The biggest drawback to the one I'm using is the complexity, vs. Ruckus, which is pretty easy to set up.

BlueFox

On the Cisco side, an ISR4451-X or an ASR1002-X could work, but are not cheap compared to some white box server running pfSense. Budget option would be a 7206VXR with NPE-G2, but it's EOL. Been a few years since I've had to manage anything Cisco, so there might be better options that I'm unaware of.