Firewall with large number of interfaces/vlans

Discussion in 'Networking' started by Xciter, Feb 14, 2019.

  1. Xciter

    Xciter New Member

    Joined:
    Jan 7, 2018
    Messages:
    5
    Likes Received:
    0
    First post, so be gentle :)

    I am investigating a firewall solution that would enable me to have a large number of interfaces / VLANs behind a firewall. My current go-to solution is pfSense; however, due to some limitations in how pfSense was written, the system is mostly unable to deal with more than 128 interfaces. Configuring more results in high CPU load and weird problems with services.

    I have checked with their support and they acknowledge the issues; however, they currently don't have plans to fix it, even though they market it as "supporting a high number of interfaces (thousands)".

    I'm using Ruckus kit for WiFi, which relies on Dynamic-PSK (Cisco has a different abbreviation for the same technology). This results in a VLAN for each user. Changing the network design is not really an option.

    Some requirements:
    - DNS / DHCP v4/6 / NTP
    - IPSec capability
    - NAT for IPv4
    - IPv6 capable
    - Working in either Active/Passive or Active/Active mode
    - GUI (preferably)

    Things I am considering:
    - Pure FreeBSD
    - Linux with keepalived (No states synchronization)
    - Some Cisco devices
    - Some Brocade device

    I'll be testing the first two options in my lab, however I am somewhat clueless about which part of the portfolio of the two companies I can target.

    Suggestions are appreciated.
     
    #1
  2. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    1,195
    Likes Received:
    975
    Have you thought about just terminating all of your interfaces on a layer 3 switch, handling all the VLANs (with an IP/gateway per VLAN, which I'm assuming is how you're set up now), then using a transit link/subnet between the switch and the firewall? A "VLAN per customer" (or in your case, wireless user) is quite common; in fact we use it at work with a few thousand customers. They get terminated and aggregated on L3 switches in the field, then aggregated back to our core routing stack (which would be a firewall in your case). I can't imagine trying to terminate them all on the firewall itself.
     
    #2
  3. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,681
    Likes Received:
    391
    Load balance more than 1 pfSense instance?

    Cisco/Fortinet/<insert favorite commercial solution here> is probably the best, although not the cheapest, option.

    Ruckus doesn’t terminate on an anchor controller ?
     
    #3
  4. Xciter

    Xciter New Member

    Joined:
    Jan 7, 2018
    Messages:
    5
    Likes Received:
    0
    I have thought about it; however, my preference would be to not deviate from my existing template. I definitely think it would work. I'll give it a go as well.

    pfSense supports an "Active/Passive" setup with state/config/DHCP lease synchronization, which actually works pretty well. Regretfully, Ruckus does not terminate on an anchor controller. I have a suspicion they also rely on the aggregation solution offered above.
     
    #4
  5. Xciter

    Xciter New Member

    Joined:
    Jan 7, 2018
    Messages:
    5
    Likes Received:
    0
    FYI,

    Seems pfSense does not support serving DHCP pools which are outside the scope of the locally configured interfaces either.

    I went with the first suggestion and I can report everything is working as expected; I just had to move the DHCP servers to the aggregation switch.
     
    #5
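The design fohdeesha proposes in #2 and Xciter reports working in #5 (apartment VLANs terminated as SVIs on an L3 aggregation switch, DHCP served from the switch, one transit subnet to the firewall and a single summary route on the firewall) as an added example; this is not code from the thread, and the IOS-like CLI syntax, the transit port name and the VLAN numbering are assumptions.

```python
import ipaddress

MAX_VLANS = 4094   # 802.1Q VLAN ID space; the "4k" ceiling mentioned in the thread
FIRST_VLAN = 100   # assumption: apartment VLAN IDs are allocated from here upward


def plan(supernet, prefix_len, apartments, transit):
    """Carve one subnet per apartment from `supernet`, assign a VLAN ID and a
    gateway address to each, and pick the two ends of the transit /30."""
    block = ipaddress.ip_network(supernet)
    subnets = list(block.subnets(new_prefix=prefix_len))
    if apartments > len(subnets):
        raise ValueError("supernet too small for that many apartments")
    if FIRST_VLAN + apartments - 1 > MAX_VLANS:
        raise ValueError("more VLANs than one 802.1Q domain can carry")
    switch_ip, fw_ip = list(ipaddress.ip_network(transit).hosts())  # /30 -> two hosts
    vlans = []
    for i in range(apartments):
        net = subnets[i]
        vlans.append({"id": FIRST_VLAN + i, "net": net, "gw": next(net.hosts())})
    return {"vlans": vlans, "summary": block, "switch_ip": switch_ip, "fw_ip": fw_ip}


def switch_config(p):
    """IOS-like config for the aggregation switch: routed transit port, default
    route to the firewall, then one SVI plus one DHCP pool per apartment VLAN
    (DHCP lives on the switch, as in post #5). Port name is an assumption."""
    out = ["interface TenGigabitEthernet1/1",
           " no switchport",
           f" ip address {p['switch_ip']} 255.255.255.252",
           f"ip route 0.0.0.0 0.0.0.0 {p['fw_ip']}"]
    for v in p["vlans"]:
        net = v["net"]
        out += [f"interface Vlan{v['id']}",
                f" ip address {v['gw']} {net.netmask}",
                f"ip dhcp pool apt-{v['id']}",
                f" network {net.network_address} {net.netmask}",
                f" default-router {v['gw']}"]
    return "\n".join(out)


def firewall_route(p):
    """The one summary route the firewall needs instead of hundreds of VLAN interfaces."""
    s = p["summary"]
    return f"ip route {s.network_address} {s.netmask} {p['switch_ip']}"


if __name__ == "__main__":
    p = plan("10.0.0.0/16", 24, 200, "192.0.2.0/30")   # constructed sample input
    print(switch_config(p))
    print(firewall_route(p))
```

The VLAN-count check is the per-switch limit cheezehead and fohdeesha raise in #8 and #9; split across several aggregation switches, each with its own transit and summary route, if the apartment count exceeds it.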
  6. BlueLineSwinger

    BlueLineSwinger Active Member

    Joined:
    Mar 11, 2013
    Messages:
    142
    Likes Received:
    52
    A unique VLAN for each WLAN client? That sounds like a mess.

    Any reason you can't use a standard WPA2/802.1x with RADIUS setup?
     
    #6
  7. Xciter

    Xciter New Member

    Joined:
    Jan 7, 2018
    Messages:
    5
    Likes Received:
    0
    Yes. A bunch of client devices do not support 802.1x. Telling them "Well no WiFi for You" is not an option. :)
     
    #7
  8. cheezehead

    cheezehead Active Member

    Joined:
    Sep 23, 2012
    Messages:
    684
    Likes Received:
    160
    No kidding, it just doesn't scale... a max of 4k clients would be a show stopper for me.

    Go hybrid with dual SSIDs... 802.1x for devices that support it and non-802.1x for those that don't... or claim they do but really don't.

    Going forward, only order hardware that supports 802.1x.

    What is the point for the per-user isolation? User identification or do you have 1,000 users with 1,000 different security role combinations?
     
    #8
  9. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    1,195
    Likes Received:
    975
    Max 4k clients per L3 termination** (and I really hope they're not terminating 4000+ VLANs/customers on one switch). However, I agree that for WiFi clients it's not the best solution out there.
     
    #9
  10. Evan

    Evan Well-Known Member

    Joined:
    Jan 6, 2016
    Messages:
    2,681
    Likes Received:
    391
    MAC table size handled by the switches becomes an issue if you terminate a lot on one switch, just keep that in mind.
     
    #10
  11. Xciter

    Xciter New Member

    Joined:
    Jan 7, 2018
    Messages:
    5
    Likes Received:
    0
    The point is that there is a separate network per apartment (there can be one or more users in each apartment). So on the wired side each apartment gets an isolated L2 network with a couple of wired ports, which can also be accessed via WiFi using D-PSK. This way we keep things nice and tidy.

    We had run an 802.1x network before and you would be surprised by the amount of support requests received. Chromecasts, Android TV, PlayStation and Xbox are not really working with 802.1x, among many other devices.

    I'll keep that in mind. Technically the only added MAC addresses should be the L3 VLAN interfaces. Otherwise it's the same number as if I was not terminating the VLANs on the switch.
     
    #11
  12. cheezehead

    cheezehead Active Member

    Joined:
    Sep 23, 2012
    Messages:
    684
    Likes Received:
    160
    Not surprised; I'm using 802.1x with a couple thousand concurrent users in a heavy BYOD scenario. I'm using a different platform which handles end-user device registration for the "special" devices, allowing them to onboard with 802.1x, providing a virtual layer-2 segment for Miracast and other UPnP/broadcast-style home-use integrations while users still sit in /22s. This avoids the massive interface/VLAN counts. Every enterprise wireless platform has its pluses and minuses. The biggest drawback to the one I'm using is the complexity, whereas Ruckus is pretty easy to set up.
     
    #12
  13. BlueFox

    BlueFox Active Member

    Joined:
    Oct 26, 2015
    Messages:
    584
    Likes Received:
    202
    On the Cisco side, an ISR4451-X or an ASR1002-X could work, but are not cheap compared to some white box server running pfSense. Budget option would be a 7206VXR with NPE-G2, but it's EOL. Been a few years since I've had to manage anything Cisco, so there might be better options that I'm unaware of.
     
    #13