I was hoping someone here with some pfSense experience could help me with some understanding as I go to try something out in my home lab.
I'm looking to see if I can't reduce some physical equipment (and thus U space, power, cooling, etc) and go with a virtual only firewall solution.
In my environment, I have a C6100 based cluster with SAN that runs all the cluster/SAN type requirements as expected. Then there is a C2100 with tons of disk that runs my media server as well as the secondary node of anything that has a primary on the C6100 cluster and needs to be available. This lets me kick everything down to a bare minimum C2100 and turn off the C6100, some of the switching, the SAN, etc, and keep the lights on, as it were.
I'm looking to do similar with two HA firewall VM's - one in the cluster and one of the C2100.
It seems to me that I could do all of this with VLAN's and simple:
* Bring the internet in on a switch port as a VLAN99 perhaps for untrusted/red/external (Internet)
* have any existing VLAN's be handled with multiple vNIC's in the firewall VM
* have any required intra-firewall connectivity for heartbeat/clustering.
It looks like pfSense can do a pretty good job of this, in theory.
This thread - https://forums.servethehome.com/index.php?threads/dual-failover-pfsense-with-bridged-wan.3345/ - suggests that something similarish can be done. It also talks about needing a number of IP's from the ISP side - Router1/Router2/RouterVirtual - which makes sense and I can accomodate. It would be more ideal though, if it just presented as one IP to the outside world, as it would make it more portable to me.
Any tips or tricks or gotchas? Am I better off just trying to do this with hardware instead - which I'd like to avoid if I could.
Thanks in advance!
I'm looking to see if I can't reduce some physical equipment (and thus U space, power, cooling, etc) and go with a virtual only firewall solution.
In my environment, I have a C6100 based cluster with SAN that runs all the cluster/SAN type requirements as expected. Then there is a C2100 with tons of disk that runs my media server as well as the secondary node of anything that has a primary on the C6100 cluster and needs to be available. This lets me kick everything down to a bare minimum C2100 and turn off the C6100, some of the switching, the SAN, etc, and keep the lights on, as it were.
I'm looking to do similar with two HA firewall VM's - one in the cluster and one of the C2100.
It seems to me that I could do all of this with VLAN's and simple:
* Bring the internet in on a switch port as a VLAN99 perhaps for untrusted/red/external (Internet)
* have any existing VLAN's be handled with multiple vNIC's in the firewall VM
* have any required intra-firewall connectivity for heartbeat/clustering.
It looks like pfSense can do a pretty good job of this, in theory.
This thread - https://forums.servethehome.com/index.php?threads/dual-failover-pfsense-with-bridged-wan.3345/ - suggests that something similarish can be done. It also talks about needing a number of IP's from the ISP side - Router1/Router2/RouterVirtual - which makes sense and I can accomodate. It would be more ideal though, if it just presented as one IP to the outside world, as it would make it more portable to me.
Any tips or tricks or gotchas? Am I better off just trying to do this with hardware instead - which I'd like to avoid if I could.
Thanks in advance!
