[pfSense] Replacing CheckPoint Firewall-1 with pfSense
ugob at lubik.ca
Fri Nov 25 08:50:39 EST 2011
On 2011-11-23 23:43, Daniel Davis wrote:
>> We are thinking about running a redundant (CARP) setup with one pfSense
>> on our VMWare cluster, and one on a physical, separate machine.
> I would not recommend a hybrid physical/virtual CARP cluster as CARP is entirely network reliant. In a physical CARP cluster best practice is to dedicate a network interface on each machine for CARP with a crossover cable between them so that even in the event of a switch failure they can still talk and elect a master. You would need a dedicated NIC per host, an additional physical switch and additional vswitches to achieve the same sort of resiliency in a mixed physical/virtual configuration. This can get expensive and adds additional points of failure, but without it you run the risk of ending up with two masters (i.e. split brain) if the connectivity between your physical and virtual networks were to fail. VMware HA is your friend here, it will remove the possibility of a split brain for you if both hosts are running in the cluster. HA is not network reliant (as long as you are using a separate storage network), it uses a combination of network and shared data store heartbeats to monitor hosts and VMs. One host can lose network connectivity, CARP will failover the firewalls, the cluster will detect a host isolation response and restart the failed VM on another host, all very orderly and controlled with less than a couple of seconds of downtime and no physical intervention.
> We use two firewalls with CARP in a vSphere cluster, works very nicely.
> The things to remember if you go with the two virtual machines are:
> 1. Make sure you follow the instructions for CARP and ESX/ESXi from the wiki.
> 2. Change the host that ESXi pings to determine its network availability. If you leave this as the default gateway, the ESX host that is hosting the master node will never fail over even in the event of a network outage, as it will still be able to ping the VM. This must be something that is highly available, we use the address of the stacked switches in our blade chassis. See http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002478
> If you can tolerate a minute or two of downtime in the event of a host failure you could even consider a single pfSense VM and just trust VMware HA to do the failover.
I'm pretty sure that we could live with a few minutes of downtime, so that would save the CARP setup. However, I would reserve the 2 other IP addresses in all my subnets just in case.
>> 1- NAT Reflexion - We don't have a split-DNS setup. CheckPoint does
>> seem to manage NAT Reflexion perfectly.
>> 2- Ease to migrate the configuration to pfSense - I would set a pfSense
>> VM in parallel and start migrating all the rules manually, but I'm
>> scared about missing some or seeing a situation where the Firewall-1
>> do it and not pfSense.
>> 3- Backups. Are automated backups (of the config, at least) possible
>> even w/o a service contract?
>> Can people share their experience with this kind of scenario?
>> Don't hesitate if you need more info.
> pfSense works well for the most part, the Snort package has had a few issues in the past but once it is working it works well, NAT reflection works fine and see the wiki for automated backups (http://doc.pfsense.org/index.php/Remote_Config_Backup). The VPN options are excellent so I don't think you'll have any issues there. IPv6 is still not supported but this was not an issue in our case.
Great, thanks. I thought there were problems with NAT reflection for ports above 500, but is it port ranges over 500 ports instead? I wouldn't need that. All my internet-facing servers expose 1 to a few ports.
> As you will find out, the free support provided on the mailing list is often better than the help you get from most CCSP's.
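An added example, not from this thread or from the pfSense project: a small Python check that compares the CARP state reported by `ifconfig` on each node of a two-node cluster and flags any VHID that more than one node claims as MASTER (the split-brain case discussed above) or that no node claims. The node names and the `ifconfig` output are constructed samples in the FreeBSD `carp:` line format.

```python
import re
from typing import Dict, List

# Constructed sample output from two pfSense (FreeBSD) nodes. Only the
# "carp:" status lines matter; addresses and interface names are made up.
NODE_A_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.1 netmask 0xffffffff broadcast 192.0.2.1 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
    inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 0
"""
NODE_B_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.1 netmask 0xffffffff broadcast 192.0.2.1 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
    inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 100
"""

# One CARP status line per virtual IP: "carp: <STATE> vhid <N> ..."
CARP_RE = re.compile(r"^\s*carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)", re.M)


def carp_states(ifconfig_text: str) -> Dict[int, str]:
    """Map each VHID found in an ifconfig dump to its CARP state on that node."""
    return {int(m["vhid"]): m["state"] for m in CARP_RE.finditer(ifconfig_text)}


def split_brain_vhids(node_outputs: Dict[str, str]) -> Dict[int, List[str]]:
    """Return VHIDs that more than one node reports as MASTER, with the node names."""
    masters: Dict[int, List[str]] = {}
    for node, text in node_outputs.items():
        for vhid, state in carp_states(text).items():
            if state == "MASTER":
                masters.setdefault(vhid, []).append(node)
    return {vhid: nodes for vhid, nodes in masters.items() if len(nodes) > 1}


def unclaimed_vhids(node_outputs: Dict[str, str]) -> List[int]:
    """Return VHIDs that no node reports as MASTER (service down, not split brain)."""
    seen = {v for t in node_outputs.values() for v in carp_states(t)}
    claimed = {v for t in node_outputs.values() for v, s in carp_states(t).items() if s == "MASTER"}
    return sorted(seen - claimed)


if __name__ == "__main__":
    cluster = {"fw1": NODE_A_IFCONFIG, "fw2": NODE_B_IFCONFIG}
    print("split brain on VHIDs:", split_brain_vhids(cluster))  # {2: ['fw1', 'fw2']}
    print("VHIDs with no master:", unclaimed_vhids(cluster))    # []
```

In practice the two dumps would be collected from each node (for example over SSH) on a schedule and an alert raised whenever `split_brain_vhids` is non-empty.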