LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-18-2015, 10:36 AM   #1
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

Rep: Reputation: 4
gateway firewall server


hello everyone

I am planning to install a gateway in an office with 150 machines. I have 2 sources of internet connection, one with a static and another with a dynamic IP. The static IP is used to access web resources from outside on an IIS server in the office. My question is, my dear people, which firewall to implement? I need to configure a redundant and load balanced connection from those sources. I googled and found pfSense, tried it in a virtual lab, and now I am planning to install it in the production network. Can you advise some other products, or does anyone know the performance of pfSense in production?

Thanks
 
Old 04-19-2015, 05:04 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by paul2015
hello everyone
Hello and welcome to LQ, hope you like it here.


On the surface your question looks dead simple, but then again asking for input when you've already planned to install a product in your production network is either bad research, bad planning or whatever else not good. So to make things more manageable for yourself and management you should IMHO split out planning and research as follows:
0) Gather specs and requirements. This is where you start. You may have existing hardware or not. You may encounter existing products to (re-)evaluate. You need to know what requirements the router / firewall needs to conform to. This should always include DMZ capabilities and may be a simple PPS target, but could also include failover capabilities, antivirus, Intrusion Detection (including IPS and DLP buzzwords), UI requirements et cetera. Based on that you will also want to look at what a maintenance SLA would look like, because there's nothing worse than a device sitting in a rack with nobody doing anything with it.
1) Do research, select say 3 products, then performance test each. What you select depends on requirements and offerings. You may want to look at pfSense or Vyatta, but maybe also offerings by MikroTik, Cisco, Juniper etc., etc., depending on budget and requirements. Defining a (performance) test plan then allows you to objectively compare all products selected.
2) Select a solution, then configure the redundant load balanced connection and network separation (IIS in DMZ) and whatever else the product requires.


Yes, you can take short cuts but they will almost always come back to haunt you (or if you're a real good BOFH: your management ;-p)
 
1 members found this post helpful.
Old 04-20-2015, 12:58 PM   #3
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

Original Poster
Rep: Reputation: 4
Thank you so much for your advice! I will look at Vyatta also. You are right, I will gather more info and dig more, but for now I know for sure I will need a firewall, proxy, DC and file server. It is a Windows environment, so I installed a Samba AD server at 2008 forest/domain level, joined the PCs, and it is working well for now without problems.
 
Old 04-20-2015, 07:47 PM   #4
JoseCuervo
Member
 
Registered: May 2007
Location: North Carolina
Distribution: RHEL 7, CentOS7
Posts: 82

Rep: Reputation: 18
Hello Paul2015, welcome to LQ!

I'm not an expert on pfSense in prod environments, but I have it running at home in a VM on an ESXi server I built and it is fantastic. The level of network control it gives me is amazing, and the performance is also excellent. It provides 3 isolated subnets and keeps my servers segregated from my testing environment and LAN. I replaced a $300 Modem/router from Time Warner Cable with my pfSense VM on excellent hardware and I couldn't be happier. It increased my intranet speed by 10x (12MB/s to 120MB/s limited by the drives) and usually runs with very little resource usage. *Disclaimer, I am NOT running it in a prod environment, but my friends and family are harder on my home network than an office full of business connections, barring 150 video conferences at once.

pfSense also has all of the options that you mentioned: supports load-balancing on multiple WAN interfaces with interface weighting options and allows fine-grained control of all network environmental access. Addon packages for pfSense will give you IDS and proxy capabilities too. Since you're talking about running a virtual pfSense I'd like to point out that you might be saving yourself quite a bit of time if something goes wrong by having quick backups of your VM in place. pfSense is running in a 6GB VM for me and I can restore it from a backup in about a minute.

A few other notes: you're going to see unSpawn everywhere, and he's usually right.

Cisco and Juniper are industry leading for a reason. Buying a subscription product might cost more up front and every month, but you have to weigh that against how many outages you want to survive on your own. You're not always paying for a better product, sometimes you're paying for hand-holding and it's totally worth it. I would NOT have jumped into pfSense if I had to configure it for the first time for my business by myself.

Lastly: if you install it in a VM at least be aware that some people consider that an increased attack surface. If you use ESXi you should do some simple research to move your hypervisor management network off the network(s) you're using for business traffic. I have mine completely isolated on a separate network (separate interface, vswitch, and cord) so that it's unexposed. The issue there is where you can manage it from, I took the hit and have to manage it locally. That's overkill and you can have reasonably secure setups that aren't as extreme. I realize I just threw a lot of points at you with little detail but I don't usually get to contribute here and pfSense on ESXi is the one thing I can usually begin to answer. I'd love to help if I can!

I used Vyatta for six seconds in college, didn't even finish installing it before someone else took over. So... I can tell you it definitely exists.
 
1 members found this post helpful.
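The post above mentions two of pfSense's multi-WAN building blocks: weighted load balancing across WAN interfaces, and failover so the office keeps working when one uplink dies. The following is an added example, written for this thread and not code from pfSense or from anyone posting here. It models a pfSense-style gateway group as a small Python class: gateways sit in tiers (tier 1 is used while any member of it is alive; tier 2 only when all of tier 1 is down), and within the active tier new connections are spread by weighted round robin. The interface names (WAN_STATIC, WAN_DYNAMIC, WAN_BACKUP) and the weights are made-up values standing in for the original poster's static and dynamic uplinks; the "pinned sources" rule is this example's own addition, modelling the requirement that traffic from a host published on the static IP (the IIS box) must always leave on the static WAN rather than being balanced.

```python
"""Model of a pfSense-style gateway group: tiers give failover order,
weights give the load-balancing ratio inside a tier.
Added illustration for the thread; not pfSense source code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    tier: int = 1        # 1 = preferred; higher tiers are reached only on failover
    weight: int = 1      # share of new connections relative to same-tier members
    up: bool = True      # result of the monitor probe; False = dead gateway


class GatewayGroup:
    def __init__(self, gateways: List[Gateway], pinned: Optional[Dict[str, str]] = None):
        self.gateways = list(gateways)
        # source address -> gateway name that must always carry it
        # (e.g. the DMZ web server whose public address lives on the static WAN).
        self.pinned = dict(pinned or {})
        self._rr: Dict[tuple, int] = {}   # round-robin cursor per candidate set

    def by_name(self, name: str) -> Gateway:
        return next(g for g in self.gateways if g.name == name)

    def active_tier(self) -> Optional[int]:
        """Lowest tier that still has at least one live gateway."""
        live = [g.tier for g in self.gateways if g.up]
        return min(live) if live else None

    def candidates(self) -> List[Gateway]:
        tier = self.active_tier()
        return [g for g in self.gateways if g.up and g.tier == tier]

    def select(self, src: str = "") -> Gateway:
        """Choose the gateway for a NEW connection from `src`.

        Pinned sources go out their fixed gateway and raise if it is down,
        because silently moving them to another WAN would change the public
        address a remote peer sees. Everything else is weighted round robin
        over the lowest live tier.
        """
        if src in self.pinned:
            gw = self.by_name(self.pinned[src])
            if not gw.up:
                raise RuntimeError(f"pinned gateway {gw.name} for {src} is down")
            return gw
        cands = self.candidates()
        if not cands:
            raise RuntimeError("no gateway available in any tier")
        # Expand weights into slots: weight 3 vs 1 -> [A, A, A, B].
        pool = [g for g in cands for _ in range(max(g.weight, 1))]
        key = tuple(g.name for g in cands)          # cursor resets when the live set changes
        idx = self._rr.get(key, 0)
        self._rr[key] = idx + 1
        return pool[idx % len(pool)]


def distribute(group: GatewayGroup, n: int, src: str = "") -> Dict[str, int]:
    """Simulate n new connections and count which gateway each one took."""
    counts: Dict[str, int] = {}
    for _ in range(n):
        name = group.select(src).name
        counts[name] = counts.get(name, 0) + 1
    return counts


def demo_group() -> GatewayGroup:
    """Two balanced uplinks in tier 1, a backup in tier 2, IIS host pinned to the static WAN."""
    return GatewayGroup(
        [
            Gateway("WAN_STATIC", tier=1, weight=3),
            Gateway("WAN_DYNAMIC", tier=1, weight=1),
            Gateway("WAN_BACKUP", tier=2, weight=1),
        ],
        pinned={"10.0.2.10": "WAN_STATIC"},   # constructed DMZ address for the IIS server
    )


if __name__ == "__main__":
    grp = demo_group()
    print("normal:", distribute(grp, 40))                # 30 static / 10 dynamic
    grp.by_name("WAN_STATIC").up = False
    print("static down:", distribute(grp, 10))           # all on WAN_DYNAMIC
    grp.by_name("WAN_DYNAMIC").up = False
    print("tier 1 down:", distribute(grp, 10))           # all on WAN_BACKUP
```

The thing to notice when running it is the pinned-source rule: with the static uplink down, ordinary LAN clients quietly fail over, but `select("10.0.2.10")` raises instead of moving the IIS server to the dynamic WAN. That is the behaviour you want surfaced as an alert, not hidden, because inbound connections to the published static address are gone regardless and a reply leaving on the wrong interface would only add asymmetric-routing breakage on top.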
Old 04-29-2015, 08:20 AM   #5
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

Original Poster
Rep: Reputation: 4
Thank you all for your replies and for your help. This is the best forum I have ever joined and you guys are brilliant!
 