pfSense and Untangle on multiple network zones

nuclearsnake

Hi everyone,

I'm starting work on a new project - to remove the old Linux-based iptables firewalls from the office and implement a dual redundant firewall with failover. A side project is to also have some sort of web content protection and SMTP anti-spam/anti-virus in house.

I first looked into Untangle to do everything: routing, dual-WAN, source-based NAT, firewall, anti-spam, etc., but the costs are just too high once we started adding up all the modules we were going to require to make this work.

My next idea was to use pfSense as the networking core (routing, firewall, etc.) and use Untangle in bridge mode between the pfSense boxes and the rest of the networks.

The trouble I'm getting into is the following: seeing as we have multiple subnets, how would I configure one Untangle box to do the filtering between each of the source and destination networks?

Example: WAN -> pfSense -> Untangle -> LAN is easy and simple to do, but when you also have two DMZ networks connected to the potential pfSense box, how would I tie the same Untangle box into it without needing 2 NICs in Untangle for each different zone?

So far, the best thought I've had was to build two ESXi servers, each with one pfSense and one Untangle, then use virtual switches to tie the Untangle boxes into the networks.

I hope this made some sense...
 
How is Untangle too expensive? The only module you would have to buy is the WAN Balancer. That's like a few hundred dollars.

Also, how are you going to have the DMZ interfaces set up on the pfSense box? Were you going to use multiple NICs, one for each of the DMZ, LAN and WAN interfaces?

With you looking at setting up two ESXi servers, I'm failing to see how this is cheaper than buying a decent appliance and throwing Untangle on it with professional support and WAN Balancer....
 
I do agree that Untangle is not too expensive, but it is more expensive than our current solution ($0.00).

I've already tried to make the case for the increase in spending, to which I was told the reason to bring in the anti-spam is that we're going to cancel our contract with our current external anti-spam company to save money...

Anyway, we'd also need the WAN Failover module along with the Policy Manager. I know the Policy Manager is approved, but I can't get the okay for the WAN parts as pfSense can do it for free and better.

We already have some spare servers we can run ESXi on, as we just finished a migration to newer hardware, freeing up some older Dell PowerEdge stuff.

And yes, multiple physical NICs. The boxes have two integrated; one will be used for the heartbeat between each machine, and the other for the 1st DMZ (Guest WiFi).
Then there's the 4-port Intel card, specifically:
2 x WAN
1 x LAN
1 x DMZ
 
I'm jumping on the same boat as the Captain here. To me it's sad someone doesn't want to spend a buck or 2 just for simplicity. pfSense may do the WAN balancing and WAN failover, but you're just adding an extra layer of complexity that isn't needed. Ya, ok, you're going to tell me, "well, I've got ESXi"; again, an extra layer of complexity.

I know that I feel strongly about not virtualizing your core firewall, just because it makes me nervous. Same that you're using older hardware. Does that older hardware still have a warranty, and if it does, how long? How much are you going to have to pay in renewals to keep the warranty current? So, with that said, what if you don't have a warranty on that box? Are you going to assume the responsibility if/when it craps out? I wouldn't.

By the time you're going to look at newer hardware, or current hardware, I would imagine that you could have paid for your Untangle appliance, Policy Manager, and both WAN pieces.
 
You can probably do everything with virtual NICs to bridge the pfSense LAN to the Untangle's WAN. Not sure about the DMZ though. What I've done in the past is just set the DMZ on the UT bridge and then set the packet filter so there is no traffic allowed between DMZ and LAN. Otherwise I don't think you can get the UT to filter your DMZ traffic on the pfSense firewall.

I'd still rather do everything on the UT box.
 