Thursday, May 9, 2019

pfSense behind USG routing

So I have an idea I've been wanting to plan out and I'd like some input.

I have a few sites with a pfSense firewall (Unifi equipment) and a few with a USG for a firewall. While I would much rather prefer pfSense for the power it has, and its ability to handle many things much better (Snort, pfBlocker, other utilities), I also like the USG's DPI abilities with traffic statistics and the ability to have client traffic statistics.

There's been much talk about a passthrough feature for the USG to be able to get the DPI data and nice graphs, but I've had another method in mind that I haven't tried out and am trying to think through. I'll explain some of my network as best as possible and give some reasons and thoughts I've had.

At one site I have a 10G network, Unifi 48 port with a 16 XG core, like 60 devices in all, 30 switches and 30 APs spanning 110k sq feet, with a few hundred devices every day. I have it set with the pfSense for the router that has a 20G LAGG to the core Unifi 16XG, but it only has a 1G ethernet uplink to the fibre GPON. I like having the more powerful pfSense, Netgate 2600xd or something like that (it has an 8 core 2.4 Atom or something but was discontinued about a year ago, still works and receives official support) as the core to do the routing, IPS, and a few other things.
I have several vlans on my network and some externally available devices/services.

I've been thinking about putting the pfSense router behind the USG for the following reasons and thinking:

  • I would like the overall traffic stats
  • Better monitoring of traffic per client
  • Application Usage stats
  • Usage over time
  • Possibly better features in the future for IPS than available on pfSense (cough... maybe... at least a prettier dashboard)

I know that's not a whole lot and maybe I could do something similar with an ELK stack or something like that, but I haven't really gotten that far (yet), and that is the reason for my post.

Steps I would take:

  • Turn off NAT on the pfSense and make the WAN (with VLANs) have addresses of x.x.x.2 for each subnet (VLAN)
  • Make the Unifi connect to the WAN and have LAN (VLAN) addresses of x.x.x.1
  • Set a static route on the pfSense, or upstream gateway, for the internet to the x.x.x.1 interface on the USG
  • Set the gateway address in the DHCP servers to x.x.x.2 for the pfSense to do the internal routing

Doing this should, I think, use the pfSense for all internal routing, cross-VLAN and such, and if it's bound for the internet send it to the USG with the original client's information so the USG can keep track of the traffic, do the statistics and make the connections. My internal routing would only traverse the pfSense and have good throughput (remember 10 Gig) while any internet bound connections would have another hop, pfSense => USG, that would still be the 1G copper connection that I still have to the internet.
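To check the plan on paper, here is a small added routing simulation (example code, not from the post; the 10.0.10.0/24, 10.0.20.0/24 and 203.0.113.10 addresses are constructed stand-ins for the x.x.x.1/x.x.x.2 scheme). It traces the outbound path for cross-VLAN and internet traffic, and also the reply path, which matters because the USG holds .1 on every VLAN and so delivers replies to hosts directly, bypassing the pfSense.

```python
import ipaddress

# Constructed topology: two VLANs, pfSense at .2 on each (NAT off, default route to the
# USG's .1), USG at .1 on each (NATs to the ISP), hosts use .2 as their gateway.
VLAN10 = ipaddress.ip_network("10.0.10.0/24")
VLAN20 = ipaddress.ip_network("10.0.20.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Per-node routing tables: (destination, next hop). None = directly connected,
# "isp" = the USG's WAN uplink, traced as a terminal hop.
ROUTES = {
    "host-a":  [(VLAN10, None), (DEFAULT, "10.0.10.2")],
    "host-b":  [(VLAN20, None), (DEFAULT, "10.0.20.2")],
    "pfsense": [(VLAN10, None), (VLAN20, None), (DEFAULT, "10.0.10.1")],
    "usg":     [(VLAN10, None), (VLAN20, None), (DEFAULT, "isp")],
}
# Which node owns which address (for resolving next hops and final delivery).
OWNER = {"10.0.10.50": "host-a", "10.0.20.50": "host-b",
         "10.0.10.2": "pfsense", "10.0.20.2": "pfsense",
         "10.0.10.1": "usg", "10.0.20.1": "usg"}

def lookup(node, dst):
    """Longest-prefix match for dst in node's table; returns the next hop."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in ROUTES[node] if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(start, dst):
    """List of nodes a packet starting at `start` crosses on its way to dst."""
    path, node = [start], start
    for _ in range(8):                      # hop guard against routing loops
        nh = lookup(node, dst)
        if nh is None:                      # directly connected: deliver to owner
            return path + [OWNER[dst]]
        if nh == "isp":                     # leaves the site via the USG's WAN
            return path + ["internet"]
        node = OWNER[nh]                    # forward to the gateway owning that IP
        path.append(node)
    raise RuntimeError("routing loop for %s" % dst)

def inspected_by_pfsense(host, host_ip, dst):
    """True only if both the outbound path and the reply path cross the pfSense."""
    out = trace(host, dst)
    # Replies from the internet re-enter at the USG after de-NAT.
    back = trace("usg" if out[-1] == "internet" else out[-1], host_ip)
    return "pfsense" in out and "pfsense" in back

if __name__ == "__main__":
    print("cross-VLAN:", trace("host-a", "10.0.20.50"))
    print("to internet:", trace("host-a", "203.0.113.10"))
    print("internet reply:", trace("usg", "10.0.10.50"))
```

The cross-VLAN flow is symmetric through the pfSense, but the internet reply goes USG to host directly, so the pfSense's state table and Snort only see one direction of those sessions unless the USG's LAN side is made to route back via .2.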

I know it could cause a little latency in the internet connections, but I'm not thinking it would be that bad, and I would get the benefit of having a single dashboard for my entire network.

If any of this makes sense or you have any questions or suggestions I'm all ears.

If you've tried this, know this won't work, think there's other software that I would benefit more from, or know a better way, please let me know.

.... I don't think I've earned junior admin....
