This morning, I rolled out pfSense at our biggest site. It was actually the third try, but that's not pfSense's fault. A combination of a bad hub and an extremely long ARP timeout on the ISP's switch scrubbed the first two attempts. (It was really scary to hear the ISP tech say "Sure, I can clear the ARP cache for you...can you tell me what to type?" Egads!) All in all it went well. One thing I forgot about was access to remote subnets on our WAN. I purposely left them out of the routing table on the firewall, thinking I'd use IPsec tunnels as a failover mechanism to our WAN. Unfortunately, I completely forgot that those subnets reach the DMZ from the inside to see our website. A few quick static routes fixed that in short order.
My biggest surprise was that I had disabled bogon login detection on a previous attempt at getting things running, so I had to turn it back on. Turns out that doing so resets the state table and breaks everyone's existing connections! Luckily I found that early during the scheduled downtime, so no one was the wiser.
Right now I'm backing up the config by hand as I make changes, so I need to automate the backup on a schedule like I did with the PIX. I'm sure I can work something out with Cattools for this.
All in all, a successful venture. Two more sites to go and all our firewalls will be pfSense!
3 comments:
I love pfSense also. Have been using it for 2 years now after having used Cisco, PacketShaper, BigIP and Checkpoint's Firewall at a much larger office.
Just wondered if you were able to use Cattools to automate your backups of pfSense or if you did something else? I am going to give Cattools a try and check it out but just wondered.
Honestly I haven't had time to mess with it. I don't change it all that much so I've been backing up manually. However, I plan to buy a support contract and use the paid backup piece...just haven't gotten around to it yet.
I would like to subscribe for this weblog to get latest updates.