Monday, October 05, 2009

Another successful pfsense rollout

This morning, I rolled out pfsense at our biggest site.  It was actually the third try, but that’s not pfsense’s fault.  A combination of a bad hub and an extremely long arp timeout period on the ISP’s switch scrubbed the first two attempts.  (It was really scary to hear the ISP tech say “Sure I can clear the arp cache for you…can you tell me what to type?” Egads!) All in all it went well.  One thing I forgot about was access to remote subnets on our WAN. I purposely left them out of the routing table on the firewall thinking I’d use IPSEC tunnels as a failover mechanism to our WAN.  Unfortunately, I completely forgot that they get to the DMZ from the inside to see our website.  A few quick static routes fixed that in short order.

My biggest surprise was the fact that I disabled bogon login detection on a previous attempt at getting things running so I had to turn that back on.  Turns out that doing that will reset the state table and break everyone’s existing connections!  Luckily I found that early during the scheduled downtime so no one was the wiser.

Right now I’m backing up the config as I make changes so I need to automate the backup on a scheduled basis like I did with the PIX.  I’m sure I can work something out with Cattools for this.

All in all a successful venture.  Two more sites to go and all our firewalls will be pfsense!

3 comments:

kentk said...

I love pfSense also. Have been using it for 2 years now after having used Cisco, PacketShaper, BigIP and Checkpoint's Firewall at a much larger office.

Just wondered if you were able to use Cattools to automate your backups of pfSense or if you did something else? I am going to give Cattools a try and check it out but just wondered.

Rolfsa said...

Honestly I haven't had time to mess with it. I don't change it all that much so I've been backing up manually. However, I plan to buy a support contract and use the paid backup piece...just haven't gotten around to it yet.

HGH Los Angeles said...

I would like to subscribe for this weblog to get latest updates.