1: The Hardware and Topology

I know it’s been a while since I initially announced this project, but unfortunately this is a “side project” and my day job needs to take priority.

First of all I thought I would show you the hardware that we will be using for this project, along with the topology that we intend to deploy in order to provide our tenants with a second-to-none service.

Let's start with the topology. I have created a diagram to depict this, available here, but I will attempt to explain the theory behind each section.

We get our Internet connection from our ISP's data centre via two disparate gigabit private fibre circuits that are fed from two separate BT exchanges. These circuits terminate into two separate "presentation" switches on our site to create a resilient Internet connection.

It is from these switches that our corporate firewalls are fed, and also where we will be connecting our pfSense box. We currently have 32 public IPs that can be bound to by any device plugged into these switches, providing it passes the security checks when it is plugged in, of course.

On the tenant side of the pfSense box we will link to a switch (or two). To prevent each tenant from seeing the others, and to prevent them from binding to each other's external IPs, we intend to use the PPPoE Server feature of pfSense for authentication. This will also allow us to track how much bandwidth each tenant uses.

Here are a few pics of the server we will be running pfSense from.

IBM x3550

To the rear of the server you can see six gigabit LAN interfaces (the seventh is an on-board management port and cannot be used for networking). Just to the right there are two power supplies.

For testing we are using a Cisco C2960PD-8TT-L switch, which is an eight-port 10/100 switch with one Gigabit uplink port. The switch is powered via PoE on the uplink port and is completely silent.

We are still unsure of the configuration we will be using on our pfSense box at the moment, but over the next few weeks we will be testing various setups, each of which will be documented by me on this blog.

If you have any suggestions on this project then please share them in the comments!


Installing / Configuring and Administering pfSense as a multi-tenant firewall

I am about to embark on a mission… A mission to provide uncontested but limited Internet connectivity to our tenants. To do this I have decided to deploy pfSense, and I will be documenting each step for both our reference here at work, and in the hope that it will help somebody do something similar in the future.

To start with, we needed a specification of what the system must do. Here it is.

  • The firewall must serve multiple tenants (up to 50+)
  • The firewall must give each tenant their own external IP
  • The firewall must prevent each of the tenants from seeing each other's networks
  • The firewall must allow us to limit the amount of bandwidth each tenant can utilize (otherwise they have free rein of our dual redundant gigabit fibre connections)
  • The firewall must allow us to filter out certain traffic such as p2p
  • The firewall must allow us to set data caps for each tenant
  • The firewall must let us create a DMZ for each tenant if required
  • The firewall must allow us to configure network services for each tenant (DHCP, DNS, etc)
  • The firewall must allow each tenant to have their own VPN connection if required
  • The firewall must allow us to report on bandwidth utilization and data transfer usage on a per-tenant basis

This may seem a tall order for one box, but with pfSense it is absolutely possible, providing the hardware is capable of it. For our firewall we are going to re-deploy one of our old servers which was decommissioned during our virtualization project. The server used to be one of our domain controllers and it performed well while it was in service. I believe it will perform well as a firewall as well. Its spec is below.

  • IBM x3550 1u Server
  • 2x Dual core Xeon processors
  • 4GB RAM
  • 2 x 76GB SAS disks in a RAID 1 (mirrored) configuration
  • 2x On-board Intel Pro/1000 Gigabit NICs
  • 1x Dual port Intel Pro/1000 Gigabit NIC
  • N+1 Power supplies

As you can see, the server isn't wanting when it comes to specs for the purpose it will be used for. It was slightly higher specced, but parts have since been "pinched" for other projects. If this project goes well then we will be looking to build another similar firewall using our other domain controller of the same spec and cluster them for both resilience and load balancing.

I will be starting this project this afternoon so check back for updates, step-by-step guides and images of the entire process during “Project FireServer”.
