I am about to embark on a mission… A mission to provide uncontested but limited Internet connectivity to our tenants. To do this I have decided to deploy pfSense, and I will be documenting each step for both our reference here at work, and in the hope that it will help somebody do something similar in the future.
To start with, we needed a specification of what the system has to do. Here it is.
- The firewall must serve multiple tenants (up to 50+)
- The firewall must give each tenant their own external IP
- The firewall must prevent each of the tenants from seeing each other's networks
- The firewall must allow us to limit the amount of bandwidth each tenant can utilize (otherwise they have free rein of our dual redundant gigabit fibre connections)
- The firewall must allow us to filter out certain traffic such as P2P
- The firewall must allow us to set data caps for each tenant
- The firewall must let us create a DMZ for each tenant if required
- The firewall must allow us to configure network services for each tenant (DHCP, DNS, etc.)
- The firewall must allow each tenant to have their own VPN connection if required
- The firewall must allow us to report on bandwidth utilization and data transfer usage on a per-tenant basis
This may seem a tall order for one box, but with pfSense it is absolutely possible, provided the hardware is capable of it. For our firewall we are going to re-deploy one of our old servers, which was decommissioned during our virtualization project. The server used to be one of our domain controllers and it performed well while it was in service. I believe it will perform well as a firewall too. Its spec is below.
- IBM x3550 1U server
- 2x dual-core Xeon processors
- 4 GB RAM
- 2x 76 GB SAS disks in a RAID 1 (mirrored) configuration
- 2x on-board Intel Pro/1000 Gigabit NICs
- 1x dual-port Intel Pro/1000 Gigabit NIC
- N+1 power supplies
As you can see, the server isn't wanting when it comes to specs for the purpose it will be used for. It was slightly higher specced originally, but parts have since been "pinched" for other projects. If this project goes well, we will be looking to build another similar firewall using our other domain controller of the same spec and cluster them for both resilience and load balancing.
I will be starting this project this afternoon, so check back for updates, step-by-step guides and images of the entire process during "Project FireServer".