Re: [pfSense-discussion] optimal way for a colo setup
I guess he means this one:
http://www.supermicro.com/products/chassis/1U/515/SC515-280U.cfm

-lsf

On Mon, Nov 9, 2009 at 2:11 PM, Eugen Leitl wrote:
> On Mon, Nov 09, 2009 at 11:28:46PM +1100, Aristedes Maniatis wrote:
>
>> What you describe is exactly what we are in the process of rolling out,
>> although we are using a different (higher powered) Supermicro server. They
>> make a nice 1RU (half depth) unit with 4 NICs on the front panel.
>
> Interesting -- do you have the model number? I can't find it offhand.
>
>> I don't think the private IP space will make it that much harder to recover
>> from, unless you lose both your firewalls at once. And on the plus side you
>> get to pass that stupid NAT requirement in the PCI DSS if you have to
>> handle credit cards.
>
> --
> Eugen* Leitl http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] optimal way for a colo setup
On Mon, Nov 9, 2009 at 8:09 AM, Eugen Leitl wrote:
>
>> generally prefer getting a smaller WAN block and having the larger
>> internal block routed to you, then you can use a combination of NAT
>
> So you have a small address space just for the firewalls WANs and
> other stuff, and get the networks handled to you? Using which protocol,
> BGP?
>

No routing protocols. The routing is done upstream by the provider.

> So how does the layout look like WAN and LAN side? Which addresses
> do the hosts on the LAN side have, private IPs (e.g. 10.x.x.x)?
>

You can have some interfaces with private, some with public, all private,
all public, whatever you want to use.
Re: [pfSense-discussion] optimal way for a colo setup
On Mon, Nov 09, 2009 at 11:28:46PM +1100, Aristedes Maniatis wrote:

> What you describe is exactly what we are in the process of rolling out,
> although we are using a different (higher powered) Supermicro server. They
> make a nice 1RU (half depth) unit with 4 NICs on the front panel.

Interesting -- do you have the model number? I can't find it offhand.

> I don't think the private IP space will make it that much harder to recover
> from, unless you lose both your firewalls at once. And on the plus side you
> get to pass that stupid NAT requirement in the PCI DSS if you have to
> handle credit cards.

--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense-discussion] optimal way for a colo setup
On Mon, Nov 09, 2009 at 07:54:57AM -0500, Chris Buechler wrote:

> Lots of options there - they're discussed in depth in the book. I

Alas -- Amazon.com estimates delivery for early January 2010. No way
to purchase an electronic copy I could get hold of earlier than January?

> generally prefer getting a smaller WAN block and having the larger
> internal block routed to you, then you can use a combination of NAT

So you have a small address space just for the firewalls WANs and
other stuff, and get the networks handled to you? Using which protocol,
BGP?

Sorry for the dumb questions, I still completely blow at networking.

> and routed public IPs as needed, and easily add additional IP space in

So how does the layout look like WAN and LAN side? Which addresses
do the hosts on the LAN side have, private IPs (e.g. 10.x.x.x)?

> the future if needed. I don't like bridging in a serious colo
> environment, because of the complications possible with relying on
> STP, or hacks on the firewall. I would never setup the network with a
> design consideration that you can use it if the firewalls fail, that's
> why you have redundant firewalls.

Well, I don't have redundant firewalls in place yet. Of course by the
time I will add a second Ethernet line from the router I will have
enough critical systems up so that service down time should be down
at a minimum.

--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense-discussion] optimal way for a colo setup
On Mon, Nov 9, 2009 at 7:17 AM, Eugen Leitl wrote:
>
> I've built a 1.2.3RC3 box on beforementioned Supermicro
> dual-core Atom box with an Intel dual-port server NIC
> and a 2 GByte Transcend DoM (some 200 EUR the Supermicro
> kit, 35 EUR memory, and 100 EUR the dual-port Intel
> NIC, the DoM is some 20-30 EUR IIRC).
>
> All four NICs (onboard Realteks and Intel) are apparently
> fully functional.
> The box is reasonably quiet, and probably not underventilated
> if it's not sandwiched between two other rackmounts (it
> does have enough fan headers on the motherboard to rectify
> that potential problem, though no fan mounts; hotglue would
> probably do).
>
> I've assigned WAN and LAN to the Intel NIC, and will use
> the Realteks for pfsync, redundancy and the like.
>
> Now the question, assuming I have a /24 network on WAN, what is
> the optimal routing setup if I want to go carp+pfsync
> eventually fully redundant? I'm currently running two
> mini-ITX C3 boxes in a poor man's failover setup, both
> as transparent bridges, with one disabled through STP
> or other loop-detection feature.
>
> So what do I do with my /24? Private IP space behind
> LAN, and 1:1 for every address? (That would be pretty
> difficult to recover from should my firewall die, right
> now every box has public IPs and can be fully routed
> even though then directly exposed to the hostile
> Internet).
>

Lots of options there - they're discussed in depth in the book. I
generally prefer getting a smaller WAN block and having the larger
internal block routed to you, then you can use a combination of NAT
and routed public IPs as needed, and easily add additional IP space in
the future if needed. I don't like bridging in a serious colo
environment, because of the complications possible with relying on
STP, or hacks on the firewall. I would never setup the network with a
design consideration that you can use it if the firewalls fail, that's
why you have redundant firewalls.
Re: [pfSense-discussion] optimal way for a colo setup
On 9/11/09 11:17 PM, Eugen Leitl wrote:

> So what do I do with my /24? Private IP space behind LAN, and 1:1 for
> every address? (That would be pretty difficult to recover from should my
> firewall die, right now every box has public IPs and can be fully routed
> even though then directly exposed to the hostile Internet).

What you describe is exactly what we are in the process of rolling out,
although we are using a different (higher powered) Supermicro server. They
make a nice 1RU (half depth) unit with 4 NICs on the front panel.

I don't think the private IP space will make it that much harder to recover
from, unless you lose both your firewalls at once. And on the plus side you
get to pass that stupid NAT requirement in the PCI DSS if you have to
handle credit cards.

Ari

--
--> ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
[pfSense-discussion] optimal way for a colo setup
I've built a 1.2.3RC3 box on beforementioned Supermicro
dual-core Atom box with an Intel dual-port server NIC
and a 2 GByte Transcend DoM (some 200 EUR the Supermicro
kit, 35 EUR memory, and 100 EUR the dual-port Intel
NIC, the DoM is some 20-30 EUR IIRC).

All four NICs (onboard Realteks and Intel) are apparently
fully functional.
The box is reasonably quiet, and probably not underventilated
if it's not sandwiched between two other rackmounts (it
does have enough fan headers on the motherboard to rectify
that potential problem, though no fan mounts; hotglue would
probably do).

I've assigned WAN and LAN to the Intel NIC, and will use
the Realteks for pfsync, redundancy and the like.

Now the question, assuming I have a /24 network on WAN, what is
the optimal routing setup if I want to go carp+pfsync
eventually fully redundant? I'm currently running two
mini-ITX C3 boxes in a poor man's failover setup, both
as transparent bridges, with one disabled through STP
or other loop-detection feature.

So what do I do with my /24? Private IP space behind
LAN, and 1:1 for every address? (That would be pretty
difficult to recover from should my firewall die, right
now every box has public IPs and can be fully routed
even though then directly exposed to the hostile
Internet).

--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
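The layout Chris recommends in his reply (a small provider-facing WAN block, the larger block routed to the firewall, then a mix of routed public addresses and NAT behind it), which is the answer to the "what do I do with my /24" question above, is sketched here as an added example in plain pf.conf syntax for a CARP/pfsync pair. It is not from any post in this thread and not a pfSense-generated ruleset: pfSense builds its own rules from the GUI (Virtual IPs for CARP, Firewall: NAT for 1:1 and outbound), so this is the equivalent picture, not something to load onto a pfSense box. Interface names, the 203.0.113.0/29 WAN block, the routed 198.51.100.0/24, the 10.0.0.0/24 private segment and the host addresses are all constructed (documentation ranges); the CARP address assignment is described in comments rather than shown as OS configuration.

```pf
# Added example (not from the thread): pf.conf sketch of the layout Chris
# describes. All addresses are constructed documentation ranges; interface
# names and host roles are assumptions.
#
# Address plan
#   WAN block 203.0.113.0/29 from the provider:
#     203.0.113.1  upstream router (default gateway of the firewalls)
#     203.0.113.2  firewall A, real address
#     203.0.113.3  firewall B, real address
#     203.0.113.4  CARP VIP shared by A and B; the provider routes
#                  198.51.100.0/24 to this address, so the route keeps
#                  working after a failover
#   LAN: 198.51.100.0/24, routed public space, no translation
#     198.51.100.1 CARP VIP, default gateway for public hosts
#     198.51.100.2 / .3 real LAN addresses of A and B
#   OPT1: 10.0.0.0/24, private space for hosts that should not be
#     reachable on an address of their own; 1:1 or outbound NAT as needed
#   SYNC: dedicated link carrying pfsync state between A and B

wan  = "em0"
lan  = "em1"
opt1 = "re0"
sync = "re1"

wan_vip    = "203.0.113.4"
public_lan = "198.51.100.0/24"
private    = "10.0.0.0/24"

# A host that gets a routed public address with no NAT at all
web_public  = "198.51.100.20"
# One private host exposed 1:1 on a public address from the routed block
app_private = "10.0.0.10"
app_public  = "198.51.100.10"
# Shared source address for everything else in the private segment
nat_out     = "198.51.100.254"

set skip on lo0
set skip on $sync            # state sync traffic is not filtered

# Translation rules: first match wins, so the 1:1 mapping must precede
# the catch-all outbound NAT for the private segment
binat on $wan from $app_private to any -> $app_public
nat   on $wan from $private to any -> $nat_out

block log all

# Failover plumbing: CARP advertisements on every interface carrying a VIP,
# pfsync only on the dedicated link
pass on { $wan $lan $opt1 } proto carp keep state
pass quick on $sync proto pfsync

# Routed public host: plain filtering, the packet is never rewritten
pass in on $wan proto tcp to $web_public port { 80 443 } keep state

# 1:1 mapped host: filtering happens after translation, so the rule
# matches the private address, not the public one
pass in on $wan proto tcp to $app_private port 443 keep state

# Outbound: after the nat rule, private-segment traffic also leaves with a
# 198.51.100.x source, so one rule on the routed block covers both segments
pass out on $wan from $public_lan keep state
pass in on { $lan $opt1 } keep state
```

Two things worth checking on a real deployment of this shape: the provider must route the /24 to the CARP VIP (203.0.113.4 here) and not to either firewall's real address, otherwise the routed block goes dark when that node fails; and the pfsync link should be a dedicated, unfiltered segment, since the state table it carries is what lets existing connections survive a failover.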