August 10th, 2008

A big step towards the FreeBSD migration

Three days ago I finally put into production a new pfSense firewalling system. That solution takes over from the virtualized Microsoft ISA Server 2006 array, freeing up resources for moving all currently running VMs to the first Virtual Server node. That will let me rebuild the second host machine with a fresh FreeBSD 7 for amd64 instance, which will become the “mainframe” container for most of the services delivered by my infrastructure (thanks to the Jail OS-level virtualization system).

Leveraging the well-known OpenBSD PF technology and built on the m0n0wall and FreeBSD platforms, pfSense seems to be a very good solution if you need a reliable and fault-tolerant firewalling system at an affordable price, since it is released under open source license terms. In this case I have only invested some hours studying the best deployment method and some money to buy two Soekris net5501 boxes, which were the natural choice given the moderate throughput handled by my IT systems. These appliances let me sleep well at night, knowing that if, for whatever reason, an ISP link fails or a hardware/software problem occurs, the second node will always be ready to seamlessly (statefully) keep all IP traffic flowing! 🙂
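The stateful failover described above is CARP (shared virtual IPs) plus pfsync (state table replication) underneath; pfSense sets both up from its web GUI, but it helps to know what it is configuring. The fragment below is an added example in plain FreeBSD 7 form, not the post's own configuration: the interface names (vr0/vr1/vr2, as on a net5501), the addresses, the vhids and the CARP password are all assumed. The backup node gets the same files with its own real addresses and a higher advskew.

```conf
# ---- /etc/rc.conf (master node) -- example, addresses and names assumed ----
pf_enable="YES"
cloned_interfaces="carp0 carp1"

# Real addresses of this node; the backup uses .3 on each segment.
ifconfig_vr0="inet 203.0.113.2/24"        # WAN
ifconfig_vr1="inet 192.168.1.2/24"        # LAN
ifconfig_vr2="inet 10.255.255.1/30"       # dedicated crossover link for pfsync

# Shared (virtual) addresses the hosts and the ISP router actually talk to.
# advskew 0 = master; the backup node uses advskew 100. Keep the password
# identical on both nodes and different per vhid.
ifconfig_carp0="vhid 1 pass WANcarpS3cret advskew 0 203.0.113.1/24"
ifconfig_carp1="vhid 2 pass LANcarpS3cret advskew 0 192.168.1.1/24"

# Replicate the state table over the crossover link so the backup can
# take over existing TCP sessions without resetting them.
pfsync_enable="YES"
pfsync_syncdev="vr2"

# ---- /etc/sysctl.conf ----
# With preempt=1 a single failed interface demotes the whole node, so WAN
# and LAN vhids fail over together instead of splitting traffic.
net.inet.carp.preempt=1

# ---- /etc/pf.conf (excerpt) ----
ext_if  = "vr0"
int_if  = "vr1"
sync_if = "vr2"

# pfsync is unauthenticated: only allow it on the dedicated link, and
# mark these states no-sync so they are not themselves replicated.
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements travel on the real interfaces (multicast 224.0.0.18).
pass on { $ext_if, $int_if } proto carp keep state (no-sync)
```

Two checks before trusting the pair: pull the WAN cable on the master and confirm `ifconfig carp0` on the backup flips to MASTER while an existing SSH or download through the firewall survives, and verify with `pfctl -s state` on the backup that it already holds the master's entries. Because pfsync carries no authentication, the sync link must be a physically isolated segment; putting it on the LAN would let any host inject state entries.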

Obviously, pfSense alone will never be able to replace all the L7 features ISA Server was giving me. The most notable absence is a good web reverse proxy to route HTTP/S requests for different host names (the HTTP Host header) to the corresponding internal web servers. As long as I have to publish RPC-over-HTTP Exchange services I'll keep a one-leg, proxy-only ISA Server inside my network, but as soon as I complete the migration to the CommuniGate Pro platform I'll replace it with an already proven and high-performing NGINX reverse proxy.
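What the Host-header routing above looks like in NGINX, as an added example (not the post's own configuration): two published names are dispatched to two internal web servers by `server_name`, and requests for any name that is not published are dropped rather than falling through to the first site. All host names, backend addresses and certificate paths are assumed.

```conf
# Added example -- goes inside the http { } context of nginx.conf.
# Names, backend IPs and certificate paths are placeholders.

upstream www_backend  { server 10.0.0.11:80; }   # assumed internal web server
upstream mail_backend { server 10.0.0.12:80; }   # assumed internal webmail host

# Catch-all for unknown Host headers (or none at all). Without this,
# NGINX would serve the first server block, exposing a site you did not
# intend to publish under that name. 444 closes the connection silently.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/default.crt;    # assumed; any placeholder cert
    ssl_certificate_key /etc/ssl/default.key;
    return 444;
}

# Plain HTTP site, routed purely by the Host header.
server {
    listen 80;
    server_name www.example.com;

    location / {
        proxy_pass http://www_backend;
        # Preserve the original name and client address for the backend;
        # without Host the backend sees "www_backend" and breaks vhosts/redirects.
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# HTTPS site: TLS must be terminated here, because the Host header is
# inside the encrypted stream and cannot be used for routing otherwise.
server {
    listen 443 ssl;
    server_name mail.example.com;
    ssl_certificate     /etc/ssl/mail.example.com.crt;   # assumed paths
    ssl_certificate_key /etc/ssl/mail.example.com.key;

    location / {
        proxy_pass http://mail_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # backend can build https:// links
    }
}
```

Test it from outside with `curl -H 'Host: www.example.com' http://<proxy-ip>/` and again with an unpublished name; the second request should get no response at all. For several HTTPS names on one IP the proxy selects the certificate via SNI, so each published name needs its own `server` block with its own certificate (or one certificate covering all of them).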