Best way to block all traffic from China

Hiya all,

This is my first post on this forum... glad I found it tho - seems to be really good for people like me.

I own a small web/VPS hosting company that currently provides service to about 500 clients, the majority of which are in the USA and EU. I have been in business for about 12 years, with my master server's IP and domains staying the same over that period (tho the server has been upgraded twice).

Now... Over the last 6 months (and more so over the last 2 months) I have noticed a huge increase in hack attempts, the vast majority of which (99%+) are from China IP addresses. When I first started noticing this I wrote a small C# app that runs on my servers that monitors the event log for SQL login failures as well as Simple DNS notifications that an IP was blocked locally (inside the DNS software) for > 15 requests per second over 3 seconds. When detected, the IPs are added to a firewall rule that blocks them for 48 hours. The same app maintains that rule so that expired IPs are removed after 48 hours, etc. Works pretty good... but...

At last count I was getting hit between 10-50 times per second over both DNS and SQL... And while I have not noticed any negative effects on server performance or network traffic (I have quite a bit of bandwidth available), I am worried about this increasing to the point of blocking legitimate server traffic.

Now.. I have grown slowly over the last decade, adding servers as needed here and there, and currently have 10 servers spread across 3 racks at my datacenter, and each server has its own network drop and relies on a software firewall for protection. I am thinking it's time to upgrade that a bit... Am going to have them move me to a new rack so all my servers can be together, and want a single gigabit network drop to a hardware firewall, which will then split traffic off to the servers with 10/100 cables (I don't need gigabit to the servers, but need more than 100mb across all 10, if that makes sense).

So... what I am looking for here are ideas on how to do this exactly... I think I have a good plan, but I confess that I am not a network security buff. I am an application developer and I learn quickly with either hardware or software, but I know my knowledge in this area is not up to snuff... so... ideas?

Oh - and another reason for the hardware firewall, as noted in my subject, is that I am considering just blocking all of China's IP addresses from accessing any of my servers over any port other than 80 and 443. Heck, I might even just block them altogether, even HTTP ports. I do not think I have any legitimate traffic from China.

Now, the tough part of that... if I do implement that, I would like to direct blocked HTTP traffic (port 80/443 only) to a website explaining that they are blocked from accessing my servers... possible? What kind of hardware would I need to do that?

If I am totally off base, please let me know that too... my goal here is to block these hack attempts while leaving access to the associated services open.

Thanks much,

Dave
 
Cisco ASA firewall. Do an ACL that explicitly denies IP ranges coming from China.
Add something at the beginning of the ACL that says if traffic matches port 80 or 443 send them to X internal ip address. Have that server run a web page with whatever message you want them to see. (I don't recommend this, if you're going to block the traffic, just block it)

Also, don't let corge come in here and tell you a cisco ASA isn't a firewall :rolleyes:
According to him friends don't let friends use Cisco ASA's. :D
 
http://www.countryipblocks.net/

I guess the first question to ask really is what kind of firewall/router do you have currently? Any business grade router should have some sort of function to block IPs and ranges.

The above post suggested an ASA. I don't know of a way with an ASA to just specify a country and block it. I sure hope it does. I didn't notice such a thing when I worked with a 5505. The above link I posted says there's almost 4000 IP blocks from China. That could take quite some time to program.

pfsense has a country block function with its pfblocker package. you choose a country. it already has the lists built in, and it blocks it. They also have a nifty list of top spamming countries. Honestly I block everything except the US, Canada, some of the countries in the caribbean, and the more friendly countries in Europe. No other country really has any business around here :D
 
OP mentions he is currently using software firewalls.
And I'm sure a lot of those Chinese IP blocks can be summarized.
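The two posts above raise the practical problem with country lists: a published list can run to thousands of entries (the link above mentions almost 4000 for China), but many of those prefixes are adjacent or overlapping and can be summarized before they go into an ACL. The following is an added example (not code from anyone in this thread, and not pfBlocker's or Cisco's implementation) using Python's standard `ipaddress` module. The sample list is constructed from RFC 5737 documentation prefixes so it runs offline; it is not a real allocation list for any country.

```python
import ipaddress

# Constructed sample list in the style of a downloadable country block list,
# mixing CIDR entries, a start-end range, a comment and an overlapping prefix.
# These are RFC 5737 documentation prefixes, not real allocations of any country.
SAMPLE_LIST = """
# example block list (constructed for this illustration)
203.0.113.0/25
203.0.113.128/25
198.51.100.0-198.51.100.255
192.0.2.0/24
192.0.2.0/26
""".strip().splitlines()


def parse_entry(line):
    """Turn one list entry into zero or more ip_network objects.

    Accepts 'a.b.c.d/nn' and 'a.b.c.d-e.f.g.h'; comments and blanks yield []."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []
    if "-" in line:
        start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        # A start-end range may need several prefixes to be covered exactly.
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(line, strict=False)]


def load_blocklist(lines):
    """Parse every entry; the result may still contain duplicates and overlaps."""
    nets = []
    for line in lines:
        nets.extend(parse_entry(line))
    return nets


def summarize(nets):
    """Collapse adjacent and overlapping prefixes into the minimal equivalent set.

    IPv4 and IPv6 are collapsed separately because collapse_addresses()
    refuses to mix address families."""
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        if same:
            out.extend(ipaddress.collapse_addresses(same))
    return out


def is_blocked(ip, nets):
    """True when the address falls inside any prefix of the (summarized) list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    raw = load_blocklist(SAMPLE_LIST)
    small = summarize(raw)
    print(f"{len(raw)} entries collapsed to {len(small)} prefixes:")
    for n in small:
        print("  ", n)
    for probe in ("203.0.113.200", "203.0.114.1"):
        print(probe, "blocked" if is_blocked(probe, small) else "allowed")
```

Running it against the constructed list turns five parsed prefixes into three /24s. On a real list the reduction is usually smaller, but the same pass also removes the duplicates and shadowed entries that make a long ACL hard to audit, and the membership check is what a rule engine does per packet, so it is worth confirming that a few known-good client addresses are not caught before the list goes live.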
 
Ya, I already found the list of IPs for China... and I could easily import them to the software firewall, but figure a hardware firewall is a better option now considering my size. It wasn't necessary before... but I am starting to grow faster. Will have at least 3 new servers in the next year.

Looking at the ASA 5505... From the looks of it it seems that might be good enough for what I do... Any reason to move to the next model that any of you can think of?

And... having never used a Cisco ASA... I would assume it would be fairly easy to import those IP blocks? Seems that should be fairly simple...
 
You do need to consider your clients. If this was just for your own business, I could completely understand your reasoning.

But by blocking all traffic from China, is there a chance you will be blocking a legit client? Remote access, future expansion, etc?

pfBlocker for pfSense can do this easily and cheaply. Considering you're using software firewalls, pfSense would be a major upgrade. Cisco ASAs would be great if not better, but it isn't cheap nor as easily configured.
 
> You do need to consider your clients. If this was just for your own business, I could completely understand your reasoning.
>
> But by blocking all traffic from China, is there a chance you will be blocking a legit client? Remote access, future expansion, etc?
>
> pfBlocker for pfSense can do this easily and cheaply. Considering you're using software firewalls, pfSense would be a major upgrade. Cisco ASAs would be great if not better, but it isn't cheap nor as easily configured.

I have considered this... and I do not think so. About having legitimate clients from China that is. I only host about 50 websites, and of them the biggest are US only service companies - with "local" websites to their cities - very regional. My largest endeavor is my VPS company, but I lease to people in the SEO business only, and after checking my server logs I don't have anyone connecting from China... so I think it would be rare to have a legitimate client from there - and to be honest, I would rather do without that client and not have to worry about them being able to brute force my passwords, not to mention trying so hard that they make my servers unavailable. It's a fair tradeoff I think. Too bad China has so many hackers right now.

As to the price of the ASA... $600 give or take is not that expensive. I would rather spend up to $1000 and make sure I do it right. I do not want to have to do this all over again next year or the year after - best to get what I need now, not worry about a few bucks.

I am not at all familiar with pfBlocker et al... How do they measure up against the Cisco ASA 5505? Which is better?

Dave
 
> I am not at all familiar with pfBlocker et al... How do they measure up against the Cisco ASA 5505? Which is better?
>
> Dave

pfblocker is a package available in pfsense. www.pfsense.org. It's a firewall operating system that runs on FreeBSD. I actually replaced a 5505 with pfsense about a year ago and I couldn't have been happier. This was mostly because I was not familiar with the ASA and didn't feel comfortable managing it.

pfsense is pretty easy to setup. It's compatible with a very broad range of hardware and scales very well with it. It can run on rinky dink Pentium 2/3 systems all the way up to server class hardware. It's quite easy to manage. If you do have problems the forums are a good place to get answers for free. If you want a support contract they do offer paid support. The admins on the board claim that a live person answers the phone when you call. Gotta love that.
 
even if you block them, you can still be DDoSed, so blocking them won't stop them from taking your site(s) down if they wanted to
 
> pfblocker is a package available in pfsense. www.pfsense.org. It's a firewall operating system that runs on FreeBSD. I actually replaced a 5505 with pfsense about a year ago and I couldn't have been happier. This was mostly because I was not familiar with the ASA and didn't feel comfortable managing it.
>
> pfsense is pretty easy to setup. It's compatible with a very broad range of hardware and scales very well with it. It can run on rinky dink Pentium 2/3 systems all the way up to server class hardware. It's quite easy to manage. If you do have problems the forums are a good place to get answers for free. If you want a support contract they do offer paid support. The admins on the board claim that a live person answers the phone when you call. Gotta love that.

Ok,

If I am reading this right, I need to run that on a server... so I assume it would be something like one NIC would connect to the datacenter's VLAN, and the other NIC would go out to a switch to connect the servers to it... yes?

The only problem I have with that is it would cost a LOT more... not only another server, but the monthly hosting for that server, whereas a hardware firewall is free to add to the cage for me since I have so many servers already. Would the increased capacity/usability etc of the pfSense solution be worth the extra expense? Figure $600+ for the server (cheapest rack mount from Dell), plus $69/mo for hosting at my datacenter.

Keep in mind I am not local to the datacenter, so I have to order Dell servers and have them shipped to the datacenter, and I set everything up via iDRAC... I live in Thailand now and maintain everything remotely.... so no building a cheap rack appliance for me :/ (which sucks, because prior to moving here my hardware costs were half what they are now and MUCH more powerful with more storage. I love supermicro :D)

Am also not much of a *nix fan... I run Windows 2008 R2 on all my servers... and have never used FreeBSD, and only have minor experience with that type of OS...but if the overall performance is worth it, I am willing to learn.
 
> even if you block them, you can still be DDoSed, so blocking them won't stop them from taking your site(s) down if they wanted to

Aye, I know that... but it seems that's not their game for the time being.

More than likely they did a port scan and found a listening (and unsecured) SQL Server and posted my IP to a forum or something for hackers. Just a guess, but likely a good one. Same goes for the DNS server. There are not many people doing it... usually 1-2 IPs at any given time, each sending 10-15 requests per second. Once banned they keep on for about 10 minutes, then it stops for a few minutes and another IP takes over. The SQL attack is just a brute force attempt to figure out the "sa" password... but it's a complex password, so it's fairly safe... and I ban them after 1-2 attempts... but so far they are not sending enough traffic to actually take my sites down, and I don't think they will. It's not a vindictive type action - just trying to get in my database, likely to try to find credit card numbers or some such... tho I don't store any of those anyway - I use PayPal exclusively and only store paypal IDs and Subscription IDs. Nothing that can be of any use to a hacker.
 
Look into Snort with a paid ruleset; it will be able to not only block those invalid requests but look for malicious SQL, HTTP, etc traffic.
 
A Cisco 5505 might be a bit under powered for what you need. The ethernet ports on it are only 10/100. The 5510 is the smallest one Cisco makes with gigabit ports, but max firewall throughput is quite a bit less. @ ~$2250 it's also quite a bump up from the 5505 in price. Not sure how much actual throughput you need but if you plan to use all of your gigabit link you're looking at some pretty big money going Cisco.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Quite a few other companies make firewalls that could be suitable as well. Palo Alto, Juniper, Sonicwall in addition to the plenty of open source ones like pfSense. Juniper SRX 210/220 or Sonicwall NSA 240/2400 could be a better option for you depending on your throughput needs and expected growth.
 
To be honest I never looked at what my servers are doing so far as bandwidth.

I can say that even the busiest of them use only about 2TB per month, so figure about 20TB per month max across the whole rack - and that is very generous. Many of my servers do not even use 100MB/mo.

I think I could live with a 100mb/s single feed to the whole cage and not lose any performance, but ... well.. being a techie the idea of having the gigabit drop was kinda cool lol.

In any case, even at 100mb/s if my math is right it would take about 2/3 of the month to use up that 20TB, so while I may be getting close to cap with those numbers, it should be ok. Still tho, that's one of the reasons I made this thread - to check little things like this to see which would be the best solution for me. Sounds like I should be leaning toward a custom solution like pfsense.
 
> Ok,
>
> If I am reading this right, I need to run that on a server... so I assume it would be something like one NIC would connect to the datacenter's VLAN, and the other NIC would go out to a switch to connect the servers to it... yes?
>
> The only problem I have with that is it would cost a LOT more... not only another server, but the monthly hosting for that server, whereas a hardware firewall is free to add to the cage for me since I have so many servers already. Would the increased capacity/usability etc of the pfSense solution be worth the extra expense? Figure $600+ for the server (cheapest rack mount from Dell), plus $69/mo for hosting at my datacenter.
>
> Keep in mind I am not local to the datacenter, so I have to order Dell servers and have them shipped to the datacenter, and I set everything up via iDRAC... I live in Thailand now and maintain everything remotely.... so no building a cheap rack appliance for me :/ (which sucks, because prior to moving here my hardware costs were half what they are now and MUCH more powerful with more storage. I love supermicro :D)
>
> Am also not much of a *nix fan... I run Windows 2008 R2 on all my servers... and have never used FreeBSD, and only have minor experience with that type of OS...but if the overall performance is worth it, I am willing to learn.

Your reservations are legitimate.

I find it kind of retarded they will allow you to add a hardware firewall for free, but will charge you to add a server that's running as a firewall. I mean it is technically another server, but it is also a hardware firewall.

And don't worry about not knowing FreeBSD. The interface is web based. There is a shell for the more advanced diagnostics but for the most part you won't be using it.

Someone also mentioned snort in this thread. pfsense just so happens to have a snort package as well. I've always used their free ruleset. Not sure how much better the paid ones are.
 
I can also vouch for pfSense. I've never used a Cisco appliance, but I know the cost/performance is out of this world for pfSense. People get hundreds of Mbit/sec on Pentium 4 setups with 256-512MB RAM. Many large corps use them for internal routers with the firewall turned off, and even more use them for gateway routers. They do BGP through a stable package and OSPF through a "beta" package, although every package I've used, even the "alpha" ones were completely stable for my use.

I use it at my parents home/office, and I can't recommend it enough. I was running a 50Mbit connection (including Bittorrent) with a lot of packages for a little bit there and I never saw over 5-10% CPU (P4 2.66). You can try it out as your home router on an old POS computer from your garage (like a Pentium 2 or 3) if you want to get more comfortable with it. Everything is web-based, and everything works amazingly well.

One guy with a P3 1GHz and 200 users, plus 2 public servers. Says he can double the load with no problem:

http://forum.pfsense.org/index.php?topic=5444.0

They "recommend" a hardware firewall if you have over 3Gbit/sec or 1 million pps. lol.

http://www.pfsense.org/index.php?option=com_content&task=view&id=71&Itemid=81

You can also get a thinly-disguised "server" that looks like a standard firewall to throw in your rack. Just look for a "pfSense appliance".

Like here: http://www.hacom.net/kb/comparison-hacom-appliances-cisco-asa-firewalls

1.6Gbit/sec for $700 :eek: ($900 for the 1u version)

One of the only real considerations I can think of is (unless something changed recently) the FreeBSD Routing/Firewall engine will only use 1 CPU core. Therefore, you won't see any gain from anything more than a dual-core CPU. (1 for routing/firewall, 1 left for everything else)

I love pfSense, so my opinion is obviously biased. Take it for what it's worth to you.
 
> One of the only real considerations I can think of is (unless something changed recently) the FreeBSD Routing/Firewall engine will only use 1 CPU core. Therefore, you won't see any gain from anything more than a dual-core CPU. (1 for routing/firewall, 1 left for everything else)

I believe in the future with release 2.1 utilizing FreeBSD9 it will have full multicore support.

I could be wrong. But I thought I read this on their forums.
 
Sweet! That should send performance through the roof with all these 16 and 32-way servers nowadays.
 
Truthfully, a large portion of pfSense's performance issues people notice are not CPU related and rather NIC related. The same exact system will have 3-4x better throughput with Intel server NICs over crappy Realtek NICs.

Having large (multiple) CPU power really will only help with large packages that have to filter and watch a huge data stream. For normal routing and firewalling, you don't need much more power to work at near-line-speed.
 
> Sweet! That should send performance through the roof with all these 16 and 32-way servers nowadays.
>
> Truthfully, a large portion of pfSense's performance issues people notice are not CPU related and rather NIC related. The same exact system will have 3-4x better throughput with Intel server NICs over crappy Realtek NICs.
>
> Having large (multiple) CPU power really will only help with large packages that have to filter and watch a huge data stream. For normal routing and firewalling, you don't need much more power to work at near-line-speed.

After posting a thread on the pfsense board they said there's no plans till after 2013.

Brak, try not to think about routing 100GB/sec through a pfsense with a 16 core Xeon system. But try to think about ~DOUBLING the throughput on an Atom system. Or actually being able to run an Atom system with a decent set of packages.

Throughput is tied directly to cpu frequency, which means so is power consumption and so is heat. True multicore support would allow us to run much cooler, lower power systems.
 
Ok,

Let's punch this up a notch real fast. I have an idea, which may or may not work.

My VPS software is Parallels Virtuozzo Containers for Windows - and I run it on Windows 2008 R2 Enterprise. I currently have 5 VPS servers each hosting 71 VPS containers (355 containers total).

Now... I also have a 2U "backup server" whose only function is an external hard drive. It has Windows 2008 Standard R2, but it just sits there - does no processing at all. It has 3 drive arrays - well, 1 standalone drive that contains windows and 2 RAID-1 arrays that I use for backup storage for the VPS servers.

Now, the reason for the detail and history is this: It is VERY difficult to get Virtuozzo to use a network drive for backups. It took me days to get it working, and in the end the trick was to make the network user (Administrator) with the same password across all the servers... so that browsing to \\<backup server IP>\d$ (the D drive) opens the folder without need for authentication. Hope that makes sense - and it should to anyone in windows networking :)

The backup server is connected to the other servers by way of a private LAN, and it currently does not have internet access at all... but it does have 2 NICs. What I am slowly getting to here is the thought of using that server as the firewall... Do any of you know if I will have problems accessing those network drives in the same manner (e.g. \\<IP>\drive$\ ) under FreeBSD, if I were to install that OS on that server?

Again, I am not at all familiar with FreeBSD... so need someone with knowledge of that OS as well as windows networking to give a yea or nay for the idea... I could do without the backup server for a day or 2 if needed, but would rather not lose it for long if possible. To that end... any good FreeBSD tutorial/primers anyone can suggest? Perhaps I will play with it in a VM the next couple days just as a test.
 
Does the backup server have Hyper-V? You could (possibly) do it in a vm. I know there are prepackaged vmware images you can just drop in and get pfsense. I forget what they call them.

And pfsense doesn't run FreeBSD except for the base operating system. It's very customized for pfsense and everything is handled by either an extremely simplified command prompt (with options and explanations) or the web GUI (for any real customizing). You don't need to know FreeBSD or even *nix at all.
 
> Does the backup server have Hyper-V? You could (possibly) do it in a vm. I know there are prepackaged vmware images you can just drop in and get pfsense. I forget what they call them.
>
> And pfsense doesn't run FreeBSD except for the base operating system. It's very customized for pfsense and everything is handled by either an extremely simplified command prompt (with options and explanations) or the web GUI (for any real customizing). You don't need to know FreeBSD or even *nix at all.

I can install anything I need/want on that server... tho it only has 4GB of RAM, and Windows 2008 R2 is a RAM hog... so if things would work without windows in the mix I think performance would be much better.

Since pfSense has a customized version of FreeBSD, then I guess I need to know if that (pfsense) will allow access to those drives? In windows they show up as drives H and I, and while I do not need the drive letters to be the same, I would like the drive name (e.g. share name) to be the same - they are "stor_a" and "stor_b"... Is that possible with pfSense at all?

Dave
 
I wouldn't try to share drives from a pfsense box. I would install pfsense in a VM and give it 256MB of ram or so. It doesn't take much. This way you achieve two critical things: 1. You don't mess up your working configuration. That could be a nightmare. And 2. You achieve your goal of adding a firewall, but not another server. If you can add ram to that server, that would be better, but it's not necessary since pfsense really doesn't require much. Even if you need 512mb, server r2 should be ok with 3.5gb if you're just sharing files.
 
I'm running pfsense right now with 512mb of ram and it says 32% used, but there aren't many states atm. It can use swap if necessary as well. Just monitor it, and you can assign it more ram fairly easily, although changing VM settings on the firewall would require you to be on-site.
 
I admit I am new to the whole network security thing... but something just seems.... wrong? about running such a critical app in a VM. What happens if the VM crashes? All access to all my servers would be lost.

The likelihood of a dedicated pfSense server crashing would be low I believe - while I am not a linux (*nix) fan, I am quick to admit that they are MUCH more stable than windows. Windows on the other hand does crash from time to time - and VMs are inherently less stable than the underlying windows install - making a crash even more likely.

Any input on this... ?

Any way to mitigate that possibility?

And... well, how would that work exactly? Say I have the 2 NICs on the server set to one that comes in and one out to a LAN - how do I place the VM in line between them to act as the firewall? Bah, I have way too much to learn about this stuff.
 
I have a windows 2000 server VM that runs 5-6000 hours at a time. It's way more reliable than the host OS. It just sits there and serves up files. If I ever need to reboot the server it's on (win2008 r2) it starts back up as soon as the OS loads on the server. It sounds like a strange setup, but it will probably work better than you think. Or you can do vmware bare-metal for both. I believe (never tried it) that you can virtualize a server in-place from a hard drive.

I would run the firewall in a VM, but that's me.

The logistics are no problem. You can assign the incoming (internet) NIC directly to the VM, and you can set up a virtual adapter (all automatic) with the other NIC so it can be accessed with both OSes. If you have a spare install of win server to mess around with, you can figure this out in about 5 minutes. It's really easy to do all this stuff, I've found. It only gets complicated when you're trying to do SQL servers or other high-performance applications in the VMs. A low-bandwidth firewall shouldn't be too much of a problem. The only thing that you might get hung up on is the drivers for the virtual adapters and such. That part is definitely better to do without a VM, but it shouldn't be too much of a problem.
 
If you run snort as I recommended you will need lots of ram for good performance. And thinking about it sure blocking China might make your logs look nicer, but is it really going to protect your network from compromise? I think it will be more of a false sense of security.
 
> If you run snort as I recommended you will need lots of ram for good performance. And thinking about it sure blocking China might make your logs look nicer, but is it really going to protect your network from compromise? I think it will be more of a false sense of security.

RAM is no problem really - it's cheap, especially on that box.

As to being more secure - of course it will be. Currently there are about 2-4 attempts per IP to log in to SQL Server with SA getting thru to the server before I block the traffic. The reason for that is the first attempt has to fail before the event log entry gets written, and I use that event log (via a log monitor) to fire off the blocking code - before it actually fires 1-2 more attempts get thru (takes about half a second after the first fail before I block the IP). Now assuming it is a single hacker using a botnet to make the attempts, if one of the attempts happens to crack the password, the hacker will know it... and use a fresh IP to successfully log in and dig thru my databases. While I do not save any financial info, I do have personal info of hundreds of thousands of people on there. Not good. I have secured the password as well as possible, but even the most complex password IS crackable.

If I block all of it - or even get this snort which may be able to detect that type of thing itself - the server will be much more secure. At the same time setting something like this up will simplify my network greatly. Currently I have 3 VLANs on my various different drops at the datacenter - and as part of this I will combine them into a single VLAN, which will be easier to manage as well as allowing me to share my IPs across all servers, which will be nice.
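Dave's first post and the one just above describe the same mechanism from two angles: a monitor reads SQL Server login-failure events, bans the client IP for 48 hours, expires old bans, and, because the rule is pushed about half a second after the first failure is logged, a couple of extra attempts from the same IP still reach the server. The block below is an added example written for this thread; it is not Dave's C# app (which is not posted) and not anything from pfSense or Snort. It models that reaction window in Python over constructed log lines shaped like the SQL Server "Login failed for user" message, so it runs offline; the 500 ms delay is the figure Dave quotes, and the addresses are RFC 5737 documentation ranges.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events shaped like the SQL Server "login failed" message
# (error 18456): a timestamp, then message text ending in the client address.
# Addresses are RFC 5737 documentation ranges; nothing here is a real log.
SAMPLE_EVENTS = [
    ("2012-03-01 10:00:00.000", "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"),
    ("2012-03-01 10:00:00.200", "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"),
    ("2012-03-01 10:00:00.400", "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"),
    ("2012-03-01 10:00:01.000", "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"),
    ("2012-03-01 10:05:00.000", "Login succeeded for user 'app'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.9]"),
    ("2012-03-03 11:00:00.000", "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]"),
]

FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[0-9A-Fa-f.:]+)\]")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


class BanList:
    """Ban an IP on its first failed login, keep the ban for `duration`, and
    model the reaction window between the log event and the rule taking effect."""

    def __init__(self, duration=timedelta(hours=48), reaction_delay=timedelta(milliseconds=500)):
        self.duration = duration
        self.reaction_delay = reaction_delay   # assumed ~500 ms, the figure quoted in the thread
        self.bans = {}     # ip -> {"active_at": datetime, "expires": datetime}
        self.leaked = {}   # ip -> failed attempts that reached the server before the rule was live

    def expire(self, now):
        """Drop bans whose window has passed; returns the still-active IPs sorted."""
        for ip in [ip for ip, b in self.bans.items() if b["expires"] <= now]:
            del self.bans[ip]
        return sorted(self.bans)

    def observe(self, ts, message):
        """Feed one log line in time order; returns what happened to it."""
        now = parse_ts(ts)
        self.expire(now)
        m = FAILED_RE.search(message)
        if not m:
            return "ignored"
        ip = m.group("ip")
        ban = self.bans.get(ip)
        if ban is None:
            # First failure: schedule the firewall rule. This attempt itself
            # already reached the server, so it counts as leaked.
            active_at = now + self.reaction_delay
            self.bans[ip] = {"active_at": active_at, "expires": active_at + self.duration}
            self.leaked[ip] = 1
            return "banned"
        if now < ban["active_at"]:
            # Arrived before the rule was pushed: the gap described in the post.
            self.leaked[ip] += 1
            return "leaked"
        # Rule in effect; a real firewall would drop this before it was ever logged.
        return "dropped"


def process(events, banlist=None):
    """Replay events through a BanList; returns (per-event outcomes, the BanList)."""
    if banlist is None:
        banlist = BanList()
    outcomes = [banlist.observe(ts, msg) for ts, msg in events]
    return outcomes, banlist


if __name__ == "__main__":
    outcomes, bl = process(SAMPLE_EVENTS)
    for (ts, _), outcome in zip(SAMPLE_EVENTS, outcomes):
        print(ts, outcome)
    print("leaked attempts per IP:", bl.leaked)
    print("still banned at last event:", sorted(bl.bans))
```

On the constructed events the first source gets three failures through (the initial one plus two inside the half-second window) before the fourth is dropped, which is the "2-4 attempts per IP" Dave observes, and its ban has already aged out by the time the second source appears two days later. Shrinking the window means moving the decision closer to the socket (a pre-authentication filter or a network-layer block such as the country list and Snort rules discussed here) rather than reacting to the event log after the fact.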
 
I've installed SAMBA on my pfsense box before. This is a package that talks the Windows SMB protocol for file sharing. It's NOT a standard package in pfsense. It's not like installing the other packages which are just a click of the mouse button in the webgui. It's all done from the shell. I wanted to do this to quickly get to the log files and config files for backup. Installing it wasn't that difficult. Configuring is another story. The whole realm of linux share permissions baffles me. That's a completely different thread.

The_Bomb suggested virtualizing it, and first mentioned Hyper-V. In my test lab I have a problem with pfsense in Hyper-V and the NICs not automatically starting on system startup. Normally one NIC would start, but the other wouldn't. This is a known issue over on the forums. It has to do with the drivers for some NICs. Mine are Intel Pros that seem to have this issue. Their suggestion/workaround is a simple script that runs at start that will bring down both NICs and then bring them back up. There's a package called AutoExec (I think that's the name) that does this. The script only has to contain a few lines.

#!/bin/sh
# Bounce both interfaces at boot; use the interface names your system assigned.
ifconfig ro1 down
ifconfig ro1 up
ifconfig ro2 down
ifconfig ro2 up

He also suggested vmware. If at all possible I'd go this route. Never had any issues with pfsense in vmware in my labs.

There are various places you can purchase a prebuilt pfsense system. What exactly does your host consider to be a hardware firewall and another server? Where does that distinction lie? I mean if you look at a prebuilt supermicro system it has the same physical specs as an ASA5510. Would they really consider something like this a SERVER and want to charge you for it when it's the exact same thing as a "standard" hardware firewall?

Does it need to be prebuilt from the manufacturer? Does it need to have their logo on it? I'd try to get them to explain that one to you a little better.
 
You know, it's funny... I asked them just that same question... and they gave a pretty good answer. They said even if it's a 1U dell server, if its only function is that of a firewall, I would get firewall pricing - which is a good policy in my book. Very fair.

Problem is the server I am thinking about using is my backup server, and they know that (its name is backup.<my domain>.com, which is stenciled on the front and back of the server (all my servers have that so that there is no confusion during any reboot or maintenance requests lol). But since I am already paying the server fee for that one, it won't matter.. if I can get this working.

I have never used VMWare outside of my development environment before... but I will play with it and see what I can see. I have asked my datacenter to go ahead and throw a network drop on to the server so I can get it fully updated and start tinkering (it has no internet access at the moment - being only an internal backup server).

Will update this thread once I figure all that out.

Oh...and as far as pfsense goes... I created a local VM and installed it... and it failed to start up twice, then caught on the 3rd try. Not very encouraging. No errors during install, but had some during the first 2 startups. Nothing I understood tho.
 
btw, as I said I am not a VMware guru - I use Parallels for the most part... What VMWare product would be best for this? I know nothing about their server/datacenter line... would Workstation work for what I want to do?
 
> You know, it's funny... I asked them just that same question... and they gave a pretty good answer. They said even if it's a 1U dell server, if its only function is that of a firewall, I would get firewall pricing - which is a good policy in my book. Very fair.
>
> Problem is the server I am thinking about using is my backup server, and they know that (its name is backup.<my domain>.com, which is stenciled on the front and back of the server (all my servers have that so that there is no confusion during any reboot or maintenance requests lol). But since I am already paying the server fee for that one, it won't matter.. if I can get this working.
>
> I have never used VMWare outside of my development environment before... but I will play with it and see what I can see. I have asked my datacenter to go ahead and throw a network drop on to the server so I can get it fully updated and start tinkering (it has no internet access at the moment - being only an internal backup server).
>
> Will update this thread once I figure all that out.
>
> Oh...and as far as pfsense goes... I created a local VM and installed it... and it failed to start up twice, then caught on the 3rd try. Not very encouraging. No errors during install, but had some during the first 2 startups. Nothing I understood tho.

If they will give you the firewall pricing for a 1U then I'd just go with that. That's what you wanted to do anyway, wasn't it? I wouldn't go messing around with an already working backup server and attempt to install something else on top of it.

pfsense install failed twice? no errors? what install image were you using? this in a hyper-v vm or vmware? That's really weird. The only time I've had those installs fail was when I tried installing it from a failing USB CD/DVD drive.
 
It was in a local VM (Virtual PC), and the image was pfSense-2.0.1-RELEASE-i386.iso.

And yes, they will give me firewall pricing... but I do want to at least play with this idea of using the backup server. It's always galled me that I had a perfectly powerful server just sitting there doing nothing but playing external harddrive. I could have just as easily dropped a couple USB drives in the rack for all that server is doing right now. I would feel much better about it were I to be able to get this functional and stable - I am a huge fan of optimizing hardware usage.
 
This might help: http://forum.pfsense.org/index.php?topic=44568.0

Apparently, you have to use the "Legacy" NICs in Hyper-V.

If you want to use VMWare, I believe ESX/ESXi would be what you want. It's bare-metal, so you would also virtualize the backup server. I have no real-world experience with VMWare (maybe someone with some experience can speak up here) but it appears ESXi is a stripped-down version, and ESX is Linux-based and includes a management toolkit of some sort. Maybe someone else can clarify further. I'm pretty sure they're both a free download, though.
 
> The likelihood of a dedicated pfSense server crashing would be low I believe - while I am not a linux (*nix) fan, I am quick to admit that they are MUCH more stable than windows. Windows on the other hand does crash from time to time - and VMs are inherently less stable than the underlying windows install - making a crash even more likely.

Oh come on. When was the last time that you had any machine completely crash when the problem wasn't hardware or drivers? VMs are the same way. If your hypervisor supports the OS you're running, then it's solid. If not, you're going to have problems because of the emulated hardware or drivers.
 