Virtualizing Smoothwall (edge firewall and content filtering)
-
So I've had more than a few issues with Smoothwall and updates, as well as reboots taking me nearly an hour to complete. So I am contemplating virtualizing Smoothwall on its current hardware with XenServer; it would be the only guest OS on the hardware, and would have 80%+ of the resources.
The idea here is that this would get me the ability to take a snapshot before an update, and if it goes belly up I could easily restore the snapshot in minutes as opposed to the hour+ it takes to do a new install and restore settings etc. On top that I get the ability to clone the smoothwall, move it off to a non-production server and test updates and other things when they come up. And it would also allow me to make periodic backups of the server and in the case of a complete hardware meltdown I could have a stand in up and running in minutes on any available hardware I had on hand.
My Smoothwall is on the edge of my network right now, the internet plugs right into one of its interfaces, not sure if that makes a difference. Also, for the curious, the hardware in question is an HP DL385 Gen8 server, with a single processor (8 cores) and 16 GB of RAM. If I go the virtualized route I'd double the RAM at minimum, and would consider adding another 8 core processor (so 16 cores in total).
So I am wondering:
- Anyone else done something like this with their edge router?
- What are some reasons NOT to do this?
- Any idea on how hardened XenServer is? Would it be possible for someone or something to compromise the host since one of its interfaces would be plugged directly onto the internet?
- What do you guys think of this idea in general?
-
Please tell me this server does something other than just run this.
That's a lot of power consumption for a firewall. Personally I'd ditch it for an Edge Router Lite or ER-X or a USG. All of these are from Ubiquiti and run from $55-130.
It's a tiny box, power consumption will be next to nothing, and you can repurpose the whole server as a XS box.
-
@Dashrender said in Virtualizing Smoothwall (edge firewall and content filtering):
Please tell me this server does something other than just run this.
That's a lot of power consumption for a firewall. Personally I'd ditch it for an Edge Router Lite or ER-X or a USG. All of these are from Ubiquiti and run from $55-130.
It's a tiny box, power consumption will be next to nothing, and you can repurpose the whole server as a XS box.
That depends on how he is using it. It is a lot, but if he is doing full UTM functionality, that takes power.
If he is just doing routing, then yeah.
-
It's usually better to keep it on hardware. The host has outside access before the firewall/UTM has any control over the network.
-
This box is our firewall, heuristic content filtering, internet traffic logging (by user and by client) and UTM for around 3500 devices, so yeah I need the power and RAM for what it does. https://us.smoothwall.com/web-filtering/ for more info on all it does.
We rely on quite a few internet based services, and if this box goes down it is extremely disruptive. And the benefits I'd get from virtualizing are immense for this purpose. Being able to minimize my downtime via snapshots and/or migration between hosts of different hardware profiles are not things that I can easily dismiss. And then there is the fringe benefit of being able to export a snapshot, throw it onto a test server and then be able to thoroughly test updates and config changes, which is pretty big too.
So I guess what I am trying to work out is whether the tradeoffs are worth it.
-
@stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):
It's usually better to keep it on hardware. The host has outside access before the firewall/UTM has any control over the network.
Even if I have multiple interfaces, one that will be dedicated to public/internet and one for internal/management? This seems to boil down to how well the host handles isolation of the traffic, which is probably pretty good I think.
-
@jrc said in Virtualizing Smoothwall (edge firewall and content filtering):
@stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):
It's usually better to keep it on hardware. The host has outside access before the firewall/UTM has any control over the network.
Even if I have multiple interfaces, one that will be dedicated to public/internet and one for internal/management? This seems to boil down to how well the host handles isolation of the traffic, which is probably pretty good I think.
Virtualizing a router is fine. I have done it and know others that have as well. You do not need to worry about host access to the NIC on the WAN side if the host is not configured to use it. That is kind of the point of it.
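The point above is that the hypervisor host must not own an address on the WAN NIC; the bridge just passes frames to the guest. The following check is an added example, not from any poster in this thread: it parses `ip -o -4 addr show` style output and fails if the host has an IPv4 address on the WAN interface or lacks one on the management bridge. The interface names `eth1` and `xenbr0` and both sample listings are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify the hypervisor host (dom0) has no L3 config on the
# NIC that is bridged to the internet. Input is `ip -o -4 addr show` output
# (one address per line: "<idx>: <iface> inet <addr>/<len> ...").

WAN_IF="eth1"     # assumed name of the NIC that faces the internet
MGMT_IF="xenbr0"  # assumed name of the host's management bridge

# Constructed sample of a healthy host: management address only.
SAMPLE_OK='1: lo    inet 127.0.0.1/8 scope host lo
2: xenbr0    inet 10.0.0.5/24 brd 10.0.0.255 scope global xenbr0'

# Constructed sample of a misconfigured host that also took a WAN address.
SAMPLE_BAD='1: lo    inet 127.0.0.1/8 scope host lo
2: xenbr0    inet 10.0.0.5/24 brd 10.0.0.255 scope global xenbr0
3: eth1    inet 203.0.113.7/29 brd 203.0.113.7 scope global eth1'

# iface_has_host_ip LISTING IFACE -> 0 if the host owns an IPv4 address on IFACE
iface_has_host_ip() {
    printf '%s\n' "$1" | awk -v ifc="$2" \
        '$2 == ifc && $3 == "inet" { found = 1 } END { exit found ? 0 : 1 }'
}

# check_host LISTING -> 0 when the host is clean: nothing on WAN_IF and the
# management address present on MGMT_IF; 1 (with a reason on stderr) otherwise.
check_host() {
    listing="$1"
    if iface_has_host_ip "$listing" "$WAN_IF"; then
        echo "FAIL: host owns an IP on WAN interface $WAN_IF" >&2
        return 1
    fi
    if ! iface_has_host_ip "$listing" "$MGMT_IF"; then
        echo "FAIL: no management address on $MGMT_IF" >&2
        return 1
    fi
    return 0
}

check_host "$SAMPLE_OK" && echo "sample OK host: clean"
check_host "$SAMPLE_BAD" || echo "sample BAD host: WAN address leaked to dom0"
# Live use on the host: check_host "$(ip -o -4 addr show)"
```

On XenServer the same property is visible as the WAN PIF's IP-configuration-mode, which should be None for the interface handed to the Smoothwall VM.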
-
@JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):
@jrc said in Virtualizing Smoothwall (edge firewall and content filtering):
@stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):
It's usually better to keep it on hardware. The host has outside access before the firewall/UTM has any control over the network.
Even if I have multiple interfaces, one that will be dedicated to public/internet and one for internal/management? This seems to boil down to how well the host handles isolation of the traffic, which is probably pretty good I think.
Virtualizing a router is fine. I have done it and know others that have as well. You do not need to worry about host access to the NIC on the WAN side if the host is not configured to use it. That is kind of the point of it.
I was always under this impression, but Scott made it sound like this wasn't recommended. I had done this until a while ago when he said that.
-
@stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):
I was always under this impression, but Scott made it sound like this wasn't recommended. I had done this until a while ago when he said that.
It depends on your needs. The OP needs a beefy edge device because of the use case. There is not a problem with virtualizing it on the current hardware as long as he still gets the performance he needs.
What is recommended against by me (I do not recall what @scottalanmiller said that you are referencing), is to never try to virtualize your router on your standard production hypervisor. This is because you have no access to anything if it goes down. That is a bad place to be in.
-
@JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):
It depends on your needs. The OP needs a beefy edge device because of the use case. There is not a problem with virtualizing it on the current hardware as long as he still gets the performance he needs.
What is recommended against by me (I do not recall what @scottalanmiller said that you are referencing), is to never try to virtualize your router on your standard production hypervisor. This is because you have no access to anything if it goes down. That is a bad place to be in.
Ok I'll go back to using that as an option then. It's nice to be able to scale the router up as needed (within the host limits of course).
Here is what I was referencing:
-
@stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):
Ok I'll go back to using that as an option then. It's nice to be able to scale the router up as needed (within the host limits of course).
Here is what I was referencing:
He specifically mentions this use case as acceptable. A one to one dedicated piece of hardware.
-
@JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):
He specifically mentions this use case as acceptable. A one to one dedicated piece of hardware.
Ah, I misunderstood what that meant. When we had that discussion that is how I had it set up, but somehow thought he meant something else.
-
Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool, it will be, for the most part stand alone.
As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.
This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.
-
@jrc said in Virtualizing Smoothwall (edge firewall and content filtering):
Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool, it will be, for the most part stand alone.
As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.
This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.
Correct, but when people put these on the main hypervisor, it just seems to cause problems because they forget, or update piece X and break it, or some other random thing.
-
@jrc said in Virtualizing Smoothwall (edge firewall and content filtering):
Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool, it will be, for the most part stand alone.
As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.
This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.
If you have an iLO or like option on the server, you could make that available either directly to the internet, or through an ER-X that you VPN into. This would require its own IP just for that.