    Virtualizing Smoothwall (edge firewall and content filtering)

    IT Discussion
    • jrc

      This box is our firewall, heuristic content filtering, internet traffic logging (by user and by client) and UTM for around 3500 devices, so yeah I need the power and RAM for what it does. https://us.smoothwall.com/web-filtering/ for more info on all it does.

      We rely on quite a few internet-based services, and if this box goes down it is extremely disruptive. And the benefits I'd get from virtualizing are immense for this purpose. Being able to minimize my downtime via snapshots and/or migration between hosts of different hardware profiles are not things that I can easily dismiss. And then there is the fringe benefit of being able to export a snapshot, throw it onto a test server and then be able to thoroughly test updates and config changes, which is a pretty big one too.

      So I guess what I am trying to work out is whether the tradeoffs are worth it.

      • jrc @stacksofplates

        @stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):

        It's usually better to keep it on hardware. The host has outside access before the firewall/UTM has any control over the network.

        Even if I have multiple interfaces, one that will be dedicated to public/internet and one for internal/management? This seems to boil down to how well the host handles isolation of the traffic, which is probably pretty good I think.

        • JaredBusch @jrc

          @jrc said in Virtualizing Smoothwall (edge firewall and content filtering):

          Even if I have multiple interfaces, one that will be dedicated to public/internet and one for internal/management? This seems to boil down to how well the host handles isolation of the traffic, which is probably pretty good I think.

          Virtualizing a router is fine. I have done it and know others that have as well. You do not need to worry about host access to the NIC on the WAN side if the host is not configured to use it. That is kind of the point of it.

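As an added example that is not part of this thread or of Smoothwall, a small POSIX shell audit for JaredBusch's point above: on a Linux hypervisor host, the WAN-side bridge should carry only the firewall VM's traffic, with no routable host address on it and no host default route leaving through it. The bridge names br-wan and br-mgmt are assumptions, as are the sample `ip` outputs, which are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Linux hypervisor host so that
# the WAN-facing bridge carries only the firewall VM's traffic and the host
# itself has no routable address or default route on it. Assumed names:
# bridge "br-wan" (WAN side) and "br-mgmt" (internal/management side).

# 0 if the `ip -o addr show dev <if>` text holds any global-scope address
# (the host is reachable from the untrusted side), 1 otherwise.
wan_has_global_addr() {
    printf '%s\n' "$1" | awk '/scope global/ { found = 1 }
                              END { exit (found ? 0 : 1) }'
}

# 0 if the `ip route show default` text routes the host's own traffic out
# of the named interface, 1 otherwise.
default_route_via() {
    printf '%s\n' "$2" | awk -v dev="$1" '$0 ~ ("dev " dev "( |$)") { hit = 1 }
                                          END { exit (hit ? 0 : 1) }'
}

# Constructed samples: a misconfigured host and a correctly isolated one.
BAD_ADDR='3: br-wan    inet 203.0.113.10/24 brd 203.0.113.255 scope global br-wan\       valid_lft forever preferred_lft forever
3: br-wan    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'
GOOD_ADDR='3: br-wan    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'
BAD_ROUTE='default via 203.0.113.1 dev br-wan'
GOOD_ROUTE='default via 192.0.2.1 dev br-mgmt'

# Live audit on the hypervisor (run as root); returns 1 on any exposure.
audit_host() {
    wan=${1:-br-wan}; rc=0
    addrs=$(ip -o addr show dev "$wan") || return 2
    routes=$(ip route show default)
    if wan_has_global_addr "$addrs"; then
        echo "FAIL: host holds a routable address on $wan"; rc=1
    fi
    if default_route_via "$wan" "$routes"; then
        echo "FAIL: host default route leaves via $wan"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: host has no L3 presence on $wan"
    return "$rc"
}
```

Call `audit_host br-wan` on the host itself; the two helper functions can also be run against saved `ip` output from another box.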
          • stacksofplates @JaredBusch

            @JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):

            Virtualizing a router is fine. I have done it and know others that have as well. You do not need to worry about host access to the NIC on the WAN side if the host is not configured to use it. That is kind of the point of it.

            I was always under this impression, but Scott made it sound like this wasn't recommended. I had done this until a while ago when he said that.

            • JaredBusch @stacksofplates

              @stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):

              I was always under this impression, but Scott made it sound like this wasn't recommended. I had done this until a while ago when he said that.

              It depends on your needs. The OP needs a beefy edge device because of the use case. There is not a problem with virtualizing it on the current hardware as long as he still gets the performance he needs.

              What is recommended against by me (I do not recall what @scottalanmiller said that you are referencing), is to never try to virtualize your router on your standard production hypervisor. This is because you have no access to anything if it goes down. That is a bad place to be in.

              • stacksofplates @JaredBusch

                @JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):

                It depends on your needs. The OP needs a beefy edge device because of the use case. There is not a problem with virtualizing it on the current hardware as long as he still gets the performance he needs.

                What is recommended against by me (I do not recall what @scottalanmiller said that you are referencing), is to never try to virtualize your router on your standard production hypervisor. This is because you have no access to anything if it goes down. That is a bad place to be in.

                Ok I'll go back to using that as an option then. It's nice to be able to scale the router up as needed (within the host limits of course).

                Here is what I was referencing :

                [attached screenshot: 0_1486693017294_IMG_0008.PNG]

                • JaredBusch @stacksofplates

                  @stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):

                  Ok I'll go back to using that as an option then. It's nice to be able to scale the router up as needed (within the host limits of course).

                  Here is what I was referencing:

                  [attached screenshot: 0_1486693017294_IMG_0008.PNG]

                  He specifically mentions this use case as acceptable. A one to one dedicated piece of hardware.

                  • stacksofplates @JaredBusch

                    @JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):

                    He specifically mentions this use case as acceptable. A one to one dedicated piece of hardware.

                    Ah, I misunderstood what that meant. When we had that discussion that is how I had it set up, but somehow thought he meant something else.

                    • jrc

                      Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool; it will be, for the most part, stand-alone.

                      As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.

                      This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.

                      • JaredBusch @jrc

                        @jrc said in Virtualizing Smoothwall (edge firewall and content filtering):

                        Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool; it will be, for the most part, stand-alone.

                        As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.

                        This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.

                        Correct, but when people put these on the main hypervisor, it just seems to cause problems because they forget, or update piece X and break it, or some other random thing.

                        • Dashrender @jrc

                          @jrc said in Virtualizing Smoothwall (edge firewall and content filtering):

                          Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool; it will be, for the most part, stand-alone.

                          As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.

                          This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.

                          If you have an iLO or similar option on the server, you could make that available either directly to the internet, or through an ER-X that you VPN into. This would require its own IP just for that.
