Virtualizing Smoothwall (edge firewall and content filtering)
-
@stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):
It's usually better to keep it on hardware. The host has outside access before the firewall/UTM has any control over the network.
Even if I have multiple interfaces, one that will be dedicated to public/internet and one for internal/management? This seems to boil down to how well the host handles isolation of the traffic, which is probably pretty good I think.
-
@jrc said in Virtualizing Smoothwall (edge firewall and content filtering):
Even if I have multiple interfaces, one that will be dedicated to public/internet and one for internal/management? This seems to boil down to how well the host handles isolation of the traffic, which is probably pretty good I think.
Virtualizing a router is fine. I have done it and know others that have as well. You do not need to worry about host access to the NIC on the WAN side if the host is not configured to use it. That is kind of the point of it.
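One way to check, on a Linux/KVM-style host, that the host really is not configured to use the WAN NIC it hands to the firewall VM. This is an added example, not code from this thread, from Smoothwall, or from any poster. It assumes the WAN NIC is either enslaved to a bridge dedicated to the VM or passed straight through, and it reads the JSON from `ip -j addr show` and `ip -j route show`; the interface names (eno1, eno2, br-wan) and all addresses below are constructed sample data, not a real host.

```python
"""Check that a hypervisor host does not itself use the WAN NIC it gives to the firewall VM.

Added example (not from this thread, and not Smoothwall code). Assumes a Linux
host that wires the WAN NIC either into a bridge dedicated to the firewall VM or
straight through to it, and uses the JSON output of `ip -j addr show` and
`ip -j route show`. Interface names (eno1, eno2, br-wan) and all addresses are
constructed for the sample.
"""
import json
import subprocess
from typing import Optional

# Constructed `ip -j addr show` output: eno2 is the WAN NIC, enslaved to br-wan.
# Neither carries a host address beyond the unavoidable IPv6 link-local one.
SAMPLE_ADDR = json.dumps([
    {"ifname": "lo", "addr_info": [{"family": "inet", "local": "127.0.0.1", "scope": "host"}]},
    {"ifname": "eno1", "addr_info": [
        {"family": "inet", "local": "192.0.2.10", "prefixlen": 24, "scope": "global"},
        {"family": "inet6", "local": "fe80::1", "scope": "link"}]},
    {"ifname": "eno2", "master": "br-wan", "addr_info": [
        {"family": "inet6", "local": "fe80::2", "scope": "link"}]},
    {"ifname": "br-wan", "addr_info": [
        {"family": "inet6", "local": "fe80::3", "scope": "link"}]},
])
# Constructed `ip -j route show` output: the host reaches everything via the LAN side.
SAMPLE_ROUTE = json.dumps([
    {"dst": "default", "gateway": "192.0.2.1", "dev": "eno1"},
    {"dst": "192.0.2.0/24", "dev": "eno1", "scope": "link"},
])

# Constructed misconfiguration: the WAN bridge was given a public address and a
# default route, so the host itself is reachable from outside, bypassing the VM.
BAD_ADDR = json.dumps([
    {"ifname": "eno2", "master": "br-wan", "addr_info": []},
    {"ifname": "br-wan", "addr_info": [
        {"family": "inet", "local": "203.0.113.5", "prefixlen": 24, "scope": "global"}]},
])
BAD_ROUTE = json.dumps([{"dst": "default", "gateway": "203.0.113.1", "dev": "br-wan"}])


def bridge_of(addr_json: str, wan_if: str) -> Optional[str]:
    """Return the bridge the WAN NIC is enslaved to, if any (the `master` field)."""
    for link in json.loads(addr_json):
        if link.get("ifname") == wan_if:
            return link.get("master")
    return None


def wan_addresses(addr_json: str, wan_if: str) -> list:
    """Addresses the host holds on the WAN NIC or its bridge, as 'ifname:addr'.
    IPv6 link-local entries are skipped: the kernel adds one to every interface
    that is up, and they are not routable from the internet."""
    targets = {wan_if, bridge_of(addr_json, wan_if)} - {None}
    found = []
    for link in json.loads(addr_json):
        if link.get("ifname") not in targets:
            continue
        for a in link.get("addr_info", []):
            if a.get("scope") == "link":
                continue
            found.append(f"{link['ifname']}:{a['local']}")
    return sorted(found)


def wan_routes(route_json: str, wan_if: str, bridge: Optional[str]) -> list:
    """Destinations the host routes out of the WAN NIC or its bridge."""
    devs = {wan_if, bridge} - {None}
    return [r.get("dst") for r in json.loads(route_json) if r.get("dev") in devs]


def audit(addr_json: str, route_json: str, wan_if: str) -> dict:
    """Summarise whether the host has any foothold of its own on the WAN side."""
    bridge = bridge_of(addr_json, wan_if)
    addrs = wan_addresses(addr_json, wan_if)
    routes = wan_routes(route_json, wan_if, bridge)
    return {"bridge": bridge, "addresses": addrs, "routes": routes,
            "host_uses_wan": bool(addrs or routes)}


def run_ip(*args: str) -> str:
    """Run `ip -j ...` on the live host; fall back to the constructed sample if unavailable."""
    try:
        return subprocess.run(["ip", "-j", *args], check=True,
                              capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_ADDR if args[0] == "addr" else SAMPLE_ROUTE


if __name__ == "__main__":
    import sys
    wan = sys.argv[1] if len(sys.argv) > 1 else "eno2"  # WAN NIC name is an assumption
    report = audit(run_ip("addr", "show"), run_ip("route", "show"), wan)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["host_uses_wan"] else 0)
```

Run it on the host with the WAN NIC name as the argument; a non-zero exit means the host holds an address or a route on the WAN side, which is exactly the exposure the first reply was worried about, and the fix is to strip that address or route from the host and leave the NIC (or its bridge) purely as the VM's uplink. If the NIC is passed through to the VM with VFIO it disappears from the host's link list altogether, and the check reports nothing, which is the cleanest outcome.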
-
@JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):
Virtualizing a router is fine. I have done it and know others that have as well. You do not need to worry about host access to the NIC on the WAN side if the host is not configured to use it. That is kind of the point of it.
I was always under this impression, but Scott made it sound like this wasn't recommended. I had done this until a while ago when he said that.
-
@stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):
I was always under this impression, but Scott made it sound like this wasn't recommended. I had done this until a while ago when he said that.
It depends on your needs. The OP needs a beefy edge device because of the use case. There is not a problem with virtualizing it on the current hardware as long as he still gets the performance he needs.
What is recommended against by me (I do not recall what @scottalanmiller said that you are referencing), is to never try to virtualize your router on your standard production hypervisor. This is because you have no access to anything if it goes down. That is a bad place to be in.
-
@JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):
It depends on your needs. The OP needs a beefy edge device because of the use case. There is not a problem with virtualizing it on the current hardware as long as he still gets the performance he needs.
What is recommended against by me (I do not recall what @scottalanmiller said that you are referencing), is to never try to virtualize your router on your standard production hypervisor. This is because you have no access to anything if it goes down. That is a bad place to be in.
Ok I'll go back to using that as an option then. It's nice to be able to scale the router up as needed (within the host limits of course).
Here is what I was referencing:
-
@stacksofplates said in Virtualizing Smoothwall (edge firewall and content filtering):
Ok I'll go back to using that as an option then. It's nice to be able to scale the router up as needed (within the host limits of course).
Here is what I was referencing:
He specifically mentions this use case as acceptable. A one to one dedicated piece of hardware.
-
@JaredBusch said in Virtualizing Smoothwall (edge firewall and content filtering):
He specifically mentions this use case as acceptable. A one to one dedicated piece of hardware.
Ah, I misunderstood what that meant. When we had that discussion that is how I had it set up, but somehow thought he meant something else.
-
Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool, it will be, for the most part stand alone.
As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.
This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.
-
@jrc said in Virtualizing Smoothwall (edge firewall and content filtering):
Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool, it will be, for the most part stand alone.
As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.
This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.
Correct, but when people put these on the main hypervisor, it just seems to cause problems because they forget, or update piece X and break it, or some other random thing.
-
@jrc said in Virtualizing Smoothwall (edge firewall and content filtering):
Yeah, this will be a dedicated piece of hardware with the hypervisor on it and just a single VM, the Smoothwall install. Nothing else, and it will not be tied into my existing pool, it will be, for the most part stand alone.
As to the point of no access if things go down, I don't see that as a major issue, because if things go down like that, then I will need to be on site, in which case I would have physical access to the server and will then be able to fix it from there if needed.
This device is how my network is connected to the internet, so if it goes down I have zero remote access, with or without it being virtualized.
If you have an iLO or similar option on the server, you could make that available either directly to the internet, or through an ER-X that you VPN into. This would require its own IP just for that.