Hey All,
I've never used the built in firewall features on our clusters, so these are probably pretty newbie questions.
Today, we put a pair of HA pfSense firewalls in front of all of our clusters. On these firewalls we bind the public IPs and port forward to containers and VMs that are on private IP address space. The majority of our workloads are all port-NATed inbound, with tons of sessions and about 10Gb/s of constant bi-directional traffic, 24x7x365.
Most VMs are outbound-NATed to share a common IP, but there are a few cases where a certain VM uses a dedicated outbound IP.
For example:
Firewall Public IP port 1234 -> VM1 Private IP 1234
Firewall Public IP port 1235 -> VM2 Private IP 1235
This allows us to migrate a VM to a different node in the cluster without having to touch firewalls on the VM or PVE cluster.
The reason I am looking to possibly change this up is that we are putting a heavy load on the pfSense boxes. Even though they are beefy 24-core R640 machines, they still sit around 70% utilized. No other features are enabled: no IDS/IPS, no FW logging, etc. Basically a giant NAT box.
I'm trying to understand if we can accomplish the same sort of functionality using the built-in PVE cluster-wide firewall rules and bypass the pfSense firewalls. I have also read that Linux kernels are much faster at NATing than the pfSense boxes. We used to run Sophos UTM, which is based on Linux, and the same traffic would barely break a sweat on the Sophos FWs; sadly, Sophos EOL'd the UTM product and I'm not a fan of the replacement options they have.
If it is doable, the FW/Nat rules have to be on the cluster side so I don't have to do those on a per VM or per node basis.
Thank you for any feedback.
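As an added example (this is not part of the original post and not Proxmox's own configuration), here is what the setup described above looks like when the NAT is moved onto a PVE node's own Linux netfilter as an nftables ruleset. One point worth knowing before trying the "cluster-wide firewall rules" route: the Proxmox VE firewall (pve-firewall) is a filtering firewall only and has no NAT rule type, so port forwards and source NAT have to live in the host's own netfilter configuration and be deployed to every node. Everything below that is not in the post is an assumption: the bridge names (vmbr0 public, vmbr1 private), the public addresses 203.0.113.10 and 203.0.113.11 (documentation range), the private network 10.10.0.0/24, and VM1/VM2/VM3 at .11/.12/.13, with VM3 standing in for the "dedicated outbound IP" case.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Interface names and all
# addresses are assumptions:
#   vmbr0 = public-facing bridge, vmbr1 = private VM bridge
#   203.0.113.10 = shared public IP, 203.0.113.11 = dedicated outbound IP for VM3
#   10.10.0.0/24 = private VM network; VM1/VM2/VM3 = .11/.12/.13
define WAN_IF  = "vmbr0"
define LAN_IF  = "vmbr1"
define PUB_IP  = 203.0.113.10
define PUB_IP2 = 203.0.113.11
define LAN_NET = 10.10.0.0/24
define VM1     = 10.10.0.11
define VM2     = 10.10.0.12
define VM3     = 10.10.0.13

# Replace only this table on reload. Do NOT 'flush ruleset' on a PVE host:
# with the iptables-nft backend that also wipes the chains pve-firewall owns.
table ip cluster_nat
delete table ip cluster_nat

table ip cluster_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound: public port -> VM private IP, destination port unchanged
        # (the "port 1234 -> VM1:1234, port 1235 -> VM2:1235" pattern).
        # 'tcp dport' inside the map restricts the rule to TCP.
        iifname $WAN_IF ip daddr $PUB_IP dnat to tcp dport map {
            1234 : $VM1,
            1235 : $VM2
        }
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Dedicated outbound IP for one VM; must precede the catch-all rule.
        oifname $WAN_IF ip saddr $VM3 snat to $PUB_IP2
        # Everyone else on the private network shares the primary public IP.
        # A fixed 'snat to' avoids the per-packet interface-address lookup
        # that 'masquerade' does.
        oifname $WAN_IF ip saddr $LAN_NET snat to $PUB_IP
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # New inbound flows are only allowed if they matched a DNAT entry above.
        iifname $WAN_IF oifname $LAN_IF ct status dnat accept
        # Outbound from the private network.
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept
    }
}
```

Load it with `nft -f <file>` (or install it as `/etc/nftables.conf` and enable the `nftables` service), and set `net.ipv4.ip_forward=1` via sysctl or nothing will be routed. Two caveats for a PVE host: the forward chain here runs in addition to whatever pve-firewall installs on its own FORWARD hook, so a drop in either one wins; and because the public IP has to be bound on the node doing the forwarding, the same file goes onto every node, with the public address moved between nodes by whatever mechanism you already use for HA rather than by the PVE cluster firewall.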