CCI-MOC / ops-issues


Buy Network Firewall for ESI core network #995

Closed hakasapl closed 1 year ago

hakasapl commented 1 year ago

Could we buy 1x of these netgate firewalls: https://shop.netgate.com/products/1541-max-pfsense?variant=32156884369523

Should be the 32G config with the 4x SFP+ addon card.

joachimweyl commented 1 year ago

Blocked on having a meeting with Scott

taramoran commented 1 year ago

@joachimweyl to confirm, I shouldn't order until you all meet with Scott?

joachimweyl commented 1 year ago

Correct. @msdisme would like to meet with Scott first. The meeting is scheduled for the 23rd.

msdisme commented 1 year ago

@hakasapl MAX or RAID model? plan to use pfsense or TAC?

hakasapl commented 1 year ago

Didn't realize there was a raid model. Let's do these parameters:

This link should get you to that config: https://shop.netgate.com/products/1541-raid-pfsense?variant=39280942743667

msdisme commented 1 year ago

Fundamentally all agree - we should do this. I want to figure out timing based on when we have enough credits with Flax vs. straight purchase - will discuss with @neclinton Monday morning

msdisme commented 1 year ago

Order placed - moving to in review till it gets here: Netgate ORDER SO23-95568

hakasapl commented 1 year ago

Purchased and arrived

naved001 commented 3 weeks ago

@hakasapl maybe I am little to ask this, but did we only order a single firewall? I have been reading up on their documentation, and apparently we can run a pair of these for high availability. Now, I don't see that specific model available to purchase, and their documentation says that for an HA configuration the hardware must match (though I am seeing if there are workarounds).

hakasapl commented 3 weeks ago

@naved001 We only bought one, but adding another will always be possible. The software itself doesn't even need to support HA if all we're looking for is redundancy and not more bandwidth (which I think is the case for public networks). In that case we would have both firewalls peer with a provider and set up VRRP on either the firewalls or the adjacent switch, which will give us the redundancy.

Since the software supports HA too we can likely do more fancy things like HA vpn and such, but the most important requirement of HA public networks can be fulfilled without the firewalls necessarily supporting it.
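The redundancy arrangement described in the comment above, shown as an added keepalived VRRP configuration for the firewall-side option. This is an illustration added here, not configuration from the project or from Netgate; the interface name (`ix0`), the virtual router ID (`51`), the shared public address (`203.0.113.1/29`, a documentation-range placeholder), and the peer authentication string are all assumptions. pfSense's own HA feature is built on CARP plus pfsync and configuration sync rather than keepalived, so this file stands in for whichever VRRP/CARP implementation the team ends up running; the shape of the decision (one shared address, a priority per node, preemption, a health check on the upstream path) is the same.

```conf
# keepalived.conf on the PRIMARY firewall (assumed names/addresses; constructed example)
# The BACKUP node uses the same file with state BACKUP and priority 100.

# Health check: drop the priority if the upstream-facing daemon is unhealthy,
# so failover is driven by real reachability, not only by the node being powered on.
vrrp_script chk_upstream {
    script "/usr/local/sbin/check_upstream.sh"   # assumed helper; exit 0 = healthy
    interval 2          # seconds between checks
    fall 2              # failures before the node is marked down
    rise 2              # successes before it is marked up again
    weight -60          # subtract from priority while failing (150 -> 90, below the backup's 100)
}

vrrp_instance VI_PUBLIC {
    state MASTER                  # BACKUP on the second firewall
    interface ix0                 # assumed SFP+ interface facing the provider
    virtual_router_id 51          # assumed; must match on both nodes and be unique on the segment
    priority 150                  # BACKUP node uses 100
    advert_int 1                  # VRRP advertisement interval in seconds
    preempt                       # primary reclaims the VIP once it is healthy again

    # Shared secret so a stray or rogue advertisement on the segment cannot
    # take over the virtual address (VRRP auth is weak; also filter VRRP at the switch).
    authentication {
        auth_type PASS
        auth_pass REPLACE_ME      # placeholder, not a real secret
    }

    # The single address the provider and downstream hosts see. Whichever
    # firewall holds it answers ARP for it; the peer takes it over on failure.
    virtual_ipaddress {
        203.0.113.1/29 dev ix0    # assumed documentation-range address
    }

    track_script {
        chk_upstream
    }
}
```

Two points worth checking in any real deployment: the `virtual_router_id` must not collide with another VRRP or CARP group on the same L2 segment, and the VRRP multicast/advertisement traffic (IP protocol 112) has to be permitted between the two nodes but blocked from everything else on that VLAN, otherwise an unrelated host can inject advertisements and claim the address.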

naved001 commented 3 weeks ago

@hakasapl okay, ultimately I'd like to use the firewalls for NAT for some internal networks, and run a VPN to access various IPMI networks as well.

hakasapl commented 3 weeks ago

@naved001 yeah makes sense. I guess we're blocked on BU network for that still but I will circle back