pfsense on watchguard

Where there’s smoke…

As you folks have read, I am using a WatchGuard XTM 5 Series as a hardware firewall running pfsense. After running this in production for quite a while now I have come to the conclusion that I can really, really recommend this setup. It is rock solid and works like a charm. It has nothing to fear from any of the commercial high-end (and high-cost) appliances out there.

Quick disclaimer: This howto is intended for the seasoned SysAdmin. There is no hand-holding on installing pfsense or on how to install or remove hardware. You'll only get the pointers in this howto. I doubt beginners will buy and maintain hardware firewalls. Also, this will void your warranty. But since the XTM5 is legacy hardware anyway, you probably are not covered by any warranty anyway.

Not only does this run pfsense without major modifications, it is also highly mod-able with lots of goodness. The default configuration of the XTM5 is as follows:

  • Celeron 440 2GHz CPU
  • 1 GB of RAM
  • 1x 100 Mbit port
  • 6x 1 Gbit port
  • Onboard CF card slot

…There’s fire

By default the XTM boots from its internal CF card, onto which you could flash pfsense. But we do not want an amateur-level firewall, we want a real, trusted one. Before we get into modding the XTM, let me share a word of advice regarding which model you want to get your hands on. You want an XTM 5 Series, period. The Series 5 itself comes in several models:


Datacenter move completed

Hey folks,

during the past 30 days we moved all the hardware to a different data center (and provider). We tried to make the migration as seamless as possible, but at some point everyone got hurt in the process.

Regarding IP ranges

Our new IP ranges are as follows:

IPv6: 2a01:1f8:2000::/48

Wait, IPv6? That's right: we moved all servers to use IPv6 as their primary address, with a fallback to IPv4 if needed. We also have some (minor) servers running IPv6 only; but fear not, no production servers. You do not need to change anything on your end.

While on the matter of redoing the entire thing, I bought a new firewall, a WatchGuard XTM5 (I upgraded the rather weak Celeron CPU to an Intel Core2Duo E5700 and increased the memory to 4 GB). This is, for a firewall, beyond anything you can imagine. It's also fancy red, looking awfully sexy for a firewall (in my techie opinion).

The firewall is running pfsense now, running (among other things) GeoIP blocking (no more Nigerian spam), Snort (with subscription) and several other things. Even at full usage of the uplink port the CPU of the firewall does not exceed 70%, and no packets are dropped.

Beware the dog! If your computer is doing an aggressive port scan or some other nasty thing, you will be blocked off the network for 1 hour. If you get bitten by accident, please contact me (see above) after the block is lifted, giving me your IP. I will look up the logs and adjust the firewall accordingly.

Regarding Power

I also picked up another server, a used SuperMicro with 16 CPUs and 24 GB of RAM. Not much, but the 4x 4 TB hard disks make it a great server to use for backups. For the most part it is identical to the main server: two power supplies, hardware RAID doing RAID10, IPMI et al. In a worst-case scenario this server can run most of the important servers, just as the main server does.

Regarding Backups

All your files, emails and whatnot hosted on this network are secured by hourly backups with Bareos, whose data is stored on the other hardware. Daily backups are done and moved off-site, and weekly dumps of all hardware go to an encrypted hardware disk. This means that if there is a catastrophic hardware failure, the other server can (for the most part) pick up the load. If a plane crashes into the data center, the off-site data will still be available. If some freak software bug arises that wipes all the XenServers clean, we have locally attached backups and can get back online in a jiffy.
Bottom line: your data is pretty much safe.

Sorry about the downtimes in the past 30 days. I hope your endurance paid off!