Channel: pfSense

PFSense 2: Firewall GUI workarounds / suggestions


At the moment I am setting up an internal routing infrastructure for the small university I work at. We have about 10-15 VLANs and a strong need to separate those (public student's network vs management, etc). As solutions to the problem I looked at the free version of Astaro / Sophos UTM and PFSense.

As the budget is tight I cannot afford the "Network Security" subscription fee Sophos charges annually and therefore features such as HA and even processing on multiple CPU cores are deactivated. I am really in love with the GUI of Sophos, though. It's very intuitive and even fun to build firewall rules with that thing. It is so intuitive and friendly on the eye that I can hands down throw out the firewall documentation altogether because it is self documenting (grouping of rules, possibility of commenting, rules are numbers). Alas, I can't use it because the feature set of the free edition is a big hindrance.

PFSense on the other hand - meh. Very sluggish, workflow is cumbersome, you cannot define services but only port aliases, no overview of all the rules you define, etc. The binding of rules to NIC interfaces and floating rules is a mess. It does the job, but it seems it's optimized for usage in edge firewall scenarios with few internal networks where it actually makes sense to bind rules to a specific NIC. I however need a GUI that allows for lots and lots of rules that match multiple NIC interfaces (all internal networks may connect to a central DHCP server for example).

- Any suggestions on how to make better use of PFSense? I was thinking of something in the direction of FWBuilder http://www.fwbuilder.org/ where you define the FW rules outside of the regular GUI.
- How do you document your firewall rules? How do you keep it manageable?
- Or maybe you know an alternative to PFSense?

I'd be glad for suggestions. I believe PFSense will become quite a maintenance problem when the number of rules starts to grow?

