Posted to users@cloudstack.apache.org by Vivek Kumar <vi...@indiqus.com> on 2020/04/29 19:38:37 UTC

Pfsense like external firewall with CloudStack

Hello Folks, 

Has anyone ever tried to deploy pfSense or any other virtual firewall appliance under a VPC to extend the security features? Let's say I want to use site-to-site between my tiers and a remote destination and I don't want to use the VR for site-to-site. Has someone tried that scenario?

Let me give a use case. I have a VPC with multiple tiers and VMs running. I am using an old version of CloudStack, 4.7.1 with XenServer 7.0, in which we don't have options like IKE Hash SHA256/384/512 (and the same for ESP Hash) or IKE DH group 14/15/16 (which are available in 4.13). So I want to establish a site-to-site using these security parameters, which don't exist in my version of CloudStack. Is there any way to achieve it on my older version? So I wanted to check if someone has worked on this scenario and used any third-party firewall appliance.



Vivek Kumar



RE: Pfsense like external firewall with CloudStack

Posted by Alex Mattioli <Al...@shapeblue.com>.
Hi Vivek,
You mean that you want the virtual appliance to be in a network in one of the VPC tiers?
If so, I am not sure how that would work; maybe StaticNAT works, but your routing will be quite messy. I always placed the FW virtual appliance in a Guest Network by itself and set that to be on the same VLAN as the Private Gateway.
Cheers,

Alex

Alex.Mattioli@shapeblue.com 
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG, UK
@shapeblue

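As an added example (not code from this thread, from CloudStack or from pfSense), here are the two CloudStack API calls behind the layout Alex describes: a Private Gateway for the VPC on the firewall's VLAN, and a static route that sends the remote site's subnet to the firewall's inside address. All keys, the endpoint and the addresses are constructed placeholders; the request signing follows CloudStack's documented scheme (sort by key, URL-encode, lowercase, HMAC-SHA1, base64).

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlencode

# Constructed placeholder credentials and endpoint (not real values).
API_KEY = "EXAMPLE-API-KEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY"
ENDPOINT = "https://cloudstack.example.invalid/client/api"  # hypothetical


def canonical_string(params: dict) -> str:
    """CloudStack signing string: key-sorted, URL-encoded, then lowercased."""
    parts = [f"{k}={quote(str(v), safe='*')}" for k, v in sorted(params.items())]
    return "&".join(parts).lower()


def sign(params: dict, secret: str) -> str:
    """HMAC-SHA1 over the canonical string, base64-encoded (28 chars)."""
    digest = hmac.new(secret.encode(), canonical_string(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_url(command: str, secret: str = SECRET_KEY, **kwargs) -> str:
    """Full GET URL for one API command, signed with the account's secret key."""
    params = {"command": command, "apikey": API_KEY, "response": "json", **kwargs}
    params["signature"] = sign(params, secret)
    return f"{ENDPOINT}?{urlencode(params)}"


def private_gateway_request(vpcid: str, vlan: str, ipaddress: str, gateway: str, netmask: str) -> str:
    """Private Gateway: the VPC VR gets `ipaddress` on the firewall's VLAN,
    with `gateway` being the firewall's inside interface (the next hop)."""
    return signed_url("createPrivateGateway", vpcid=vpcid, vlan=vlan,
                      ipaddress=ipaddress, gateway=gateway, netmask=netmask)


def static_route_request(gatewayid: str, cidr: str) -> str:
    """Static route: traffic from the tiers to the remote site's `cidr` leaves the
    VPC through the private gateway whose id came back from the call above."""
    return signed_url("createStaticRoute", gatewayid=gatewayid, cidr=cidr)
```

The firewall itself then terminates the site-to-site tunnel with whatever IKE/ESP proposals it supports, so the VPC's own VR never has to offer them.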

Re: Pfsense like external firewall with CloudStack

Posted by Vivek Kumar <vi...@indiqus.com>.
Hello Alex,

Thanks for the response.

I have implemented the second case multiple times, when I create s2s between my firewall and the end customer's device and then extend the connectivity from the firewall to the VR via Private Gateway, and that works pretty perfectly. But in this particular case we can't use the firewall, so that's why I wanted to use a virtual appliance under a VPC which can give me an alternative. So how do we achieve the connectivity of the virtual appliance, since the tier will use the private subnet? If I use Static NAT with pfSense, will it work? Because in pfSense it will always be identified as a private IP.


Vivek Kumar




RE: Pfsense like external firewall with CloudStack

Posted by Alex Mattioli <Al...@shapeblue.com>.
Hi Vivek,
I've actually done exactly that with both PaloAlto and Checkpoint firewalls. In one case I created the VPC with a "public" IP in the same network as the FW's Inside interface, which is a bit too much work to be honest (and can get messy).
In another case, in a POC, I just used the VPC's Private Gateway function to connect it to the FW, which could then be either physical or virtual.

Cheers,
Alex Mattioli

Alex.Mattioli@shapeblue.com 
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG, UK
@shapeblue