Re: Using a separate router other than the virtual router

2024-05-29 Thread Wei ZHOU
Indeed, some features are missing in the VR.

If you have another public IP range available, I would suggest:
- create a shared network with the public IPs
- create a pfSense VM with WAN on the shared network and LANs on an L2/isolated
network
- configure DHCP/DNS in the pfSense VM if needed.

If you want to use port forwarding or a load balancer, you can create rules
in pfSense manually.
If you want to use DNAT, add a secondary IP on the shared network to the
pfSense VM, then configure 1:1 NAT in the pfSense VM.

We have a plan to support VNF providers and replace the VR with a VNF appliance so
that some services can be configured automatically. However, it highly
depends on the API/CLI of the software. The pfSense API is not very good.

-Wei

On Wednesday, May 29, 2024, Marty Godsey  wrote:

> The VR works fine as a basic NATing firewall, but you can't do advanced
> next-gen functions like reverse proxies, SSL offloading, robust rule sets,
> IDS/IPS, etc.
>
> I have been setting it up manually. The other way is to have the users
> create their VR but then do a 1to1 NAT or a port forward of all ports to
> the virtual pfsense. The “WAN” of the pfsense sits in an isolated subnet.
> This does use another VLAN for the “WAN” network and is technically double
> NATing, but it works fine. I don’t think it scales the best, though, and
> may change it in the future.
>
> From: Wei ZHOU 
> Date: Wednesday, May 29, 2024 at 3:18 PM
> To: users@cloudstack.apache.org 
> Subject: Re: Using a separate router other than the virtual router
>
>
> I know some users deploy a pfSense or Linux VM as gateway in an L2 network or
> isolated network without source NAT.
> No matter which software/OS is used, users have to configure the VMs
> manually. Some features (e.g. static NAT, PF, LB, userdata) are not supported
> either.
> I think the VR is still the best option with the most supported services so far.
> What is the purpose of the router? Gateway or other service provider?
>
> -Wei
>
> On Wednesday, May 29, 2024, Marty Godsey  wrote:
>
> > Hello All,
> >
> > What is the best way, or how are you providing a router for customers that
> > is not a virtual router? For example, if I have someone who wants to use
> > PfSense for their router instead of the virtual router, what’s the best way
> > to do this and make it as seamless as possible for the customer?
> >
> > I can see ways to do it, but I am curious to know how other people perform
> > this function.
> >
> > Thanks in advance. 
> >
>
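As an added illustration of the recipe in Wei's reply (shared network for the pfSense WAN, L2/isolated network for the LAN, the VM on both, a secondary WAN IP for 1:1 NAT), here is an offline builder for the CloudStack API calls involved. This is example code, not from the thread or the CloudStack project; it assumes the documented CloudStack request-signing scheme (sorted, lower-cased query string, HMAC-SHA1, base64), and every ID, key and address in it is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

API_KEY = "EXAMPLE-API-KEY"        # placeholder, not a real key
SECRET_KEY = "EXAMPLE-SECRET-KEY"  # placeholder, not a real key


def sign(params, secret=SECRET_KEY):
    """CloudStack signature: HMAC-SHA1 over the sorted, lower-cased query string."""
    canonical = "&".join(
        "%s=%s" % (k.lower(), quote(str(v), safe="*").lower())
        for k, v in sorted(params.items(), key=lambda kv: kv[0].lower())
    )
    digest = hmac.new(secret.encode(), canonical.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(command, **params):
    """Assemble one signed API query as a dict; nothing is sent anywhere."""
    params = {"command": command, "apikey": API_KEY, "response": "json", **params}
    params["signature"] = sign(params)
    return params


def pfsense_gateway_plan(zone_id, shared_offering_id, isolated_offering_id,
                         service_offering_id, pfsense_template_id,
                         wan_range=("10.99.0.1", "255.255.255.0", "10.99.0.10", "10.99.0.250"),
                         wan_vlan="100"):
    """The call sequence behind the reply: WAN shared net, LAN isolated net, VM on both."""
    gateway, netmask, start_ip, end_ip = wan_range   # constructed sample public range
    return [
        # 1. shared network carrying the spare public range (becomes the pfSense WAN)
        build_request("createNetwork", zoneid=zone_id, networkofferingid=shared_offering_id,
                      name="pfsense-wan", displaytext="public range for pfSense WAN",
                      gateway=gateway, netmask=netmask, startip=start_ip, endip=end_ip,
                      vlan=wan_vlan),
        # 2. isolated network for the tenant LAN; the offering should carry no SourceNat
        build_request("createNetwork", zoneid=zone_id, networkofferingid=isolated_offering_id,
                      name="tenant-lan", displaytext="tenant LAN behind pfSense"),
        # 3. pfSense VM with a NIC on each; the first id listed becomes the default NIC,
        #    so the WAN network goes first (placeholders stand in for the ids from steps 1-2)
        build_request("deployVirtualMachine", zoneid=zone_id, serviceofferingid=service_offering_id,
                      templateid=pfsense_template_id, name="pfsense-gw",
                      networkids="WAN_NET_ID,LAN_NET_ID"),
        # 4. secondary IP on the WAN NIC, the address the 1:1 NAT rule in pfSense will use
        build_request("addIpToNic", nicid="WAN_NIC_ID", ipaddress="10.99.0.11"),
    ]
```

The port-forwarding, load-balancer and 1:1 NAT rules themselves still have to be created inside pfSense, as the reply notes.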


Re: Using a separate router other than the virtual router

2024-05-29 Thread Marty Godsey
The VR works fine as a basic NATing firewall, but you can't do advanced 
next-gen functions like reverse proxies, SSL offloading, robust rule sets, 
IDS/IPS, etc.

I have been setting it up manually. The other way is to have the users create 
their VR but then do a 1to1 NAT or a port forward of all ports to the virtual 
pfsense. The “WAN” of the pfsense sits in an isolated subnet.  This does use 
another VLAN for the “WAN” network and is technically double NATing, but it 
works fine. I don’t think it scales the best, though, and may change it in the 
future.

From: Wei ZHOU 
Date: Wednesday, May 29, 2024 at 3:18 PM
To: users@cloudstack.apache.org 
Subject: Re: Using a separate router other than the virtual router


I know some users deploy a pfSense or Linux VM as gateway in an L2 network or
isolated network without source NAT.
No matter which software/OS is used, users have to configure the VMs
manually. Some features (e.g. static NAT, PF, LB, userdata) are not supported
either.
I think the VR is still the best option with the most supported services so far.
What is the purpose of the router? Gateway or other service provider?

-Wei

On Wednesday, May 29, 2024, Marty Godsey  wrote:

> Hello All,
>
> What is the best way, or how are you providing a router for customers that
> is not a virtual router? For example, if I have someone who wants to use
> PfSense for their router instead of the virtual router, what’s the best way
> to do this and make it as seamless as possible for the customer?
>
> I can see ways to do it, but I am curious to know how other people perform
> this function.
>
> Thanks in advance. 
>


Re: Using a separate router other than the virtual router

2024-05-29 Thread Wei ZHOU
I know some users deploy a pfSense or Linux VM as gateway in an L2 network or
isolated network without source NAT.
No matter which software/OS is used, users have to configure the VMs
manually. Some features (e.g. static NAT, PF, LB, userdata) are not supported
either.
I think the VR is still the best option with the most supported services so far.
What is the purpose of the router? Gateway or other service provider?

-Wei

On Wednesday, May 29, 2024, Marty Godsey  wrote:

> Hello All,
>
> What is the best way, or how are you providing a router for customers that
> is not a virtual router? For example, if I have someone who wants to use
> PfSense for their router instead of the virtual router, what’s the best way
> to do this and make it as seamless as possible for the customer?
>
> I can see ways to do it, but I am curious to know how other people perform
> this function.
>
> Thanks in advance. 
>


Re: Using a separate router other than the virtual router

2024-05-29 Thread Jimmy Huybrechts
Hi,

I would give the customer his own VLAN for this, or two in case they need public 
and private.

--
Jimmy

From: Marty Godsey 
Date: Wednesday, 29 May 2024 at 19:33
To: users@cloudstack.apache.org 
Subject: Using a separate router other than the virtual router
Hello All,

What is the best way, or how are you providing a router for customers that is 
not a virtual router? For example, if I have someone who wants to use PfSense 
for their router instead of the virtual router, what’s the best way to do this 
and make it as seamless as possible for the customer?

I can see ways to do it, but I am curious to know how other people perform this 
function.

Thanks in advance. 