Hi Sai,

Thanks for your advice. I think I will probably take your advice for the load balancer implementation. Thanks a lot!

Have a good day!

From: CE Ang

--- sai <[EMAIL PROTECTED]> wrote:

> My preferred solution would be Internet --> pfSense ---->LAN/DMZ, but I think the main problem you have is the migration of a live network.
>
> You could have the OpenVPN work on pfSense. Also it can do all the NAT stuff. Adding the Netscreen and IPCop will only make the network more complicated without making it more secure, IMHO. However, you know your circumstances better.
>
> If you are new to IPCop and pfSense then I would suggest that you focus on one distro - go for IPCop or go for pfSense. Learning about both on a live production network is not going to help you sleep at night.
>
> pfSense is much newer than IPCop but the vision of the developers is amazing. There are rough edges here, but it's a really great product. I would suggest that you dump the IPCop and go for the pfSense. You will learn a lot more and end up with a much more powerful firewall.
>
> What I usually do is install pfSense but keep the old firewall around. If the net admin sees a problem then he can put the old firewall back in again just by switching cables. There are almost always problems because this is the nature of networking, but you should be able to cope because the pfSense is REALLY excellent.
>
> sai
>
> On 1/30/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> >
> > Hi Sai,
> >
> > Do you have any other recommendation for a better solution? Please advise.
> >
> > Thank you.
> >
> > From: CE Ang
> >
> > > ----- Original Message -----
> > > From: AngChorEng
> > > To: support@pfsense.com
> > > Sent: Monday, January 29, 2007 3:51 PM
> > > Subject: Fw: [pfSense Support] Pfsense load balancer and fail over for outgoing traffic
> > >
> > > Hi Sai,
> > >
> > > Yes, from Internet --> pfSense ----> Netscreen ----> Lan, DMZ.
> > >
> > > For the DMZ internal server, it is still ok to use a static route. The traffic can be routed in using only one layer of port mapping from pfSense instead of two layers of port mapping. However, for the LAN, a static route is not recommended because port mapping is still preferred for security concerns; please correct me if I am wrong.
> > >
> > > My main concern is, I do have one OpenVPN server (IPCop) sitting after the Netscreen firewall which is using the port mapping method; the authentication takes place after going through the Netscreen with allow port 1194. Let me explain my existing scenario and workflow: from Internet --> pfSense ----> Netscreen ----> Cisco core switch 4507R ------> VLAN server farm (IPCop OpenVPN). It is how my remote users like senior managers and the CEO get access to company resources. Below are the options for your review:
> > >
> > > Solution 1) Actually, I am thinking to replace my Netscreen firewall with IPCop (we call it IPCop A), and migrate the existing OpenVPN policy from the box to IPCop A; that would be centralized as a whole, with the new workflow: from Internet --> pfSense ----> IPCop A plus OpenVPN ---------> LAN in multi VLAN.
> > >
> > > Solution 2) Alternatively, pfSense ----> Netscreen ----> Cisco core switch --------> VLAN server farm (OpenVPN), but it requires two layers of port mapping.
> > >
> > > Solution 3) pfSense -------> pfSense with OpenVPN -------> LAN in multi VLAN.
> > >
> > > If I pick solution 2, that would be easier for the implementation; I still can sustain the Netscreen and OpenVPN box and just concentrate on pfSense in the front end and port mapping. But what is the impact of two layers of port mapping? The reason is, migrating the OpenVPN policy and replacing a firewall is a nightmare. Now, I am struggling with the implementation of pfSense because of the impact reflected on the whole network infrastructure. Please advise me if I am wrong.
> > >
> > > Please let me know if I am confusing you; I can explain it in more detail. Thank you.
> > >
> > > From: CE Ang
> > >
> > > --- sai <[EMAIL PROTECTED]> wrote:
> > >
> > > > Internet --> pfSense ----> Netscreen ----> Lan, DMZ
> > > > Is this what you mean?
> > > >
> > > > Yes, this can be done. It means that you do NATting twice, which is not good, but it is workable. You just need a new private subnet between the pfSense ----> Netscreen.
> > > >
> > > > It might be easier to just replace the Netscreen so that if something is messed up you can put the Netscreen back in and your network works again.
> > > >
> > > > sai
> > > >
> > > > On 1/29/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > Hi Sai,
> > > > >
> > > > > Thanks for your message. I had successfully installed the pfSense with the latest snap, thank you.
> > > > >
> > > > > By the way, did you come across a solution with two layers of port mapping via two firewalls? Let me brief you on my network infrastructure so that you can understand my question. Currently, I have one Netscreen firewall as a front end box to control all the in/out bound of all the traffic, even port mapping to the internal server by using a public IP. The reason for putting a new box in
=== message truncated ===
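What the "two layers of port mapping" and the "new private subnet between the pfSense ----> Netscreen" from this thread look like on the pfSense hop, written as FreeBSD-style pf rules. This is an added example, not configuration posted in the thread or shipped by the pfSense project; the interface names, the 10.10.10.0/30 transit subnet, and the Netscreen address are assumptions, and UDP 1194 is the OpenVPN port the thread mentions.

```pf
# Added example (not from the thread): pf rules for the pfSense hop of
#   Internet --> pfSense ----> Netscreen ----> VLAN server farm (OpenVPN box)
# Interface names and addresses are assumed for illustration.
ext_if      = "em0"             # pfSense WAN, holds the public IP
transit_if  = "em1"             # pfSense inside interface facing the Netscreen
transit_net = "10.10.10.0/30"   # the new private subnet between the two firewalls
netscreen   = "10.10.10.2"      # Netscreen untrust address inside that subnet

# --- translation rules (must precede filter rules in classic pf syntax) ---

# Layer 1 of the port mapping: rewrite the public destination to the
# Netscreen's untrust address. The Netscreen performs layer 2 itself by
# forwarding UDP 1194 on to the OpenVPN box on the server-farm VLAN.
rdr on $ext_if proto udp from any to ($ext_if) port 1194 -> $netscreen port 1194

# Second NAT layer for outbound traffic: anything the Netscreen has already
# NAT'd to its untrust address is NAT'd again to the public IP here.
nat on $ext_if from $transit_net to any -> ($ext_if)

# --- filter rules ---

block in on $ext_if                 # default deny on the public side

# Only the redirected OpenVPN port is admitted; pf filters on the
# post-rdr destination, hence the match on $netscreen.
pass in quick on $ext_if proto udp from any to $netscreen port 1194 keep state

# Let the transit subnet reach the Internet through pfSense.
pass in on $transit_if from $transit_net to any keep state
pass out on $ext_if keep state
```

Two points a practitioner would check on this layout. First, `rdr` rewrites only the destination, so with plain port forwards on both hops the OpenVPN box still sees the real client source address in its logs; if either firewall also source-NATs inbound connections, that audit trail is lost. Second, the `block in` plus a single `pass in quick` is what keeps the second firewall from being the only control point: the Netscreen rule set still applies behind it, but pfSense already drops everything except the one forwarded port.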