Netgate Blog

Netgate pfSense Plus - An Out-of-Band Data Center Use Case

pfSense® Plus is well known for its edge connectivity use cases, where traffic needs to flow securely from users to the Internet / cloud and vice versa. Less well known, perhaps, is that it is just as powerful for intranet applications. We thought our readers might find this story useful - one in which Netgate® itself uses pfSense Plus and the Netgate XG-7100 for an out-of-band network access and control application.

As most of our users are aware, it takes a fast, reliable, and secure content distribution network (CDN) to deliver software releases to the global user base of pfSense CE and pfSense Plus. While users actively access our software distribution servers when each new release becomes available, there is an entire ‘behind-the-scenes’ network that prepares those servers for the job of software delivery. While the network infrastructure and server farms are well-designed and robust, things can still go awry. When they do, our IT staff needs reliable remote access to address matters quickly. Truck rolls are not popular with anyone.

Here’s a glimpse into how pfSense Plus provides cost-effective, secure, high-performance out-of-band network access:

[Diagram: pfSense Plus Out-of-Band Performance]

We maintain software distribution services in both Austin, Texas and New Jersey. As the above diagram shows, each set of servers is connected by a top-of-rack switch to a pair of XG-1541 firewalls. The firewalls are configured with Common Address Redundancy Protocol (CARP) - an automatic failover protocol that shares a common IP address among multiple hosts, in this case the pair of pfSense Plus firewalls - so that if one firewall fails, the other takes over the shared address. The XG-1541 firewalls are in turn connected to another switch which provides a high speed uplink - via a pair of TNSR routers - to the Internet. This represents the ‘data path’ over which all customer software distribution is fulfilled.

The goal here is to provide secure out-of-band access to Intelligent Platform Management Interface (IPMI) connections on each network device. IPMI enables central control and monitoring of server hardware status (temperature, power consumption, voltage, etc.) and server log data. As well, IPMI enables server access when an operating system is not installed, or is malfunctioning.

To be efficient and safe, remote firewall configuration work must be both fast and highly secure. IPsec provides secure out-of-band access to the IPMI ports. The XG-7100s - equipped with Intel QuickAssist (QAT) crypto offload - enable IPsec AES-GCM connections to run at speeds as high as 1.78 Gbps.

With the XG-7100’s internal switch, remote IT workers can connect via IPMI to as many as eight servers. Mobile/remote access is easy and fast for our IT staff - even if they just need to roll out of bed and get to it. No need for costly, frustrating, time-consuming truck rolls.

Networks are complex. And “Murphy” is ever present. Believe us, we know. Reliable distribution of software and updates for our customers is a must for our business. But every business has stretched IT resources who need fast and secure remote access to critical network infrastructure - whether down the street or thousands of miles away - when calamity hits. pfSense Plus offers a fast, secure and very cost-effective solution for IT remote access use cases.