# Firewall, load balancing and services



## Gherardo (Apr 26, 2014)

Hello,
I'd like to receive some advice on what would be the better solution.

First of all here's the situation:
at work we have 15-20 computers and the network is mostly used to connect to the outside world (web surfing and mail). There are no in-house servers and the connection is just an ADSL with a router-firewall and a few switches.

Given that the number of people using the network has increased over time, there's now a need for more bandwidth and to install a server with a few services (SMB, Apache, FTP).
So here's the big question: what to do now considering it's a small company and the money is really an issue?

One option would be to get a second xDSL and load balance the two WANs using pfSense. But since we're planning on buying a new server and it won't be stressed much, it would be nice to have it running daemons and being a firewall at the same time.

I'd like to be able to use both FreeBSD and pfSense on the same server but I'm not sure how (from what I read the latter is based on FreeBSD 8, so I cannot jail pfSense on a FreeBSD 9 or 10 install).

What would you do?

Use just one server to do everything (and how: one VM per service?)
Or use one PC for pfSense and one as a server (with FreeBSD)?
Or just forget the load balancing idea and go for one bigger bandwidth?
Or maybe there's an obvious solution I didn't think about?

Thanks in advance for any input.


----------



## phoenix (Apr 28, 2014)

You should never run services on a firewall, unless you have very specific reasons to do so.  Keep network security separate from user services.  They do 2 very different jobs, with very different security needs, and there's rarely ever a need to combine them.

Get a small box with lots of NIC ports and run your packet filter/routing on there.  Use pfSense if you like a web-based admin tool.  Use FreeBSD if you're comfortable with command-line management.

Get a separate server to run all your other services.  If it's accessible from the Internet, then create a separate DMZ network (use a separate NIC on the firewall) and stick the server on there.  Give it a private IP, and NAT all access to it (even from your LAN).
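The layout phoenix describes, written out as a pf.conf for a FreeBSD box with three NICs (WAN, LAN, DMZ): the server sits in the DMZ on a private address, the web ports are published by redirecting the WAN address to it, and LAN clients reach it through the same redirection rather than by a direct path that bypasses the firewall. This is an added example, not something from the thread; the interface names, the 192.168.1.0/24 and 192.168.2.0/24 subnets, the server address 192.168.2.10 and the set of published ports are all assumptions to be replaced with the real values.

```pf
# Added example: assumed interface names and addresses, adjust to the real hardware
ext_if  = "em0"              # WAN, address handed out by the ISP
lan_if  = "em1"              # office LAN
dmz_if  = "em2"              # DMZ, only the public server lives here

lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
srv     = "192.168.2.10"     # the FreeBSD server, private address only

# Ports reachable from the Internet. SMB (139/445) is deliberately absent:
# file sharing is a LAN-only service and never belongs on the WAN side.
pub_tcp = "{ 80, 443 }"

set skip on lo0
set block-policy drop
scrub in all                                # normalise fragments and TCP options

# --- Translation (applied before filtering, so filter rules below see $srv) ---
# Hide both internal networks behind the WAN address
nat on $ext_if inet from { $lan_net, $dmz_net } to any -> ($ext_if)

# Publish the web ports: Internet -> WAN address -> server in the DMZ
rdr on $ext_if inet proto tcp from any to ($ext_if) port $pub_tcp -> $srv

# LAN clients use the same public address and get redirected too, so every
# LAN -> server connection is NATed through the firewall, as phoenix suggests
rdr on $lan_if inet proto tcp from $lan_net to ($ext_if) port $pub_tcp -> $srv

# --- Filtering ----------------------------------------------------------------
block log all                               # default deny on every interface
antispoof quick for { $lan_if, $dmz_if }    # drop packets with the wrong source subnet
pass out quick inet keep state              # outbound is fine once inbound was allowed

# Internet -> server, published ports only (destination already rewritten to $srv)
pass in on $ext_if inet proto tcp from any to $srv port $pub_tcp flags S/SA keep state

# LAN -> Internet; the DMZ is reachable only through the explicit rules below
pass in on $lan_if inet from $lan_net to ! $dmz_net keep state
pass in on $lan_if inet proto tcp from $lan_net to $srv port $pub_tcp keep state
pass in on $lan_if inet proto tcp from $lan_net to $srv port { 22, 139, 445 } keep state

# DMZ may fetch updates from the Internet but may never initiate into the LAN;
# its replies to LAN clients are covered by the states created above
pass in on $dmz_if inet from $dmz_net to ! $lan_net keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and enable forwarding and pf in /etc/rc.conf with `gateway_enable="YES"` and `pf_enable="YES"`. FTP is left out of `pub_tcp` on purpose: publishing it through NAT needs ftp-proxy(8) to handle the data connections, and that is a separate piece of configuration. On pfSense the same three pieces (interfaces, NAT/port forwards, per-interface rules) are entered through the web GUI instead of this file.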


----------

