USG Pro 4 and virtual pfsense setup?

Here is my current janky setup.

pfSense is running virtualized on node 1 connected directly to that WAN link. It’s my router, firewall, and IDS/IPS.

If for whatever reason I take down proxmox node 1… internet goes down for everybody. I have a USG-Pro-4 that I’m trying to implement in front of pfsense.

My plan is to use USG as router/nat and pfSense for IDS/IPS.

USG will pass internet to the 10G switch on a WAN vlan… pfsense will be running on each proxmox host in HA mode (either pfsense HA or proxmox HA) with its WAN interface on that WAN vlan. Now internet always flows and I can suffer the loss of a prox node.

Will this work? Is it dumb and should I reevaluate my life choices?

It can be made to work but other than to see if you can, I can’t think of a compelling use case for integrating the USG.

So let’s say you were adamant on making this work. How would YOU do it?

If I use routing on the USG, will my 10g network be bottlenecked when routing between vlans?

If I use pfsense as the edge router instead of USG and just use the USG for the charts/graphs and disable nat… are there security concerns hooking my WAN line directly into a vlan mapped port on the switch?

I really would like to keep pfsense virtual but want to get away from internet dying when I bounce node 1.

The 16XG does not do intervlan routing so the USG becomes the bottleneck for 10G traffic. Connecting the WAN directly to a VLAN adds complexity but as long as no flaws exist in the implementation it can be secure. I have never tried disabling NAT on the USG so I am uncertain if/how it can be done.

I’ve found a few guides on disabling it and it doesn’t seem too difficult.

Do you have a list of common implementation flaws on connecting WAN directly to a VLAN? Or a link to a resource? I’d like to do it correctly the first time.

I think as long as the port I connect to is tagged with the correct VLAN, the 10g dac cables are trunks, and pfSense has its wan interface on that VLAN as well, then it should all go well.

Honestly if I go this route and get it working, then I don’t really need a USG since pfSense will be highly available and my problem will be solved. It’s just that I recently switched everything over to Ubiquiti and am really interested in the “single pane of glass” metrics for everything on the Unifi Controller.

I find the metrics from the UDM/USG quite useless because they lack time series and detail. I don’t have a guide because it’s more about don’t make a mistake such as improperly tagging the port.
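As an added illustration (not from either poster), here is a small Python checker that encodes the tagging rules the thread relies on for putting the WAN link on a VLAN: the ISP-facing port carries only the WAN VLAN untagged, the trunks to the Proxmox hosts carry the WAN VLAN tagged (never as the native VLAN), and ordinary LAN access ports never see the WAN VLAN at all. The port names, VLAN ids, role labels and the table format are assumptions made for the example; the point is that the "improperly tagged port" mistake can be caught by an explicit audit of the switch's port table rather than discovered after the fact.

```python
"""
Audit a switch port/VLAN table for the WAN-on-a-VLAN design discussed above.
Constructed example: port names, VLAN ids and the table format are assumptions.
"""
from dataclasses import dataclass, field

WAN_VLAN = 999          # assumed id of the VLAN that carries the raw WAN link
LAN_VLANS = {10, 20}    # assumed internal VLANs


@dataclass
class Port:
    name: str
    role: str                        # "wan_uplink", "proxmox_trunk" or "lan_access"
    native_vlan: int                 # untagged VLAN on the port
    tagged_vlans: frozenset = field(default_factory=frozenset)


def check_port(port: Port) -> list[str]:
    """Return the problems found on one port (empty list means the port is OK)."""
    problems = []
    if port.role == "wan_uplink":
        # The ISP hand-off must be untagged on the WAN VLAN and carry nothing else,
        # otherwise the raw internet segment bleeds into whatever VLAN it lands on.
        if port.native_vlan != WAN_VLAN:
            problems.append(f"{port.name}: WAN uplink native VLAN is {port.native_vlan}, expected {WAN_VLAN}")
        if port.tagged_vlans:
            problems.append(f"{port.name}: WAN uplink must not carry tagged VLANs {sorted(port.tagged_vlans)}")
    elif port.role == "proxmox_trunk":
        # Hosts running the pfSense VMs need the WAN VLAN tagged, never native,
        # so untagged host/management traffic cannot end up on the WAN segment.
        if port.native_vlan == WAN_VLAN:
            problems.append(f"{port.name}: WAN VLAN {WAN_VLAN} is the native VLAN on a trunk")
        if WAN_VLAN not in port.tagged_vlans:
            problems.append(f"{port.name}: trunk does not carry WAN VLAN {WAN_VLAN} tagged")
    elif port.role == "lan_access":
        # Ordinary access ports must never be a member of the WAN VLAN.
        if port.native_vlan == WAN_VLAN or WAN_VLAN in port.tagged_vlans:
            problems.append(f"{port.name}: LAN access port exposes WAN VLAN {WAN_VLAN}")
        if port.native_vlan not in LAN_VLANS:
            problems.append(f"{port.name}: access port native VLAN {port.native_vlan} is not a known LAN VLAN")
    else:
        problems.append(f"{port.name}: unknown role {port.role!r}")
    return problems


def audit(ports) -> list[str]:
    """Run check_port over a whole table and flatten the findings."""
    return [problem for port in ports for problem in check_port(port)]


# Constructed sample tables (names and ids are made up for the example).
GOOD_PORTS = [
    Port("eth1", "wan_uplink", WAN_VLAN),
    Port("sfp1", "proxmox_trunk", 10, frozenset({20, WAN_VLAN})),
    Port("sfp2", "proxmox_trunk", 10, frozenset({20, WAN_VLAN})),
    Port("eth5", "lan_access", 20),
]
BAD_PORTS = [
    Port("eth1", "wan_uplink", 1),                                  # ISP link left on default VLAN 1
    Port("sfp1", "proxmox_trunk", WAN_VLAN, frozenset({10, 20})),   # WAN VLAN set as native on a trunk
    Port("eth5", "lan_access", WAN_VLAN),                           # LAN port accidentally on the WAN VLAN
]

if __name__ == "__main__":
    for label, table in (("good", GOOD_PORTS), ("bad", BAD_PORTS)):
        issues = audit(table)
        print(f"{label}: {'OK' if not issues else f'{len(issues)} problem(s)'}")
        for issue in issues:
            print("  -", issue)
```

Running it prints no findings for the correctly tagged table and five for the broken one (the mis-set native VLAN on the trunk is reported twice, once as "WAN VLAN is native" and once as "WAN VLAN not tagged", which is exactly the combination that would put host traffic on the internet-facing segment).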