What You'll Build
- pfSense firewall as network gateway and security layer
- Coolify master server for orchestration and management
- Multiple worker nodes for application deployment
- Secure internal network with proper firewall rules
- Load balancing and high availability setup
Prerequisites
Before starting, ensure you have:
Server Requirements
- Active RamNode account
- Ability to deploy multiple VPS
- Minimum 3 public IP addresses
- Access to control panel
Technical Knowledge
- Linux system administration
- Docker & containerization
- Network configuration
- Firewall management
Resource Requirements
- pfSense VM: 2 CPU cores, 4GB RAM, 20GB storage
- Coolify Master: 4 CPU cores, 8GB RAM, 50GB storage
- Worker Nodes: 2-4 CPU cores, 4-8GB RAM, 30GB+ storage each
Architecture Design
Network topology overview:
                 Internet
                    |
               +----+----+
               | pfSense |  (Public IP: xxx.xxx.xxx.1)
               | Gateway |
               +----+----+
                    |  Internal Network: 10.10.10.0/24
                    |
                    +-- Coolify Master (10.10.10.10)
                    +-- Worker Node 1  (10.10.10.20)
                    +-- Worker Node 2  (10.10.10.21)
                    +-- Worker Node N  (10.10.10.2x)

Service Distribution
- pfSense: Network gateway, firewall, VPN endpoint
- Coolify Master: Web UI, orchestration, database
- Worker Nodes: Application containers, load balancing
Deploy pfSense VPS
Order and configure pfSense VPS:
Server Specifications
- Location: Choose closest to your users
- OS: FreeBSD 13 or Latest
- CPU: 2 cores minimum
- RAM: 4GB minimum
- Storage: 20GB SSD
- Network: Request 2 IP addresses minimum
Note: Write down your primary and secondary IP addresses. Configure reverse DNS if needed. Ensure you have console access via VNC.
Deploy Coolify Master Server
Order master server VPS:
Master Server Specs
- OS: Ubuntu 22.04 LTS
- CPU: 4 cores
- RAM: 8GB
- Storage: 50GB SSD
- Network: 1 public IP address

# Connect via SSH
ssh root@your-master-ip
# Update system
apt update && apt upgrade -y
# Install essential packages
apt install -y curl wget git htop ufw fail2ban

Deploy Worker Node VPS
Repeat for each worker node (recommended: 2-3 nodes minimum):
Worker Node Specs
- OS: Ubuntu 22.04 LTS
- CPU: 2-4 cores
- RAM: 4-8GB
- Storage: 30GB+ SSD
- Network: Public IP optional (can use pfSense NAT)

# Connect via SSH
ssh root@worker-ip
# Update and prepare
apt update && apt upgrade -y
# Ubuntu's docker.io package. The "Configure Worker Nodes" section below installs
# Docker CE from get.docker.com instead; pick one source, the two packages conflict.
apt install -y curl wget docker.io docker-compose
systemctl enable docker
systemctl start docker

pfSense Configuration
Configure pfSense firewall:
Initial pfSense Setup
1. Access VNC Console from RamNode control panel
2. Boot from FreeBSD installer and follow pfSense installation wizard
WAN Interface: vtnet0 (Primary RamNode IP)
LAN Interface: vtnet1 (10.10.10.1)
WAN IP: Use DHCP or static (your primary RamNode IP)
LAN IP: 10.10.10.1/24
DHCP Range: 10.10.10.100-10.10.10.200

Web Interface Access
URL: https://10.10.10.1
Default Login: admin/pfsense
Security: Immediately change the default admin password to a strong password after first login!
Configure Firewall Rules
Navigate to: Firewall → Rules → LAN
- Allow LAN to any (default)
- Allow HTTP/HTTPS to Coolify Master
- Allow SSH between internal hosts
- Block unnecessary outbound traffic
Port Forward Rules
Navigate to: Firewall → NAT → Port Forward
HTTP (80) → Coolify Master (10.10.10.10:80)
HTTPS (443) → Coolify Master (10.10.10.10:443)
SSH (2222) → Coolify Master (10.10.10.10:22)
Coolify Dashboard (8000) → Master (10.10.10.10:8000)

Docker Swarm Ports
Allow these ports for Docker Swarm communication between the internal hosts only; they have no business being reachable from the WAN:
Port 2377/tcp (cluster management)
Port 7946/tcp+udp (node communication)
Port 4789/udp (overlay network)

Configure Master Server Network
Configure static networking on the master server, with pfSense (10.10.10.1) as its gateway:

nano /etc/netplan/01-netcfg.yaml

network:
  version: 2
  ethernets:
    eth0:                     # interface name may differ on your VPS; check "ip link"
      dhcp4: false
      addresses:
        - 10.10.10.10/24
      # gateway4 still works on Ubuntu 22.04 but is deprecated; newer netplan
      # expects "routes: [{to: default, via: 10.10.10.1}]" instead
      gateway4: 10.10.10.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 1.1.1.1

# Apply network configuration
netplan apply
# Verify connectivity
ping 8.8.8.8
ping 10.10.10.1

Install Docker and Coolify
Install Docker on the master server:
# Install Docker
curl -fsSL https://get.docker.com | sh
# Add user to docker group (only matters if you administer Docker as a non-root
# user; run as root, $USER is root and this is a no-op)
usermod -aG docker $USER
# Start and enable Docker
systemctl enable docker
systemctl start docker
# Verify installation. get.docker.com ships the Compose v2 plugin, invoked as
# "docker compose version"; the standalone docker-compose binary is only there if you installed it.
docker --version
docker-compose --version

Initialize Docker Swarm
# Initialize Docker Swarm
docker swarm init --advertise-addr 10.10.10.10
# Save the worker join token (you'll need this later)
docker swarm join-token worker

Install Coolify
# Create coolify directory
mkdir -p /opt/coolify
cd /opt/coolify
# Download and run the Coolify installer
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash

Edit the Coolify environment file (if the installer reports a different install directory, use the .env it created there):

nano /opt/coolify/.env

# Replace every "your-..." placeholder with a long random value before starting
APP_URL=https://your-domain.com
APP_NAME=Coolify
DB_PASSWORD=your-secure-database-password
REDIS_PASSWORD=your-secure-redis-password
PUSHER_APP_KEY=your-pusher-key
PUSHER_APP_SECRET=your-pusher-secret

# Start Coolify
cd /opt/coolify
docker-compose up -d
# Verify services are running
docker-compose ps

Access Coolify Dashboard at: http://10.10.10.10:8000 or through pfSense port forward
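Before bringing Coolify up it is worth refusing to start while the .env template above still carries its placeholder secrets (the same applies to the Grafana admin password later in this guide). The following pre-flight check is an added example, not part of this guide or of Coolify's tooling; it assumes a plain KEY=VALUE .env file, treats any key containing PASSWORD, SECRET or TOKEN or ending in _KEY as a secret, and the 24-character minimum is an assumption.

```shell
#!/bin/sh
# Pre-flight check for the secrets this guide asks you to fill into /opt/coolify/.env.
# Added example, not Coolify's or RamNode's tooling; it only reads the file and reports.
set -eu

MIN_SECRET_LEN=24   # assumption: anything shorter is treated as weak

# Exit 0 when the value is a placeholder or too short, 1 when it looks like a real secret.
secret_is_weak() {
  v="$1"
  case "$v" in
    ""|your-*|changeme*|password|secret|*example*) return 0 ;;
  esac
  [ "${#v}" -lt "$MIN_SECRET_LEN" ] && return 0
  return 1
}

# Print one line per weak secret-bearing key in a KEY=VALUE file; exit 1 if any were found.
check_env_secrets() {
  file="$1"; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}; val=${line#*=}
    val=${val#\"}; val=${val%\"}            # tolerate quoted values
    case "$key" in
      *PASSWORD*|*SECRET*|*TOKEN*|*_KEY)
        if secret_is_weak "$val"; then echo "WEAK: $key"; bad=1; fi ;;
    esac
  done < "$file"
  return "$bad"
}

# 32 random bytes as 64 hex characters, with a fallback for hosts without openssl.
gen_secret() {
  openssl rand -hex 32 2>/dev/null || head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Demo on a constructed copy of two lines from the template in this guide.
demo=$(mktemp)
printf 'APP_URL=https://your-domain.com\nDB_PASSWORD=your-secure-database-password\n' > "$demo"
if check_env_secrets "$demo"; then
  echo "secrets look fine"
else
  echo "refusing to start: replace the keys above, e.g. DB_PASSWORD=$(gen_secret)"
fi
rm -f "$demo"
```

Run it as `check_env_secrets /opt/coolify/.env` before `docker-compose up -d`; a non-zero exit means placeholders or short values are still present.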
Configure Worker Nodes
For each worker node, configure network and join swarm:
nano /etc/netplan/01-netcfg.yaml

network:
  version: 2
  ethernets:
    eth0:
      dhcp4: false
      addresses:
        - 10.10.10.2X/24   # Replace X with node number (20, 21, etc.)
      gateway4: 10.10.10.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 1.1.1.1

netplan apply
# Install Docker
curl -fsSL https://get.docker.com | sh
systemctl enable docker
systemctl start docker

Join Docker Swarm
# Use the token from master server
docker swarm join --token SWMTKN-1-xxxx 10.10.10.10:2377
# On master server, verify nodes
docker node ls

Add to Coolify Dashboard
In Coolify, navigate to Servers → Add Server
Name: worker-01
IP Address: 10.10.10.20
Port: 22
User: root

# On master server, copy SSH key to worker
ssh-copy-id root@10.10.10.20
# Test connection
ssh root@10.10.10.20 "docker --version"

Configure DNS and Load Balancing
pfSense DNS Configuration
Navigate to: Services → DNS Resolver
coolify.local → 10.10.10.10
worker1.local → 10.10.10.20
worker2.local → 10.10.10.21

Install HAProxy
Navigate to: System → Package Manager
1. Search for: haproxy
2. Install HAProxy package
Configure HAProxy
Navigate to: Services → HAProxy

Backend:
Name: coolify_backend
Servers:
- 10.10.10.10:80
- 10.10.10.20:80
- 10.10.10.21:80
Health Check: HTTP

Frontend:
Name: web_frontend
Listen Address: WAN Interface
Port: 80, 443
Default Backend: coolify_backend

SSL/TLS Configuration
certbot runs on an Ubuntu host such as the master. With --standalone it binds port 80 itself, so nothing else may be listening there and the pfSense forward for port 80 must reach that host while the certificate is issued:
# Install certbot
apt install -y certbot
# Generate certificates
certbot certonly --standalone -d your-domain.com

Navigate to: System → Cert Manager in pfSense to import SSL certificates and apply to HAProxy frontend
Security Hardening
SSH Hardening
nano /etc/ssh/sshd_config

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers coolify-admin

Create the coolify-admin user and install your public key for it before restarting sshd, and keep the current session open until a fresh login on port 2222 works. Once root login is off and the port has moved, the server entries in Coolify (Port 22, User root above) and the pfSense SSH port forward must be updated to match, or the master loses access to the workers.

Firewall Configuration
ufw default deny incoming
ufw default allow outgoing
# SSH from the internal network only (use 2222 here if sshd was moved above)
ufw allow from 10.10.10.0/24 to any port 22
# Docker daemon TLS port; only needed if dockerd is given a tcp:// listener
ufw allow from 10.10.10.0/24 to any port 2376
# Docker Swarm ports listed earlier; without these the deny-incoming default breaks the cluster
ufw allow from 10.10.10.0/24 to any port 2377 proto tcp
ufw allow from 10.10.10.0/24 to any port 7946
ufw allow from 10.10.10.0/24 to any port 4789 proto udp
ufw enable

Docker Daemon Security
nano /etc/docker/daemon.json

{
  "hosts": ["unix:///var/run/docker.sock"],
  "tls": true,
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem"
}

Two caveats: the tls* keys only apply to a tcp:// listener, so with the unix socket as the only host they are inert, and on Ubuntu's Docker CE packages the systemd unit already passes -H fd://, so a "hosts" key in daemon.json makes dockerd refuse to start ("specified both as a flag and in the configuration file"); either drop the key or override ExecStart with a systemd drop-in. The CA, certificate and key files must exist before dockerd is restarted.

Security Best Practices: Block all inbound except HTTP/HTTPS/SSH, limit SSH access to specific IPs, enable intrusion detection (Snort/Suricata), configure rate limiting, and enable DDoS protection.
Setup Monitoring
Install monitoring stack on master server:
mkdir -p /opt/monitoring
cd /opt/monitoring

nano docker-compose.yml

version: '3.8'
services:
  prometheus:
    image: prom/prometheus
    ports:
      - "9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
  grafana:
    image: grafana/grafana
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=your-secure-password
  node-exporter:
    image: prom/node-exporter
    ports:
      - "9100:9100"

nano prometheus.yml

global:
  scrape_interval: 15s
scrape_configs:
  - job_name: 'coolify-master'
    static_configs:
      - targets: ['10.10.10.10:9100']
  - job_name: 'worker-nodes'
    static_configs:
      - targets: ['10.10.10.20:9100', '10.10.10.21:9100']

node-exporter must also run on each worker for the worker-nodes job to have anything to scrape, and ports 9090, 3000 and 9100 are bound on all interfaces here, so make sure none of them is forwarded from the WAN.

Automated Backups
mkdir -p /opt/scripts
nano /opt/scripts/backup.sh

#!/bin/bash
mkdir -p /backups
# Backup Coolify database
docker exec coolify_db pg_dump -U coolify > /backups/coolify_$(date +%Y%m%d).sql
# Backup Docker volumes
docker run --rm -v coolify_data:/data -v /backups:/backup alpine tar czf /backup/coolify_data_$(date +%Y%m%d).tar.gz /data
# Upload to remote storage (configure as needed)
# rclone copy /backups remote:coolify-backups/

chmod +x /opt/scripts/backup.sh
crontab -e
# Add: 0 2 * * * /opt/scripts/backup.sh

Testing and Verification
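A hardened variant of the backup.sh above, added here as an example rather than taken from the guide: it verifies each dump before trusting it, makes the files owner-only, and prunes old copies so the disk does not fill. Container and volume names (coolify_db, coolify_data) and the /backups path are the guide's; the KEEP_DAYS retention window and the "run" argument are assumptions.

```shell
#!/bin/sh
# Hardened variant of the guide's backup.sh (added example, not RamNode's or Coolify's code).
# Assumes the guide's names: container coolify_db, volume coolify_data, BACKUP_DIR /backups.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/backups}"
KEEP_DAYS="${KEEP_DAYS:-14}"   # assumption: retention window in days

# A dump is only trusted if it is non-empty and carries pg_dump's header comment;
# an archive only if gzip can read it end to end. Returns 1 on any failure.
verify_backup() {
  f="$1"
  [ -s "$f" ] || { echo "EMPTY: $f" >&2; return 1; }
  case "$f" in
    *.sql)    grep -q 'PostgreSQL database dump' "$f" || { echo "NO PG HEADER: $f" >&2; return 1; } ;;
    *.tar.gz) gzip -t "$f" 2>/dev/null || { echo "CORRUPT GZIP: $f" >&2; return 1; } ;;
    *)        echo "UNKNOWN TYPE: $f" >&2; return 1 ;;
  esac
}

# Remove backups older than the retention window, printing each deleted path.
prune_old_backups() {
  find "$1" -maxdepth 1 -type f -name 'coolify_*' -mtime +"$2" -print -exec rm -f {} +
}

# Number of backup files currently kept in a directory.
count_backups() {
  find "$1" -maxdepth 1 -type f -name 'coolify_*' | wc -l | tr -d ' '
}

run_backup() {
  stamp=$(date +%Y%m%d_%H%M%S)
  mkdir -p "$BACKUP_DIR"
  docker exec coolify_db pg_dump -U coolify > "$BACKUP_DIR/coolify_$stamp.sql"
  docker run --rm -v coolify_data:/data -v "$BACKUP_DIR":/backup alpine \
    tar czf "/backup/coolify_data_$stamp.tar.gz" /data
  # dumps contain credentials: owner-only permissions on both files
  chmod 600 "$BACKUP_DIR/coolify_$stamp.sql" "$BACKUP_DIR/coolify_data_$stamp.tar.gz"
  verify_backup "$BACKUP_DIR/coolify_$stamp.sql"        # set -e aborts the job on failure
  verify_backup "$BACKUP_DIR/coolify_data_$stamp.tar.gz"
  prune_old_backups "$BACKUP_DIR" "$KEEP_DAYS"
  echo "backup ok: $(count_backups "$BACKUP_DIR") file(s) retained"
}

# The real backup runs only as "backup.sh run" (cron: 0 2 * * * /opt/scripts/backup.sh run),
# so the functions above can also be sourced and exercised on a host without Docker.
if [ "${1:-}" = "run" ]; then run_backup; fi
```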
Verify Network Connectivity
# Check network connectivity
ping 10.10.10.10
telnet 10.10.10.10 2377
# Verify firewall rules
iptables -L
ufw status
# Check Docker Swarm status
docker node ls
docker system events

Verify Coolify Dashboard
docker-compose ps
docker-compose logs
# Check if services are listening (netstat needs the net-tools package on
# Ubuntu 22.04; "ss -tlnp" is the preinstalled equivalent)
netstat -tlnp | grep 8000

Test Application Deployment
1. Access Coolify dashboard at http://your-pfsense-ip:8000
2. Deploy a test application
3. Verify it's accessible through pfSense
Common Troubleshooting
Connection Issues Between Nodes
# Check network connectivity
ping 10.10.10.10
telnet 10.10.10.10 2377
# Verify firewall rules
iptables -L
ufw status
# Check Docker Swarm status
docker node ls

Coolify Dashboard Not Accessible
# Check Coolify services
docker-compose ps
docker-compose logs
# Verify port forwarding in pfSense
netstat -tlnp | grep 8000

pfSense Performance Issues
# Check CPU and memory
top
# Monitor network interfaces
netstat -i
Check firewall logs: Navigate to Status → System Logs → Firewall in pfSense

View Logs
# Coolify logs
docker-compose logs -f
docker logs coolify_app
# Docker Swarm logs
docker system events
# Swarm node names are the hostnames shown by "docker node ls", not the Coolify server name
docker node inspect worker-01

Deployment Complete
You now have a robust, scalable infrastructure for running Coolify across multiple servers with proper security and network isolation. The pfSense firewall provides enterprise-grade security, while the multi-server Coolify setup ensures high availability and performance.
Key Benefits Achieved
- Security: pfSense firewall with proper rule configuration
- Scalability: Multiple worker nodes for application deployment
- High Availability: Docker Swarm clustering with automatic failover
- Monitoring: Comprehensive monitoring and alerting setup
- Backup: Automated backup strategy for data protection
Next Steps
1. Configure domain names and SSL certificates
2. Set up monitoring alerts and notifications
3. Implement automated scaling policies
4. Configure additional backup destinations
5. Test disaster recovery procedures
Support Resources
- Coolify Documentation
- pfSense Documentation
- Docker Swarm Guide
- RamNode Support: Submit ticket through client area
Related Guides
Learn how to set up Coolify on a single server
Complete guide to pfSense firewall configuration
