A feasibility question, Fallover, bridge firewalling, etc.

zevlag

Here is my desired network configuration, is it feasible?  Please see my 6 points below.  I'd welcome any comments on what would or would not work.

/–------------\  /--------------\                              
            |   INTERNET   |  |   INTERNET   |                              
            --------------/  --------------/                              
                   |                 |                                      
                   |                 |                                      
             DSL MODEM         GATEWAY ROUTER                                
             xxx.xx.12.174/29  xxx.xx.9.1/24                                
                   gw1              gw2                                      
                    |                |                                      
                    |                |             Available IP Blocks:      
                    |en0             |en1          xxx.xx.9.220-222/24      
                    +----------------+             xxx.xx.12.169-173/29      
                    |    pfSense     |                                      
                    --------+-------                                      
                   /en2      |en3     \en4                                  
                  /          |          \                                    
                 /           |            \                                  
                /            |              \                                
               /             |                \                              
              /              |                  \                            
             /dmz1           |public              \private                  
   webserver                                                                
   xxx.xx.12.171/29           192.168.1.1/24       192.168.15.1/24

1. Bridge en0 with en2 (gw1, dmz1), run a transparent firewall            
   2. NAT en3 and en4 to en1 (public, private to gw2)                        
   3. If gw2 fails, auto fallover only private (en4) to gw1                  
   4. Firewall traffic between en2, en3, en4 (dmz, public, private)          
   5. Run traffic shaping on en3, en4. Not allow any one client to peak      
      connection capacity.  Prioritize protocols/ports.  Give private        
      priority over public.                                                  
   6. Squid Proxy traffic on en3, en4 (public, private) for caching of      
      large downloads.

GruensFroeschli

I dont see any problem except with point5.
Currently you can run the traffic shaper only on 2 interfaces.
In your case you want to run it on 4 interfaces (each WAN, private and public). This is not possible with 1.2.x

The new shaper in 2.0 should be able to do this.
2.0 is still VERY far away.

zevlag

Where are the traffic shaper limitations?  In the GUI? or in elsewhere? ie. is there a way around this?

If the the traffic shaper limitations are show stopper, what are some good alternatives? (I'm willing to roll my own even, I just don't know what distro to start from, linux, bsd, etc…)

GruensFroeschli

@GruensFroeschli:

Currently you can run the traffic shaper only on 2 interfaces.

No workaround.

There was a bounty that lead to the addition of said new shaper.
If i remember correctly everyone commiting to the bounty back then was provided with a howto to get the new shaper running on the current version.
Not sure if you could get that if you donate some money to the developer of the new shaper (ermal).

Where to start for other distros?
Not sure actually.
How much are you willing to pay?