Netgate Discussion Forum
    pfSense Newbie, Building Failover Box, Have Questions

    General pfSense Questions
    6 Posts 3 Posters 5.2k Views

    orty

      First off, this is my first attempt with a BSD firewall, having used Smoothwall, Endian, ipcop, and some other Linux-based firewalls in the past. The reason I'm going to try pfSense? From what it says on the hardware list, it'll work with pretty much any Compaq SCSI hardware I can throw at it, and I have a bunch of Compaq SCSI hardware :) (and getting more is cheap). I can't get any of those other firewalls to work with hardly any Compaq stuff. It also has built-in failover, which is why I'm building this box. It also has a solid community, which is why I'm posting here :)

      OK, enough butt-kissing ;)

      So basically here's what I'm planning this box for, and my thoughts behind this. Feel free to throw in ideas/comments if anything below sounds silly or stupid or needs to be rethought. This is the first time I've built a failover system like this, so excuse me while I think out loud.

      The company I work for shares an internet connection with another separate company in the same building. They both have physically separate networks (running in the same 192.168.1.x IP space – set up like that long before I started working here) with separate switches and firewalls. Each company's firewall plugs into a small switch that's plugged into a Cisco T1 router that's pushing two separate public IP addresses, one for each network. We also have a backup DSL line that's currently used by a public access WiFi node (running through a ZoneCD firewall), but can be used in case the T1 goes down.

      What I'd like to do is use pfSense to redirect traffic over the DSL line (or possibly a cable modem line) should the main T1 line go down, basically just being a failover box, not necessarily a firewall (though I'm open to the possibility of having it replace the firewalls if possible).

      Here's a lame visio drawing that sort of shows my thinking behind this.

      The pfSense box is going to be a Compaq Proliant ML350 G2 box. It currently has a P3 1.266 GHz processor, and I'm looking to get another processor to run SMP, as well as a Smart Array 532 card (as it was using Windows' software RAID with 4 drives – yikes) and some more RAM (it currently has just 512) and obviously some NICs. I have a line on some cheap parts for these systems, which is why I'm using this.

      Neither network is running any services like HTTP, VPN, FTP, etc. I have a few ports open for a backup server in my office (on the rentals network), but otherwise reliable 'net access is the key (as they run a bunch of web-based applications). I'd like the public WiFi to route over the DSL whenever possible, but that's not a requirement (I can throttle the speed of the connections on the ZoneCD firewall).

      Thoughts behind all this? Would it be better to just have pfSense be my firewall all around, or is the layout I'm looking at doing the easiest way (as I have a feeling if I had pfSense do it all, I'd have to change the IP range of one of my networks)? Would I be able to route the T1 public IPs to different networks from the outside (so requests for 178 go to one network and 182 go to the other)?

      I'm not a networking wizard, but not afraid to get my hands dirty. Feel free to point and laugh at my thinking all you want -- just make sure you throw something constructive in there as well.

      Thanks in advance!
      -Jake

        clarknova

        There's a great howto somewhere around here on multiwan and failover, darned if I can find it at the moment.

        Your proposed setup appears to be a good candidate for pfsense. Personally I hate a lot of duplication of hardware, except where redundancy is desired. In your case, the redundancy of having multiple firewalls doesn't really add anything and doesn't really make sense. The only two reasons I can come up with for not eliminating the dd-wrt and sonicwall and just letting pfsense do the firewalling are 1) the two businesses want to control their own firewall and lock the other out without having to worry about the other guy going in and opening holes in their network, or 2) you really don't want to change one of the networks to a unique subnet. In the second case you could remove one firewall and leave the other for NAT.

        Other than that I would say you have the kind of plan that pfsense was made for. Now to find that howto…

        db

        edit: http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing


          orty

          @clarknova:

          There's a great howto somewhere around here on multiwan and failover, darned if I can find it at the moment.

          If you can find it, please share :-)
          (edit: Thanks :) )

          The only two reasons I can come up with for not eliminating the dd-wrt and sonicwall and just letting pfsense do the firewalling are 1) the two businesses want to control their own firewall and lock the other out without having to worry about the other guy going in and opening holes in their network, or 2) you really don't want to change one of the networks to a unique subnet. In the second case you could remove one firewall and leave the other for NAT.

          The two companies share the same office space, but they don't want anything communicating across to each other (which is silly as they then complain when they can't print to each other's printers). I'm basically in charge of both firewalls since I took over here and inherited this mess. The only reason I wouldn't want to get rid of the firewalls for both companies is because of the remapping of addresses I'd have to do for client PCs to printers and such (as they do direct IP printing as their file/print server is a piece of junk), but otherwise, I'm not against getting rid of them – and would be all for it if I knew for sure my hardware could handle it. Would require a bit more work, but I'm not against that if the benefits outweigh the negatives.

          The one thing I've seen popping up on a few threads is that SMP and failover don't play nice with each other. Is that still the case?

          -Jake

            clarknova

            Check the page on sizing.
            http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

            I'd say your ML350 G2 @ 1.26 or 1.4 GHz is more than capable of what you're proposing. I don't know about the SMP-failover thing, but I don't see any need in your case for a second CPU, really. My home connection is 5500/640 and my pfsense runs on a soekris net5501 (Geode 500MHz 512 MB). With the pfsense package installed, ssh tunnel active, and torrents seeding, and pfsense's System Overview page on auto-refresh, CPU usage is hovering around 10%, RAM 31%, and 1850 state table entries. With several active torrents I've seen 5000 active states.

            You said you're not doing vpn. Unless you're going to install a bunch more packages or have hundreds of concurrent active portal users, I don't see your hardware struggling.

            As for the extra routers, if you're already adminning them, then you won't lose any security by getting rid of them and leaving the firewalling to pfsense. Fewer firewalls in the chain means fewer points of failure, and less electricity used for nothing.

            db


              orty

              @clarknova:

              I'd say your ML350 G2 @ 1.26 or 1.4 GHz is more than capable of what you're proposing. I don't know about the SMP-failover thing, but I don't see any need in your case for a second CPU, really. My home connection is 5500/640 and my pfsense runs on a soekris net5501 (Geode 500MHz 512 MB).

              Good to know. Glad to hear this is lightweight :)

              Will probably stick with single CPU unless I can find another CPU dirt cheap. Need to get RAID on the system as well as a redundant power supply (it has a slot for one), some more RAM and some NICs, and we'll be good to go.

              Thanks!

                kevindd992002

                Load balancing works for me like a miracle but I really can't make failover work. When I try to remove 1 / 3 of my WANs sometimes I still can access the Internet sometimes I can't. What could be wrong?

                I set up monitor IPs correctly, I'm pretty sure. I have three modems from the same ISP and I use my ISP's DNS servers for monitor IPs for all the three modems, they are different from each other.

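To make the monitor-IP and gateway-tier logic from this thread concrete, here is an added model of how a pfSense-style gateway group decides which WANs are "up" and which tier carries traffic. It is example code written for this page, not pfSense's own code and not from any poster; the gateway names, the TEST-NET addresses, and the 20% loss / 500 ms trigger thresholds are constructed assumptions.

```python
"""Illustrative model of multi-WAN gateway-group failover (not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

@dataclass
class Gateway:
    name: str          # constructed gateway name
    wan_subnet: str    # subnet of the WAN interface behind this modem
    monitor_ip: str    # address the gateway monitor pings through this WAN
    tier: int          # gateway-group tier: 1 is preferred, 2 is failover-only
    loss_pct: float = 0.0
    latency_ms: float = 0.0

def validate_monitors(gws: List[Gateway]) -> List[str]:
    """Return configuration problems that would defeat failover detection."""
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for gw in gws:
        if gw.monitor_ip in seen:   # two WANs pinging the same target cannot be told apart
            problems.append(f"{gw.name}: monitor IP {gw.monitor_ip} already used by {seen[gw.monitor_ip]}")
        seen.setdefault(gw.monitor_ip, gw.name)
        if ip_address(gw.monitor_ip) in ip_network(gw.wan_subnet, strict=False):
            # Pinging the modem itself only proves the local link works, not the ISP path
            problems.append(f"{gw.name}: monitor IP {gw.monitor_ip} is on the WAN subnet and only tests the local link")
    return problems

def gateway_is_up(gw: Gateway, max_loss: float = 20.0, max_latency: float = 500.0) -> bool:
    """Assumed trigger thresholds: mark the gateway down on high loss or high latency."""
    return gw.loss_pct < max_loss and gw.latency_ms < max_latency

def select_gateways(gws: List[Gateway]) -> List[str]:
    """Active member set: every 'up' gateway in the lowest tier that still has one."""
    for tier in sorted({g.tier for g in gws}):
        up = [g.name for g in gws if g.tier == tier and gateway_is_up(g)]
        if up:
            return up
    return []   # every WAN is down

# Constructed sample: three modems from one ISP in tier 1, a DSL line as tier-2 failover.
SAMPLE = [
    Gateway("WAN1", "203.0.113.0/30", "198.51.100.53", 1),
    Gateway("WAN2", "203.0.113.4/30", "198.51.100.54", 1),
    Gateway("WAN3", "203.0.113.8/30", "203.0.113.9", 1),    # monitor points at the modem itself
    Gateway("DSL", "203.0.113.12/30", "198.51.100.55", 2),
]
```

Running `validate_monitors(SAMPLE)` flags WAN3, whose monitor would keep answering while the ISP side of that modem is dead; `select_gateways` with WAN1 at 100% loss drops to the remaining tier-1 members, and only when all of tier 1 is down does the DSL gateway carry traffic.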
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.