PfSense right for me?
-
Hello,
I hope everyone is doing well.
I am responsible for setting up the technology in our new building. The facility has a number of different businesses that all have a common Internet access point.
Our incoming connection will be a cable-modem with 3 static IPs. I have a Proliant ML 370 (Dual Pentium III at 1 Gz each, 1 GB RAM installed and SCSI drives totaling 72.8 GB in) which I would like to run pfSense on.
I am hoping to do the following with pfSense:
-
Have 3 different wireless networks in the building, none of which should be able to connect to each other (all different businesses) and one of them should require a "accept the terms of use before being able to get online" welcome web pages.
-
Have 3 servers hosted on-site that I can 'assign' to the static IPs (again, those should be isolated from the rest of the network)
-
Couple of fileservers and computers spread out through the building that need Internet access via NAT through pfSense, but they all might be different organizations and therefore shouldn't be able to see each other.
-
A "laptop lane" area – basically people can bring their laptops, plug in, and get internet but that's it.
-
Need to be able to run Squidguard with blacklist updates for the entire network.
I was using IPCop in another building which had a far more simple setup and it was working great. However IPCop has not been updated for a long time and has a limit to the number of Network cards/functional units it can have and so I have heard great things about pfSense -- just want to make sure it was right for our application.
Thank you!
-
-
Sorry, forgot to add that we'll also be running a VOIP system through this machine also. We have another server that is hosting and managing the VOIP system, but the incoming/outgoing calls of course will need to go through pfSense.
Thank you.
-
The hardware sizing guide says that your hardware should be fine for up to 100 Mb/s, without packages and VPNs.
-
One interface (or VLAN and a VLAN capable switch) per wireless network and Captive Portal for the last one
-
Another interface (or VLAN and a VLAN capable switch) and VIPs for NAT
-
One interface (or VLAN and a VLAN capable switch) per organisation
-
Another interface (or VLAN and a VLAN capable switch)
-
This may impact your hardware requirement, however with dual CPUs you should still be fine for up to 100 Mb/s.
-
-
Hello,
Thanks for your reply. I put in some questions below:
@Cry:
The hardware sizing guide says that your hardware should be fine for up to 100 Mb/s, without packages and VPNs.
While our whole internal network is gigabit, our connection to the ISP is probably going to max out at 10 Mb/s down and 2 up, so I believe that 100 Mb/s limit you mentioned should be no problem at all, unless I do not understand the speed issues correctly.
@Cry:
- One interface (or VLAN and a VLAN capable switch) per wireless network and Captive Portal for the last one
Just briefly skimmed through the Captive Portal flash tutorial – very slick! Question: Can it be set up without a required username / password but just a "Acceptable Use" policy? Our situation is that we have a conference facility people rent and while they rent they have Internet access (usually about 3-4 hours) but after that it could be turned on/off. Of course a username/password is not that big of a deal but just wanted to know full options.
So based on the different organizations I have, I could be looking for up to 5 NICs in the one machine! Is this a crazy setup I should avoid or not a problem? Conversely, would you recommend a VLAN-capable switch in order to reduce the number of network cards (I don't have a big budget for VLAN switches so wondering about my options).
Thank you very much.
-
While our whole internal network is gigabit, our connection to the ISP is probably going to max out at 10 Mb/s down and 2 up, so I believe that 100 Mb/s limit you mentioned should be no problem at all, unless I do not understand the speed issues correctly.
You should be fine, just keep in mind that your pfSense host has a total throughput limit of about 200 Mb/s (sorry, I typod the figure). That includes all the LAN to LAN communications too. With a total of 12 Mb/s for the Internet that leaves "just" 188 Mb/s for all other comms. The exact figure will depend on many things and it may be higher or lower.
Just briefly skimmed through the Captive Portal flash tutorial – very slick! Question: Can it be set up without a required username / password but just a "Acceptable Use" policy? Our situation is that we have a conference facility people rent and while they rent they have Internet access (usually about 3-4 hours) but after that it could be turned on/off. Of course a username/password is not that big of a deal but just wanted to know full options.
I suspect you'd need a username and password (never used the Captive Portal so don't know), but the documentation may cover it (or it may have been discussed here already - do search the forum). If it doesn't a separate post in the Captive Portal forum should put you on the right track.
So based on the different organizations I have, I could be looking for up to 5 NICs in the one machine! Is this a crazy setup I should avoid or not a problem? Conversely, would you recommend a VLAN-capable switch in order to reduce the number of network cards (I don't have a big budget for VLAN switches so wondering about my options).
You can get 5 port Gbit VLAN capable switches for about $40 - the MikroTik RouterBoard 250GS for example. Whether you take that approach (which is probably cheaper) or use dedicated NICs is entirely up to you.
-
@Cry:
You can get 5 port Gbit VLAN capable switches for about $40 - the MikroTik RouterBoard 250GS for example. Whether you take that approach (which is probably cheaper) or use dedicated NICs is entirely up to you.
Where I live both HP Procurve (1810G-8) and TP-Link have 8 port Gigabit switches that are VLAN capable for under the local equivalent of US$130 (probably cheaper in the US). I have no experience with either but I'm a happy user of HP Procurve 1700-8 (1 Gigabit port, 7 10/100 ports, VLAN capable).
-
No password is required, just select the option for no authentication under the authentication section.
-
Thanks very much to everyone who responded – you have all helped clarify a lot for me and have helped my confidence in pfSense being the correct solution for our needs.
I am hoping to use version 2 of the pfSense -- is there a reason I should not? I believe my situation is fairly straightforward and I shouldn't have an issue hopefully!
Thanks.
-
Hello again,
So due to hardware issues, those Proliant machines are no longer available for me to build the pfSense box. Instead I have this machine:
Pentium 4, 2.6 Ghz (800 FSB), with 512 MB DDR RAM, 160 GB drive, with an Intel d865gbf motherboard.
I will be adding in 5 Intel network adapters.
Will this machine be sufficient for what we have been talking about? I'm guessing the first thing to do is up the RAM, but to how much?
Thank you!
-
You should still be fine. You may want to consider 1 GB of RAM, or more, just because Squid will work better with more memory to play with. If you've got a 32 bit build then you're limited to 4 GB of RAM (from memory).