PfSense with 2 routers and 1 switch

DesertPanther · Jul 29, 2011, 11:01 PM

Hello guys!

pfSense noob is here, and this is my first post in the forums. So bear with me please and apologize if this is not the right place to post my silly questions :)

I am the 'IT guy' in a company that has 60+ employees, all of them needs Internet connectivity, currently they are connected through a series of switches then into a wireless router.

So were getting a new Internet connection from another ISP, and my boss asked me to do a firewall on both of them and make load balance as well. I decided to use pfSense because I heard about how stable it is and have lots of features.

I have a box with 3 Ethernet interfaces, 4GB RAM and dual core processor that will be used as the firewall.

Is it possible to connect the two routers to this machine which will dictate its rules on them and filter all websites/connection except a specific white-list and excluding only several IPs from this list to a central switch that will itself be connected to other switches and a wireless access point?

Please see the attached diagrams so you can understand what I mean :)

Can pfSense act like a DNS server too? I believe that having a DNS server locally will accelerate things other than using the sluggish ISP's DNS or 3rd party servers, am I right?

Another thing that is planned later is making a VPN with another office of our company but located overseas, can pfSense support with such network configuration?

One last questions, though probably unrelated to pfSense directly. Is 'cascading switches' like what I've made in the diagrams a bad idea or not? People for example in Switch 2.1.1.1 and below are reporting sluggish performance in connectivity. Also which are the best Routers/Switches/Wireless APs to do such network?

I really appreciate your input, thanks in advance :)

Figure 1: Current Network.

Figure 2: Suggested Network.

johan.helin · Jul 30, 2011, 8:53 AM

Cascading switches are almost always a bad idea. If i would build a network i would use as few switches as possible to get the number of ports necessary, because switch to switch communication is always a bottleneck when it comes to bandwidth.

stephenw10 · Jul 30, 2011, 2:27 PM

Yes, pfSense can do all of that.
I'm not sure about running a local dns server as opposed to dns forwarding but probably.
You don't say what sort of connection speeds you have. This is key to sizing the hardware correctly.
What sort of VPN bandwidth are you expecting to need?

Steve

Metu69salemi · Jul 30, 2011, 1:01 PM

If you have manageable switches and those or either procurve, catalyst or similar. you can use trunking and lagg between switches, so you can use multiple ports between switches(increasing dataspeed between switches)

DesertPanther · Jul 30, 2011, 1:21 PM

First of all thank you guys for your replies.

I will work on minimizing the switches' layers to at most 3 only.

We currently have 4Mbps connection with supposedly no cap limit, or so the ISP claimed, and we are getting 2Mbps connection from another ISP with no cap too, will be upgraded later to either 8 or 12Mbps but with 400GB cap per month.

I want to make a balance between those so browsing, IMing, emailing would go through the capped connection, while the unlimited one will be for downloads, software updates, uploads, media streaming etc…

stephenw10 · Jul 30, 2011, 2:42 PM

@DesertPanther:

I want to make a balance between those so browsing, IMing, emailing would go through the capped connection, while the unlimited one will be for downloads, software updates, uploads, media streaming etc…

Layer 7 routing, what you are talking about above, is more complex but certainly possible.
You may run into problems where one application ends up using both connections, say sending a file through IM. Some servers see that as a potential security breach.

So a maximum throughput of 16Mbps. Almost any hardware will handle that with ease. Your proposed hardware will have no problem even if you are using all of that for VPN.

Steve

Edit: Actually you could probably achieve almost the same result just using port based routing.

DesertPanther · Jul 30, 2011, 3:17 PM

Will work on the thing once I get the need equipment and will write my results here :)

Just another quick question, when the final version of 2.0 will be released?

Thanks guys!

stephenw10 · Jul 30, 2011, 4:34 PM

@DesertPanther:

When the final version of 2.0 will be released?

When it's ready! ;)

Which should be very soon.

See: http://forum.pfsense.org/index.php/topic,29857.0.html

Steve

kumarnarain · Jul 31, 2011, 1:37 AM

@stephenw10:

@DesertPanther:

When the final version of 2.0 will be released?

When it's ready! ;)

Which should be very soon.

See: http://forum.pfsense.org/index.php/topic,29857.0.html

Steve

Hai
I have an exactly SIMILAR setup in our office already running 1.2.3 and we did a fresh install of 2.0 RC3. I am unable to get load balance up and working.
Here is how our setup is ISP1 on rl0 marked as WAN (DHCP) gives out a public Ip (dynamic ..changes on reboot) and ISP 2 on
rl1 (DHCP) but gives a private ip on 192.168.x.y
Is there a work around to do load balancing here?
Right now we are using only one ISP of the above. I read somewhere that load balancing will work ONLY with static and public Ip. Is that true?
Regards
Kumar

stephenw10 · Jul 31, 2011, 2:33 AM

@kumarnarain:

I read somewhere that load balancing will work ONLY with static and public Ip. Is that true?

No.
Not for outgoing load balancing anyway.
I am using two PPPoE connections here with dynamic IPs.
Currently they are both public IPs but I have had it setup with a separate router and hence a private IP before.
Both setups worked fine with load balancing.

Steve

kumarnarain · Jul 31, 2011, 3:06 AM

@stephenw10:

@kumarnarain:

I read somewhere that load balancing will work ONLY with static and public Ip. Is that true?

No.
Not for outgoing load balancing anyway.
I am using two PPPoE connections here with dynamic IPs.
Currently they are both public IPs but I have had it setup with a separate router and hence a private IP before.
Both setups worked fine with load balancing.

Steve

So essentially my ISP1 has to be routed to a private Ip space and then fed to PFsense..Am I right?
Due to frequent connectivity disruption I am trying to set this up
Sorry I am a newbie

stephenw10 · Jul 31, 2011, 11:59 AM

The best setup is to have both connections pass their public IP to pfSense.
That way pfSense can control and monitor the connection.
That depends on what sort of connections you are using (cable, adsl etc) and whether you can set whatever modems you have into 'bridge' mode.

Steve

kumarnarain · Jul 31, 2011, 3:50 PM

@stephenw10:

The best setup is to have both connections pass their public IP to pfSense.
That way pfSense can control and monitor the connection.
That depends on what sort of connections you are using (cable, adsl etc) and whether you can set whatever modems you have into 'bridge' mode.

Steve

One ISP is already giving public Ip though it changes everytime it is rebooted. I am not sure if ti can be made to bridge mode. I need to check…..
All I know is that it is a wimax based connection. What I get from their antenna on the rooftop is an RJ45 jack which I plug to my
current 1.2.3 pfsense box and thru the second NIC I hook it to the switch in the office.

I have already filed a request with the incoming ISP to give me public IP instaed of the 192..x.x.x their adsl router provides. I will know tomorrow.
Will keep this link updated. Thank you for the time and patience

Regards

Kumar

stephenw10 · Jul 31, 2011, 4:36 PM

@kumarnarain:

One ISP is already giving public Ip though it changes every time it is rebooted. I am not sure if ti can be made to bridge mode. I need to check…..

No need to adjust anything with that connection. Public IP via dhcp on an RJ-45 is ideal.

@kumarnarain:

I have already filed a request with the incoming ISP to give me public IP instead of the 192..x.x.x their adsl router provides.

Does your ISP have their adsl router locked down? Usually it is this that can be set to bridge mode to pass a public IP through to your pfSense box.

Either way you should be able loadbalance the two connections.

Steve

kumarnarain · Jul 31, 2011, 4:56 PM

@stephenw10:

@kumarnarain:

One ISP is already giving public Ip though it changes every time it is rebooted. I am not sure if ti can be made to bridge mode. I need to check…..

No need to adjust anything with that connection. Public IP via dhcp on an RJ-45 is ideal.

@kumarnarain:

I have already filed a request with the incoming ISP to give me public IP instead of the 192..x.x.x their adsl router provides.

Does your ISP have their adsl router locked down? Usually it is this that can be set to bridge mode to pass a public IP through to your pfSense box.

Either way you should be able loadbalance the two connections.

Steve

They havent locked it. It is set at 192.168.1.1, but connectivity got cut when I changed the mode. So i have filed a request.
Right now I am unable to load balance when I tried following the doc given at the site. Is there a good step by step document
for this scenario?

stephenw10 · Jul 31, 2011, 5:55 PM

It's all covered here:
http://doc.pfsense.org/index.php/Multi-WAN_2.0

Steve

wallabybob · Jul 31, 2011, 10:39 PM

Typically when you change your ADSL modem from router to bridge mode you need to also change the corresponding pfSense interface from DHCP and enable pppoe on it: Interfaces -> (assign), click on PPP tab, add a PPP interface, go back to Interfaces -> (assign), add the ppp interface, assign it to WAN (or whatever) then add the username and password that had previously been configured in the ADSL modem for ppp.

I don't know if that applies to your service.