General routing question - how does router effect local speeds with subnets
- 
 Greetings. I am testing different linux router/firewall distros. I keep coming back to pfSense, as for some reason I prefer it over the many choises available. I am very familiar with windows boxes, but have very limited experience with linux boxes, although I can stumble around if I get help. I am pretty familiar with networking in general - I understand what ports are, what holds a port open and why, how to create rules that allow or deny traffic, understand basic subnetting. My weak spot is routing. I have had for many years a static IP at home and work. Recently I changed ISPs at home, and now have a dynamic WAN IP. One reason I am looking into one of these distros is because I have some specific rules in my current router (Dlink 655) that I can no longer utilize with a dynamic IP. I understand I can probably use some scripting with the iptables to solve that problem, but in learning more about these linux distros, I wonder how much I can use since it has more options. Anyway, while I have it working right now in a very basic setup, I am wondering if anyone can help me understand just how using something like pfSense will impact things. I will explain it the best I can, hopefully it make sense. First, I put the pfSense box as my router, and the RED nic is hooked to the modem. No big deal so far, there is my WAN nic. Next, I create a subnet for the GREEN nic, maybe 192.168.1.1/24 - pretty much like normal so far. I create some rules for port forwarding if needed, or create deny rules or allow rules, nothing really out of the ordinary yet. Next I create subnet for the ORANGE nic, maybe 192.168.2.1/24. Here I realize I could use a wifi nic or an AP somewhere, as long as the ORANGE is providing DHCP or I use static on the wifi clients. Again, not too confusing. But here is where I have questions – when I begin to route traffic from Green to Orange or Orange to Green, how does it effect my local bandwidth. Right now I have the router (dlink) which is Gigabit, connected to 4 switches, 3 of which are gigabit (unmanaged) and one which is a 10/100. The 10/100 has only print servers attached, as none of them are gigabit, either 10base or 100base. Currently then, I have a few data servers and a couple NAS boxes (synology), along with about 25 clients. A few clients are wireless due to location not having copper, all else is wired to gigabit switches. The transfer rates are acceptible, roughly 30-50% of gig speeds (some very long runs). I wonder a few things. First, Assuming I have a pfSense box as the router, would both the Green and Orange nics be plugged into the same switch? Would that be acceptible. I don't think I can segregate the clients out by subnet/switch, as the wiring is in the walls and I have to work around that. Second, assuming that X clients are on GREEN, and Y clients are on ORANGE, and I chose to allow traffic between them, how would the traffic flow? The router must route the two interfaces together, but when the traffic flows, does all traffic come into and out of the router. This means of course from client X to switch, from switch to router, across router interfaces, from router back to switch, from switch to client Y. Or, can the routes exist within the clients route tables so that traffic goes from client X to switch, from switch to client Y. I ask because I wonder if all the traffic goes through the pfSense box, doesn't that cause some bandwidth issues? If half of my clients hit a data server at the same time, and half are on Orange, half on Green, wouldn't that be a lot of traffic on the pfSense adapters? Would that manifest as collisions or sluggishness? Mind you, I don't fully understand routing, but more than anything don't understand how the pfSense box plays its role in the path of traffic. Sul. 
- 
 Anyway, while I have it working right now in a very basic setup, I am wondering if anyone can help me understand just how using something like pfSense will impact things. I will explain it the best I can, hopefully it make sense. If you don't mind we might ask questions also to find out more First, I put the pfSense box as my router, and the RED nic is hooked to the modem. No big deal so far, there is my WAN nic. Next, I create a subnet for the GREEN nic, maybe 192.168.1.1/24 - pretty much like normal so far. I create some rules for port forwarding if needed, or create deny rules or allow rules, nothing really out of the ordinary yet. Next I create subnet for the ORANGE nic, maybe 192.168.2.1/24. Here I realize I could use a wifi nic or an AP somewhere, as long as the ORANGE is providing DHCP or I use static on the wifi clients. Again, not too confusing. You don't have to use smoothwall notation, because pfsense doesn't limit interfaces and allready tells what to with'em But here is where I have questions – when I begin to route traffic from Green to Orange or Orange to Green, how does it effect my local bandwidth. Ofcourse it will impact your local bandwidth, like it does with current equipment I wonder a few things. First, Assuming I have a pfSense box as the router, would both the Green and Orange nics be plugged into the same switch? Would that be acceptible. I don't think I can segregate the clients out by subnet/switch, as the wiring is in the walls and I have to work around that. As long as those switches are manageable you can use same switch, but no otherwise Second, assuming that X clients are on GREEN, and Y clients are on ORANGE, and I chose to allow traffic between them, how would the traffic flow? The router must route the two interfaces together, but when the traffic flows, does all traffic come into and out of the router. This means of course from client X to switch, from switch to router, across router interfaces, from router back to switch, from switch to client Y. It doesn't have to go via pfsense if you have L3 switches, but based on your info you don't have. thusfore it has to go via router when changing subnet Or, can the routes exist within the clients route tables so that traffic goes from client X to switch, from switch to client Y. They exist a while as an arp table, but traffic is still going via router I ask because I wonder if all the traffic goes through the pfSense box, doesn't that cause some bandwidth issues? If half of my clients hit a data server at the same time, and half are on Orange, half on Green, wouldn't that be a lot of traffic on the pfSense adapters? Would that manifest as collisions or sluggishness? You should share us basic info to help you out of this question: wan speed(s), loadbalance/failover, how many clients total(per subnet) & etc this is all the info which will determine your hardware needs and after that knowledge you can buy that hardware which will do the job without hitting performance. Mind you, I don't fully understand routing, but more than anything don't understand how the pfSense box plays its role in the path of traffic. Sul. pfsense is not different from any firewall in that case. it's put between modem and lan switch like your dlink now is. but take that dlink off and use pfsense instead. Hope i could clarify even a bit 
- 
 Just one small aclaration ;D : pfSense is not Linux based http://en.wikipedia.org/wiki/PfSense 
- 
 If you don't mind we might ask questions also to find out more Of course not. I went down this road because I am a nerd, plain and simple. I love to learn, and this seemed like a good reason to learn something new, so any help I can give, I will. You don't have to use smoothwall notation, because pfsense doesn't limit interfaces and allready tells what to with'em Oh, I thought the whole Red/Green business was not smoothwall specific, but a generalization of the interfaces. Ofcourse it will impact your local bandwidth, like it does with current equipment Thats is what I thought. You should share us basic info to help you out of this question: wan speed(s), loadbalance/failover, how many clients total(per subnet) & etc this is all the info which will determine your hardware needs and after that knowledge you can buy that hardware which will do the job without hitting performance. Right now I have just one subnet (192.168.1.0/24). WAN speed is 10 x 768 dsl, static ip (this is my workplace). There is no loadbalance/failover at all, as we use the internet for email, research and surfing, not for any business related activities other than ordering online sometimes. Total clients is approx. 25. Also 1 lamp box running as internal webserver for dev of real website, 2 data servers, 2 NAS boxes, 1 server for some fancy probes, and a couple boxes I setup with TeamSpeak3, more for my personal use than anything else (not using bandwidth at night, so a good fringe benefit ;) ). Hardware wise, it works something like this: 
 DSL modem (not router/modem) - Dlink DIR-655 wifi router - gig switches
 There are I believe 6 switches, all 8 port, at choise locations where multiple clients live but with only 1 run of copper. The router is connected to the switches, and the switches to the clients. None of the switches are managed. I used to have some, but when we went to gigabit, I could not afford managed because I would have to purchase so many of them. The unmanaged were cheap enough, and at the time I wasn't concerned about VLANs.After playing with this a bit more, using 1.2.3 and 2.0 snapshots, I don't believe this is going to make sense to use. I don't have a 2.5ghz + machine to use as the pfSense box, and that is what would be needed to get the wire speeds I desire, according to the pfSense documentation. I have a number of 500mhz to 1.5ghz boxes available, with 256-512mb ram available, and 10-80gb hdds to use. What I wanted to do originally was use some scripting with IPTables. Due to the fact that I remote into some of the boxes from home, I want very strict rules as to what IP can be forwarded to the remote machines. My old ISP gave me a static IP at HOME, so my work router had specific filters/rules so that I could remote in. My new ISP gives my HOME a dynamic WAN IP, and my router can no longer be setup the same without me manually changing the IP in the filter to whatever my current HOME IP is. Firewalls for windows boxes can create a rule based on a DDNS name, which is what I use, but once they resolve the name to ip, they never check/update again, so it becomes a manual setting again. Not bad until my HOME IP changes, and then I can't remote in unless I modify the router and/or software firewall. So, I was thinking maybe I could use a linux/bsd distro like smoothwall or pfSense instead of my router, as I could script a change to the iptables and keep it updated to my DDNS account, which would always have my current HOME IP. But, after playing with this, it is more important that I keep internal bandwidth up that use pfSense as a router/firewall. I have now been investigating using pfSense as a proxy with squid and squidguardian. It is not what I set out to do, but I think it could be beneficial. Right now I have it setup to use squid/squidguardian, but both interfaces are on the same subnet, the same as the hardware router. My thought was to then set the http proxy on all clients for the pfSense box LAN interface, which would be the proxy. It does work, but I think I still need to figure out what services/features to disable to stop double NAT and other things not needed in such a configuration. As well, the proxy actually makes the rendering of web pages slower. It could be the machine, which is only a PIII 500mhz with 256mb sdram 100 and a 100ATA hdd. From the docs though, it looks like this should be ample. To finish, I don't think I will proceed with how to make this a router/firewall for my network, but rather how to utilize it as a proxy server only. Any help on that front is greatly appreciated. Thanks for taking the time to reply. Oh, and @ptt, yes I recognize this is BSD based, but thanks for pointing it out Sul. 
- 
 As proxy server it has some demands on harddrive side, but transparent squid and three interfaces could create filtering bridge. And why to buy ferrari and use it like a lada?!? ;) 
- 
 And why to buy ferrari and use it like a lada?!? ;) lol, I know. It is too bad, but budgets are such that I get no $$$ to purchase this year. For our business, computers are not really needed, only a nice convenience, so I don't get much to work with to start with. Being a nerd, I just can't stand not using something like this, so I am being creative and finding a reason to use the ferrari for lowly purposes such as a proxy. I think I am addicted to technology TBH. :) Thanks. Sul. 
- 
 I may be missing something here, but why do you think you need 2.5Ghz + to run a 7Mb DSL connections? I can max a 15Mb cable connection with a 500Mhz Pentium 1 
- 
 I may be missing something here, but why do you think you need 2.5Ghz + to run a 7Mb DSL connections? I can max a 15Mb cable connection with a 500Mhz Pentium 1 If you have more than one internal subnet and have them segregated using different interfaces in pfSense then traffic between the subnets (and hence the interfaces) is filtered just as it would be between WAN and LAN. This if both 'LAN' interfaces are gigabit you will need to filter at gigabit speeds. @sully: If you can't have segregated internal networks, because of your existing wiring, then you don't need fast box. Even so I can get throughput of around 500Mbps from my Pentium-M 1.5GHz box. It would be faster if it had nice Intel NICs. If you think about it carefully you can probably come up with some compromise solution. E.g. put your teamspeak boxes on a separate interface close to your pfSense box. Leave your NAS in the same subnet as your clients so that traffic is not filtered. The concept of red, green and orange interfaces doesn't really hold true for pfSense since, especially in 2.0, all interfaces are treated equally. The differences between them are simply down to what rules you have applied. E.g. you could have five internal interfaces and they would all be 'green'. If you are going to use pfSense as a web proxy it would probably actually be easier to use it as a router as well. ;) Steve 

