Netgate Discussion Forum
    Filtered bridge Colo setup

    Firewalling
    14 Posts 4 Posters 4.8k Views
    • cmb

      Firewall config looks fine. Server's IP config has to be within your WAN subnet and using the upstream router as the gateway. No different from how I wrote it in the m0n0wall link there. You'll only be able to pass ping outbound with that ruleset. You have to enable OPT1 and set it to type "none".

      • Goliathxo

        For the purpose of debugging I replicated the Colo setup as you (Chris) described in http://doc.m0n0.ch/handbook/examples-filtered-bridge.html, see snippets below.
        I'm able to ping from the pfSense WAN interface (111.111.111.10) to the upstream Colo router (111.111.111.9) and vice versa. But I'm not able to ping the Colo router (111.111.111.9) from the Servers interface (111.111.111.11), or ping the Colo router from the Servers through the Bridge. As in the example, the IPs of the Colo router, WAN and Servers are all on the same /24 subnet.

        The setup looks like this:


        I feel it's something simple I'm overlooking…

        See post below..

        • Goliathxo

          Darn STP on a VLANned switch :(
          Old cross cable to the rescue :)

          Now seeing nice throughput on a Nexcom NSA 1120 http://bit.ly/Ijrwkc (Atom D525, 2 GB, 64 GB Samsung 830 SSD)
          Any tips for tuning the em(4) interface?

          • Goliathxo

            After eliminating a Broadcom NIC from the test setup (everything is now on Intel), the numbers are slightly better.

            I think a filtered bridge setup (no NAT) is also good on CPU usage :)

            • FJSchrankJr

              Hi,

              I am using pfSense for a very similar situation.

              I gather you have it up and running but take a look:
              http://forum.pfsense.org/index.php/topic,37824.msg196000.html#msg196000

              FJS - Embedded Systems Engineer
              Pictures are worth a thousand words, but posting config.xml backups are worth 10,000. Alter the IPs, change anything revealing but leave subnets intact. Use find and replace. Please try to keep it brief on the description.
              ALWAYS disable TSO & LRO EXCEPT CHKSUM IF SUPPORTED. TSO/LRO breaks traffic, pf scrub and this goes for any passive device inline

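FJS's signature advice (turn off TSO and LRO on an inline filtering box, but keep checksum offload) can be checked from `ifconfig` output. The script below is an added example, not code from this thread or from pfSense: it reads one interface's `ifconfig` text, reports which of TSO4/TSO6/LRO are on, and prints the FreeBSD commands that turn them off. The sample `ifconfig` output, the interface name `em0`, the hex option words and the MAC address are constructed; the rc.conf line reuses the thread's WAN address purely as an example.

```shell
#!/bin/sh
# Added example, not from this thread: audit a FreeBSD/pfSense NIC's hardware
# offload flags from `ifconfig <if>` output and print the commands that turn
# TSO/LRO off while keeping checksum offload, as FJS's signature recommends.

# Constructed sample output modelled on a FreeBSD em(4) interface; the hex
# option words and MAC address are made up for the example.
SAMPLE_OFFLOAD_ON='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,LRO,VLAN_HWTSO>
        ether 00:11:22:33:44:55'
SAMPLE_OFFLOAD_OFF='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:11:22:33:44:55'

# Print the segmentation/receive offload flags (TSO4, TSO6, LRO) enabled in
# one interface's ifconfig output, space separated; empty when none are on.
# Checksum offload (RXCSUM/TXCSUM) is deliberately not reported: it stays on.
list_offload_flags() {
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-fx]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | awk '$0 == "TSO4" || $0 == "TSO6" || $0 == "LRO"' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Exit status 0 when any of TSO4/TSO6/LRO is enabled, 1 otherwise.
offload_enabled() {
    [ -n "$(list_offload_flags "$1")" ]
}

# Print the corrective commands for an interface: the one-shot ifconfig form
# and the persistent /etc/rc.conf line for plain FreeBSD. On pfSense the same
# switches live under System > Advanced > Networking ("Disable hardware TCP
# segmentation offload" / "Disable hardware large receive offload").
# The address below is the thread's WAN address, used only as an example.
fix_commands() {
    ifname=$1
    printf 'ifconfig %s -tso -lro rxcsum txcsum\n' "$ifname"
    printf 'ifconfig_%s="inet 111.111.111.10 netmask 255.255.255.0 -tso -lro"\n' "$ifname"
}

# Report on one interface; returns 1 when a fix is needed so it can be
# used from scripts. Usage on a live box: audit_interface em0 "$(ifconfig em0)"
audit_interface() {
    ifname=$1
    flags=$(list_offload_flags "$2")
    if [ -n "$flags" ]; then
        printf '%s: offload enabled (%s), run:\n' "$ifname" "$flags"
        fix_commands "$ifname"
        return 1
    fi
    printf '%s: TSO/LRO already off\n' "$ifname"
    return 0
}

# Demo on the constructed samples: the first needs a fix, the second is clean.
audit_interface em0 "$SAMPLE_OFFLOAD_ON"
audit_interface em0 "$SAMPLE_OFFLOAD_OFF"
```

The check only looks inside the `options=<...>` word, so `VLAN_HWTSO` (a different capability) is not mistaken for `TSO4`; after applying the fix, re-run `ifconfig em0` and confirm that `RXCSUM`/`TXCSUM` are still listed while `TSO4`, `TSO6` and `LRO` are gone.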
              • Goliathxo

                Fred,

                In my setup with 3 interfaces (LAN, WAN, OPT1) I didn't need steps 4 and 5.
                I have 2 more questions for you:

                • Which Firewall Optimization profile do you use for state table optimization?

                • Did you find a solution to the RRD Graph issue http://forum.pfsense.org/index.php/topic,42081.0.html?

                Thanks for your suggestions.

                • FJSchrankJr

                  @Goliathxo:

                  Fred,

                  In my setup with 3 interfaces (LAN, WAN, OPT1) I didn't need steps 4 and 5.
                  I have 2 more questions for you:

                  • Which Firewall Optimization profile do you use for state table optimization?

                  • Did you find a solution to the RRD Graph issue http://forum.pfsense.org/index.php/topic,42081.0.html?

                  Thanks for your suggestions.

                  Hi Goliathxo:

                  I use "normal" for the optimization because otherwise, in a high-traffic environment (like colo), you're going to have tons of states open; DDoS attacks especially can create too many if the timeouts are long. In some cases during a DDoS I will set that to aggressive to keep it from running out of resources, but normal is the way to go.

                  On the RRD issue, never resolved it. It might have been fixed in 2.0.1; it was strange that the RRD totals were off yet the traffic was flowing normally and the traffic graph showed it correctly. Did you have this issue too? Try using 2.0.1, it might have been resolved; I know it was listed in the bug tracker. We're running a colo/data center with pfSense too; it's a very good firewall for it.


                  • chpalmer

                    Hi Goliathxo:

                    Sorry, missed your earlier reply…

                    Difference is I have the pfSense address on the Bridge interface. WAN and Server interfaces are "none" in my config with my LAN (maintenance port) routing.

                    I don't see why what you're doing won't work though...

                    My test box config file is here http://forum.pfsense.org/index.php/topic,46738.0.html

                    In that post I'm having a problem with 2.1 that does not happen with 2.0.1...

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    • Goliathxo

                      @FJSchrankJr

                      On the RRD issue, never resolved it. It might have been fixed in 2.0.1; it was strange that the RRD totals were off yet the traffic was flowing normally and the traffic graph showed it correctly. Did you have this issue too? Try using 2.0.1, it might have been resolved; I know it was listed in the bug tracker.

                      I'm running 2.0.1 and the RRD issue is still there.

                      @chpalmer
                      STP on a VLANNED switch broke my setup, now everything seems to be working.

                      Although I'm experiencing a strange phenomenon:
                      DNS traffic from IPs behind the bridge (SERVERS interface, Windows unicast NLB) is suddenly blocked on the WAN interface. As suddenly as it appears, it also disappears without changing anything in the config ???

                      The rules for the SERVERS interface allow DNS tcp/udp traffic, so I'm in the dark here!

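To pin down intermittent drops like the DNS blocks described above, it helps to filter the pf log for blocked port-53 traffic whose source is in the bridged server subnet, so each drop comes with a time, an interface and the rule number that matched. The script below is an added example, not part of this thread or of pfSense: its log lines are constructed to resemble tcpdump's decoding of `pflog0` (field positions may differ between versions), and `SERVER_NET` uses the thread's 111.111.111.0/24.

```shell
#!/bin/sh
# Added example, not from this thread: pull blocked DNS (port 53) entries for
# hosts in the bridged server subnet out of pf log text, so the intermittent
# drops Goliathxo describes can be tied to a time, interface and rule number.
# Sample lines are constructed, modelled on `tcpdump -n -e -ttt -i pflog0`
# output; field positions differ between versions, adjust the awk if needed.
# IPv4 only: the host/port split below assumes dotted-quad addresses.

SERVER_NET='111.111.111.'    # the thread's /24, matched as an address prefix

SAMPLE_PFLOG='00:00:00.000000 rule 5/0(match): block in on em0: 111.111.111.11.52034 > 8.8.8.8.53: UDP, length 40
00:00:00.010203 rule 12/0(match): pass in on em1: 111.111.111.11.52035 > 8.8.8.8.53: UDP, length 40
00:00:00.020304 rule 5/0(match): block in on em0: 203.0.113.7.40000 > 111.111.111.11.80: Flags [S], seq 1, win 65535, length 0
00:00:00.030405 rule 5/0(match): block in on em0: 111.111.111.11.52036 > 8.8.4.4.53: Flags [S], seq 2, win 65535, length 0
00:00:00.040506 rule 5/0(match): block in on em0: 111.111.111.11.52037 > 8.8.4.4.443: Flags [S], seq 3, win 65535, length 0'

# Read pflog text on stdin; print one line per blocked packet whose source is
# in SERVER_NET and whose destination port is 53:
#   <time> <iface> <src>:<sport> -> <dst>:53 rule <n>/<m>
blocked_dns_from_servers() {
    awk -v net="$SERVER_NET" '
        /\(match\): block / {
            # $1 time, $3 "N/M(match):", $7 "ifname:", $8 src, $10 "dst:"
            rule = $3;  sub(/\(match\):$/, "", rule)
            ifc  = $7;  sub(/:$/, "", ifc)
            src  = $8
            dst  = $10; sub(/:$/, "", dst)
            # host.port -> host and port (split at the last dot)
            sport = src; sub(/.*\./, "", sport)
            shost = src; sub(/\.[0-9]+$/, "", shost)
            dport = dst; sub(/.*\./, "", dport)
            dhost = dst; sub(/\.[0-9]+$/, "", dhost)
            if (index(shost, net) == 1 && dport == "53")
                print $1, ifc, shost ":" sport, "->", dhost ":" dport, "rule", rule
        }'
}

# Number of such drops, handy as an alert threshold in a periodic check.
count_blocked_dns() {
    blocked_dns_from_servers | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live box replace the printf with
#   tcpdump -n -e -ttt -i pflog0 | blocked_dns_from_servers
printf '%s\n' "$SAMPLE_PFLOG" | blocked_dns_from_servers
```

On the sample, only the two blocked port-53 packets from 111.111.111.11 are reported; the passed DNS query and the unrelated blocks (inbound to port 80, outbound to 443) are skipped. The rule number in each line is what to compare against the ruleset when the drops appear and disappear without a config change.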
                      • FJSchrankJr

                        Hi Goliathxo:

                        RRD: can you post it for the other interfaces too (same time period)? Will work on finding/solving it over the weekend. Thanks


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.