Is it possible with pfSense?
-
Hi,
I was looking through the entire forum and didn't find this.
We have a SLES11 SP2 2-node cluster with Pacemaker, XEN and 10 DSL connections. We would like to deploy this; tell me if it's possible to accomplish with pfSense:
Install 10 virtual pfSense machines, or 5 virtual machines (2 WAN connections each), that can do:
- Load balance (both LAN = 1 IP address as a proxy server, and WAN)
- Failover in case one of the WANs is down
- Transparent proxy caching
- FileZilla connection to the outside world (I know this is not possible with Squid; that's why I'm writing this in a pfSense forum to see if it can handle it)
Basically I want 1000+ users to have one and only one proxy server, and no matter if one of the links or virtual machines is down, the users can still browse the net.
Thanks in advance!
Daniel
-
Why do you want to run so many pfSense instances?
It would be much easier to do this with one machine with 10 WAN connections.
Steve
-
For 1000+ users I'd use one pfSense machine with 10 WAN links and a separate squid cache server.
PS: I don't know what a "FileZilla connection" is, but assuming it is FTP/SFTP, then it'd work through pfSense.
-
It is FTP/SFTP.
http://en.wikipedia.org/wiki/FileZilla
Steve
-
Why do you want to run so many pfSense instances?
It would be much easier to do this with one machine with 10 WAN connections.
Steve
Assuming it is all in the same physical location, I would recommend not ONE box with 10 WAN interfaces but two or more, and using CARP for failover. With that much traffic going on you don't want the firewall to be a single point of failure.
PS. You could use whatever protocols/ports (such as FTP) in any way you need, as long as the firewall(s) are up and are configured correctly. A big plus with FileZilla is that you can use "active FTP" (in some versions of FileZilla this is done by disabling passive FTP), which, IMO, is much easier to configure in your firewall(s) when you run multiple FTP servers.
-
Thank you guys for the quick answers! And I'm astonished at the capabilities that pfSense has for free.
I will try to create at least 2 pfSense servers (virtualized), with 5 WANs each, with CARP and Squid cache. I'll try to follow all the tutorials I found and let you know.
Again, thank you!
Daniel
-
When you run two boxes as a CARP pair, only one box is active at a time; the other is backup. Thus if you want to use all 10 WAN connections, they all have to connect to both boxes.
If you are running these virtualised, there is very little point in having them on the same host machine. You would still have the single point of failure.
I'm not familiar with SLES, but since you have two nodes I am guessing that's at least two real machines.
What speed are each of these connections?
Steve
-
I see... so CARP is not for me... each DSL connection is 5 Mbps.
What do you recommend for a complete failover solution? (If a WAN or server is down, the service is still up, but degraded.)
Transparent proxy is also desirable if possible.
Regards,
Daniel
-
If you want a failover solution for server failure then CARP is for you. :)
http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29
It's just more complex because you have a number of WAN connections and you're running virtualised. To be honest this is beyond my experience.
Transparent proxy and load balancing/failover between 10 5 Mbps connections should be no problem on any recent hardware.
Steve
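The two behaviours the thread keeps coming back to, spreading traffic over several WAN links with dead links dropped from the rotation, and a CARP pair where only the MASTER node forwards, are easy to misread from prose alone. The following is an added model written for this page, not pfSense's own code: it assumes pfSense-style gateway-group semantics (members in the same tier are load-balanced by weight, a lower tier number is preferred and higher tiers are used only when every member of the lower tier is down, a member is eligible only while its monitor reports it up) and constructs ten hypothetical DSL gateways named DSL1..DSL10.

```python
"""Model of multi-WAN gateway-group load balancing with failover, plus an
active/backup (CARP-style) pair.  Added illustration; not pfSense code.
Gateway names, weights and tiers below are constructed for the example."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    tier: int = 1        # assumed: lower tier preferred, same tier = balance
    weight: int = 1      # assumed: share of flows within a tier
    up: bool = True      # what the gateway monitor currently reports


@dataclass
class GatewayGroup:
    members: List[Gateway]
    _counter: int = field(default=0, repr=False)

    def eligible(self) -> List[Gateway]:
        """Members of the lowest tier that still has at least one live gateway."""
        live = [g for g in self.members if g.up]
        if not live:
            return []
        best_tier = min(g.tier for g in live)
        return [g for g in live if g.tier == best_tier]

    def pick(self) -> Optional[str]:
        """Weighted round-robin over eligible members; None when all are down."""
        live = self.eligible()
        if not live:
            return None
        total = sum(g.weight for g in live)
        slot = self._counter % total
        self._counter += 1
        for g in live:
            if slot < g.weight:
                return g.name
            slot -= g.weight
        return live[-1].name  # unreachable, kept for type completeness


def distribution(group: GatewayGroup, flows: int) -> Dict[Optional[str], int]:
    """How many of `flows` new connections each gateway would receive."""
    return dict(Counter(group.pick() for _ in range(flows)))


@dataclass
class CarpNode:
    hostname: str
    group: GatewayGroup   # every WAN must be wired to BOTH nodes (thread point)
    master: bool = False


def forwarding_node(pair: List[CarpNode]) -> CarpNode:
    """In a CARP pair exactly one node holds MASTER and forwards traffic."""
    masters = [n for n in pair if n.master]
    if len(masters) != 1:
        raise RuntimeError(f"expected one MASTER, found {len(masters)}")
    return masters[0]


def fail_over(pair: List[CarpNode], dead_host: str) -> str:
    """Simulate the MASTER dying: the backup takes MASTER and keeps forwarding."""
    for node in pair:
        node.master = node.hostname != dead_host
    return forwarding_node(pair).hostname


def build_dsl_group(count: int = 10) -> GatewayGroup:
    """Constructed example: `count` equal 5 Mbps DSL lines in one balanced tier."""
    return GatewayGroup([Gateway(f"DSL{i}") for i in range(1, count + 1)])


if __name__ == "__main__":
    grp = build_dsl_group()
    print("all up:      ", distribution(grp, 20))
    grp.members[2].up = False            # DSL3 monitor reports it down
    print("DSL3 down:   ", distribution(grp, 18))
    pair = [CarpNode("fw1", grp, master=True), CarpNode("fw2", build_dsl_group())]
    print("forwarding:  ", forwarding_node(pair).hostname)
    print("after fw1 dies:", fail_over(pair, "fw1"))
```

Two things the model makes visible: a dead member simply stops receiving new flows and the survivors carry on at the same per-link share, and because only one CARP node forwards, the backup node is useless unless every WAN is also physically reachable from it, which is why both nodes in the example are built with the full set of DSL gateways.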
-
You might also want to check the high-availability options of your virtualization platform, instead of using CARP between VMs (which also has its place in a setup where downtime needs to be minimal).
-
I read the docs once again... checked on the forum... and I'm still not convinced that CARP is the solution for me. I don't need a stand-by server. I just need n servers connected to 10 WANs with load balancing. So, I believe installing 2 servers with 5 WANs each, with load balancing, is more than enough for me.
Daniel
-
If you have, say, 500 users connected to each pfSense instance, then if one of those goes down you will have 500 unhappy users. How are you planning to fail over those users?
You can mitigate this by using the HA features of your virtualisation server to make sure they never go down, as Dhatz suggests.
Steve
-
Good point... what if:
4 virtual servers, all with load balance (1 transparent proxy for all the users), with 5 WANs on each of the "active" servers, and CARP with the other 2 virtual servers in case something happens.
What do you think about that?
-
I think... why do you want to have two active servers with 5 WANs on each, as opposed to one with all 10?
It will be far easier to set up a transparent Squid proxy if all the traffic goes through one machine.
Steve
-
That's even better!
1 active server with 10 WANs and 1 passive server with CARP.
Excellent!!
Thanks!!
Daniel
-
Like I said, this is beyond my experience, so don't thank me yet! ;)
Perhaps wait for other comments. That's what I'd try though.
Steve