Has anyone tried to use 2 pfsense servers?
-
I agree with vindenesen, you have a lot of NATing going on that's not really necessary. An ideal situation would be: both your APs running purely as APs (no NAT or DHCP) and connected directly to one pfSense box. Doing that gives you control over all traffic in one place and also allows the most flexibility in configurations.
well I agree with you. but this dual pfsense boxing started when I wondered if I could generate a proxy report using lightsquid report on my AP. because I can easily track all IP activities on LAN. but on the AP I couldn't see who's being a pain. since… again, that AP has all access, as requested by our management. but I'm also bothered with these mobile devices that have a Hotspot Feature. since they use their mobile phones to access my ap and give open access to anyone. (yes, management also requested their mobile phones too) and pfsense couldn't monitor those who are connected to those hotspots... or so I think, or I don't have any idea how to.

You only have 3 NICs and no more slots. You could get around this by using a dual or quad port NIC. You could also do it by using VLANs with a suitable managed switch which may be cheaper. Perhaps you already have such a switch?
quad NIC… I never knew such a thing existed. thanks for letting me know. I'll look for one here.
I'll read about VLANs. I just quick googled what it is and it sounds promising. At some point I really don't need another pfbox

You can add port forwarding to access all your devices in their current configuration. Have a look here:
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
This is also useful:
http://pfsensesetup.com/port-forwarding-with-nat-in-pfsense/

I'll take a close look at all these links. thanks for the help steve :)
-
Hello,
I am currently using 2 pfSense boxes, but it's more because said boxes are small (repurposed) thin clients, and they don't have much power. There is only one 32-bit PCI slot, and a 1 GHz single-core CPU in each, not to mention only 1 GB of RAM and a 2 GB flash chip (SSD). One of the boxes is performing DHCP & DNS, as well as Squid and SquidGuard. It has a PCI to PCMCIA/CARDBUS adapter installed, with a 2 GB Microdrive for use as the squid cache and various logs - I don't want to ruin the Flash with too many writes. The other box has a second NIC, and is doing NAT, and some other stuff.
I had to read this 4 times just to basically understand this. thank you, I didn't think pf could do that
Now, to add to the discussion at hand:
If the 2 WiFi routers are setup as APs only, with DHCP server off on both units, then getting to the web GUI should be as simple as opening a web browser and going to each router's ip address.

yes. I understand. but I was wondering if I could do it without bringing a long cable and access it here in my pc. since they have their own DHCP I don't know if I could access the AP's gui. from IP 192.168.1.5 to a 192.168.2.1 AP…

Also, if you need to separate the wifi addresses and corresponding traffic to each router, then, yeah, use a managed switch, and separate out each subnet as needed.
Alternately, your WiFi routers may already support vlans, but the embedded GUI may not allow access to such settings. Usually the WAN port is part of the LAN switch physically, but is segregated out by way of vlans. For more info on this topic, as well as info on how to get to the advanced features of your specific router, if it is supported, search the Internet for OpenWRT, DD-WRT, Tomato Linux, and related distributions. These are essentially the same idea as pfSense - at least as far as getting a free, open-source router solution. These are specifically focused on actual WiFi routers, rather than custom-built and brand-name computers. I am especially fond of OpenWRT, but it is not as well suited to beginners. It is rather "bleeding-edge" stuff.
subnets and Vlans … I'll do some research on these thanks aaron.
I really apologize for this. It feels like I'm giving everyone a hard time on a really simple problem.
thanks everyone for helping, I'll go through everything one at a time.
-
No need to apologise, you're not giving us a hard time. :)
If anything it's us giving you a hard time with some unusual suggestions. If it were me I too would look at using VLANs on the access points directly and that might mean running a 3rd party firmware. The reason I would do that is that you could accomplish everything you want without having to buy any new hardware. However if you've never tried dd-wrt, openwrt etc you could be in for a steep learning curve.
Steve
-
I definitely concur, but moreover, I think most of us realize there was a time wherein we were sitting in your seat, so to speak. As a community, helping each other benefits the whole community. One might think of it like this: If you know your class is having a spelling bee, you could try to pick only the best spellers. If the other team has already done that, then you just have to educate your "weak links" and make them better than the already good spellers on the other team - In other words, strengthening the team members also strengthens the team as a whole. It's not that any one is smarter or better than anyone else, so much as some are further along in their quest for knowledge than others.
Knowledge - pass it on…
-
Luckily this isn't a spelling bee. Many of us would not make that team! ;D
Steve
-
Yes, I'm currently looking at videos about vlans. thank you
and my AP here is a dd-wrt. and the other AP is a tp-link. I haven't seen openwrt yet i think…
and maaan there are a lot of questions I'd like to ask everyone but I'm a bit busy.
I guess I'll ask just a few questions for now. Links if you guys have read it somewhere in the forums :)

in the Firewall: Traffic Shaper: Limiter. I made 4 limiters

1mb IN\1.5mb OUT
These are for those who have All access (management/department heads, the boss himself) who wish to have their connection just like at home, without restrictions.

800kb IN\1mb OUT
and these are for the special employees (brown nosed people for always kissing the management/department head's a$$es), restricted but requests facebook to be allowed.

my question is:
1. to a single user doing regular office work how much would you limit their IN/OUT?
2. if inside a single alias there are 5 people in it, and I gave that alias a 1mb limit rule, would that mean those 5 share 1mb? or 5 will each have 1mb?
3. is there a "Network/PFsense: best practices" book somewhere? haha
Thanks for sharing the knowledge, and I'll pass it on too.
LOL
-
It's almost impossible to give you a recommendation on how much bandwidth you should assign. It depends on how much each user actually needs which varies a lot. What is your WAN bandwidth total? The fact that you have assigned limiters with greater outgoing bandwidth than incoming indicates your usage is different than any network I've worked on. Or is that reversed, from the LAN interface point of view?
Depending on how you've setup the traffic shaping it could be either 1Mb each or shared between all. Traffic shaping is probably the most difficult part of pfSense to understand IMHO.
There is a pfSense book and it's very good. However the book that's currently available was written for 1.2.3 so it's outdated. There is a new book that should be released 'soon'.
Steve
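As an added illustration of the "either 1Mb each or shared between all" point (a toy model written for this thread, not pfSense or dummynet code): a pfSense limiter is a dummynet pipe, and the limiter's mask setting decides whether one pipe is shared by everyone matching the rule or cloned per source host. The model assumes equal sharing inside a pipe instance and uses constructed addresses.

```python
# Toy model of limiter "mask" behaviour. Assumption: all hosts are saturating
# the limiter and traffic inside one pipe instance is shared equally.
import ipaddress
from typing import Dict, List, Optional


def pipe_key(src_ip: str, mask_bits: Optional[int]) -> str:
    """Select which pipe instance a flow from src_ip lands in.

    mask_bits=None models a limiter with no mask: every flow shares one pipe.
    mask_bits=32 models a 'source address' mask: one pipe per host.
    Smaller masks (e.g. 24) give one pipe per subnet.
    """
    if mask_bits is None:
        return "shared"
    net = ipaddress.ip_network(f"{src_ip}/{mask_bits}", strict=False)
    return str(net.network_address)


def per_host_rate(hosts: List[str], pipe_kbps: int,
                  mask_bits: Optional[int] = None) -> Dict[str, float]:
    """Rate (kbit/s) each host gets from a pipe of pipe_kbps with the given mask."""
    buckets: Dict[str, List[str]] = {}
    for h in hosts:
        buckets.setdefault(pipe_key(h, mask_bits), []).append(h)
    rates: Dict[str, float] = {}
    for members in buckets.values():
        share = pipe_kbps / len(members)   # equal split inside the instance
        for h in members:
            rates[h] = share
    return rates


# Constructed sample: the five users of one alias, all on the same LAN.
ALIAS_HOSTS = [f"192.168.1.{n}" for n in range(10, 15)]

if __name__ == "__main__":
    print("no mask  :", per_host_rate(ALIAS_HOSTS, 1000))       # 200 each
    print("/32 mask :", per_host_rate(ALIAS_HOSTS, 1000, 32))   # 1000 each
```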
-
Thanks Steve.
sorry. it is from LAN pov.
we only have 5mb connection. so for 60++ people including everyone's mobile phones and laptops I think I need to shape traffic.
-
Traffic shaping with PRIQ isn't too hard to handle. There is an excellent HFSC thread going on right now in the Traffic Shaping forum if you need to worry about realtime traffic guarantees.
Becoming a pfSense Gold Member gives you access to the 2.x manual, which is a work in progress.
-
Yep the draft V2 book is well worth a read if you have the gold subscription.
With a 5Mbps connection shared between 60 clients you may need to get some relatively complex shaping to keep things moving.
Is the connection symmetric, 5Mbps up also?
For example rather than specifying a bandwidth limit per user you can instead reserve some bandwidth for important tasks/users leaving the rest to be used by anyone. Again it depends what your users need. I have no idea what sort of business you're involved with but maybe most of those 60 clients only occasionally send emails.
Steve