Netgate Discussion Forum
    DMZ like IP sharing and Limiter - Is it possible?

    General pfSense Questions
    17 Posts 4 Posters 2.0k Views
    firewalluser

      It would be simpler to just do a straight 50:50 split, but with pfsense if you wanted to get a bit more technical you could enforce quality of service as seen here
      https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
      https://forum.pfsense.org/index.php?topic=50337.0

      Problem is, you don't really have any QoS control upstream unless it's built into your ToS, so your QoS becomes less of an issue on the open internet.

      VoIP lines generally need around 100Kb for reasonable call quality per line if you need some figures to work from, but it's codec dependent. I've streamed VoIP calls over 2G and 3G mobile networks, not tried 4G yet, but mobile is much less reliable for VoIP due to the way it works compared to landline based net access.

      What's the data being used for? Synching SQL DBs? Just curious, but you might have some things to watch out for there as well due to the way some SQL DBs synchronise themselves; latency could be a nuisance here.  :)

      For the billing being split, is it unlimited bandwidth/download or are you capped?

      If capped, how would a 50:50 speed split work with the different data quantities that can be downloaded by each party?

      This might be relevant for managing the different amounts of data each party could download over the month.
      https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage
      https://doc.pfsense.org/index.php/Vnstat

      I haven't suggested a switch solution, just pfSense; the L3 switch was almabes's.

      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

        almabes

        @torontob:

        @almabes:

        If it were me, I'd do this with a L3 smart switch.  I'd set bandwidth limits on the ports the two companies edge devices WAN ports connect to.

        I like your simplistic approach. Can you please detail:

        1- example of the switch type you have in mind
        2- would the switch do IPs and routing? or it will act as a dumb switch in that regards?
        3- are all managed smart switches capable of splitting the bandwidth to 50,50 mbps and is that why you were suggesting managed switch?
        4- would both my pfsense and office-2 router connect to same switch and obtain the same /27 subnet but just use different usable IPs?

        Thanks,

        1.  Any decent switch will do port based ingress and egress rate limiting.  Some will be easier to configure than others.  I just purchased a 48 port Cisco 2900 series gigE switch for ~$180.  If you don't care about the two businesses' Ethernet traffic being visible to each other's edge device then you can get away with a Layer 2 device.  Cisco SG300 switches can be had for $180.  Mikrotik switches are supposed to do this too and ~$40.  Tim McManus just got one for a project he and I are working on.

        2.  A Layer 3 switch can do the routing for you.  You can break up the /27 you have been allocated into a few /29 networks and set up separate VLANs.

        3.  I know most managed Cisco gear will do this.  Others? RTFM YMMV

        4.  You could configure it that way, but you would need some coordination to make sure nobody uses duplicate IP addresses, etc.  You could get away with a L2 device then.

          torontob

          @almabes:

          @torontob:

          @almabes:

          If it were me, I'd do this with a L3 smart switch.  I'd set bandwidth limits on the ports the two companies edge devices WAN ports connect to.

          1.  Any decent switch will do port based ingress and egress rate limiting.  Some will be easier to configure than others.  I just purchased a 48 port Cisco 2900 series gigE switch for ~$180.  If you don't care about the two businesses' Ethernet traffic being visible to each other's edge device then you can get away with a Layer 2 device.  Cisco SG300 switches can be had for $180.  Mikrotik switches are supposed to do this too and ~$40.  Tim McManus just got one for a project he and I are working on.

          2.  A Layer 3 switch can do the routing for you.  You can break up the /27 you have been allocated into a few /29 networks and set up separate VLANs.

          3.  I know most managed Cisco gear will do this.  Others? RTFM YMMV

          4.  You could configure it that way, but you would need some coordination to make sure nobody uses duplicate IP addresses, etc.  You could get away with a L2 device then.

          Thanks for the input.

          I was discussing SG800 earlier on Cisco irc channel and heard that Policing / Shaping on it would only control TCP which adheres to limiters and not UDP for example. To me that is not a true port based bandwidth limit. If office-A has an app that uses UDP a lot then it can eat bandwidth from other office.

          A- Can you confirm this is true?
          B- Co-ordination is possible. What example of layer-2 switch do you have for this purpose around same price?
          C- With a Layer-2 switch, office-A and office-B will set up /27 but simply use different usable IPs on their end - is that correct?

          *I would like to stick to layer-2 as it will be dumb in all other regards but limiting speed to 50mbps per port.

            almabes

            http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
            Chapter 25, pages 499 and 500.
            Configure your two Gig ports with ingress and egress limits and leave it in Layer 2 mode.

            I've got an unused SG300-10 PoE version at work.  I'll bring it home and bandwidth limit the kids as a POC.  They'll LOVE that!  ;D

              almabes

              A.  Cisco SG300 does port based bandwidth limiting.  It's almost too easy to configure.  It can do other types of flow based limiting, but that isn't what you're looking for.

              B.  The SG300 operates in Layer 2 mode unless you configure it otherwise.

              C.  You are correct.

                almabes

                Configured port based ingress and egress limits on the kids.

                before (no limits other than the craptastic 100Mb switch they're plugged in to):

                after (10000Kb/s ingress and egress):

                  torontob

                  @almabes:

                  Configured port based ingress and egress limits on the kids.

                  before (no limits other than the craptastic 100Mb switch they're plugged in to):

                  after (10000Kb/s ingress and egress):

                  Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails or probably with other protocols that do not honor limiters.

                    Derelict (LAYER 8, Netgate)

                    Being an ISP and doling out public IPs behind your router is a lot easier with a routed subnet instead of a single /27.

                    You keep mentioning CARP.  Are you going to have a redundant pair of firewalls providing this access?  If not, you can get CARP off the brain.

                    I'd get the /27 routed to an address on a /29, carve a subnet out of the /27 for each of them on a layer 3 switch and either limit in the switch or use the shaper in pfSense.

                    If you limit in pfSense they can both get wire speed to each other if that matters at all.

                    Decided to do a drawing.  It's what I would try to do.

                    [attached image: Topic-94111.png, the network drawing referred to above]

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      almabes

                      @torontob:

                      @almabes:

                      Configured port based ingress and egress limits on the kids.

                      before (no limits other than the craptastic 100Mb switch they're plugged in to):

                      after (10000Kb/s ingress and egress):

                      Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails or probably with other protocols that do not honor limiters.

                      The switch doesn't care if it's UDP, TCP, ICMP, HTTP, VoIP or a caffeinated rat terrier tapping out Morse Code.  I did a port based limit, not any QoS or per flow limit.  This is how Metro Ethernet ISPs limit your bandwidth when you buy 10Mb from them delivered on a 100Mb loop.  The switch just counts the bits moving per second regardless of the underlying protocol.

                        torontob

                        @almabes:

                        @torontob:

                        @almabes:

                        Configured port based ingress and egress limits on the kids.

                        before (no limits other than the craptastic 100Mb switch they're plugged in to):

                        after (10000Kb/s ingress and egress):

                        Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails or probably with other protocols that do not honor limiters.

                        The switch doesn't care if it's UDP, TCP, ICMP, HTTP, VoIP or a caffeinated rat terrier tapping out Morse Code.  I did a port based limit, not any QoS or per flow limit.  This is how Metro Ethernet ISPs limit your bandwidth when you buy 10Mb from them delivered on a 100Mb loop.  The switch just counts the bits moving per second regardless of the underlying protocol.

                        Thanks again. That's interesting that you say that. I was on IRC on the Cisco channel where people agreed that such an arrangement doesn't exist. They mentioned Policing and Shaping on Cisco SMB smart switches, which would work for all protocols that honor rate limiters, but for example in the case of a UDP app it won't. Not that I have an app that specifically pumps all in UDP, but I also don't know what the client might have, so I don't want to leave things to chance.

                          Derelict (LAYER 8, Netgate)

                          You cannot stop someone from sending you traffic.  All you can do is limit how fast you send it or drop it if it is sent to you too fast.


                            almabes

                            When I said port in "port based limit", I meant switch interface.  I specifically did not mean anything like TCP port 80, or 443 or UDP 5060.

                            Using a switch upstream of the two edge devices and limiting your ingress and egress to the two interfaces is so simple, and it does everything you want.

                            I'm a big believer in:
                            A) Use the right tool for the job.
                            B) Keep it Simple, Stupid.

                            My test was speedtest.net.  Simple, effective, TCP 80 HTTP test.
                            The ISP that provides 20Mb bandwidth to my office uses the same kind of limiter, on a Catalyst switch.  I pump all kinds of TCP, UDP and who knows what else through that pipe.

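As an added illustration (this is not code from the thread, from Cisco, or from pfSense), here is a small Python simulation of the two mechanisms the posts above contrast: a port-based token-bucket policer, which drops a frame once the byte budget for the switch interface is spent, and an egress shaper, which queues frames and releases them at the configured rate, dropping only when its queue is full. That is the distinction Derelict draws between dropping traffic that arrives too fast and limiting how fast you send it. The frames are constructed sample traffic; each carries a protocol label only so the results can be tallied per protocol, and neither limiter ever reads it, which is almabes's point that a switch-interface limit counts bytes and applies to UDP exactly as it does to TCP. The 10 Mbit/s rate (my reading of the 10000Kb/s limit in the test posts) and the burst and queue sizes are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    proto: str  # label only ("TCP", "UDP", ...); the limiters never inspect it
    size: int   # bytes on the wire
    t: float    # arrival time at the switch interface, in seconds


def make_flood(proto: str, size: int, pps: int, seconds: float, offset: float = 0.0):
    """Constructed sample traffic: a constant-rate stream of equal-sized frames."""
    return [Frame(proto, size, offset + i / pps) for i in range(int(pps * seconds))]


class TokenBucketPolicer:
    """Ingress policer, i.e. a per-interface rate limit: tokens are bytes, refilled
    at the configured rate up to a burst; a frame that finds too few tokens is dropped."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last_t = 0.0

    def admit(self, frame: Frame) -> bool:
        self.tokens = min(self.burst, self.tokens + (frame.t - self.last_t) * self.rate)
        self.last_t = frame.t
        if frame.size <= self.tokens:
            self.tokens -= frame.size
            return True
        return False


class TokenBucketShaper:
    """Egress shaper: frames are delayed to the configured rate instead of dropped;
    only when the backlog would exceed queue_bytes is a frame tail-dropped."""

    def __init__(self, rate_bps: int, queue_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.queue_bytes = queue_bytes
        self.link_free_at = 0.0             # time the link finishes the queued bytes

    def schedule(self, frame: Frame) -> Optional[float]:
        backlog = max(0.0, self.link_free_at - frame.t) * self.rate  # bytes still queued
        if backlog + frame.size > self.queue_bytes:
            return None                     # queue full: tail drop
        start = max(frame.t, self.link_free_at)
        self.link_free_at = start + frame.size / self.rate
        return self.link_free_at            # departure time of this frame


def _tally(stats: dict, proto: str, size: int, passed: bool) -> None:
    s = stats.setdefault(proto, {"offered": 0, "passed": 0, "dropped": 0})
    s["offered"] += size
    s["passed" if passed else "dropped"] += size


def police_stream(frames, rate_bps: int, burst_bytes: int) -> dict:
    """Run frames through the policer; returns per-protocol byte counts."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    stats: dict = {}
    for f in sorted(frames, key=lambda fr: fr.t):
        _tally(stats, f.proto, f.size, policer.admit(f))
    return stats


def shape_stream(frames, rate_bps: int, queue_bytes: int):
    """Run frames through the shaper; returns (per-protocol counts, last departure time)."""
    shaper = TokenBucketShaper(rate_bps, queue_bytes)
    stats: dict = {}
    last_departure = 0.0
    for f in sorted(frames, key=lambda fr: fr.t):
        dep = shaper.schedule(f)
        _tally(stats, f.proto, f.size, dep is not None)
        if dep is not None:
            last_departure = dep
    return stats, last_departure


def mbps(byte_count: int, seconds: float) -> float:
    return byte_count * 8 / seconds / 1e6


if __name__ == "__main__":
    RATE = 10_000_000  # assumption: 10 Mbit/s, the 10000Kb/s limit from the test posts
    udp = make_flood("UDP", 1500, 4000, 1.0)   # 48 Mbit/s of UDP offered for one second
    tcp = make_flood("TCP", 1500, 2000, 1.0)
    udp2 = make_flood("UDP", 1500, 2000, 1.0, offset=0.00025)
    for label, frames in (("UDP flood", udp), ("TCP+UDP mix", tcp + udp2)):
        stats = police_stream(frames, RATE, 15_000)
        total = sum(s["passed"] for s in stats.values())
        print(f"policer, {label}: {mbps(total, 1.0):.1f} Mbit/s passed, per protocol {stats}")
    stats, last = shape_stream(udp, RATE, 100_000)
    print(f"shaper, UDP flood: {mbps(stats['UDP']['passed'], last):.1f} Mbit/s, "
          f"last frame leaves at {last:.3f}s")
```

In both runs the policer passes close to the configured 10 Mbit/s whether the offered load is pure UDP or a TCP/UDP mix, because it only ever looks at frame sizes and arrival times. The shaper passes slightly more bytes in total (it empties its queue after the flood stops) and stretches the traffic past the one-second offered window, which is the trade-off between a switch ingress limit and a pfSense-style shaper on the egress side.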
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.