DMZ like IP sharing and Limiter - Is it possible?
-
It would be simpler to just do a straight 50:50 split, but with pfsense if you wanted to get a bit more technical you could enforce quality of service as seen here
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
https://forum.pfsense.org/index.php?topic=50337.0Problem is, you dont really have any QoS control upstream unless its built into your ToS, so your QoS becomes less of an issue on the open internet.
Voip lines generally need around 100Kb for a reasonable call quality per line if you need some figures to work from, but its codec dependent. I've streamed voip call's over 2G and 3G mobile networks not tried 4G yet, but mobile is much less reliable for voip due to the way it works compared to landline based net access.
Whats the data being used for? Synching SQL db's? Just curious but you might have some things to watch out for there as well due to the way some SQL db's synchronise themselves, latency could be a nuisance here. :)
For the billing being split, is it unlimited bandwith/download or are you capped?
If capped, how would a 50:50 speed split work with the different data quantities that can be downloaded by each party?
This might be relevant for managing the different amounts of data each party could download over the month.
https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage
https://doc.pfsense.org/index.php/VnstatI havent suggested a switch solution, just pfsense, the L3 switch was almabes.
-
If it were me, I'd do this with a L3 smart switch. I'd set bandwidth limits on the ports the two companies edge devices WAN ports connect to.
I like your simplistic approach. Can you please detail:
1- example of the switch type you have in mind
2- would the switch do IPs and routing? or it will act as a dumb switch in that regards?
3- are all managed smart switches capable of splitting the bandwidth to 50,50 mbps and is that why you were suggesting managed switch?
4- would both my pfsense and office-2 router connect to same switch and obtain the same /27 subnet but just use different usable IPs?Thanks,
1. Any decent switch will do port based ingress and egress rate limiting. Some will be easier to configure than others. I just purchased a 48 port Cisco 2900 series gigE switch for ~$180. If you don't care about the two businesses Ethernet traffic being visible to each other's edge device then you can get away with a Layer 2 device. Cisco SG300 switches can be had for $180. Mikrotik switches are supposed to do this too and ~$40 . Tim McManus just got one for a project he and I are working on.
2. A Layer 3 switch can do the routing for you. You can break up the /27 you have been allocated into a few /29 networks and set up separate VLANs.
3. I know most managed Cisco gear will do this. Others? RTFM YMMV
4. You could configure it that way, but you would need some coordination to make sure nobody uses duplicate IP addresses, etc. You could get away with a L2 device then.
-
If it were me, I'd do this with a L3 smart switch. I'd set bandwidth limits on the ports the two companies edge devices WAN ports connect to.
1. Any decent switch will do port based ingress and egress rate limiting. Some will be easier to configure than others. I just purchased a 48 port Cisco 2900 series gigE switch for ~$180. If you don't care about the two businesses Ethernet traffic being visible to each other's edge device then you can get away with a Layer 2 device. Cisco SG300 switches can be had for $180. Mikrotik switches are supposed to do this too and ~$40 . Tim McManus just got one for a project he and I are working on.
2. A Layer 3 switch can do the routing for you. You can break up the /27 you have been allocated into a few /29 networks and set up separate VLANs.
3. I know most managed Cisco gear will do this. Others? RTFM YMMV
4. You could configure it that way, but you would need some coordination to make sure nobody uses duplicate IP addresses, etc. You could get away with a L2 device then.
Thanks for the input.
I was discussing SG800 earlier on Cisco irc channel and heard that Policing / Shaping on it would only control TCP which adheres to limiters and not UDP for example. To me that is not a true port based bandwidth limit. If office-A has an app that uses UDP a lot then it can eat bandwidth from other office.
A- Can you confirm this is true?
B- Co-ordination is possible. What example of layer-2 switch do you have for this purpose around same price?
C- With a Layer-2 switch, office-A and office-B will setup /27 but simply use different usuable IP on their end - is that correct?*I would like to stick to layer-2 as it will be dumb in all other regards but limiting speed to 50mbps per port.
-
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
Chapter 25. Page 499 and 500
Configure your two Gig ports with ingress and egress limits and leave it in Layer 2 mode.I've got an unused SG300-10 PoE version at work. I'll bring it home and bandwidth limit the kids as a POC. They'll LOVE that! ;D
-
A. Cisco SG300 does port based bandwidth limiting. It's almost too easy to configure. It can do other types of flow based limiting, but that isn't what you're looking for.
B. The SG300 operates in Layer 2 mode unless you configure it otherwise.
C. You are correct.
-
Configured port based ingress and egress limits on the kids.
before (no limits other than the craptastic 100Mb switch they're plugged in to):
after (10000Kb/s ingress and egress):
-
Configured port based ingress and egress limits on the kids.
before (no limits other than the craptastic 100Mb switch they're plugged in to):
after (10000Kb/s ingress and egress):
Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails or probably with other protocols that do not honor limiters.
-
Being an ISP and doling out public IPs behind your router is a lot easier with a routed subnet instead of a single /27.
You keep mentioning CARP. Are you going to have a redundant pair of firewalls providing this access? If not, you can get CARP off the brain.
I'd get the /27 routed to an address on a /29, carve a subnet out of the /27 for each of them on a layer 3 switch and either limit in the switch or use the shaper in pfSense.
If you limit in pfSense they can both get wire speed to each other if that matters at all.
Decided to do a drawing. It's what I would try to do.
-
Configured port based ingress and egress limits on the kids.
before (no limits other than the craptastic 100Mb switch they're plugged in to):
after (10000Kb/s ingress and egress):
Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails or probably with other protocols that do not honor limiters.
The switch doesn't care if its UDP, TCP, ICMP, HTTP, VoIP or a caffeinated rat terrier tapping out Morse Code. I did a port based limit, not any QoS or per flow limit. This is how Metro Ethernet ISPs limit your bandwidth when you buy 10Mb from them delivered on a 100Mb loop. The switch just counts the bits moving per second regardless of the underlying protocol.
-
Configured port based ingress and egress limits on the kids.
before (no limits other than the craptastic 100Mb switch they're plugged in to):
after (10000Kb/s ingress and egress):
Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails or probably with other protocols that do not honor limiters.
The switch doesn't care if its UDP, TCP, ICMP, HTTP, VoIP or a caffeinated rat terrier tapping out Morse Code. I did a port based limit, not any QoS or per flow limit. This is how Metro Ethernet ISPs limit your bandwidth when you buy 10Mb from them delivered on a 100Mb loop. The switch just counts the bits moving per second regardless of the underlying protocol.
Thanks again. That's interstng that you say that. I was on IRC and on Cisco channel where people agreed that such an arrangement doesn't exist. They mentioned Policing and Shaping on Cisco SMB smart switches which would work for all protocols that honor rate limiters but for example in case of a UDP app then it won't. Not, that I have an app that specifically pumps all in UDP but I also don't know what the client might have so I don't want to leave things to chance.
-
You cannot stop someone from sending you traffic. All you can do is limit how fast you send it or drop it if it is sent to you too fast.
-
When I said port in "port based limit", I meant switch interface. I specifically did not mean anything like TCP port 80, or 443 or UDP 5060.
Using a switch upstream of the two edge devices and limiting your ingress and egress to the two interfaces is so simple, and it does everything you want.
I'm a big believer in:
A) Use the right tool for the job.
B) Keep it Simple, Stupid.My test, was speedtest.net. Simple, effective, TCP 80 HTTP test.
The ISP that provides 20Mb bandwidth to my office uses the same kind of limiter, on a Catalyst switch. I pump all kinds of TCP, UDP and who knows what else through that pipe.
