Pfsense get "slow" my retail system
-
Here's an idea - simplify the damned mess.
-
Here's an idea - simplify the damned mess.
I consoder this would be an urgent goal of this network because it really lokks like an historical grown one.
Now, try to imagine aprox 10 sellers overloading the server. I wonder if using my network configuration i can pass directly to router mikrotik, and vice versa.
In the network schematic shown here in the last post, it would be really a big problem to work with three (3)
NAT points! This could mostly not work well in all directions! You should over think this that the entire network
will be more or less complicated! On both sides you can have one times a NAT doing device but please not more.
And then please inform your self about working with VLANs this could be then a more easy to administer network
and working likes you will expect it. -
Buekobold:
I know that my network isn't correct , and this is the main idea after all (I've purchased a Switch layer 3 for this). Like i said before; This is only a test network.
By curiosity, I just wanted to know if there is any way to solved this with my aforementioned "network". But you said: There's no way to use this.I will do my vlans and if i have some questions hope you help me like you did now.
Thanks for the paitence to all. -
@chavarriaa
Many things can be done in various ways! If you don´t want to set up and work with VLANs
you could either go by plain routing! As an example:If the switches are not capable to handle and support VLANs:
You could connect each switch on the left side of the network diagram to one LAN Port
of the MikroTik router and give each Port another IP address range, likes 192.168.1.0/24
and 192.168.2.0/24 thats it, so no need of a pfSense box is there.If the switches are capable to handle and support VLANs
On the left side you will be able to set up VLANs on both switches and then it is more a
problem where these switches are staying more and what kind of switches you have then
build a VLANs.This can be done with the Mikrotik router on the left side of the diagram
and vice versa with the pfSense firewall.A so called double NAT will work fine but a tripple NAT solution is not the real
thing you will be happy with. -
I found another way how to implement Pfsense, using a single NIC with VLANs , so I remove the double natting (i hope so).
My idea is to apply to the four stores we have in the previous maps .
In my sketch it looks like this:Now I wonder:
- Is a correct way to implement pfsense?
- If i have pfsense applied like the last image, should i have to move all the clients and the server to the VLAN?
- Can I use Pfsense as DHCP server? i Have proxy non transparent with WPAD, and as you know, DHCP is required
- Can i use Firewall Rules to manage the LANs?
I know a bit of networks, but i need experience and I will appreciate to share your knowledge with us.
-
- Is a correct way to implement pfsense?
Please be not angry, but where in the network schematic is the pfSense?
-
Yeah everything is on 192.168.0.0/24. What do you need a router for?
-
BlueKobold, I'm not angry. Sorry if the question is a bit aggressive.
Derelict and BlueKobold:
I need pfsense mainly as proxy server, then Firewall Rules.As PFsense only will have one NIC, I'll put it in one of the two switches. (in the sketch; below of the switch)
After reading a lot of websites I found a solution in Spanish, this is from a website of one of the moderators from Spanish PFsense forum.
I'll work pfsense with only VLANs:
WAN -> vlan_10
LAN -> vlan_20On the switch:
Port 1: Trunk (Here is where I put the pfsense ethernet)
port 2: Acces vlan_10 (Here is where I put the router ethernet)
port 3: Acces vlan_20 (This port will give me an out of LAN)Here is the link:
http://www.bellera.cat/josep/pfsense2/VLANs_pfSense_y_switch_Cisco.pdf -
But to where? Everything is on the same network segment There will be nothing forcing the traffic through your (presumed) transparent proxy. If the stations' default gateway is 192.168.0.1, pfSense will not be touched. Even if you're WPAD and sending the web traffic to pfSense, I don't know if you can put a regular proxy on bridged interfaces or even if you'd want to. And if not, having two interfaces on pfSense on the same subnet would be problematic. You might consider putting your network behind pfSense with a transit network to the microtik or eliminating the microtik entirely and letting pfSense do it.
I am feeling out of my lane. I don't do much with squid. Apologies if I'm hosing it up.
Exactly what is "slow" again? You do realize that ICMP (ping) doesn't go through the proxy at all so if you're seeing packet loss on your WAN you have to address it in the microtik or with your ISP.
-
But to where? Everything is on the same network segment There will be nothing forcing the traffic through your (presumed) transparent proxy. If the stations' default gateway is 192.168.0.1, pfSense will not be touched. Even if you're WPAD and sending the web traffic to pfSense,
The latest days I've tried pfsense with one nic. And my map is like the next:
My switch L3 configutaion is the next:
FE1 = access mode (access for vlan 10)
FE2 = trunked mode (allowed vlan 10, 20)
FE3 to FE5 = access mode (access for vlan 20)So, the computer connected in FE3 to FE5 ports only will allow vlan 20. The switch redirect to the trunked port (where is connected pfsense) and Pfsense do a normal work, as if i had two NICS. Wpad and proxy server are good.
I don't know if you can put a regular proxy on bridged interfaces or even if you'd want to. And if not, having two interfaces on pfSense on the same subnet would be problematic.
I know that double natting is so bad. For that reason my queries to the server with my retail system is so problematic.
You might consider putting your network behind pfSense with a transit network to the microtik or eliminating the microtik entirely and letting pfSense do it.
If this doesn't work. My last choice is:put pfsense instead of mikrotik
Exactly what is "slow" again? You do realize that ICMP (ping) doesn't go through the proxy at all so if you're seeing packet loss on your WAN you have to address it in the microtik or with your ISP.
My problem is the double natting. The data travels via pfsense then to the server.
When I ping to the server works well. When i send a query to the database (like a inventory, quotes or invoice) the system gets overloads and loses packages.But whit this configuration (pfsense with one NIC) my Retail system works better.
There's no lost package neither overload. But I don't know if this configuration is correct (don't know if this is double natting too)If this configuration is correct. I will proceed to implement in the other stores.
sorry if I’m a hard headed.