Any pfSense guru to help me choose a setup for a small network?
-
To be clear, I am not sure of anything at the moment. That's why I hope to be enlightened by this forum's knowledge :)
What leads me to think that I need a pfSense in the cloud:
1. WAN bonding: I've read a lot about WAN bonding (but I did not experiment a lot myself), and WAN bonding is the very first reason why we entered this whole thinking, because they are really in need of better performance. At the moment, the best results we got in WAN bonding are with the Peplink Balance. This is not a real bonding; the 3 WANs have different IPs, and most of the applications they use will go through only 1 WAN. But they can send or receive 3 files at the same time. And when speed is really needed, some applications which can multithread file transfers (like BitKinex) can use the 3 WANs at the same time.
I have talked with some Peplink guys and they told me about SpeedFusion bandwidth bonding, which does some packet-level bonding. But to benefit from that, you have to have the same routers at each end of the link. We cannot do that, but it leads me to think that having the same technology on each side would give better performance. I thought that 2 multi-WAN pfSense boxes would be able to create a unique tunnel between them. Maybe I am completely wrong on that point.
2. The need for security: I suggest moving their entire work to the cloud, and they are not really at ease with that (and me neither). Their local computers would mostly act as "remote controllers" to launch commands on the remote servers. If I only put a local firewall, it protects nothing, since their applications and data would be on the remote servers. So it's in the cloud that the firewalling is needed (in my understanding).
If you have any better suggestion, without the cloud pfSense (or the local pfSense), I would be happy to hear about it. Because at the moment, I also feel that this is too complicated, especially with my very basic knowledge about networking. But I don't see any other option.
Anyway, thanks for sharing your thoughts.
-
@virgiliomi: Thanks for your message. We haven't decided how many servers will be in the cloud. We are trying to lower costs, because this is a company launched by 4 retired people just to get a better pension; they are not into investing in tech :). But I'm pretty sure that yes, we will need at least 2 servers in the cloud to cover their CPU needs.
Since pfSense doesn't require a high-end CPU, I thought that installing it on a small dedicated server in front of the big servers would be better protection (and see my point about WAN bonding too) and less maintenance (as they don't need to log on to the firewall, I wouldn't fear they break everything :) ).
-
"But they can send or receive 3 files at the same time"
Huh?? So what are these links you currently have? What are the speeds?
The best and easiest solution when your pipe is not fat enough is to get a fatter pipe ;) Adding the overhead of VPN tunnels, be it IPsec or OpenVPN, does not make for better performance ;)
Here is a cool tool for figuring out the overhead of IPsec based upon the different factors that would make up your tunnel: whether NAT-T is used, the encryption used, the integrity used, both on ESP and AH, etc.
https://cway.cisco.com/tools/ipsec-overhead-calc/
If what you're looking to do is maximize the use of the pipe, putting it inside a VPN would not be the first choice, that is for sure.
As to sending or getting 3 files at a time.. Not sure where you got the idea that you can only do 1 thing on a connection at a time?
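The overhead that calculator estimates can also be worked out by hand. The following is an added example, not code from this thread, from Netgate or from Cisco: it computes the on-the-wire size of a tunnel-mode ESP packet from the standard header layout (outer IP, optional NAT-T UDP header, ESP header, IV, padding, trailer, ICV) and from that the goodput left on a given line and the largest inner packet that still fits a 1500-byte MTU. The cipher and integrity choices and the 1 Mbit/s link are assumed inputs, chosen to match the DSL uplink discussed in this thread.

```python
# Added example (not from the thread, not pfSense or Cisco code): estimate the
# per-packet overhead of tunnel-mode ESP and the goodput left on a slow line.
# Header sizes follow RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T);
# the cipher/integrity choices and the link speeds are assumed, typical inputs.

OUTER_IP = 20     # new outer IPv4 header added in tunnel mode
UDP_NAT_T = 8     # UDP header inserted when NAT-T encapsulation is in use
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

# CBC-mode cipher -> (IV length, block size), both in bytes
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
# integrity algorithm -> truncated ICV length in bytes
ICVS = {"hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_packet_size(inner_len, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=True):
    """Bytes on the wire for one tunnel-mode ESP packet carrying an inner IP
    packet of inner_len bytes (inner IP header included)."""
    iv_len, block = CIPHERS[cipher]
    icv_len = ICVS[integ]
    # payload + ESP trailer is padded up to the cipher block size before encryption
    enc_len = inner_len + ESP_TRAILER
    enc_len += (-enc_len) % block
    size = OUTER_IP + ESP_HEADER + iv_len + enc_len + icv_len
    if nat_t:
        size += UDP_NAT_T
    return size


def overhead_bytes(inner_len, **kw):
    """Extra bytes the tunnel adds to one inner packet."""
    return esp_packet_size(inner_len, **kw) - inner_len


def max_inner_len(mtu=1500, **kw):
    """Largest inner IP packet that still fits one outer packet of the given MTU,
    i.e. the tunnel MTU to use so packets are not fragmented."""
    inner = mtu
    while esp_packet_size(inner, **kw) > mtu:
        inner -= 1
    return inner


def goodput_mbit(link_mbit, inner_len, **kw):
    """Inner-packet throughput on a link of link_mbit Mbit/s if every packet is inner_len bytes."""
    return link_mbit * inner_len / esp_packet_size(inner_len, **kw)


if __name__ == "__main__":
    # Constructed scenario: the 1 Mbit/s DSL upload from the thread, large data
    # packets versus small ones (TCP ACKs), to show the overhead is not constant.
    for inner in (1400, 576, 64):
        print(f"inner {inner:4d} B -> wire {esp_packet_size(inner):4d} B, "
              f"goodput {goodput_mbit(1.0, inner):.3f} Mbit/s of 1.0")
    print("tunnel MTU with NAT-T:", max_inner_len(1500))
    print("tunnel MTU without NAT-T:", max_inner_len(1500, nat_t=False))
```

With AES-CBC and HMAC-SHA1-96 behind NAT, a full 1400-byte packet costs 72 bytes of overhead (about 5%), but a 64-byte ACK balloons to 144 bytes on the wire, so the real loss on a link dominated by small packets is much larger than the 5% figure suggests.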
-
As I said in my first message, they have 3 DSL lines with almost the same characteristics: 10 Mbits/s down, and 1 Mbits/s up. They are installed in an old farm in the countryside, 4 km away from the first village, and have no other options for their internet access (we thought about satellite, but since they have huge volumes of data to exchange, the prices are way too high).
I have heard about the overhead, and I know that 10+10+10 down will probably end up with 23 or 24 instead of 30. But this is anyway better than what they have today.
I'm not sure I'm explaining myself clearly, so I'll try to make it clearer:
A client sends them a file of X Gb. They download it, work on it, and then send it back to the client 2 or 3 days later. They have no control over how the client wants the file back. Sometimes the client has an SFTP service. Sometimes it is just HTTP. Some clients just use WeTransfer services, for example.
If they have 3 clients in the same week, when sending back the files, they are able to use the 3 WANs at the same time for a total upload bandwidth of about 3 Mb/s (well, sometimes it works, sometimes not, but that's not the point).
But if they have only 1 client in a given week with a big file (this is the most frequent case), and this client offers only an HTTP service, they can send the file back at a maximum speed of 1 Mb/s, because they can only use 1 WAN. Sometimes it takes 20+ hrs to send back the files. For their clients, this is one more day of delay.
So if I can bond the 3 DSL lines, even if I don't get 3 Mb/s but only 2.3 Mb/s, I can cut this delay by more than half. If they finish their work in the evening, launch the upload during the night, and the client gets his file the next morning, they have gained one day.
This was my first thought of how to accelerate their work.
The second thought was that they may not be forced to D/L and U/L all of their files and that if I can put their applications in the cloud, on a server connected to a huge backbone, only the server would have to D/L and U/L these files. And that with a remote desktop viewer, they can manipulate these files the way they do it locally, and then just ask the server to send the file back.
It won't work in all cases, but again, that is maybe another 50% saving on their bandwidth if half of the files can be worked this way.
-
Seems like they are in the wrong place for such a business model if you ask me ;)
Not trying to be a smartass or anything… But come on.. Who runs a business that requires movement of large files both up and down in a location where they can only get a 1mbps uplink connection?? Someone wasn't thinking ;)
Here is what I would do.. If you're not having any issues with the download using your 10+10+10.. Then stick the file on a USB stick and mail it to them :) Or have someone drive to the closest place that has a real internet connection and upload the file..
Sorry, but if you're talking 3mbps up max without any overhead, even using the full pipe, GB / 3mbps = LONG TIME!! Faster, cheaper and easier to just mail them the file overnight.. A USB stick weighs nothing, and the cost of express overnighting it is not very much..
Or just move the business to where you can get a connection with speeds that are actually viable for a business model where you're uploading large files..
Or sure, your model of working on the files remotely with the server in the cloud is a good idea for moving large amounts of data..
-
At first I want to clear up some things here;
-
Peplink is offering devices and services that act like MLPPP (MPLS) at the WAN port.
If you are using pfSense you can't bond those 3 WAN connections together in real life without
having them from only one ISP, and that ISP must also be offering you that MLPPP service!
Please note, that is not a can-be or should-be, that is a must-be situation!
pfSense offers such an MLPPP (MPLS) function too, as does MikroTik with their RouterOS,
but this must also be supported by the ISP, and Peplink is using their own devices for that
to realize something like such a service; it's not the same thing we are talking about here!
And so it might sound nice if people speak about bonding WAN interfaces together,
but in reality 10 MBit/s + 10 MBit/s + 10 MBit/s = 10 MBit/s + 10 MBit/s + 10 MBit/s and not 30 MBit/s,
please don't forget this! Only if your ISP is offering you such a service and you also get matching
devices for that service may you get 10 MBit/s + 10 MBit/s + 10 MBit/s = 30 MBit/s!
In this case here I would think multi-WAN (3x) and policy-based routing will be the solution.
And for that you may not need any cloud services and/or other things like shown in the picture.
A single line with poor or low throughput can only be sped up by the ISP and never on your
(customer) side. Please don't think I am kidding you, but this question will surely be 100%
returning and discussed very hard every month in other forums such as administrator.de
and/or the MikroTik.com forums, often more than two times a month!
Get higher-suited internet connections or use load balancing over the three lines, or perhaps
you may ask in your region for an LTE 100 uplink and put it in that multi-WAN situation?
"I have heard about the overhead, and I know that 10+10+10 down will probably end up with 23 or 24 instead of 30. But this is anyway better than what they have today."
Sure, it is like it is, but then Peplink with their model is the best bet you could get, or you ask for
a really nice LTE 100 or 200 MBit/s link and put it in the game.
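To make the "multi-WAN and policy-based routing" recommendation above concrete, here is an added example (not from the thread, and not pfSense's own code) that models how a gateway group behaves: members of the same tier are load balanced per connection, a connection sticks to the gateway it was first assigned, and a lower tier only carries traffic when every member of the tier above is down. The gateway names, the 1 Mbit/s upload figures and the hypothetical LTE backup are constructed to match the three DSL lines in this thread. What it shows is exactly the point made above: one upload only ever gets one line, while three concurrent uploads get all three.

```python
# Added example (not from the thread, not pfSense's code): a model of how a
# multi-WAN gateway group with policy-based routing spreads traffic. Members of
# the same tier are load balanced per connection (round robin, sticky per flow);
# a lower tier only carries traffic when every member of the tier above is down.
# Gateway names, speeds and the flows below are constructed for the demo.

from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    tier: int          # 1 = preferred; higher tiers are failover only
    up_mbit: float     # upload capacity of that line
    online: bool = True


class GatewayGroup:
    def __init__(self, members):
        self.members = members
        self.sticky = {}    # flow key -> gateway name, so a connection never changes WAN
        self._rr = {}       # tier -> round-robin position

    def active_tier(self):
        """Lowest tier that still has an online member, or None if all are down."""
        online = [g.tier for g in self.members if g.online]
        return min(online) if online else None

    def select(self, flow_key):
        """Pick the gateway for a new or existing connection (5-tuple style key)."""
        tier = self.active_tier()
        if tier is None:
            return None
        candidates = [g for g in self.members if g.online and g.tier == tier]
        current = self.sticky.get(flow_key)
        if current in {g.name for g in candidates}:
            return current                       # existing flow stays where it is
        pos = self._rr.get(tier, 0)
        chosen = candidates[pos % len(candidates)]
        self._rr[tier] = pos + 1
        self.sticky[flow_key] = chosen.name      # remember for the life of the flow
        return chosen.name


def upload_rates(group, flow_keys):
    """Mbit/s each concurrent flow gets: flows on the same WAN share that line
    equally, and no flow can ever exceed the capacity of the single line it is on."""
    by_name = {g.name: g for g in group.members}
    assignment = {f: group.select(f) for f in flow_keys}
    load = {}
    for gw in assignment.values():
        load[gw] = load.get(gw, 0) + 1
    return {f: by_name[gw].up_mbit / load[gw] for f, gw in assignment.items()}


def build_demo_group():
    """Constructed: three 1 Mbit/s-up DSL lines in tier 1, a hypothetical LTE link as tier-2 backup."""
    return GatewayGroup([
        Gateway("WAN1_DSL", 1, 1.0),
        Gateway("WAN2_DSL", 1, 1.0),
        Gateway("WAN3_DSL", 1, 1.0),
        Gateway("LTE_BACKUP", 2, 20.0),
    ])


if __name__ == "__main__":
    g = build_demo_group()
    print("one upload   :", upload_rates(g, ["client-A"]))                          # 1.0 Mbit/s, one line only
    print("three uploads:", upload_rates(g, ["client-A", "client-B", "client-C"]))  # 3.0 Mbit/s in total
    g.members[1].online = False                                                     # WAN2 monitor reports it down
    print("WAN2 down    :", upload_rates(g, ["client-A", "client-B", "client-C"]))
```

Note that when WAN2 drops, only the flow that was on it gets re-assigned; the others keep their line, which is the behaviour you want from sticky connections but also why the remaining lines end up unevenly loaded until new connections arrive.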
-
-
Hmm sorry, but just my two cents…. I may have totally misunderstood things, but if not...
Besides network architecture.... why don't you just use something like rsync to synchronize the files? It will just send the binary differences between the source and target files and you will surely gain time. Of course it depends on the changes made to the files, but I think they will probably be much less than the original file size.
-
^ hmm, that might actually be a pretty good idea to be honest..
You could pull down the file to a server in the cloud with a real internet connection. Then it's possible to bring it down to your location with rsync or something else that does a diff.. Maybe something as simple to use as Dropbox. Modify the file, then with say Dropbox it would only send up the differences. Then the customer could either pull the file from your Dropbox, or you could remote to that server and send the file to them, etc.
Not sure how much you're actually changing the file, or if you're creating a completely new file based upon the contents of that file? But if you're just making changes to it the diff sync might be a very good idea.. And save you loads of bandwidth and time.
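To make concrete what "only send the differences" means in the rsync suggestion two posts up, and why it still pays off when the file is edited rather than rewritten from scratch (the caveat raised just above), here is an added example implementing the core of the rsync algorithm: the receiver publishes a weak rolling checksum plus an MD5 for each block it already has, and the sender slides the rolling checksum over the new file and references any block the receiver holds, at whatever offset it now sits. This is illustration code written for this thread, not the rsync project's code; the 4 KiB sample files are constructed random data, and a naive same-offset block compare is included for contrast.

```python
# Added example (not from the thread, not the rsync project's code): the core of
# the rsync algorithm, to show why it sends only the changed bytes even when an
# edit shifts the rest of the file. The receiver hashes the blocks it already
# has; the sender slides a rolling checksum over the new file and references any
# block the receiver holds, at whatever offset it now sits. Sample files below
# are constructed random data.

import hashlib
import random

BLOCK = 64  # rsync picks larger blocks; small here so the demo data stays small


def weak_checksum(data):
    """Rolling checksum of one window: a = sum of bytes, b = position-weighted sum (16-bit each)."""
    a = b = 0
    n = len(data)
    for i, x in enumerate(data):
        a += x
        b += (n - i) * x
    return a & 0xFFFF, b & 0xFFFF


def roll(a, b, out_byte, in_byte, n):
    """Slide the window one byte to the right in O(1): drop out_byte, take in in_byte."""
    a = (a - out_byte + in_byte) & 0xFFFF
    b = (b - n * out_byte + a) & 0xFFFF
    return a, b


def signature(old):
    """Receiver side: weak -> {strong -> block index} for every full block it already has."""
    sig = {}
    for idx in range(len(old) // BLOCK):
        chunk = old[idx * BLOCK:(idx + 1) * BLOCK]
        sig.setdefault(weak_checksum(chunk), {})[hashlib.md5(chunk).digest()] = idx
    return sig


def delta(new, sig):
    """Sender side: list of ("block", idx) references and ("literal", bytes) runs."""
    ops, literal = [], bytearray()
    i, n, a, b = 0, len(new), None, None
    while i + BLOCK <= n:
        if a is None:                       # window jumped by a whole block: recompute
            a, b = weak_checksum(new[i:i + BLOCK])
        idx = None
        candidates = sig.get((a, b))
        if candidates:                      # cheap check hit: confirm with the strong hash
            idx = candidates.get(hashlib.md5(new[i:i + BLOCK]).digest())
        if idx is not None:
            if literal:
                ops.append(("literal", bytes(literal)))
                literal = bytearray()
            ops.append(("block", idx))
            i += BLOCK
            a = None
        else:                               # no match: this byte goes out literally, slide by one
            literal.append(new[i])
            if i + BLOCK < n:
                a, b = roll(a, b, new[i], new[i + BLOCK], BLOCK)
            i += 1
    literal.extend(new[i:])                 # tail shorter than one block is always literal
    if literal:
        ops.append(("literal", bytes(literal)))
    return ops


def apply_delta(old, ops):
    """Receiver side: rebuild the new file from its old copy plus the delta."""
    out = bytearray()
    for kind, val in ops:
        out.extend(old[val * BLOCK:(val + 1) * BLOCK] if kind == "block" else val)
    return bytes(out)


def bytes_to_send(ops):
    """Rough wire size of a delta: literal bytes plus a 4-byte token per block reference."""
    return sum(len(val) if kind == "literal" else 4 for kind, val in ops)


def naive_changed_bytes(old, new):
    """For contrast: compare blocks at the SAME offsets only. One inserted byte
    shifts everything after it, so this approach would resend nearly the whole file."""
    return sum(len(new[i:i + BLOCK]) for i in range(0, len(new), BLOCK)
               if new[i:i + BLOCK] != old[i:i + BLOCK])


def demo_files():
    """Constructed sample: a 4 KiB random file, an in-place edit of 10 bytes, and a
    copy with 6 bytes inserted at the front (everything after it shifted)."""
    rng = random.Random(1)
    old = bytes(rng.getrandbits(8) for _ in range(4096))
    edited = old[:1000] + bytes(x ^ 0xFF for x in old[1000:1010]) + old[1010:]
    shifted = b"HEADER" + old
    return old, edited, shifted


if __name__ == "__main__":
    old, edited, shifted = demo_files()
    sig = signature(old)
    for label, new in (("edit in place", edited), ("6 bytes inserted", shifted)):
        ops = delta(new, sig)
        assert apply_delta(old, ops) == new
        print(f"{label:17s}: rsync-style {bytes_to_send(ops):5d} B, "
              f"same-offset compare {naive_changed_bytes(old, new):5d} B, full file {len(new)} B")
```

For the 10-byte in-place edit both approaches send about one block; for the 6 inserted bytes the rolling checksum still sends only a few hundred bytes, while the same-offset compare would resend the whole file. A file that is regenerated from scratch (new compression run, re-encoded output) has no matching blocks at all and gains nothing, which is the case to check before betting on rsync or Dropbox-style delta sync.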
-
maybe you can try this, https://www.youtube.com/watch?v=tqbnjgbtDl0 is a different approach to what you want, and you can probably use a pfSense behind that router and change to a new topology.
-
^ sure there you go – that will for sure help ;) ROFL heheeheh
-
With such crappy internet they should probably put everything into AWS and just RDP in from the farmhouse.
It's kind of a push on cost whether you use AWS VPC IPsec VPN or a pfSense instance there and VPN to that.
pfSense on AWS starts to shine when you need multiple VPNs into a VPC. Those costs start to multiply while IPsec to pfSense on AWS is a static cost depending on the instance size regardless of the number of tunnels. With pfSense there you can also do things like remote access VPN straight to your VPC.
-
That iTel looks like a pretty good service if the use case is right.