Netgate Discussion Forum

PfSense for medium business?

General pfSense Questions
9 Posts 3 Posters 6.0k Views
  • C Offline
    CitizenKane
    last edited by Mar 26, 2008, 6:20 PM

    Hello Everyone,
    I work in the IT department of a medium-sized business (approx. 200 employees) and we are considering using pfSense for our main router/firewall.  I had a few questions regarding this.  What would the approximate hardware specs for a router be for this many people?
    Also, I was wondering if it's possible to get a setup in which the internal network, DMZ and the WAN are all on separate network interfaces.
    I'd appreciate any input greatly.  Thanks!

    • H Offline
      hoba
      last edited by Mar 26, 2008, 6:24 PM

      See http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49 for hardware sizing information. You can either add multiple interfaces to do the separation and the segments or use VLANs in combination with a VLAN-capable switch.

      • S Offline
        ssbaksa
        last edited by Mar 26, 2008, 7:51 PM

        Please, read this:

        http://forum.pfsense.org/index.php/topic,7668.0.html

        Sasa

        • C Offline
          CitizenKane
          last edited by Mar 27, 2008, 3:06 AM

          We have ended up choosing pfSense and it is working pretty well so far.  The trouble we are having now is mapping certain external static IP addresses to pfSense. Does anyone know how to do this?

          • H Offline
            hoba
            last edited by Mar 27, 2008, 3:34 AM

            Are you talking about having several public IPs at your WAN that you want to forward or use for servers? That's what virtual IPs are for (Firewall > Virtual IPs).

            • C Offline
              CitizenKane
              last edited by Mar 27, 2008, 3:40 AM

              Yes, that's exactly what I'm talking about.  I have no idea if I'm setting it up right, since after I have set it up for a certain IP it doesn't seem like traffic from that IP is even managing to get to the firewall (because there are no denied messages).

              • H Offline
                hoba
                last edited by Mar 27, 2008, 3:56 AM

                Basically set up the VIP, type depending on your need. ProxyARP and CARP will provide Layer2-messages as well in case your ISP/modem/connection needs it. Type "Other" can be used if the ISP is routing that IP to you anyway regardless of layer2-messages. The only VIP type that can be used by the firewall itself is CARP (even if you don't have a standby box, because that's what CARP is usually used for).

                Once you have set up the VIP just add port forwards, 1:1 NAT or outbound NAT for it like you would for the original interface IP. You'll need firewall rules for that too of course.

                • C Offline
                  CitizenKane
                  last edited by Mar 27, 2008, 4:50 AM

                  VIP was working great. It turns out the Cisco switch that we use was holding on to old (bad) routes even after we had removed them on our old router.  It turns out that pfSense was working perfectly the entire time.  I must say that I'm very impressed.

                  • H Offline
                    hoba
                    last edited by Mar 27, 2008, 5:06 AM

                    Good to hear :)

                    Some devices need a reboot or manual ARP cache reset when IPs change to new MAC addresses.

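The closing remark about neighbouring devices caching old MAC addresses can be checked after a cutover with a short script. This is an added example, not part of the thread or of pfSense: it assumes the upstream device prints a Cisco IOS-style `show ip arp` table, that ProxyARP VIPs answer with the firewall's WAN MAC and CARP VIPs with the CARP virtual MAC; the sample table, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of `show ip arp` output from the upstream switch (made-up addresses).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.10           12   0011.2233.4455  ARPA   Vlan10
Internet  203.0.113.11          187   00aa.bbcc.dd01  ARPA   Vlan10
Internet  203.0.113.12            3   0000.5e00.0105  ARPA   Vlan10
Internet  203.0.113.14            0   Incomplete      ARPA
"""

def norm_mac(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def carp_mac(vhid):
    """A CARP VIP answers ARP from the virtual MAC 00:00:5e:00:01:<VHID>."""
    return f"00005e0001{vhid:02x}"

def parse_arp(text):
    """Return {ip: mac} for resolved entries; header and Incomplete rows are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet" and fields[3] != "Incomplete":
            table[fields[1]] = norm_mac(fields[3])
    return table

def audit(arp_text, expected):
    """Compare each VIP's expected MAC with what the neighbour has cached."""
    seen = parse_arp(arp_text)
    report = {}
    for vip, mac in expected.items():
        got = seen.get(vip)
        if got is None:
            report[vip] = "missing"   # neighbour has not resolved the VIP at all
        else:
            report[vip] = "ok" if got == norm_mac(mac) else f"stale:{got}"
    return report

WAN_MAC = "00:11:22:33:44:55"  # constructed: pfSense WAN NIC, used by ProxyARP VIPs
EXPECTED = {"203.0.113.10": WAN_MAC, "203.0.113.11": WAN_MAC,
            "203.0.113.12": carp_mac(5), "203.0.113.14": WAN_MAC}
print(audit(SAMPLE_ARP, EXPECTED))
```

A `stale` result means the neighbour still maps the VIP to another device's MAC (here the constructed old-router address), so its ARP cache needs clearing before traffic will reach the firewall.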