• I have a small (or big) problem… we are going to organize a small/medium LAN party (90-130 PCs), and we have (for internet access) 4 symmetric WiMAX connections (4 mb upload and 4 mb download each), so we have several options:

    1º. 4 PCs, each one with pfSense
    2º. 2 PCs with pfSense and multi-WAN (2 WAN NICs)
    3º. 1 PC with 4 NICs for multi-WAN and one NIC for LAN
    4º. 1 PC with 1 NIC and VLANs
    5º. No pfSense..... this is not an option

    Which option do you recommend?


  • It depends on how your WANs arrive at your location.
    Is it a standalone device (a router?) on which you can configure the internal subnet?
    The problem is that you cannot have the same gateway for multiple WANs.
    If you just have 4 devices on which you can manually configure an internal subnet, and since you already consider using multiple PCs, I would go with a combination of 2, 3 and 4.

    2 PCs.
    One for load balancing, the other for traffic shaping.
    (You don't want someone leeching like crazy and slowing down everyone else.)

    The machine doing traffic shaping has 2 interfaces.
    LAN and WAN.

    The machine doing load balancing has 2 interfaces as well.
    LAN and a VLAN_interface with 4 VLANs --> keep the LAN on a non-tagged interface.

    It would look like this:

    Clients (maybe 10.0.0.0/24?)
                            |
                            |
                            |10.0.0.1
                      shaping_pf
                            |172.17.0.2
                            |
                            |172.17.0.1
                      balancing_pf
                            |192.168.1.2
                            |192.168.2.2
                            |192.168.3.2
                            |192.168.4.2
                            |
                            |
      192.168.1.1    |                192.168.4.1
          WAN1---VLAN_switch----WAN4
                        |          |
                      WAN2      WAN3
              192.168.2.1      192.168.3.1


  • As a side note, force users to use OpenDNS.
    2nd side note: sites like YouTube don't like load balancing.


  • @GruensFroeschli:

    It depends on how your WANs arrive at your location.
    Is it a standalone device (a router?) on which you can configure the internal subnet?

    I think so (I am not sure)

    @GruensFroeschli:

    2 PCs.
    One for load balancing, the other for traffic shaping.
    (You don't want someone leeching like crazy and slowing down everyone else.)

    It is a very ingenious option that I would never have thought of

    I will try this option first, but… I want to have an extra bullet ... in case the first option fails halfway through the party ... which would be better? ... one machine with 4 NICs or 2 machines with 2 NICs each (all without VLANs)... I know, two pfSense machines ... two different gateways (it doesn't matter, we will tell the users to change the gateway)

    Another question... has anyone tried pfSense in a VMware environment under intensive load???? (this option will be another bullet... if our first lines of defense go down... we will survive )


  • @Perry:

    As a side note, force users to use OpenDNS.
    2nd side note: sites like YouTube don't like load balancing.

    Please… can you explain these notes further???


  • OpenDNS adds extra security against bad sites with viruses, spyware (keeps your party going) + parents tend to like knowing that their son won't be looking at naked ladies on porn sites.
    Look at the pictures on how to use OpenDNS
    IMO the load balancing pool benefit (in its current state) is slim to none. So I would much rather go with failover pools and split the load by assigning groups of users to a failover pool.
    In your case with 4 WANs I would make 3 failover pools:

    wan2FailsToWan assigned to an alias with ip *.*.*.10 - 50
    wan3FailsToWan assigned to an alias with ip *.*.*.51 - 100
    wan4FailsToWan assigned to an alias with ip *.*.*.101 - 150
    (Remember ftp downloads will only be using wan)

    Unfortunately GruensFroeschli's traffic shaping will be lost unless you use the pfSense snapshot version 1.3 alpha alpha with multi-WAN shaper support. How well 1.3 works is unknown to me.


  • Perry, why do you think the balancer in its current state doesn't benefit such a setup?
    And why can't you use the shaper with your solution as well?
    After all, a single machine is dedicated to shaping, because you cannot shape multiple WANs in 1.2

    For the OpenDNS: I would force the users to use the pfSense DNS forwarder, block outbound port 53 traffic, and set the OpenDNS servers on pfSense.

    Like this you can create your own names for specific servers.
    --> At the last LAN party I helped with, we were using pfSense as well, and like this we could direct the names intra, intranet, webserver, game-stats, etc. all to our intranet server.
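
A client-side check for the DNS policy described in the post above (an added example, not part of the original thread): it confirms that the pfSense forwarder answers and that direct UDP queries to outside resolvers get no reply. The forwarder address 10.0.0.1 (the LAN address in the diagram earlier in the thread) and the external resolver addresses are assumptions; only UDP port 53 is probed.

```python
import secrets
import socket
import struct

# Assumed addresses, not from the DNS post itself: the forwarder is taken
# to be the LAN address in the diagram; externals are public resolvers.
FORWARDER = "10.0.0.1"
EXTERNAL = ["208.67.222.222", "8.8.8.8"]

def build_query(name, txid):
    """Minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def is_answer(packet, txid):
    """True if packet is a DNS response (QR bit set) matching our txid."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == txid and bool(flags & 0x8000)

def resolver_answers(server, name="example.com", timeout=2.0):
    """Send one UDP/53 query to server; True only if a valid reply returns."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout or unreachable: treated as blocked
            return False
    return is_answer(data, txid)

def audit(forwarder, external, probe=resolver_answers):
    """Return the list of policy violations seen from this client."""
    problems = []
    if not probe(forwarder):
        problems.append(f"forwarder {forwarder} does not answer")
    for ip in external:
        if probe(ip):
            problems.append(f"direct DNS to {ip} is not blocked")
    return problems

if __name__ == "__main__":
    for line in audit(FORWARDER, EXTERNAL) or ["DNS policy enforced (UDP/53)"]:
        print(line)
```

A rule that redirects port 53 to the forwarder instead of blocking it shows up here as "not blocked", because the client still receives an answer; TCP port 53 needs a separate check.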


  • Perry, why do you think the balancer in its current state doesn't benefit such a setup?

    When you load a YouTube video with a load balancing pool it will often fail or be very slow to start. Sticky connection is/was the solution but unfortunately it had other problems.

    And why can't you use the shaper with your solution as well?
    After all, a single machine is dedicated to shaping, because you cannot shape multiple WANs in 1.2

    As I split the load by user IP, I can't see how a PC in between could handle this.


  • Well, since the balancer machine is AFTER the shaper, it doesn't look like anything gets balanced at all (seen from the shaper machine).

    But I think we are getting off-topic from the original question.
    And I think this all is a bit overkill for a LAN.

    A single pfSense with balancing, as Perry said, is probably the easiest.

    When we organised a LAN, internet was basically here for troubleshooting problems and downloading drivers / new virus definitions / checking e-mails / etc., and NOT for downloading or watching YouTube.

    We ran the captive portal and had a FreeRADIUS on the pfSense.
    When someone needed internet access he could come to us and we created a user which was valid for 1 hour.

    OK, we didn't have 4x4Mbit symmetric bandwidth at our hands…. ;)


  • Though I would give 1.3 a shot at this; it should perform well enough and you need its QoS capabilities.
    Since, as far as I can foresee, you need only load balancing and some filtering, it may serve you well.


  • @GruensFroeschli:

    When we organised a LAN, internet was basically here for troubleshooting problems and downloading drivers / new virus definitions / checking e-mails / etc., and NOT for downloading or watching YouTube.

    We ran the captive portal and had a FreeRADIUS on the pfSense.
    When someone needed internet access he could come to us and we created a user which was valid for 1 hour.

    OK, we didn't have 4x4Mbit symmetric bandwidth at our hands…. ;)

    This solution for a slow inet connection is very good…. (I was at a LAN party which had this problem... and they couldn't find a solution ... so, we had no inet....:-(    ....)


  • @ermal:

    Though I would give 1.3 a shot at this; it should perform well enough and you need its QoS capabilities.
    Since, as far as I can foresee, you need only load balancing and some filtering, it may serve you well.

    First I will try the new QoS capabilities of 1.3.

    Another question… is there any software to "test or emulate" the conditions of use of a LAN party????


  • Search for packet generator.