Injection of Wan Accelerator Between Subnets

  • Hello. I am looking for some assistance on whether what I want to accomplish is possible. I have a pfSense system which is serving as both our internet default gateway and our OpenVPN site-to-site server. We have several OpenVPN tunnels between our various offices. We are looking to invest in a WAAS or WAN accelerator type product to speed up the file transfers between our sites and our central office.

    The problem we are running into is how to deploy the WAN accelerator with the current network topology. We can do WCCP or inline modes. As far as I can see, pfSense does not support WCCP redirection of traffic. So we are looking at the inline mode of deployment. This leaves us the question of how to physically/logically connect the WAN accelerator in our topology. If we place it on our WAN, it is useless since the OpenVPN traffic is encapsulated. If we place it on our LAN, it breaks internet traffic. We are looking for some way to place it logically between our LAN interface on pfSense and our OpenVPN interface on pfSense. Any suggestions on how to inject a device between two interfaces on pfSense?

  • LAYER 8 Global Moderator

    Placement of such devices is before your routers..

    users -- lan -- wanacc -- pfsense -- internet -- pfsense -- wanacc -- lan -- users

    They are transparent to the traffic, so how would it "break" your internet? Other than trying to send traffic to its peer, it should not be sending there. So just create rules on the device to not do that. What are you looking at for your wanacc, Riverbed? Something else?

    On Riverbed they are called passthru rules, or bypass. So set up rules on your wanacc to leave the traffic alone that is just to go to pfSense and go out to the internet and not the VPN connection. So your optimized traffic would only be traffic destined for the remote location through your VPN connection.

  • Facing the same situation, we are about to start a PoC for Citrix SD-WAN (basically a CloudBridge VPX appliance) and we have been told to use WCCP mode, but this does not seem to be supported.

    Has anyone out there configured a CloudBridge VPX in inline mode behind a pfSense? Any tip or recommendation for similar scenarios would be great.

  • LAYER 8 Global Moderator

    Are you asking if WCCP (Web Cache Communication Protocol), a Cisco protocol, would be supported or is supported by pfSense? You would run WCCP on your downstream infrastructure that connects your LAN to your router. This is not something you would run on pfSense on your edge anyway.

    You put your appliance in front of your edge router.

  • Thanks for your responses.

    Our current setup in a nutshell:

    • Just running trunk VLANs from the switches (Dell PowerConnect) all the way up to the pfSense VM.
    • Each physical ESXi NIC port is tagged so it can carry all the VLANs.
    • Each VLAN has its own vSphere Port Group, and pfSense has a dedicated vNIC “Trunk” with VLAN ID 4095, and then we create other interfaces on top.
    • Single vSphere vSwitch on each host. The edge router is our upstream provider gateway.

    The WAN optimization appliance apparently requires 2 x vSwitches (LAN and WAN); however, our WAN uplink is just an access port on the switch and then an interface on the pfSense VM. It does not run on a separate vSwitch.

    What is the best method to set this up with the inline mode?

    ![vSphere - vSwitch.jpg](/public/imported_attachments/1/vSphere - vSwitch.jpg)