Netgate Discussion Forum
    First project need some input (regarding hardware and concept)?

    General pfSense Questions
    7 Posts 2 Posters 2.8k Views
    • deskdevil

      Hello all,

      At the moment I am working on a "proof of concept". Currently we are using a WatchGuard Firebox X500 as our firewall and VPN gateway.

      After playing around with pfSense I thought that it is good enough to replace our WatchGuard. I told my team leader about my idea to set up a pfSense cluster, and he said that I should set up a single system where I can show that my idea can handle our needs. For this little project he gave me one server (for specs see below). Now I need to know if this server will be able to handle the following things and if my config plan will work out:

      • two WAN lines

        • 10 Mbit leased line

        • 4 Mbit leased line

      • about 5 OpenVPN connections (mobile users) at the same time

      • 3 permanent IPsec / OpenVPN tunnels

      • if one of our MPLS networks fails we should be able to set up to 8 additional VPN tunnels over WAN

      • pfSense should also work as a firewall between our local LAN and other offices which are connected via MPLS

      My idea is to set up four interfaces.

      • WAN1

      • WAN2

      • LAN

      • CARP

      Then I would connect WAN1 to the 10 Mbit router and WAN2 to the 4 Mbit router.
      LAN would be set up as a VLAN interface which connects to a trunked port on our local backbone switch. Over this trunked port the firewall would be able to reach the MPLS networks, local LANs and other configured VLANs on the network.
      And the CARP interface would be for later syncing with an identical pfSense server.

      The hardware I have at the moment is a Fujitsu-Siemens RX 100 S3 with the following specs:

      • P4 3.4 GHz

      • 1 GB RAM

      • 160 GB SATA HDD

      • 2x onboard NICs

      I know that I would need to add one dual-port NIC (any suggestions?).

      Should I add a crypto card? If yes, can you give me some idea what type will work fine with pfSense?

      And if anybody has anything to say about my idea and planning, please don't hesitate to drop a reply; I need any input I can get.

      Thanks so far.

      Alex

      isn't there a jabber field in the profile?

      • GruensFroeschli

        I think your hardware is more than adequate.
        There are already a few numbers about hardware-sizing on the pfSense-page itself:
        http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

        If you're already working with VLANs, you could work with only the two NICs you already have:
        one for WAN1, WAN2 and LAN, and one as sync interface for CARP.
        Here are a few screenshots of how that could look:
        http://forum.pfsense.org/index.php/topic,11193.msg62084.html#msg62084

        I'm not sure, but I think there are also some problems with failover of the VPN connections to the second WAN if the main WAN goes down.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • deskdevil

          @GruensFroeschli:

          I think your hardware is more than adequate.
          There are already a few numbers about hardware-sizing on the pfSense-page itself:
          http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

          OK, thanks for this info.

          @GruensFroeschli:

          If you're already working with VLANs, you could work with only the two NICs you already have:
          one for WAN1, WAN2 and LAN, and one as sync interface for CARP.
          Here are a few screenshots of how that could look:
          http://forum.pfsense.org/index.php/topic,11193.msg62084.html#msg62084

          I am already working with VLANs, but at the moment I don't have a clue how this setup should work. Let's imagine the following IP setup:

          WAN1 network
          network:      10.50.0.160/27
          mask:         255.255.255.224
          router IP:    10.50.0.161
          pfSense IF:   10.50.0.162

          How should I connect the ISP router (10.50.0.161/27) over a VLAN switch to my pfSense box (10.50.0.162/27)? Maybe I am just blind at the moment, but I don't see any solution. I am open to ideas, though.

          @GruensFroeschli:

          I'm not sure, but I think there are also some problems with failover of the VPN connections to the second WAN if the main WAN goes down.

          Thanks for this info, but it would be no big problem if we need to switch manually.

          Thanks and regards

          Alex


          • GruensFroeschli

            On pfSense, VLANs appear as a "virtual interface",
            meaning you can firewall/route each VLAN as if it were a real interface.

            So you can have one interface as a trunk interface with many VLANs on it.
            All traffic on this interface is tagged.
            On the switch you split the tagged traffic up onto the various untagged VLAN ports.

            With a standard VLAN-capable 24-port switch you can turn a pfSense machine with only a single real interface into a router with 23 interfaces (24 minus the trunk).


            • deskdevil

              Good morning,

              Yes, of course, I forgot that a VLAN can live without an IP address :-\

              Is there any limitation on the number of VLANs pfSense can handle? Or can this box handle the VLAN limit of 4096?

              Best regards

              Alex

              Edit: is someone using an optical fibre connection with pfSense? I was thinking about an optical trunk between pfSense and the backbone switch.

              • GruensFroeschli

                pfSense itself could certainly handle 4094 VLANs on each interface (0x0 and 0xFFF are forbidden, 0x1 is the default).

                I'm not sure if the onboard NICs can handle them.
                Onboard NICs tend to be crap (Realtek…).
                It mostly depends on the driver.
                I had some problems with vr cards (the NICs in the ALIX) where packets with an MTU of 1514 were dropped.

                I usually use a Gbit connection for a trunk.
                But if there are fibre-optic cards which are supported under FreeBSD, I don't see why that shouldn't work.


                • deskdevil
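The two replies above explain that pfSense treats each 802.1Q VLAN on a trunk as its own virtual interface, that 4094 VLAN IDs are usable per interface (0x0 and 0xFFF are reserved) and that tagged full-size frames can trip up some NIC drivers. The following is an added example, not pfSense or FreeBSD code, that models exactly that: it builds and parses 802.1Q-tagged frames, rejects the reserved VIDs, hands each tagged frame to a sub-interface named parent.VID (the FreeBSD naming pfSense uses) and shows why a full-size tagged frame is 1518 bytes rather than 1514. The MAC addresses, interface names, VLAN IDs and frames are all constructed for the demo.

```python
"""Added example (not pfSense/FreeBSD code): one trunk port carrying many
802.1Q VLANs, each delivered to a separate virtual interface.
All frames and addresses are constructed for the demo; no NIC is touched."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VLAN_TAG_LEN = 4                 # TPID (2 bytes) + TCI (2 bytes)
MAX_UNTAGGED_FRAME = 1514        # 14-byte header + 1500-byte payload, FCS excluded

# Constructed locally administered MACs (hypothetical, for the demo only).
MAC_ROUTER = bytes.fromhex("020000000001")
MAC_HOST = bytes.fromhex("020000000002")


def valid_user_vid(vid):
    """VIDs that may back a VLAN interface: 1..4094.
    0 means 'priority tag only, no VLAN'; 4095 (0xFFF) is reserved by 802.1Q."""
    return 1 <= vid <= 4094


def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame; with vid set, insert an 802.1Q tag after the source MAC."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= vid <= 4094:
        raise ValueError("VID %d is not usable (0..4094)" % vid)
    tci = ((pcp & 0x7) << 13) | vid          # DEI bit left clear
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for untagged and priority-tagged (VID 0) frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_8021Q:
        return None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if vid == 4095:
        raise ValueError("reserved VID 4095")
    return (vid or None), inner, frame[18:]


def needs_tagged_mtu(frame):
    """True when a tagged frame exceeds the untagged maximum (1514 + 4 = 1518 bytes).
    A NIC/driver that cannot accept these oversized frames drops full-size VLAN traffic."""
    return len(frame) > MAX_UNTAGGED_FRAME


class TrunkPort:
    """One physical NIC with several VLAN sub-interfaces, named parent.VID as on FreeBSD."""

    def __init__(self, parent, vids):
        self.parent = parent
        self.subifs = {}
        for vid in vids:
            self.add_vlan(vid)

    def add_vlan(self, vid):
        if not valid_user_vid(vid):
            raise ValueError("VID %d cannot be a VLAN interface" % vid)
        name = "%s.%d" % (self.parent, vid)
        self.subifs[vid] = name
        return name

    def classify(self, frame):
        """Which logical interface a received frame belongs to; None means dropped."""
        vid, _etype, _payload = parse_frame(frame)
        if vid is None:
            return self.parent          # untagged traffic stays on the parent interface
        return self.subifs.get(vid)     # VLAN not configured on this trunk: no interface, drop


def demo():
    """Three VLANs on one trunk (hypothetical em0): WAN1, WAN2 and LAN each get a virtual interface."""
    trunk = TrunkPort("em0", [10, 20, 30])
    hdr = b"\x45" * 20                    # placeholder IPv4 header bytes
    results = {
        "wan1": trunk.classify(build_frame(MAC_ROUTER, MAC_HOST, hdr, vid=10)),
        "wan2": trunk.classify(build_frame(MAC_ROUTER, MAC_HOST, hdr, vid=20)),
        "unknown": trunk.classify(build_frame(MAC_ROUTER, MAC_HOST, hdr, vid=99)),
        "untagged": trunk.classify(build_frame(MAC_ROUTER, MAC_HOST, hdr)),
        "prio_only": trunk.classify(build_frame(MAC_ROUTER, MAC_HOST, hdr, vid=0)),
    }
    full = build_frame(MAC_ROUTER, MAC_HOST, b"\x00" * 1500, vid=30)
    results["full_size_tagged_len"] = len(full)
    results["needs_tagged_mtu"] = needs_tagged_mtu(full)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

The `classify` step is the security-relevant part of a trunked firewall: a frame is only ever seen by the sub-interface whose VID it carries, and a VID that is not configured on the trunk has no interface at all, so it is dropped rather than landing on the parent interface. The size check mirrors the driver issue mentioned above: a 1500-byte payload is 1514 bytes untagged but 1518 bytes once tagged, so a NIC that silently caps frames at 1514 will drop only full-size VLAN traffic while small packets keep working.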

                  OK, I will contact my hardware dealer and ask for a FreeBSD-compatible fibre-optic card.

                  Thanks for your help so far.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.