First project need some input (regarding hardware and concept)?



  • Hello all,

    at the moment I am working on a "proof of concept". Actually we are using a Watchguard Firebox X500 as our Firewall and VPN-Gateway.

    After playing around with pfSense I thought that it is good enough to replace our WatchGuard. I told my teamleader about my idea to set up a pfSense cluster. And he said that I should set up a single system where I can show that my idea can handle our needs. For this little project he gave me one server (for specs see below). Now I need to know if this server will be able to handle the following things and if my config-plan will work out?

    • two wan lines

      • 10mbit leased line

      • 4mbit leased line

    • about 5 openVPN-connections (mobile user) at the same time

    • 3 const. IPSEC / openVPN tunnels

    • if one of our MPLS-networks fails we should be able to set up to 8 additional vpn-tunnels over WAN

    • pfSense should also work as a firewall between our local LAN and other offices which are connected via MPLS

    My idea is to set up four interfaces.

    • WAN1

    • WAN2

    • LAN

    • caro

    Then I would connect WAN1 to the 10mbit-router and WAN2 to the 4mbit-router.
    LAN would be set up as a VLAN-interface which connects to a trunked port on our local backbone switch. Over this trunked port the firewall would be able to connect to the MPLS-networks, local LANs and other configured VLANs on the network.
    And the carp-interface would be for later syncing with an identical pfSense-server.

    The hardware I have at the moment is a Fujitsu-Siemens RX 100 S3 with the following specs:

    • P4 3,4GHz

    • 1GB Ram

    • 160GB SATA HDD

    • 2x onboard NICs

    I know that I would need to add one dual-NIC (any suggestions?).

    Should I add a crypto-card? If yes can you give me some idea what type will work fine with pfSense?

    And if anybody has anything to say about my idea and planning please don't hesitate to drop a reply; I need any input I can get.

    Thanks so far.

    Alex



  • I think your hardware is more than adequate.
    There are already a few numbers about hardware-sizing on the pfSense-page itself:
    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

    If you're already working with VLANs: You could work with only the two NICs you already have:
    One for WAN1, WAN2, LAN and one as sync interface for CARP.
    I have here a few screenshots on how that could look:
    http://forum.pfsense.org/index.php/topic,11193.msg62084.html#msg62084

    I'm not sure but I think there are also some problems with failover of the VPN-connections to the second WAN if the main WAN goes down.



  • @GruensFroeschli:

    I think your hardware is more than adequate.
    There are already a few numbers about hardware-sizing on the pfSense-page itself:
    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

    Ok thanks for this info.

    @GruensFroeschli:

    If you're already working with VLANs: You could work with only the two NICs you already have:
    One for WAN1, WAN2, LAN and one as sync interface for CARP.
    I have here a few screenshots on how that could look:
    http://forum.pfsense.org/index.php/topic,11193.msg62084.html#msg62084

    I am already working with VLANs but at the moment I don't have a clue how this setup should work. Let's imagine the following IP-setup:

    WAN1-network
    network.......: 10.50.0.160/27
    mask..........: 255.255.255.224
    router-ip.....: 10.50.0.161
    pfSense-if....: 10.50.0.162

    How should I connect the ISP-router (10.50.0.161/27) over a VLAN-switch to my pfSense-box (10.50.0.162/27)? Maybe I am just blind at this moment but I don't see any solution. But I am open for ideas.

    @GruensFroeschli:

    I'm not sure but I think there are also some problems with failover of the VPN-connections to the second WAN if the main WAN goes down.

    Thanks for this info but it would be no big problem if we need to switch manually.

    Thanks and regards

    Alex



  • On pfSense VLANs appear as a "virtual interface".
    Meaning you can firewall/route each VLAN as if it were a real interface.

    So you can have one interface as trunk-interface with many VLANs on it.
    All traffic on this interface is tagged.
    On the switch you split the tagged traffic up on the various untagged VLAN ports.

    With a standard VLAN-capable 24port switch you can turn a pfSense machine with only a single real interface into a router with 23 interfaces (24 minus the trunk).
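    To make the trunk idea concrete for the IP-setup asked about above (router 10.50.0.161/27 and pfSense 10.50.0.162/27 on one tagged VLAN), here is an added example that is not from the thread or from pfSense itself. It checks a small VLAN plan (ids within 2..4094, no duplicate tags, no overlapping prefixes, router and pfSense both usable hosts in the same prefix) and prints the FreeBSD-style ifconfig lines such a plan needs on the trunk NIC; the VLAN ids, the LAN prefix and the NIC name em0 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# 802.1Q: tag 0 and 4095 are reserved and 1 is the default (native) VLAN,
# so 2..4094 are the ids usable for tagged segments on the trunk.
VLAN_MIN, VLAN_MAX = 2, 4094


@dataclass
class Segment:
    name: str                      # pfSense interface name, e.g. WAN1
    vlan_id: int                   # 802.1Q tag carried on the trunk port
    network: str                   # segment prefix, e.g. 10.50.0.160/27
    pfsense_ip: str                # address pfSense owns on this VLAN
    gateway: Optional[str] = None  # upstream router (WAN segments only)


def check_plan(segments: List[Segment]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen_ids, nets = [], set(), []
    for s in segments:
        if not VLAN_MIN <= s.vlan_id <= VLAN_MAX:
            problems.append(f"{s.name}: VLAN id {s.vlan_id} outside {VLAN_MIN}-{VLAN_MAX}")
        if s.vlan_id in seen_ids:
            problems.append(f"{s.name}: VLAN id {s.vlan_id} already used")
        seen_ids.add(s.vlan_id)
        net = ipaddress.ip_network(s.network, strict=True)
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{s.name}: {net} overlaps {other_name} {other}")
        nets.append((s.name, net))
        # Router and pfSense must both be usable hosts in the same prefix,
        # otherwise the tagged VLAN joins them at layer 2 but not at layer 3.
        for label, addr in (("pfSense", s.pfsense_ip), ("gateway", s.gateway)):
            if addr is not None and ipaddress.ip_address(addr) not in net.hosts():
                problems.append(f"{s.name}: {label} {addr} is not a usable host in {net}")
    return problems


def ifconfig_commands(trunk_nic: str, segments: List[Segment]) -> List[str]:
    """FreeBSD-style ifconfig lines that create each tagged VLAN on the trunk NIC."""
    cmds = []
    for s in segments:
        prefixlen = ipaddress.ip_network(s.network).prefixlen
        cmds.append(f"ifconfig vlan{s.vlan_id} create vlan {s.vlan_id} vlandev {trunk_nic}")
        cmds.append(f"ifconfig vlan{s.vlan_id} inet {s.pfsense_ip}/{prefixlen}")
    return cmds


# Constructed plan: the WAN1 numbers come from the thread; the VLAN ids and
# the LAN prefix are assumptions made for this example.
PLAN = [
    Segment("WAN1", 10, "10.50.0.160/27", "10.50.0.162", "10.50.0.161"),
    Segment("LAN", 20, "192.168.10.0/24", "192.168.10.1"),
]
```

    Running `check_plan(PLAN)` returns an empty list for this plan; the switch side is then one tagged port facing em0 and an untagged port in VLAN 10 facing the ISP router.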



  • Good morning,

    yes of course I forgot that a VLAN can live without an IP-address   :-\

    Is there any limitation of VLANs pfSense can handle? Or can this box handle the VLAN-limit of 4096?

    Best regards

    Alex

    Edit: is someone using an optical fibre connection with pfSense? I was thinking about an optical trunk between pfSense and backbone switch.



  • pfSense itself certainly could handle 4094 vlans on each interface (0x0 and 0xFFF are forbidden, 0x1 is default).

    I'm not sure if the onboard NICs can handle them.
    Onboard NICs tend to be crap (realtek…).
    It mostly depends on the driver.
    I had some problems with vr cards (the NICs in the ALIX) where packets with an MTU of 1514 were dropped.

    I usually use a Gbit connection for a trunk.
    But if there are fiberoptic cards which are supported under FreeBSD I don't see why that shouldn't work.



  • OK I will contact my hardware-dealer and ask for a FreeBSD-compatible fibre-optic card.

    Thanks for your help so far.

