Help needed: how to set up CP - with one or two pfSense boxes?



  • I have these requirements to build my network setup:

    1. Internet uses only one WAN (static IP).
    2. Users from the office LAN need to connect to the Internet without restrictions. Traffic shaper must be active.
    3. Guests can access only the internet via an access point and can't see LAN users. All guests must be limited (shaped) and will get only part of the internet traffic (there is only one WAN, shared by office and guest users).

    So what is the most stable configuration? Use one pfSense box with one WAN and two LAN interfaces, or two pfSense boxes (one as the router and the second just for CP)? I do not want to run into problems with traffic shaping and complicated NAT and firewall rules just to save the money for a second pfSense box….

    Option 1:

    INTERNET ---> (WAN) pfSense ------> (LAN) ---> office users
                                        |
                                        +----->(OPT1) -->(CP)---> Access point (internet only, do not access LAN)

    Option 2:

    INTERNET ---> (WAN) pfSense 1 ------> (LAN) ---> office users
                                        |
                                        +--> (OPT1)---->(WAN) pfSense 2 ---> (LAN) -->(CP)---> Access point (internet only, do not access LAN)



  • I think that the first version is fine for you. The drawback with both versions is that you do not have any traffic shaping on the OPT with pfSense 1.2.1. However, as you need shaping only on the LAN for now, that first version is safe. In case you need shaping on all interfaces, wait for version 2.0.

    For the access points, just make sure that they cannot connect to LAN, by blocking access to LAN.



  • @Monoecus:

    I think that the first version is fine for you. The drawback with both versions is that you do not have any traffic shaping on the OPT with pfSense 1.2.1. However, as you need shaping only on the LAN for now, that first version is safe. In case you need shaping on all interfaces, wait for version 2.0.

    For the access points, just make sure that they cannot connect to LAN, by blocking access to LAN.

    It is important to use traffic shaping for LAN and guest users. I need to limit guests to 30% of the total bandwidth AND use the traffic shaper to distribute these 30% fairly among all guest users.

    So I will use Option 2 until version 2.0 comes out.

    Thanks for the help!

