How can I prioritize users between internet connections?
-
So I have 300 hosts in my network, my internet link is a terrible 2mb DSL, that goes through main office's proxy and it's shared with a intranet/corporate net.
After a long time requesting, I was authorized to hire a new internet link that will bypass proxy as long that only prioritized users were to have access to it.
In other words, just the users who's work depends heavilly on internet connection.Now here is my issue:
I only use pfSense as a DHCP Server. (In 2015 the main office told my branch to remove every FW/Proxy from the network, since they were doing everything from there)
How can I use my PFSense to allow every host in the network to access the Intranet(corporate net) and select users (by IP) who can skip proxy (and use the new internet link) and those who can't (and should access internet through proxy?) -
Since I also posted this in the Portuguese forum, some users pointed that I may have given just too little information. So I made a simple diagram (attached) and would like to add:
- I no longer have a Firewall on my network. (Main Office's Policy)
- My PFSense today is only DHCP
- All my users are identified by IP, so I could create an ALIAS for the "prioritized' users using their IPs.
- All users must have access to Intranet (Corporate Net)
- Most part of my network should remaing using Main Office's Proxy for Internet.
- Only prioritized users should be able to access New Internet Link.
- I can't do anything that "get in the way" of main offices network or load balacing.
Can someone help me into a solution for this?
Thanks in advance.
-
Your pfSense box would need the be able to balance the traffic but it wouldn't be able to in that diagram. It looks like only that switch would be able to do it from where it sits in the network as it is the only device that connects to both the data links. If it's a L3 switch you may be able to do it if it is the gateway for your devices and using custom routes, maybe. It seems what you want is to load balance from a dual WAN connection and, in this diagram, would happen in your Branch Router and not the pfSense box. The only other option I can think of is to set the gateway or routes in the prioritized users' computers. That could force it to move on a one off basis depending on why the offices are linked.
-
One possibility is to put those special users into an address range, by mapping an IP address to their MAC address. Everyone else would get an address out of the DHCP pool. Then, set up rules to allow only the appropriate IP addresses access to the new link.
-
Would you use an alias for that range and assign rules to the alias? I was thinking about that but couldn't think of the mechanics to have devices behave differently in DHCP but your solution seems like it would work.
-
I expect an alias would work, but I haven't tried using one.
