Netgate Discussion Forum

    How can I prioritize users between internet connections?

    General pfSense Questions
      rdvc

      So I have 300 hosts in my network. My internet link is a terrible 2mb DSL that goes through the main office's proxy, and it's shared with an intranet/corporate net.
      After a long time requesting, I was authorized to hire a new internet link that will bypass the proxy, as long as only prioritized users have access to it.
      In other words, just the users whose work depends heavily on an internet connection.

      Now here is my issue:
      I only use pfSense as a DHCP server. (In 2015 the main office told my branch to remove every FW/proxy from the network, since they were doing everything from there.)
      How can I use my pfSense to allow every host in the network to access the intranet (corporate net), and select by IP which users can skip the proxy (and use the new internet link) and which can't (and should access the internet through the proxy)?

        rdvc

        Since I also posted this in the Portuguese forum, some users pointed out that I may have given too little information. So I made a simple diagram (attached) and would like to add:

        • I no longer have a firewall on my network. (Main office's policy)
        • My pfSense today is only DHCP.
        • All my users are identified by IP, so I could create an alias for the "prioritized" users using their IPs.
        • All users must have access to the intranet (corporate net).
        • Most of my network should remain using the main office's proxy for internet.
        • Only prioritized users should be able to access the new internet link.
        • I can't do anything that "gets in the way" of the main office's network or load balancing.

        Can someone help me find a solution for this?

        Thanks in advance.

        diag.jpg

          Stewart

          Your pfSense box would need to be able to balance the traffic, but it wouldn't be able to in that diagram. It looks like only that switch would be able to do it from where it sits in the network, as it is the only device that connects to both the data links. If it's an L3 switch you may be able to do it if it is the gateway for your devices and using custom routes, maybe. It seems what you want is to load balance from a dual WAN connection and, in this diagram, that would happen in your Branch Router and not the pfSense box. The only other option I can think of is to set the gateway or routes in the prioritized users' computers. That could force it to move on a one-off basis depending on why the offices are linked.

            JKnott

            One possibility is to put those special users into an address range, by mapping an IP address to their MAC address.  Everyone else would get an address out of the DHCP pool.  Then, set up rules to allow only the appropriate IP addresses access to the new link.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              Stewart

              Would you use an alias for that range and assign rules to the alias?  I was thinking about that but couldn't think of the mechanics to have devices behave differently in DHCP but your solution seems like it would work.

                JKnott

                I expect an alias would work, but I haven't tried using one.

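
An added example, not part of any post in this thread: a Python check of the addressing plan JKnott describes (MAC-to-IP mappings in a reserved range, everyone else from the DHCP pool) before the alias discussed in the follow-up is built from it. It flags a dynamic pool that overlaps the reserved range and an IP mapped to two MACs, either of which would let an unintended host match the rule. All addresses, MACs and function names are constructed for illustration.

```python
import ipaddress

ip = ipaddress.ip_address

# Constructed sample data; addresses and MACs are hypothetical.
LAN = ipaddress.ip_network("10.20.0.0/23")
PRIORITY = (ip("10.20.1.200"), ip("10.20.1.239"))   # reserved for mapped hosts
POOL_BAD = (ip("10.20.0.10"), ip("10.20.1.210"))    # dynamic pool overlapping it
POOL_OK = (ip("10.20.0.10"), ip("10.20.1.199"))
MAPPINGS = {                                        # MAC -> fixed IP
    "00:11:22:33:44:01": "10.20.1.200",
    "00:11:22:33:44:02": "10.20.1.201",
    "00:11:22:33:44:03": "10.20.0.50",    # fixed address, not a priority user
    "00:11:22:33:44:04": "10.20.1.201",   # same IP handed to a second MAC
}

def in_range(addr, rng):
    return rng[0] <= addr <= rng[1]

def audit(lan, priority, pool, mappings):
    """Findings that would let a non-priority host match the alias."""
    findings = []
    if pool[0] <= priority[1] and priority[0] <= pool[1]:
        findings.append("pool-overlaps-priority-range")
    owner = {}
    for mac, addr in sorted(mappings.items()):
        addr = ip(addr)
        if addr not in lan:
            findings.append(f"outside-lan:{mac}")
        if addr in owner:
            findings.append(f"duplicate-ip:{addr}:{owner[addr]},{mac}")
        owner.setdefault(addr, mac)
    return findings

def alias_members(priority, mappings):
    """Addresses for the alias: mapped IPs that fall in the priority range."""
    return sorted({ip(a) for a in mappings.values() if in_range(ip(a), priority)})

def uses_new_link(src, priority, mappings):
    """Mirror of the rule: only alias members may use the new link."""
    return ip(src) in alias_members(priority, mappings)

if __name__ == "__main__":
    print(audit(LAN, PRIORITY, POOL_BAD, MAPPINGS))
    print([str(a) for a in alias_members(PRIORITY, MAPPINGS)])
```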

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.