Newbie - suggestion/recommendation for initial setup for Satellite (HX50)



  • I have successfully installed pfsense 1.2.2 on Compaq D530 with 4 NICs.  (1) internal NIC - Broadcom 1000, (2) Dual Intel 1000GT, & (3) 3Com 10/100.  P4 3.0GHz & pfsense has SMP enabled, 2.5GB RAM, WD 250GB SATA 7200rpm HD.

    I have the Broadcom NIC as my LAN (192.168.150.xxx/24).  Dual Intel has my WAN/OPT1 & 3Com as OPT2. 
    Static IPs by Bentley Walker (my ISP).  LAN1 as (10.136.31.193/28) & LAN2 (10.136.31.209/28). 
    Both links are 2048/256 on 10to1 ratio.  ISP is using OPENDNS, (IPs 206.67.222.222 & 206.67.220.220).  I have 198GB monthly download quota on each link and 8hour fair share penalty schedule.

    The HX50 modem has payload and tcp header compression enabled and is working.  I will have around 35+ end users on this system.  This system is for the troops serving in Iraq (they are paying for it) for keeping in touch with the family primarily (web, email, chat, sip) & online school, general web browsing).  The users have been told NO P2P, MAC Spoofing and so forth or they will be kicked off the system.  The system has been online since 5Mar09.

    My plan is to have pfsense loadbalance LAN1 & LAN2 and squid installed initially.  I need suggestions/recommendations and most likely links to "how to"s on your suggestions/recommendations.

    I am actively reading this forum for traffic shaping, captive portal, NATing and the problems/issues pfsense users are having and their fixes for them.

    I currently have an Asus router (Asus WL-500gP v2 running tomato V1.22) on LAN1 and will have pfsense on LAN2 for configuration and testing, except the loadbalancing portion, until I feel comfortable with it.

    As I write this, some users are typical….  they are P2Ping, eating the bandwidth.  I am blocking P2P by ports and keywords but still they get by using other ports and encryption.

    On the Asus router, I am using TCP Vegas for congestion avoidance and will set up QoS on Tomato later today to slow down the P2P.  My network switches are Cisco 2950s and will block MACs on the core switch for P2P users until they uninstall the software on their Windows systems.  I have access restrictions set to only allow authorized MACs on the Asus router.  Thankfully there are no Linux/BSD systems on the network other than mine.  Easier to catch the abusers.

    Anyway,  any and all suggestions/recommendations/how to's are greatly appreciated and will be respected.  I am very grateful for this product/forum and its creator(s), forum moderators, the Gurus and supporters.  Thanks for all your hard work and support.  Will be using pfsense when I get back home.

    Ken



  • First - kudos to you for helping set this up.

    Second - I think you might be overthinking things a little bit with the load balancing between the interfaces.  With satellite bandwidth limited to 2Mb/256kb, there won't be much need to load balance anything as I can't foresee 35 users ever exhausting the link, even if it is squid cached data coming through at 1Gbps.  You can bind squid to multiple interfaces, just hold down Ctrl when selecting in the box (simple, but many have missed that).

    That said, all of this should work fine as you explained.  It's good that you have some serious switches to work with to help control P2P.  Combined with pfSense you should really be able to cut down on that type of traffic.



  • mhab12,

    Thanks for the reply and the kudos.

    I got the loadbalance working properly I believe.  Wondering on binding squid to multiple interfaces - which ones do I bind?
    LAN & WAN & OPT1WAN2 or
    WAN & OPT1WAN2 only
    or something else?

    I have installed the squid package along with squidguard & Lightsquid but not configured it, until I do further research on the forums.

    I have commented out the /boot/loader.conf statement  to "#kern.ipc.nmbclusters="0"" as per another thread.  "Boy am I rusty with vi"

    Am I on the right track with this?  Any suggestions on the tips in the "Squid Package Tuning" section of the docs?  Have you had success with the "caching windows update" portion?  I have both XP & Vista users.

    By the way, I have around 65 users online now.  Loadbalancing is really helping :)

    After this post I will start posting in the proper sections of the forums, but just wanted to get your response.

    Thanks again.  Ken
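The loader.conf edit described above (commenting out the `kern.ipc.nmbclusters` line) is easy to get wrong by hand in vi, so here is an added example, not Ken's own commands, that makes the change idempotently with a backup and lets you verify it. The LOADER_CONF path is an assumption (pfSense 1.2.x keeps it at /boot/loader.conf).

```shell
#!/bin/sh
# Comment out one tunable in a loader.conf-style file, idempotently.
# Added example, not from the thread; LOADER_CONF path is an assumption.
LOADER_CONF="${LOADER_CONF:-/boot/loader.conf}"

# disable_tunable FILE NAME
# Turns every active line "NAME=..." into "#NAME=..." and leaves lines
# that are already commented alone. Keeps a .bak copy of the original.
disable_tunable() {
  file="$1"; name="$2"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  cp "$file" "$file.bak" || return 1
  # Escape dots so "kern.ipc.nmbclusters" is matched literally, not as regex.
  pat=$(printf '%s' "$name" | sed 's/\./\\./g')
  # -i.tmp works on both BSD and GNU sed; the temp copy is removed afterwards.
  sed -i.tmp "s/^[[:space:]]*\(${pat}=.*\)$/#\1/" "$file" && rm -f "$file.tmp"
}

# tunable_active FILE NAME -> exit 0 if an uncommented NAME= line remains
tunable_active() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -q "^[[:space:]]*${pat}=" "$1"
}

# Typical use on the firewall itself (commented out so the script is safe to source):
# disable_tunable "$LOADER_CONF" kern.ipc.nmbclusters
# tunable_active "$LOADER_CONF" kern.ipc.nmbclusters && echo "still active" || echo "disabled"
```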



  • I would bind squid to any interface that is going to have users doing browsing.  I think for you that is all except WAN.  Make sure you've switched your GUI to run on HTTPS so there are no port conflicts on port 80.

    As for caching windows update, there is nothing special to do.  Just make sure you set the 'Maximum Object Size' to something like 262144 (256MB) if you want to grab items like windows update.  I've noticed this helps a lot across the board with any updates, not just MS (think AOL, AIM, P2P programs).  That said, I was having some issues with the most recent version of Squid not serving anything from cache, but that's another issue.

