New Setup: 2 WANs, VIPs, 1-to-1 NAT, squid/squidGuard

  • I have finally convinced my boss pfSense is the way to go. Before we implement it I want to check and make sure it can do everything I need it to. First thing is we have two WAN connections, one cable and one T1. I would like to load balance and set it up as a failover. This I know can be set up, though I haven’t done it before. The other is we have a Barracuda which does our inbound and outbound email filtering. Using 1-to-1 NAT rules I need inbound and outbound email over port 25 to use another IP address than our primary WAN. This should work with 1-to-1 NAT as I understand it, but it will send all traffic over that public IP from the NATed IP. Lastly I need to use squid and squidGuard. Using squidGuard, am I able to limit what file extensions users can download? For instance I would need to allow only PDF, Word, Excel and PowerPoint files to be downloaded. Everything else would need to be blocked. Does all this seem doable? I have a Dell PowerEdge 1750 with 2 Xeon 2.4 GHz processors and 2 GB of RAM, and to complement it we will use Intel server NICs. Does anyone see any problems with this setup? Anything to take into consideration?

    Thanks in advance,

  • @cconk01:

    I have finally convinced my Boss pfsense is the way to go. Before we implement it I want to check and make sure it can do everything I need it to.

    Don't you think you got the order backwards?
    Usually I first make sure something does what I need it to, and on a second step I convince others that it is the right decision/solution. It gives you way more arguments if you know the capabilities and/or pitfalls beforehand.

    Since you want to use the setup in a commercial environment (unless you call your wife your boss ;-) consider buying commercial support.
    BSD Perimeter and Centipede Networks are great for this - and as a side note, Chris Buechler is now full time on pfSense trying to make a living from that! Show your support!

    Since your setup is not straightforward and requires some more thought and knowledge, I highly recommend this to satisfy your and your boss's needs in the long term!

  • Thanks guys. I am going to put my first pfSense box in a small office to get it set up and show it does everything we need it to. From there I’m going to be exploring this idea: 2 WANs, 1-to-1 NAT and squid plus squidGuard. The support definitely looks worth purchasing if my boss approves my decision. Off the top of your heads, can squid or squidGuard block by file extension? I know it can block MIME types, but I really need it to block file extensions. Is there any conf file I could manually edit to do this?

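One way to enforce an extension allowlist in Squid itself is an external ACL helper, shown here as an added example (this is not code from the thread, from pfSense or from the Squid or squidGuard projects). Squid hands each request URL to the helper on stdin and expects an `OK` or `ERR` line back; the helper permits page assets, paths with no extension, and the document types the thread names, and refuses everything else. The squid.conf wiring quoted in the docstring, the helper path, and the ACL names `docs_only` / `docs_only_ok` are this example's own choices.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow a request only when the URL names a page
asset, a path with no extension, or one of the permitted document types.

Assumed squid.conf wiring (helper path and ACL names chosen for this example):

  external_acl_type docs_only ttl=60 %URI /usr/local/bin/docs_only.py
  acl docs_only_ok external docs_only
  http_access deny !docs_only_ok
"""
import re
import sys
from urllib.parse import parse_qsl, unquote, urlsplit

# Documents users may download (the thread's list: PDF, Word, Excel, PowerPoint)
ALLOWED_DOCS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}

# What a browser needs to render ordinary pages; these are not "downloads"
PAGE_ASSETS = {"htm", "html", "xhtml", "php", "asp", "aspx", "jsp", "cgi",
               "css", "js", "xml", "json", "rss",
               "png", "jpg", "jpeg", "gif", "ico", "svg"}

# A trailing ".ext" of 1-5 alphanumerics that contains at least one letter,
# so "1.5" or "v2.0" is not mistaken for a file extension.
EXT_RE = re.compile(r"\.(?=.*[A-Za-z])([A-Za-z0-9]{1,5})$")


def extension_of(name):
    """Return the lower-cased extension of a file name, or None if it has none."""
    m = EXT_RE.search(name)
    return m.group(1).lower() if m else None


def permitted(url):
    """Decide whether Squid should let the request through.

    The path's last segment must have no extension, a page-asset extension,
    or an allowed document extension. Query-string values are held to the
    same rule, so /get.php?f=setup.exe is refused even though the path
    itself ends in a harmless .php.
    """
    parts = urlsplit(url)
    # Percent-decode so /files/report%2Epdf is judged as report.pdf
    filename = unquote(parts.path.rsplit("/", 1)[-1])
    candidates = [filename]
    candidates += [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for name in candidates:
        ext = extension_of(name)
        if ext is None:
            continue
        if ext not in ALLOWED_DOCS and ext not in PAGE_ASSETS:
            return False
    return True


def answer(url):
    """The one-word reply Squid's external ACL protocol expects."""
    return "OK" if permitted(url) else "ERR"


def main():
    # Squid writes one request per line; without the concurrency= option the
    # line is just the expanded format string, here the URI.
    for line in sys.stdin:
        url = line.strip().split(" ", 1)[0]
        sys.stdout.write(answer(url) + "\n")
        sys.stdout.flush()  # Squid waits for each reply before sending the next line


if __name__ == "__main__":
    main()
```

The file name is the only thing this helper can see, so it is a convenience control rather than a security boundary: a server can serve any content under a `.pdf` name, and a page with an extensionless URL passes untouched. Pair it with a reply-side check such as Squid's `rep_mime_type` ACL, and expect to tune the query-string rule, which is deliberately strict and will refuse search queries like `?q=what.is.this`.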

  • Yeah, I'm pretty sure it does.

  • You should keep in mind that squid does not work with multi-WAN; you will only be able to send squid traffic out your primary WAN connection.

  • Ahh! Good catch. Thanks for the heads up. Is this fixed in 2.0?

  • I think it's more of a function of squid… it can probably only cache from one WAN at a time.