  • Hi,
    It seems we have outgrown our DrayTek 2950 router. It has 2 x WAN (24Mb ADSL2+) serving 40+ IPsec VPNs. The problem is that although it has 4 Ethernet ports that can be port-based VLAN'd, it will only run with 1 LAN subnet and only allows IPsec VPNs to connect to that LAN on a /24. So we have 3 departments VLAN'd but on the same subnet, and 40 IPsecs with full access to each VLAN. Not ideal by any means!
    We have a spare WatchGuard X500 which, after reading around, we have realised we could install pfSense on, which would be ideal.
    1. Does pfSense support multiple public IPs on the WAN?
    2. Does pfSense support more than 1 WAN for load balance/failover?
    3. Does it support multiple LAN subnets?
    4. Can the above be VLAN'd (802.1Q)?
    5. Can IPsec VPNs be restricted to certain local subnets/VLANs?

    Any help or pointers would be appreciated. Thank you.

  • ad 1)
    Yes it does, no problem, just add a virtual IP with ARP or CARP.

    ad 2)
    Yes, you can set up a load balancer under Services, which also works as a failover.

    ad 3)
    Yep, why not. Better to have multiple NICs for them on pfSense, or route them through some other router.

    ad 4)
    VLAN is supported.

    ad 5)
    This I'm not sure about, but there are IPsec-specific rules which should do the trick.
    Maybe someone can help here.

    Hope this helps.

  • Thank you for your quick reply. Just to clarify then, I could have the following:

    LAN1 - vlan11 -
    LAN2 - vlan12 -
    LAN3 - vlan13 -
    LAN4 - vlan14 -

    First 2 subnets going out through WAN1 (8 IPs) & second 2 going out through WAN2 (8 IPs).

    I'm still looking through the documentation to see if I can set up an incoming IPsec to, say, restrict incoming connections to a certain server on each LAN but allow that server total access to the remote LAN, i.e. /24.

    We also have 2 x DrayTek 100 ADSL modems which use a PPPoE to PPPoA bridge, so the authentication is done on the router. Can pfSense handle this, i.e. 1 x PPPoE connection per WAN?

  • I believe in pfSense 1.2.x only one PPPoE WAN is supported. You'd have to run your modems in half-bridge mode.

    IPsec appears as a separate interface in the rules configuration, so you can restrict it however you like.
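The rule layout the two replies above describe, as an added example that is not from the thread or from pfSense itself: one /24 per VLAN, one server per VLAN that the remote IPsec sites may reach, and that server alone allowed out to every remote /24. The addresses, VLAN names and the `enc0` interface name are constructed assumptions for the illustration; the evaluator models pfSense's first-match ("quick") rule processing on the interface where a packet enters, which is what makes the inbound (IPsec tab) and outbound (VLAN tab) halves of the policy separate rule sets.

```python
import ipaddress

# Constructed topology, not taken from the thread: one /24 per VLAN, the single
# server in each VLAN that remote IPsec sites may reach, and two remote /24s.
VLAN_NETS = {
    "vlan11": "10.11.0.0/24",
    "vlan12": "10.12.0.0/24",
    "vlan13": "10.13.0.0/24",
    "vlan14": "10.14.0.0/24",
}
ALLOWED_SERVER = {
    "vlan11": "10.11.0.10",
    "vlan12": "10.12.0.10",
    "vlan13": "10.13.0.10",
    "vlan14": "10.14.0.10",
}
REMOTE_NETS = ["192.168.1.0/24", "192.168.2.0/24"]
ANY = "0.0.0.0/0"
IPSEC_IF = "enc0"  # assumed name of the IPsec interface pf sees tunnel traffic on


def build_rules(vlan_nets, allowed_server, remote_nets):
    """Return an ordered list of (action, iface, src_net, dst_net) rules.

    Rules are evaluated first-match per interface, the way pfSense applies
    'quick' rules on the interface a packet arrives on."""
    rules = []
    # Inbound from the tunnels: each remote /24 may reach only its one server
    # per VLAN; everything else arriving from the tunnel is dropped.
    for remote in remote_nets:
        for vlan, server in allowed_server.items():
            rules.append(("pass", IPSEC_IF, remote, f"{server}/32"))
    rules.append(("block", IPSEC_IF, ANY, ANY))
    # Traffic entering from each VLAN: the server may reach every remote /24,
    # no other host in that VLAN may, and the rest keeps the usual allow-all.
    # Order matters: the per-server pass must precede the per-VLAN block.
    for vlan, net in vlan_nets.items():
        server = f"{allowed_server[vlan]}/32"
        for remote in remote_nets:
            rules.append(("pass", vlan, server, remote))
            rules.append(("block", vlan, net, remote))
        rules.append(("pass", vlan, net, ANY))
    return rules


def first_match(rules, iface, src, dst):
    """Action taken for a packet entering on iface, or 'block' if no rule
    on that interface matches (pfSense's implicit default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_iface, src_net, dst_net in rules:
        if rule_iface != iface:
            continue
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "block"


def render_pf(rules):
    """Render the rules in pf.conf syntax, the form pfSense hands to pf."""
    lines = []
    for action, iface, src, dst in rules:
        src_s = "any" if src == ANY else src
        dst_s = "any" if dst == ANY else dst
        lines.append(f"{action} in quick on {iface} from {src_s} to {dst_s}")
    return lines


RULES = build_rules(VLAN_NETS, ALLOWED_SERVER, REMOTE_NETS)

if __name__ == "__main__":
    for line in render_pf(RULES):
        print(line)
    # A remote host reaching the permitted server passes; reaching any other
    # host in the VLAN is blocked; the server itself may reach the remote /24,
    # while its VLAN neighbours may not.
    print(first_match(RULES, IPSEC_IF, "192.168.1.5", "10.11.0.10"))
    print(first_match(RULES, IPSEC_IF, "192.168.1.5", "10.11.0.20"))
    print(first_match(RULES, "vlan11", "10.11.0.10", "192.168.1.77"))
    print(first_match(RULES, "vlan11", "10.11.0.20", "192.168.1.77"))
```

Two practitioner notes. First, the inbound and outbound halves are independent: the IPsec-interface rules stop remote sites from reaching anything but the named server, and the VLAN-interface rules stop every other local host from initiating towards the remote /24s; leaving either half at allow-all defeats the other. Second, a source address belonging to vlan11 that arrives on vlan12 matches nothing on vlan12 and falls to the default deny, so per-interface rules also give a basic anti-spoofing check between VLANs.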

  • Is that one PPPoE per WAN or one PPPoE WAN? If pfSense meets our needs, we will start a program of replacing our main routers. Looking forward to giving pfSense a shot.

  • One PPPoE WAN.
    AFAIK in 2.0 all interfaces should be able to support PPPoE, but 2.0 is still FAR away.

    But as ktims wrote:
    Most modems today support half-bridge mode.
    (The authentication is done on the modem, but you have the real IP on the pfSense).

  • Does half-bridge mode create a problem with multiple public IPs? Or does pfSense just take the router IP address and you enter IP aliases into pfSense?

  • In half-bridge mode the modem is only responsible for negotiating the PPPo(A|E) session and encapsulating all the traffic that appears on its ethernet interface. So you can basically treat it as if it was a regular ethernet connection instead of running a PPPo(A|E) client on the router.

    Never understood why PPP is so popular on ADSL circuits… Ethernet over ATM seems to make a lot more sense to me (and all of the local DSL ISPs here use it), but then I'm not a senior network engineer at a huge ISP either ;).

  • Thank you very much for your time on this. It has cleared things up and I'm looking forward to getting to grips with pfSense.

  • Wow….
    Just installed it on an X500 with the LCDd script and it looks very good. Now for some testing over the next couple of weeks, but it looks impressive to say the least and is more in line with what I'm familiar with.

