Netgate Discussion Forum

    A feasibility question, Fallover, bridge firewalling, etc.

    General pfSense Questions
    zevlag

      Here is my desired network configuration, is it feasible?  Please see my 6 points below.  I'd welcome any comments on what would or would not work.

                  /--------------\  /--------------\
                  |   INTERNET   |  |   INTERNET   |
                  \--------------/  \--------------/
                         |                 |
                         |                 |
                   DSL MODEM         GATEWAY ROUTER
                   xxx.xx.12.174/29  xxx.xx.9.1/24
                         gw1              gw2
                          |                |
                          |                |             Available IP Blocks:
                          |en0             |en1          xxx.xx.9.220-222/24
                          +----------------+             xxx.xx.12.169-173/29
                          |    pfSense     |
                          --------+-------
                         /en2      |en3     \en4
                        /          |          \
                       /           |            \
                      /            |              \
                     /             |                \
                    /              |                  \
                   /dmz1           |public              \private
         webserver
         xxx.xx.12.171/29           192.168.1.1/24       192.168.15.1/24

      1. Bridge en0 with en2 (gw1, dmz1), run a transparent firewall
      2. NAT en3 and en4 to en1 (public, private to gw2)
      3. If gw2 fails, auto fallover only private (en4) to gw1
      4. Firewall traffic between en2, en3, en4 (dmz, public, private)
      5. Run traffic shaping on en3, en4. Not allow any one client to peak
         connection capacity. Prioritize protocols/ports. Give private
         priority over public.
      6. Squid Proxy traffic on en3, en4 (public, private) for caching of
         large downloads.
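      As an added illustration, not part of the original post or of pfSense itself, here is a pf.conf sketch of the six points written for a hand-built FreeBSD/pf box. Everything named here is an assumption layered on the diagram: the NIC names en0 to en4, 2 Mb/s and 1 Mb/s link rates, xxx.xx.12.169 as the firewall's own address inside the DMZ /29 (used only by the fallback NAT), and a squid listening on 127.0.0.1:3128 in transparent mode; "xxx.xx" stays redacted as in the post. The queue tags sit on the inbound LAN rules because pf stores the queue in the state entry and applies it to the matching packets when they leave en3 or en4; the static ALTQ queues shown cannot cap a single client, so that part of point 5 is left out.

```pf
# Added example (not from the thread): pf.conf for the six points on a
# hand-built FreeBSD/pf box.  Interface names, link rates, xxx.xx.12.169
# and the squid port are assumptions; "xxx.xx" is redacted as in the post.
wan_dsl   = "en0"               # bridge member towards gw1
wan_rtr   = "en1"               # routed WAN towards gw2
dmz       = "en2"               # bridge member towards the web server
public    = "en3"               # 192.168.1.0/24
private   = "en4"               # 192.168.15.0/24
gw1       = "xxx.xx.12.174"
webserver = "xxx.xx.12.171"
fw_dmz    = "xxx.xx.12.169"     # assumed: firewall address on bridge0, for fallback NAT
squid     = "127.0.0.1 port 3128"

# Point 1 assumes the bridge exists and filtering is done on its members:
#   ifconfig bridge0 create; ifconfig bridge0 addm en0 addm en2 up
#   sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0
set skip on lo0
set state-policy floating
scrub in all

# Point 5: ALTQ on the two LAN-facing interfaces only (download direction).
# Private gets the larger share and a higher priority than public; the
# second queue of each pair carries low-delay traffic and TCP ACKs.
altq on $private cbq bandwidth 2Mb queue { priv_std, priv_pri }
  queue priv_std bandwidth 70% cbq(default borrow)
  queue priv_pri bandwidth 30% priority 6 cbq(borrow)
altq on $public cbq bandwidth 1Mb queue { pub_std, pub_pri }
  queue pub_std bandwidth 70% cbq(default borrow)
  queue pub_pri bandwidth 30% priority 4 cbq(borrow)

# Point 6: LAN web traffic goes to the local squid instead of straight out.
rdr on $public  proto tcp from $public:network  to any port 80 -> $squid
rdr on $private proto tcp from $private:network to any port 80 -> $squid

# Point 2: everything else from the LANs is NATed out through gw2.
nat on $wan_rtr from { $public:network, $private:network } to any -> ($wan_rtr)

# Point 3: a gateway monitor loads these two lines into the anchors while gw2
# is down (pfctl -a failover -f file) and flushes them (pfctl -a failover -F all)
# once gw2 answers again; only private is moved, as the post asks:
#   nat on en0 from 192.168.15.0/24 to any -> xxx.xx.12.169
#   pass in quick on en4 route-to (en0 xxx.xx.12.174) from 192.168.15.0/24 to any keep state
nat-anchor "failover"
anchor "failover"

block log all

# Point 1: the DMZ bridge is transparent, but only web traffic reaches the server
# and the server cannot initiate connections into the LANs.
pass in quick on $wan_dsl proto tcp from any to $webserver port { 80, 443 } flags S/SA keep state
block in quick on $dmz from $webserver to { $public:network, $private:network }
pass in quick on $dmz proto { tcp, udp } from $webserver to any keep state

# Point 4: the LANs reach the Internet (and the DMZ web server) but not each other.
block in quick on $private from any to $public:network
block in quick on $public  from any to $private:network
pass in quick on { $public, $private } proto tcp from any to $squid keep state
pass in quick on $private proto { tcp, udp } from $private:network to any keep state queue (priv_std, priv_pri)
pass in quick on $public  proto { tcp, udp } from $public:network  to any keep state queue (pub_std, pub_pri)

# Squid's own fetches leave from the firewall address on en1.
pass out quick on $wan_rtr proto { tcp, udp } from ($wan_rtr) to any keep state
```

      Load it with `pfctl -nf /etc/pf.conf` first to let the parser check the section order (options, scrub, queueing, translation, filtering), which older pf releases enforce, then `pfctl -f /etc/pf.conf`; the failover anchor starts empty, so until the monitor populates it private traffic simply follows the normal NAT through gw2.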

      GruensFroeschli

        I don't see any problem except with point 5.
        Currently you can run the traffic shaper only on 2 interfaces.
        In your case you want to run it on 4 interfaces (each WAN, private and public). This is not possible with 1.2.x

        The new shaper in 2.0 should be able to do this.
        2.0 is still VERY far away.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        zevlag

          Where are the traffic shaper limitations?  In the GUI? Or elsewhere? I.e. is there a way around this?

          If the traffic shaper limitations are a show stopper, what are some good alternatives? (I'm willing to roll my own even, I just don't know what distro to start from, linux, bsd, etc…)

          GruensFroeschli

            @GruensFroeschli:

            Currently you can run the traffic shaper only on 2 interfaces.

            No workaround.

            There was a bounty that led to the addition of said new shaper.
            If I remember correctly everyone committing to the bounty back then was provided with a howto to get the new shaper running on the current version.
            Not sure if you could get that if you donate some money to the developer of the new shaper (ermal).

            Where to start for other distros?
            Not sure actually.
            How much are you willing to pay?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.