Is pfSense right for me?



  • Hi there.

I have been running a PC with FreeBSD as a gateway for a while, but its hardware is now playing up. In the process of changing the hardware I also had a look at how I could simplify my setup, and pfSense was recommended…

My network is set up as follows:

    
    Network (192.168.0.0/23) -> Gateway -> Public Net 1 (/29 subnet)
                                   | |
                                   | \----> Gateway2 -> Public Net 2
                                   \------> VPN Connection 1 to remote site
    
    

Gateway is 192.168.0.1
    Machines from 192.168.0.2 to 192.168.0.63 see all their traffic going through Public Net 1 (SHDSL with SLA).

    All other machines see their traffic going through Gateway 2, which is a Cisco 878 ADSL2+ router. It's connected to a cheap ADSL2+ network (sync at 17Mbit/s).
    Machines from .2 to .63 are servers;
    from .64 to .254 are user PCs.

I could have handled Public Net 2 directly from the FreeBSD gateway, but I never managed to get SIP, iChat, AIM, MSN etc. clients to properly work behind the FreeBSD NAT, while the Cisco handles this just fine.
    I know Linux, thanks to all the kernel module NAT helpers, can properly NAT most traffic (I know my little Linksys WRT54G router does it just fine).

    For the traffic coming from specific hosts all on the same subnet to go through a different route, I use a set of IPFW divert rules.

Each IP address allocated on Net 1 is statically NATed to one of the servers; so while the server has a private IP like 192.168.0.2, every packet coming in to, say, IP xxx.yyy.zzz.1 is diverted to 192.168.0.2, and every packet originating from 192.168.0.2 to the internet seems to come from xxx.yyy.zzz.1, etc…

There are 14 IP addresses allocated to the gateway, each of them linked to a PC.

    The gateway itself runs various services:
    -PPTP server (using mpd)
    -OpenVPN server
    -SNMP with custom MIBs
-Scripts monitoring the status of each connection, restarting them when need be and changing the routes if one is down. For example, all user PCs go through the ADSL2+ connection, but this one can go down from time to time; the traffic is then automatically routed through the SHDSL link (which is much slower, being 2Mbit/s only, and with rather expensive download quotas)
    -DHCP server
    -DNS (bind) for about 10 domains, with different views for external queries than for internal queries

I have been maintaining a complex set of IPFW rules: prioritising the traffic from some servers (like a VoIP one), blocking unwanted traffic, etc.

Ideally, I would love to get rid of the Cisco router; each time I need to reconfigure that beast, I have to reopen my Cisco book as I have forgotten how it works.
    But do PF and pfSense allow the same level of functionality when it comes to NAT as the Cisco or your basic Linux router?

The machine I'm getting has 3 ethernet ports; but reading the FAQ, it seems that pfSense doesn't handle PPPoE or DHCP, which is what I use to obtain IP addresses.

Does the pfSense web interface cater for having multiple IP addresses and establishing either static NAT or forwarding a specific port on a specific public IP to a private machine?

I'm guessing that as pfSense is based on FreeBSD, I could probably easily add whatever I want; but I would strongly prefer something where everything is handled through a nice, easy-to-use web interface.
    I've been doing all my admin stuff via the command line for almost 10 years, but I'm kind of sick of it now.

I use the Tomato firmware on a WRT54GL, and that stuff is great, and best of all, it works pretty well...

Thanks for any replies!
    Jean-Yves
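As an added example (not from Jean-Yves' post or from the pfSense project), here is how the three things the post describes in IPFW terms look in PF syntax on FreeBSD, the packet filter pfSense drives: static 1:1 NAT of one public IP per server, a port forward on a specific public IP, and policy routing that sends the user-PC range out the second link while the servers keep the default route. Interface names (em0/em1/em2), the ADSL next hop and the public addresses are assumptions, taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 rather than from the post. In pfSense the same rules are produced from the web interface: Virtual IPs plus the 1:1 and Port Forward tabs under Firewall > NAT, and the Gateway option on a LAN firewall rule for the policy routing.

```conf
# Added example pf.conf, not from the thread. Interface names, next hop and
# public IPs are assumed; public IPs come from the RFC 5737 documentation ranges.

lan_if  = "em0"              # 192.168.0.0/23
wan1_if = "em1"              # SHDSL, Public Net 1 (/29), assumed 203.0.113.0/29
wan2_if = "em2"              # ADSL2+, Public Net 2
wan2_gw = "198.51.100.1"     # assumed next hop on the ADSL link

# The address split described in the post
table <userpcs> { 192.168.0.64 - 192.168.0.254 }

set skip on lo0
scrub in all

# --- Translation rules (must precede filter rules in this pf syntax) ---

# Static (1:1) NAT: one public IP per server, in both directions.
# This replaces the IPFW divert-based mapping of xxx.yyy.zzz.N <-> 192.168.0.N.
binat on $wan1_if from 192.168.0.2 to any -> 203.0.113.1
binat on $wan1_if from 192.168.0.3 to any -> 203.0.113.2

# Port forward: one service on one specific public IP to an internal host
rdr on $wan1_if proto udp from any to 203.0.113.3 port 5060 -> 192.168.0.10 port 5060

# Ordinary outbound NAT for everything else, per exit interface
nat on $wan1_if from 192.168.0.0/23 to any -> ($wan1_if)
nat on $wan2_if from 192.168.0.0/23 to any -> ($wan2_if)

# --- Filter rules ---

block in log all

# Policy routing: user PCs leave via the ADSL link regardless of the
# system default route (the job the IPFW divert rules did before).
pass in quick on $lan_if from <userpcs> to !192.168.0.0/23 \
    route-to ($wan2_if $wan2_gw) keep state

# Servers (and anything not matched above) follow the default route (SHDSL)
pass in on $lan_if from 192.168.0.0/23 to any keep state

# Inbound traffic to the forwarded and 1:1-mapped services. After rdr/binat
# the destination seen by the filter is already the internal address.
pass in on $wan1_if proto udp from any to 192.168.0.10 port 5060 keep state
pass in on $wan1_if proto tcp from any to 192.168.0.2 port { 80, 443 } keep state

pass out all keep state
```

Two things worth checking before trusting such a ruleset: `pfctl -nf /etc/pf.conf` parses it without loading it, and `pfctl -s state` after a test connection shows the user-PC flows on em2 and the server flows on em1. Failover between the two links when the ADSL drops is a separate mechanism (gateway monitoring in pfSense) and is not covered by these static rules.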



I don't have anything like your complexity to deal with. My pfSense box acts as DHCP server on the LAN interface, the Wireless LAN interface (bridged to LAN) and an OPTx interface (links to a local server on a separate network from the family PCs and accessible from the internet). It also acts as DHCP client on the WAN interface (connects to the ISP). Other contributors to these forums seem to be able to use PPPoE. Don't know why you think pfSense doesn't support DHCP or PPPoE. Was there something particular in the FAQ that suggested that?



  • @wallabybob:

I don't have anything like your complexity to deal with. My pfSense box acts as DHCP server on the LAN interface, the Wireless LAN interface (bridged to LAN) and an OPTx interface (links to a local server on a separate network from the family PCs and accessible from the internet). It also acts as DHCP client on the WAN interface (connects to the ISP). Other contributors to these forums seem to be able to use PPPoE. Don't know why you think pfSense doesn't support DHCP or PPPoE. Was there something particular in the FAQ that suggested that?

    Hi.

From here:
    http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43

    (the main feature page)
    "Only works with static public IPs, does not work with DHCP, PPPoE, PPTP, or BigPond type WANs (will be resolved in a future release)"

Ahh, I see what my mistake was… I read too fast; this is for "redundancy" only :)

