Need advice on my first dual WAN



  • I'm about to rework two networks that are very similar; my home office and one of my employer's offices. What I'm needing to do in both cases is pretty clear from a goals perspective.

    I have an Alix board with 3 NICs

    WAN 1 = Cable modem connection (5 fixed IPs)
    WAN 2 = DSL connection (PPPoE, 1 fixed IP)
    LAN with two segments
    LAN segment 1 = general traffic
    LAN segment 2 = SIP phones

    I want all SIP traffic to go via the DSL service. All other traffic to go via the cable modem. If the cable service fails I'd like all traffic to fail over to the DSL, but with standard QoS provisions to ensure voice still works.

    Further, we need to access email via a PPTP VPN to an Exchange server in the UK. We cannot set up a persistent VPN tunnel from pfsense to the UK because of authentication/security issues. It has to be PPTP from a handful of laptops inside the LAN to the VPN server.

    That suggests that we use MAC DHCP reservations for staff laptops and 1:1 NAT with our fixed IP addresses.

    While I understand this in principle all of this is a little beyond my scope. Does this seem like an appropriate approach given the requirements?

    Many thanks,

    Michael


  • Rebel Alliance Developer Netgate

    There are a few caveats for this, mainly in 1.2.3.

    1. PPPoE must be on WAN, not WAN2. In 2.0 you can have PPPoE on any WAN, but with 1.2.3 it must be on WAN.
    2. You can't have multiple PPTP clients connecting to the same remote server at the same time, so like you said you'd have to do 1:1 NAT with some of your spare IPs on the Cable side, and direct their PPTP (tcp/1723 and GRE) traffic out the Cable interface via policy routes.
    3. The SIP traffic should be doable via policy routes.
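
    As an added illustration (not from either poster, and not what the pfSense GUI literally generates), this is roughly what the 1:1 NAT and policy routes described above look like as pf rules. Interface names, the 203.0.113.8/29 cable block, the 198.51.100.1 DSL gateway and the 192.168.x.x LAN ranges are assumed placeholders; gateway failover is handled by pfSense's gateway monitoring and is not shown here.

    ```pf
    # Illustrative pf.conf fragment; all names and addresses are assumed placeholders.
    cable_if = "vr0"              # WAN 1: cable, static block 203.0.113.8/29 (assumed)
    cable_gw = "203.0.113.9"
    dsl_if   = "pppoe0"           # WAN 2: DSL via PPPoE (must be WAN in 1.2.3)
    dsl_gw   = "198.51.100.1"
    lan_if   = "vr2"
    lan_net  = "192.168.10.0/24"  # LAN segment 1: general traffic
    sip_net  = "192.168.20.0/24"  # LAN segment 2: SIP phones

    # Laptops that need PPTP; addresses pinned by MAC-based DHCP reservations.
    table <vpn_laptops> { 192.168.10.50, 192.168.10.51 }

    # 1:1 NAT: each laptop gets its own spare cable-side public IP, so the remote
    # PPTP server sees a distinct peer per GRE tunnel. binat is matched before nat
    # on outbound traffic, so these hosts never fall through to the shared NAT.
    binat on $cable_if from 192.168.10.50 to any -> 203.0.113.11
    binat on $cable_if from 192.168.10.51 to any -> 203.0.113.12

    # Ordinary shared outbound NAT for everything else, on either WAN.
    nat on $cable_if from { $lan_net, $sip_net } to any -> ($cable_if)
    nat on $dsl_if   from { $lan_net, $sip_net } to any -> ($dsl_if)

    # Policy routing on the LAN side. First "quick" match wins, so keep
    # local traffic out of route-to, or LAN-to-LAN and LAN-to-firewall
    # packets would be pushed at a WAN gateway.
    pass in quick on $lan_if inet from { $lan_net, $sip_net } \
        to { $lan_net, $sip_net, ($lan_if) }

    # PPTP control channel (tcp/1723) and GRE from the laptops: force out cable.
    pass in quick on $lan_if route-to ($cable_if $cable_gw) inet proto tcp \
        from <vpn_laptops> to any port 1723
    pass in quick on $lan_if route-to ($cable_if $cable_gw) inet proto gre \
        from <vpn_laptops> to any

    # SIP phones: force out DSL.
    pass in quick on $lan_if route-to ($dsl_if $dsl_gw) inet from $sip_net to any

    # Remaining general LAN traffic: cable.
    pass in quick on $lan_if route-to ($cable_if $cable_gw) inet from $lan_net to any
    ```

    In the pfSense GUI the same result comes from a 1:1 NAT entry per laptop plus LAN rules with the gateway set explicitly, in this order.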


  • Would there be any need or advantage to having a managed switch in this situation? That is, should I be using VLANs to segregate the SIP traffic from the rest?

    Thanks,

    Michael


  • Rebel Alliance Developer Netgate

    It should work either way. Unless there is a security or other reason to segregate the SIP devices, it would be easier to keep them together.


Locked