Internet Access for entire school district?
I'm going to start with our current setup… We are a New Jersey High School with 5 sending K-8 schools. (In NJ, schools are regionalized. Thus, we have no control and/or understanding of the sending schools' IT infrastructure.)
Currently, one of our sending schools (School A) has a 25 MB pipe to the Internet. Their Internet router has 6 interfaces. One interface connects to their firewall and the other 5 interfaces connect to transceivers that send fiber to each of the other 5 schools. At our school, the fiber terminates at a transceiver that connects to the WAN port of our pfSense. Presumably, this is the same at the other schools.
To make things more complicated, I believe each school has separately assigned ranges of IP addresses that are not contiguous.
Now, on to what we want to do...
We want to bring the Internet feed into our school (the High School) and feed out to all the other schools. We also have a DSL line in our school that we are currently using with load balancing/failover. We want to be able to provide the DSL failover to the other schools as well.
I'm thinking (hoping) that we can eliminate the router completely and just use pfSense. I also believe that I will have to convert all the sending schools to a private IP subnet on their "WAN". (Come to think of it, they won't even really need a firewall in their school anymore.)
My question is... How do I assign the multiple and separate public IP ranges to pfSense and forward them on to the corresponding schools (OPT or LAN interfaces?)
Thanks all, Hope everyone can follow our scenario.
Yes, if I understand what you're asking, that should be quite feasible. It sounds like what you need to do is proxy ARP for your public scopes upstream, then push them downstream to each campus with a series of 1:1 NAT rules.
Regarding removing the pfSense nodes downstream, I'd be cautious about that. It's a good idea to have something segmenting the schools off from each other downstream. Keep in mind that students are often brighter and more capable than school faculty, especially in technical matters, and should not be underestimated.
One final piece of advice would be to stage as much as you can before it goes live. You also might want to run some serious torture tests on the hardware/software stack you plan to deploy, ensuring that:
The hardware is reliable and won't be a bottleneck for the amount of traffic you're expecting, + predictable growth.
pfSense / FreeBSD is reliable enough on your hardware stack, and has all the features you need.
You know exactly what to expect in terms of configuration, backing up and recovering configurations (if the interface names don't match you're in for a fun time), etc.
Regarding the stability of pfSense / FreeBSD, I ran into some rather serious issues myself which essentially blocked me from deploying pfSense 1.2.3 in an overly-hostile environment. YMMV of course, but here's the record of my endeavors for reference: http://forum.pfsense.org/index.php/topic,24337.0.html