I am looking at replacing our current firewalls for our wifi network and need a solution that can handle a single, large environment.
We will see upwards of 6000+ simultaneous wifi users on the network (16 bit) pushing 65k+ connections through NAT at 500+ Mbps, load balanced over two internet connections in a single building of approximately 1 million sq ft.
I realize that a lot of that depends on hardware, which is easy to get, but I am looking for the following:
support for beyond 120k NAT translations (NAT overload)
failover and/or active/active. I have a router/firewall solution in place at the moment that uses Cisco GLBP for active/active load balancing
IPsec VPN pass-thru support for multiple users, sometimes even to the same VPN termination point.
support for 10Gig network cards.
robust packet shaping that can support thousands of flows
multiple WAN support, aka support for multiple default routes (load balancing); something similar to Cisco's PfR would be nice too.
I realize that some of the questions are very general, but any input is greatly appreciated.
In short, pfSense can do what you need if you spec the right hardware. It may not be the best solution for some aspects though (wifi side).
IMO, you can probably get mesh type APs instead which would solve the internal wifi routing with redundancy. Ubiquiti has relatively inexpensive solutions for this.
Then deploy pfSense boxes for the general firewalling/routing (between VLANs/subnets) and WAN(s) load-balancing/failover. 120k NAT is easy to achieve; another user on the forums has had luck with the Myricom 10GbE NICs, so you can look into that.
That should be achievable, but one thing you will need to be careful of:
To get that many NAT translations, you will need multiple external IP addresses on each WAN, and segment users such that portions of them use different IPs.
Each IP only has 65k ports, so to go past that with NAT, you would need multiple IPs on each WAN.
I don't think we have a way in the GUI to NAT to a "subnet" of IPs (where NAT will automatically balance entries over a few IPs) but I believe pf supports it, so it may show up in the future.
You'd just have to set up your outbound NAT rules to account for that, taking chunks of your internal network and using the NAT rules to direct them out specific IPs.
Having two WANs alone would help that situation, but if one WAN went down you'd have to be sure you can handle the maximum number of connections out either WAN.
I have an open feature ticket that describes it: http://redmine.pfsense.org/issues/820
Isn't a connection identified by the 4-tuple (src port, src IP, dst port, dst IP) so you can have about 64K connections to each distinct destination?
So unless the connections are all focussed on a very small number of external sites there shouldn't be a problem.
For states that is true, but last I knew you couldn't have two connections sharing the same outgoing port number. (Ermal would know for sure). pf may be smarter than I'm giving it credit for.
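The two sizing questions raised in this thread (how many external IPs per WAN you need once each IP is limited to 65k source ports, and how that changes if pf keys state on the full tuple so a source port can be reused toward different destinations) can be worked through with a small planner. The following is an added example, not code from the thread or from the pfSense project: it assumes a constructed scenario of 6000 hosts with 20 connections each, hypothetical external IPs from the documentation ranges, an assumed usable port range of 1024-65535 per external IP, and a pf.conf-style `nat on $ext_if` rendering that is illustrative only and not pfSense GUI syntax. It also checks the failover point made above: with one WAN down, the other WAN's addresses must absorb every translation on their own, and an internal network carved into equal chunks can overload a single IP even when the aggregate port space looks sufficient.

```python
import ipaddress
import math

# Assumption (not from the thread): source ports usable per external IP
# after skipping the well-known range 0-1023.
PORTS_PER_IP = 65536 - 1024  # 64512


def ips_needed_conservative(total_connections, ports_per_ip=PORTS_PER_IP):
    """External IPs needed under the thread's conservative model: every
    translated connection consumes its own (external IP, source port) pair,
    regardless of destination."""
    return math.ceil(total_connections / ports_per_ip)


def ips_needed_per_destination(conns_by_destination, ports_per_ip=PORTS_PER_IP):
    """External IPs needed if state is keyed on the full tuple, so the same
    source port can be reused toward different destinations: only the
    busiest single destination bounds the port space."""
    busiest = max(conns_by_destination.values(), default=0)
    return math.ceil(busiest / ports_per_ip)


def wans_unable_to_carry_alone(total_connections, wans, ports_per_ip=PORTS_PER_IP):
    """Failover check from the thread: each WAN must absorb every connection
    by itself when the other WAN is down. Returns the WAN names whose
    external IPs cannot hold total_connections translations."""
    return [name for name, ips in wans.items()
            if len(ips) * ports_per_ip < total_connections]


def usable_hosts(net):
    """Usable host addresses in an IPv4 subnet (network and broadcast excluded)."""
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def plan_outbound_nat(internal_net, external_ips, conns_per_host,
                      ports_per_ip=PORTS_PER_IP):
    """Carve internal_net into equal chunks and map them round-robin onto the
    external IPs (the "chunks of your internal network" approach). Returns
    (rules, overloaded): rules is a list of (chunk, external_ip) and
    overloaded lists external IPs whose worst-case translation count
    (hosts in their chunks * conns_per_host) exceeds one IP's port space."""
    net = ipaddress.ip_network(internal_net)
    n = len(external_ips)
    bits = math.ceil(math.log2(n)) if n > 1 else 0
    chunks = list(net.subnets(prefixlen_diff=bits))
    rules = [(chunk, external_ips[i % n]) for i, chunk in enumerate(chunks)]
    load = {}
    for chunk, ext in rules:
        load[ext] = load.get(ext, 0) + usable_hosts(chunk) * conns_per_host
    overloaded = [ext for ext, count in load.items() if count > ports_per_ip]
    return rules, overloaded


def pf_nat_lines(rules, ext_if="$ext_if"):
    """Render the plan as classic pf.conf outbound NAT lines. The $ext_if
    macro is an assumption; this is illustrative, not pfSense GUI syntax."""
    return [f"nat on {ext_if} from {chunk} to any -> {ext}" for chunk, ext in rules]


if __name__ == "__main__":
    # Constructed scenario close to the thread: 6000 wireless hosts with
    # 20 connections each (120k translations), spread over two WANs.
    total = 6000 * 20
    print("IPs per WAN (conservative model):", ips_needed_conservative(total))
    print("IPs per WAN (per-destination model, 4 equally busy sites):",
          ips_needed_per_destination({"a": 30000, "b": 30000, "c": 30000, "d": 30000}))
    wans = {"wan1": ["203.0.113.1", "203.0.113.2"], "wan2": ["198.51.100.1"]}
    print("WANs too small to carry everything alone:",
          wans_unable_to_carry_alone(total, wans))
    # Two /20 chunks each hold 4094 hosts * 20 = 81,880 translations, more than
    # one IP's ports, even though two IPs cover 120k in aggregate.
    _, overloaded = plan_outbound_nat("10.0.0.0/19", wans["wan1"], 20)
    print("overloaded IPs with two chunks:", overloaded)
    four = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]
    rules, overloaded = plan_outbound_nat("10.0.0.0/19", four, 20)
    print("overloaded IPs with four chunks:", overloaded)
    for line in pf_nat_lines(rules):
        print(line)
```

The instructive case is the chunked plan: two external IPs satisfy the aggregate 120k count, but splitting a /19 into two /20 chunks puts 4094 hosts (81,880 worst-case translations) behind each IP, so the plan only passes once the network is cut into four /21 chunks. The per-destination model is shown for comparison with the 4-tuple argument above and should be treated as an assumption until the translator's actual port-allocation behaviour is confirmed.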