LAN-party with pfSense



  • Hi! First post here..
    So I'm planning on hosting this LAN-party for my local area. I'm expecting at least 200 participants, but there's always a chance we'll get more people.
    What I'm interested in is using a pfSense-box as firewall/gateway as i have some experience with it and heard a lot of praising of it.
    I'd want to set up traffic shaping to ensure enough bandwidth for low-latency gaming even if everyone is running their torrent client. A caching proxy could assist in keeping the traffic load down - plus some blacklisting of unwanted sites (we might get around a 10mbit connection, possibly less).

    In the past I've used the captive portal also, passing out usernames and passwords only AFTER the person has paid the entry fee (they tend to let people in to carry their rig and expect them to come back out and pay). Is it a good idea to avoid this, or is the performance effect of the captive portal negligible?

    I have some experience setting up networking with unmanaged switches and uplinks (for ~100 people) but as we're closing on the IP-cap of one subnet I'd need a different set up. I have no experience with VLANs but I assume this is what I'd have to look into.

    The hardware is capable of pretty much anything - it's a corporate 2U rack-server with SCSI-disks, dual CPU, 2 NICs and some gigabytes of RAM.

    One NIC is used for WAN, the second will be connected to the network via a managed switch I guess. I'd have to set up at least 2 subnets of VLANs.
    Will all traffic from VLAN1 to VLAN2 run through the one cable/NIC to the pfSense box (effectively halving the bandwidth) which might generate a bottleneck? Can it cause problems?

    Another issue is the public IP. Is having 200 users on a single public IP a problem? I don't think 1:1 will be possible from the ISP, but we might get a number of IPs available to us, is there a way to handle this intelligently?



  • I would like to share some thoughts.
    If you are expecting 200~ people I would suggest moving to 'class A' private IP space. In my experience of hosting LAN Parties people bring multiple devices and many people have virtual machines that also pull IPs from your pool. I wouldn't do VLANs at all, I would just increase the IP pool to a 10.x.x.x address to create one network with plenty of room.

    Running a proxy server sounds like a good idea for the web with that amount of clients. Even if you have a slow proxy server you will still be able to reduce bandwidth usage on your WAN. Setting up traffic shaping would be a must in this case as well and blocking P2P would grantee that problems don't arise for those that connect to online servers.

    Having 200~ private IPs behind a single IP will not be a problem. I wouldn't even bother calling the ISP about it since, you know, how ISP are about certain things.

    Lastly, are we invited? :)



  • Thanks a lot! I hadn't even thought of that. How do you set up Class A DHCP with pfSense?
    A disadvantage with not routing traffic through VLANs is all the broadcasts coming out of everywhere. I've even experienced people setting up their own DHCP-servers and connecting to the LAN, thus randomly creating all sorts of problems on the entire network. With routing this would only happen on one VLAN.
    Also blocking P2P completely is a great challenge, is pfSense capable of recognizing (and blocking) this type of traffic?
    If not I remember someone setting up several "tunnels" for their connection. Say we have a 10/10mbit connection, they reserved 2/2 of it for gaming ports only (WoW, Steam, etc), then assigned 7/7 to all other traffic (thus leaving 1/1 unused - just in case). I'm unsure if this is the way pfSense does traffic shaping, or if it simply assigns a priority rating to each packet and takes it from there.

    Of course you are invited! However it's gonna happen at around 70 degrees north - and our traveling budget for "outsiders" isn't that great.



  • @silvercat:

    Thanks a lot! I hadn't even thought of that. How do you set up Class A DHCP with pfSense?

    That's the easy part, change IP to 10.0.0.1/8 (that should be enough for your LAN ^_^), and a BIG DHCP pool.

    A disadvantage with not routing traffic through VLANs is all the broadcasts coming out of everywhere. I've even experienced people setting up their own DHCP-servers and connecting to the LAN, thus randomly creating all sorts of problems on the entire network.

    This is what managed switches should be able to contain.

    If not I remember someone setting up several "tunnels" for their connection. Say we have a 10/10mbit connection, they reserved 2/2 of it for gaming ports only (WoW, Steam, etc), then assigned 7/7 to all other traffic (thus leaving 1/1 unused - just in case). I'm unsure if this is the way pfSense does traffic shaping, or if it simply assigns a priority rating to each packet and takes it from there.

    pfSense can do both



  • We used pfSense for all the LAN parties i helped organise in the last 4~5 years.

    While we didn't use blacklisting / Proxying, we did use the Captive Portal.
    Generally we didn't allow any internet traffic except when someone needed it with a good reason. (eg update their antivirus software).
    For this we created a time-limited user (30 minutes).

    To solve the problem with people comming in, setting up their computer and just connect to the network, we used VLANs.
    We once had a problem with a samba virus infecting everyone.
    So we made it our policy to only allow people which have an up to date anti-virus and can show an active virus scan within the last 24 hours.
    We enforced this with VLANs.
    Every port on all switches were in their own VLAN.
    All ports in a public VLAN. The PVID is initially set to each ports private VLAN.
    On the pfSense we bridged all VLANs (as many VLANs as there are ports) and blocked all traffic on all VLANs with as destination something RFC1918 (but allow all destinations on the internet).
    After someone of the staff verified their computer and checked if they payed, the PVID of the port on the switch would be moved into the public VLAN. (For this we used a python script with pyCurl)

    This ensures that no communication with the local LAN (except the pfSense) is possible, but at the same time everyone gets an IP which will later actually be used and allows them to access the internet if they need to install/update their antivirus.
    Might be a bit overkill, but it ensured that we never had any virus problems again ^^"

    However if you're not familiar with VLANs i wouldn't suggest a setup like that to you.

    When is your party?
    I would suggest to set up a test network at least 3~4 weeks in advance with all your servers you're going to run and test everyting.
    Especially if you want to run the traffic shaper this will take some time to tweak until it runs the way you want.
    Otherwise, keep it as simple as you can.

    Since most people will come with their computer configured to get an IP via DHCP, you could set up a DHCP server to server the 172.16.0.0/16 subnet, but the actual network for the party will be 10.0.0.0/8.
    Assign the IPs to the people statically.
    Something like 10.Room.Row.Place/8
    (eg, Room 1, Row 2, Place 7 would have 10.1.2.7/8)
    (This is actually the system we used before we used the pfSense).
    This has the advantage that you know out of the IP address the place where someone sits.
    For this we put on every place a small sticker with an explanation how to change their address, subnet, gateway, etc and what the IP of the current place is.



  • @silvercat:

    Another issue is the public IP. Is having 200 users on a single public IP a problem? I don't think 1:1 will be possible from the ISP, but we might get a number of IPs available to us, is there a way to handle this intelligently?

    Not an issue with most games EXCEPT Battlenet games.  Blizzard has a lock on Bnet hosts for 6 hosts per IP.  Your gamers can game but hosting games are an issue.  Plus, you need to set different game ports and forward them for each game host.

    Using a Class B or Class A subnet would solve your problems with address space.

    With the right kind of money, ISPs can be very willing to offer help.  LOL..  Just last year, we had a Dreamhack over here where the ISP opened up a 40Gbps symmetric link direct to Sweden for us and provided all the network routers required so that we could have "LAN" games played between Sweden and Singapore.


  • Netgate Administrator

    @dreamslacker:

    Just last year, we had a Dreamhack over here where the ISP opened up a 40Gbps symmetric link direct to Sweden for us and provided all the network routers required

    What!  :o That's got to be the best ISP in the world. Dare I ask how much that cost?

    Steve



  • Due to our 'sponsors' cough government cough, the ISP was arm twisted into providing for the link and necessary routing infrastructure using their marketing funds.  IIRC, the actual cost would have been close to US$180K for maintaining the link for the 3 days of the event.



  • @dreamslacker:

    @silvercat:

    Another issue is the public IP. Is having 200 users on a single public IP a problem? I don't think 1:1 will be possible from the ISP, but we might get a number of IPs available to us, is there a way to handle this intelligently?

    Not an issue with most games EXCEPT Battlenet games.  Blizzard has a lock on Bnet hosts for 6 hosts per IP.  Your gamers can game but hosting games are an issue.  Plus, you need to set different game ports and forward them for each game host.

    Using a Class B or Class A subnet would solve your problems with address space.

    With the right kind of money, ISPs can be very willing to offer help.  LOL..  Just last year, we had a Dreamhack over here where the ISP opened up a 40Gbps symmetric link direct to Sweden for us and provided all the network routers required so that we could have "LAN" games played between Sweden and Singapore.

    I doubt people are going to host games and expect their friends (those not in the LAN) to be able to connect - however I'm considering letting home users to be able to connect to the LAN from their homes using VPN, to be able to virtually participate! =) Ahh, the power of pfSense!
    @GruensFroeschli:

    We used pfSense for all the LAN parties i helped organise in the last 4~5 years.

    While we didn't use blacklisting / Proxying, we did use the Captive Portal.
    Generally we didn't allow any internet traffic except when someone needed it with a good reason. (eg update their antivirus software).
    For this we created a time-limited user (30 minutes).

    To solve the problem with people comming in, setting up their computer and just connect to the network, we used VLANs.
    We once had a problem with a samba virus infecting everyone.
    So we made it our policy to only allow people which have an up to date anti-virus and can show an active virus scan within the last 24 hours.
    We enforced this with VLANs.
    Every port on all switches were in their own VLAN.
    All ports in a public VLAN. The PVID is initially set to each ports private VLAN.
    On the pfSense we bridged all VLANs (as many VLANs as there are ports) and blocked all traffic on all VLANs with as destination something RFC1918 (but allow all destinations on the internet).
    After someone of the staff verified their computer and checked if they payed, the PVID of the port on the switch would be moved into the public VLAN. (For this we used a python script with pyCurl)

    This ensures that no communication with the local LAN (except the pfSense) is possible, but at the same time everyone gets an IP which will later actually be used and allows them to access the internet if they need to install/update their antivirus.
    Might be a bit overkill, but it ensured that we never had any virus problems again ^^"

    However if you're not familiar with VLANs i wouldn't suggest a setup like that to you.

    When is your party?
    I would suggest to set up a test network at least 3~4 weeks in advance with all your servers you're going to run and test everyting.
    Especially if you want to run the traffic shaper this will take some time to tweak until it runs the way you want.
    Otherwise, keep it as simple as you can.

    Since most people will come with their computer configured to get an IP via DHCP, you could set up a DHCP server to server the 172.16.0.0/16 subnet, but the actual network for the party will be 10.0.0.0/8.
    Assign the IPs to the people statically.
    Something like 10.Room.Row.Place/8
    (eg, Room 1, Row 2, Place 7 would have 10.1.2.7/8)
    (This is actually the system we used before we used the pfSense).
    This has the advantage that you know out of the IP address the place where someone sits.
    For this we put on every place a small sticker with an explanation how to change their address, subnet, gateway, etc and what the IP of the current place is.

    I don't think we'll use such an extensive VLAN-setup for one. However I like the static IP idea. If you're too stupid to set up your IP manually, then chances are you're too stupid to keep your antivirus up to date, thus generate problems.
    We've decided to do this June 2nd, and the crew is planning to do a "bootcamp" prior to the event to test the equipment, setups, games, servers.
    Guess we'll be testing the new RC of pfSense 2 as well =)


Log in to reply