PfSense the right choice?
-
Hello everyone,
I ran into m0n0wall a few weeks ago, played around with it, liked it, didn't really test it in depth, since I ran into a problem, where m0n0wall was limited and pfSense is supposed to be able to help out soon (multiple WAN) - but that's not the main issue right now. I'll try to explain, what I'm looking for and perhabs someone can give me some feedback, wether I can make this work with pfSense or not. I'm almost sure pfSense can do all I want, but at the first glimps it looked a bit overwhelming. I can work my way into it, but in the end I'll not be the only one using / configuring it - and that might become the problem.
I'm looking for a solution for a small provider-like situation (basically a really small regional provider, working with few customers, offering solutions via microwave technics), traffic / bandwidth management and logging, that's basically all I need. I have several WAN-Connections (100mbit) from cable, right now only one is in use, but more are coming (that's why the multiple WAN issue is not that urgent yet). The WAN is currently managed by a Vigor 3300. The Vigor acts as a gateway for several other SOHO users = our customers. We configure a smaller router for the customer, place it where he needs it and that's it. The customer can't access the router for security reasons (because he shouldn't be able to change his routers WAN IP). Since the Vigor 3300 only gives me limited control over bandwidth management et cetera, I'm looking for another solution.
From the main (right now only) WAN Connection I need to be able to set the upload and download bandwidth for any LAN-Client(=SOHO-Router at the cusomers place).
That's the fist job.
Second I need to be able to log all the connections from these customer-routers to the internet for a specific time due to security reasons. An external syslog server (similar to the m0n0wall settings) wouldn't be a problem.
Of course I need to be able to do port forwarding as well, but that looks not like a problem so far.Sorry for asking probably pretty easy questions. But my first tests tonight didn't work out the way they were supposed to do and now I'm not even sure wether pfSense is the right choice or not. The traffic wizard does an amazing job - if pfSense was my firewall / bandwidth-manager for a local network. But since all the prioritication of traffic is already done in the customers-router, I actually only need to set max. down- and max. upspeed per user=customer-router=specific IP.
If something is still unclear, I'll try to explain it a little more in detail.
Thanks in advance,
sap -
That's a good fit, a lot of small to mid sized ISPs deploy pfSense to do exactly what you're looking to do.
For rate limiting, you'll just want limiters (2.0-only) for this type of setup, makes it very easy. We've deployed that setup in several ISP type environments, ranging from a few dozen customers (apartment complex, condo buildings, those type of environments) to hundreds of customers and more (WISPs mostly). Not a lot of documentation on that available yet outside of our heads, may find some useful howto info by searching here. Or we'd be happy to walk you through the whole setup (see link in my sig).
The traffic logging is most always done using NetFlow (pfflowd or softflowd to export from the firewall) in ISP type environments from small to huge. There are numerous commercial and open source tools to collect and report on that flow data.
In general, this type of setup isn't really a complex configuration and isn't hard to work with. Anyone competent enough to manage any class of equipment that can handle this kind of functionality will have no issue with it, definitely no more difficult than any other option and easier than most. It's a little beyond your typical SOHO router, but not by much with this kind of setup. Anyone with basic router experience and basic firewall knowledge could be easily trained to handle the specifics of your environment. Anyone without basic router and firewall knowledge is going to get you in trouble with any product in existence that handles your requirements. ;D
Sounds like a good fit, something we've done many times already with 2.0, usually with a CARP secondary for high availability though that's always something you can add on later if you aren't concerned with hardware redundancy.
-
I take that back that there isn't much info on limiters, more than I realized here:
http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiterand I just added and clarified some.
-
I was just about to ask where to find the informations how to set it up. Your description of the features sound awesome. I will have a look at it and then might be in touch for commercial support, depending on my impression ;) (if it is too easy it's a compliment for the developers although it might be bad for you :p - if it is too hard I might skip the pfSense idea, even with the option of commercial support - if it's just right, it's just right ;) )
thanks so far