Slow T1 & unused Comcast for failover



  • I am kind of a newb, perhaps just rusty. I haven't used pfSense for roughly two years now. Last was v1.2.1. I think.

I want to replace my Cisco ASA 5505 with something more powerful, and with more features. Specifically, we have a T1 circuit (primarily for the SLA and the uptime that we rely on). We also have Comcast in the building just for failover. Apparently, an ASA 5505 will failover, or can route specific IP addresses to Comcast, but I would like to route all port 80/443 traffic to the Comcast line. I'm told that the ASA cannot do this. It just galls me that the Comcast line is just sitting there doing nothing and capable of running so much faster than the T1. (Even worse are the differences in price/performance in the two!) I wish FIOS was an option in our town - politics.

    Finally, I would also like to provide home users with VPN access and begin to eliminate the hated Citrix box. I know that VPN access can really tax a firewall.

I just ordered the book "pfSense: The Definitive Guide" and I will read it. But before I order hardware, I'd really like to hear others' opinions. Especially, sections of the book to focus on.

    Can pfSense route based on traffic type AND then still failover to one interface or the other so that ALL traffic goes out one if the other goes down?
    Can pfSense handle a dozen different VPNs, with 2 or three active at any one time? I'll buy the hardware for THIS software. It was worth it before.

    Any suggestions that you all might have would be greatly appreciated. Again, it's been a while since I've been active in this area, but it's obvious that the folks before me were sold some expensive hardware that's left them wanting.

    Lou


  • Rebel Alliance Developer Netgate

    @Lou57:

    Can pfSense route based on traffic type AND then still failover to one interface or the other so that ALL traffic goes out one if the other goes down?

Yes, it can handle just about any failover/balancing scenario you can dream up. You can policy route traffic in any way you like, based on any criteria that can be matched in a firewall rule. You can make multiple failover groups, one that prefers T1, one that prefers Cable, and then direct traffic into one or the other as it comes in on LAN. If T1 goes down, everything would use Cable; if Cable goes down, everything would use the T1.

    @Lou57:

    Can pfSense handle a dozen different VPNs, with 2 or three active at any one time? I'll buy the hardware for THIS software. It was worth it before.

    We have people who use hundreds of concurrent VPN tunnels. As long as you have the hardware to push encrypted traffic at line speed, that should be sufficient. Even a little ALIX box can do ~10-20Mbit of VPN traffic (depending on the cipher in use).



  • Excellent. I cannot wait for the book to arrive and get started again.
We'll probably use one of the small HP desktops that are sitting around with dual core and 2 GB of RAM.
    That should handle just about anything I could ever throw at it.

The last time I installed/used pfSense was also installed on a desktop, a P4 at 2 GHz. Ran like a champ.
    It did everything I asked it to, but there was so much more that I knew it could do. Hopefully, this book
    will enable me to get there and understand what I am doing. Great reviews on Amazon. Congrats.

    Lou


  • Rebel Alliance Developer Netgate

It should help quite a bit. The section on multi-WAN has quite a bit of detail, but you may also benefit from looking over the other multi-WAN tutorials on the doc wiki and forum.



It's easy to route your http/s traffic over the cable: on your LAN rules, just create an entry higher in the list than your default outbound entry, enter 80/443 for the port, and select the gateway for Comcast instead of default. You can then create a failover that will route it back onto the T1 if Comcast is down.
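An added example (not from the thread and not pfSense code) that models the two things this post relies on: LAN rules are matched top-down with the first match winning, so the 80/443 rule must sit above the default rule, and a tiered gateway group falls back to its next tier when the monitored gateway is down. The gateway and group names (COMCAST_GW, T1_GW, PreferCable, PreferT1) and the fallback-to-default behaviour when a whole group is down are constructed assumptions for the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class GatewayGroup:
    """Tiered failover group: tier 1 is preferred, tier 2 is used only when tier 1 is down."""
    name: str
    tiers: Dict[int, List[str]]


@dataclass
class Rule:
    """A LAN pass rule. ports=None matches any port; gateway=None means the default route."""
    ports: Optional[Set[int]]
    gateway: Optional[str]


# Constructed sample config: two groups with opposite preferences, as suggested in the thread.
GROUPS = {
    "PreferCable": GatewayGroup("PreferCable", {1: ["COMCAST_GW"], 2: ["T1_GW"]}),
    "PreferT1": GatewayGroup("PreferT1", {1: ["T1_GW"], 2: ["COMCAST_GW"]}),
}

# Rules are evaluated top-down, first match wins, so the web rule sits above the catch-all.
LAN_RULES = [
    Rule(ports={80, 443}, gateway="PreferCable"),
    Rule(ports=None, gateway="PreferT1"),
]


def live_member(group: GatewayGroup, gateway_up: Dict[str, bool]) -> Optional[str]:
    """Return the first gateway that monitoring reports up in the lowest live tier, or None."""
    for tier in sorted(group.tiers):
        for gw in group.tiers[tier]:
            if gateway_up.get(gw, False):
                return gw
    return None


def route(rules: List[Rule], groups: Dict[str, GatewayGroup],
          gateway_up: Dict[str, bool], dst_port: int) -> str:
    """Pick the egress gateway for a LAN flow to dst_port.

    Assumption of this model: when every member of a group is down, or no rule
    matches, the flow simply follows the default route ("default")."""
    for rule in rules:
        if rule.ports is not None and dst_port not in rule.ports:
            continue  # not this rule; keep walking down the list
        if rule.gateway is None:
            return "default"
        return live_member(groups[rule.gateway], gateway_up) or "default"
    return "default"
```

Reversing LAN_RULES puts the catch-all first, and web traffic then never reaches the Comcast rule, which is the ordering mistake the post warns about.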



  • Was just handed the hardware. Woohoo!

pfSense will run on a Core2 Duo E4400 @ 2 GHz with 2 GB RAM and a 60 GB hard drive. This is in an HP dc5700 small form factor PC.
    The CEO was glad to upgrade to an i7. The only limitation is that it only has one NIC. I will need to add a NIC with two ports for the T1 and Comcast.

    Any recommendations for a reliable card that FreeBSD loves?

    Lou



  • The motherboard has a Broadcom NetXtreme Gigabit Ethernet based NIC. So I'll use that for the LAN side.

    The dc5700 has two PCI slots and one PCIe slot. I figured that it would be simpler to just pick up two inexpensive PCI based, single port NICs rather than purchase a substantially more expensive dual port PCIe card. That way I can purchase a third for a backup in case one goes down and I've still spent less than the dual port card.

I am looking at Intel desktop adapters rather than server adapters. Considering that these are going to go directly to the Ethernet ports on the routers, I don't see any reason to go expensive. I won't be teaming, setting up any VLANs, etc.

Can pfSense make use of cryptographic accelerators like the ubsec driver found at http://www.freebsd.org/cgi/man.cgi?query=ubsec&sektion=4&manpath=FreeBSD+8.2-RELEASE? We do want to set up a number of VPNs.

