IPCop to pfSense?



  • I’ve been using IPCop for the past 5+ years for a small business (around 100 total users including 20 remote users). Although I’ve been happy with the IPCop, I’m thinking of making the change to pfSense. I have a few general functionality questions now, and I’m sure that I will have a ton of specific questions once I deploy the box. So, hello and thanks in advance!

    How would you compare pfSense to IPCop in terms of stability and performance? Would you trust pfSense with your small business network?

    I know that it is possible to use two WAN links with pfSense, but how refined are the controls? That is, could I set it up to have all servers (FTP, WEB, Mail) and VPN users restricted to our T1 connection, and the desktop Internet connections restricted to a cable connection? Can it be defined by IP range?

    Can I block all outbound SMTP traffic… except from the mail server?

    Thanks again!
    Mark


  • Netgate Administrator

    I've come from IPCop and couldn't be happier!  ;D

    I should qualify that by saying that I'm only using pfSense at home.
    It's been rock solid for me and my IPCop install would crash out occasionally but then I'm running on new (to me) hardware.
    I was originally running Smoothwall because, at the time, it was the only thing that supported my ISP's mandatory USB ADSL modem. Moved to IPCop when Smoothwall sold out and then to pfSense after my IPCop box expired.

    FreeBSD certainly doesn't have the wide range of driver support that Linux does. If you switch to pfSense the one thing I'd recommend is that you use Intel NICs. They seem, by a long way, to cause the least problems.
    That said I have a test box with Marvell NICs and no problems.

    Steve



  • @rooster:

    How would you compare pfSense to IPCop in terms of stability and performance? Would you trust pfSense with your small business network?

    It's generally stable for most parts if you're considering 2.0.  pfSense 1.2.3 final is stable and should support your hardware well (assuming you're using IPCop 1.4.21).  I used to use 1.4.21 (with Advanced QoS mod) and switched to pfSense for better QoS features.  This is in a cybercafe environment.

    @rooster:

    I know that it is possible to use two WAN links with pfSense, but how refined are the controls? That is, could I set it up to have all servers (FTP, WEB, Mail) and VPN users restricted to our T1 connection, and the desktop Internet connections restricted to a cable connection? Can it be defined by IP range?

    Yes, it's possible to do so.  You simply switch out the default Allow all rule in favour of 2 different rules, each allowing a subnet or IP range to go out through a specific gateway instead.

    @rooster:

    Can I block all outbound SMTP traffic… except from the mail server?

    Yes.  Again, you can set up a rule to block all outgoing SMTP except for the Mail Server's IP address.
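
Added example (not part of the original posts, and not pfSense's own code): a small Python model of top-down, first-match rule evaluation, showing the two per-range gateway rules and the SMTP exception described in the reply above, and why the SMTP rules have to sit above the broad pass rules. The address ranges and the gateway names `T1` and `CABLE` are constructed for illustration.

```python
"""Model of top-down, first-match rule evaluation on a LAN interface."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed addressing, not taken from the thread.
SERVERS = ip_network("192.168.1.0/28")       # FTP, web and mail servers
DESKTOPS = ip_network("192.168.1.128/25")    # desktop range
MAIL_SERVER = ip_network("192.168.1.10/32")  # sits inside SERVERS
ANY = ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    action: str             # "pass" or "block"
    src: IPv4Network        # source range the rule applies to
    dport: Optional[int]    # TCP destination port, None = any port
    gateway: Optional[str]  # gateway forced by a pass rule (hypothetical names)


# The first matching rule wins, so the narrow SMTP rules come first.
RULES = [
    Rule("pass", MAIL_SERVER, 25, "T1"),     # only the mail server may send SMTP
    Rule("block", ANY, 25, None),            # no outbound SMTP for anyone else
    Rule("pass", SERVERS, None, "T1"),       # servers leave via the T1
    Rule("pass", DESKTOPS, None, "CABLE"),   # desktops leave via the cable link
]

# Same rules with the broad pass rules on top: the SMTP block is never reached.
MISORDERED = RULES[2:] + RULES[:2]


def evaluate(rules, src, dport):
    """Return (action, gateway) of the first matching rule; default is block."""
    addr = ip_address(src)
    for rule in rules:
        if addr in rule.src and rule.dport in (None, dport):
            return rule.action, rule.gateway
    return "block", None


if __name__ == "__main__":
    samples = [("192.168.1.10", 25), ("192.168.1.200", 25),
               ("192.168.1.200", 443), ("192.168.1.5", 21)]
    for src, port in samples:
        print(src, port, evaluate(RULES, src, port), evaluate(MISORDERED, src, port))
```

With the misordered list, a desktop's SMTP connection is passed out the cable link, which is the mistake to check for after replacing the default allow rule.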



  • Thanks! Got a few more general questions if anyone has the time/answers. I will be reading the documentation, and hopefully have more challenging questions soon enough.

    What about load balancing by port? That is, does pfSense have the ability to designate a portion of bandwidth to say VPN connections, FTP, http? Inbound and outbound?

    What about outbound traffic from the DMZ going out as the same public IP as the actual server? That is, right now with my set-up of IPCop, all outbound traffic goes out under one IP address (Firewall IP address) rather than the “true” public address for that server.

    I was having issues with IPCop recognizing my hardware, but I was able to get pfSense 2.0 loaded easily enough (loaded enough to at least play around in the GUI for now). It recognized all four of the onboard NICs, but I do have a quad-port Gigabit NIC that I could add. Not sure why I would need more than 4 NICs, but I guess that the extras would not be a problem?

    Sun SunFire x4100 with 2x 2.4GHz AMD dual core processors, 16GB RAM, and a RAID1 of 2 146GB SAS drives. Big hardware upgrade from my current IPCop, and hopefully a big software upgrade as well.



  • @rooster:

    Thanks! Got a few more general questions if anyone has the time/answers. I will be reading the documentation, and hopefully have more challenging questions soon enough.

    What about load balancing by port? That is, does pfSense have the ability to designate a portion of bandwidth to say VPN connections, FTP, http? Inbound and outbound?

    What about outbound traffic from the DMZ going out as the same public IP as the actual server? That is, right now with my set-up of IPCop, all outbound traffic goes out under one IP address (Firewall IP address) rather than the “true” public address for that server.

    There is no real 'DMZ' in pfSense; you simply need to do a 1:1 NAT for the server.  Alternatively, you simply use a firewall rule to force all traffic from the LAN client(s) IP(s) to the specific external IP you want to use.  Most of the 'features' you need are basically effected from Firewall rules.

    Even the traffic shaper rides on Firewall rules to assign traffic.  =) Get your firewall rules done right and your problems are all solved.

