Split protocol/port handling between WANs
gadyke
For reasons beyond my control (mostly location), I am annually forced to serve between 50 and 150 concurrent connections via a single 5Mbit/.5Mbit ADSL line; pfSense has proven useful in mitigating the strain this load places on the connection but at the upper end of that range there's really not much you can do to prevent a generally shitty user experience for all involved (these are users who are expecting [and are granted by my overlords] unfettered access to the internet and who complain at the restrictions we do place, i.e. no streaming or media-heavy browsing.)
This year, for the first time, I have the opportunity to have two lines, still 5/.5 each, rather than the one. I initially intended to simply set up a gateway group, but given that the most serious issues experienced by the more senior staffers (the users whose needs I can't really ignore or blag out of) include a loss of access to off-site corporate e-mail I had another thought:
I took note a long time ago of the ability within pfSense firewall rules to classify client (LAN->WAN) connection requests by port and wondered whether there was any technical reason, whether within pfSense itself or more generally, that I couldn't use the second line for 'essential' sessions, e.g. all ICMP traffic and TCP/UDP ports 53, 110, 995, 143, 993, 25 and 465 (i.e. DNS and common mail ports) via preceding firewall rules, while retaining ADSL1 for general and unclassified sessions?
[edit: I have seen various guides on policy based routing, my question is more whether doing this arbitrarily in response to usage patterns would result in any issues or whether the fact that the policies apply indiscriminately across all sessions is enough for the user not to notice]
On a less hopeful note, a large proportion of the staffers in question prefer the use of web-based corporate e-mail, does anyone have any bright ideas for piping that out too while leaving the facebook >:( behind?
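The split described in the post, written out as pf rules (pfSense's firewall is pf, and rules entered in its GUI compile to this form). This is an added example, not configuration from the original post or from the pfSense project; the interface names, LAN network and gateway address are placeholder assumptions, and only the port list comes from the post.

```pf
# Added example: route "essential" traffic out the second ADSL line while
# everything unclassified keeps using the first (default route).
# Interface names, networks and the gateway address are placeholders.
lan_if          = "em0"
lan_net         = "192.168.1.0/24"
wan1_if         = "em1"
wan2_if         = "em2"
wan2_gw         = "198.51.100.1"            # ADSL2 gateway (placeholder)
essential_ports = "{ 25 53 110 143 465 993 995 }"

# Outbound NAT on both lines; without NAT on wan2 the replies for the
# policy-routed sessions never return (pfSense's automatic outbound NAT
# mode generates this for every WAN).
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

# Rule order matters: pf's last match wins, so "quick" stops evaluation
# at the first matching rule. These two rules send ICMP and the DNS/mail
# ports via the second line; route-to overrides the routing table only
# for the state being created.
pass in quick on $lan_if inet proto icmp from $lan_net to any \
    route-to ($wan2_if $wan2_gw) keep state
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to any \
    port $essential_ports route-to ($wan2_if $wan2_gw) keep state

# Everything else (general browsing) takes the default route, i.e. WAN1.
pass in on $lan_if inet from $lan_net to any keep state
```

Three things worth checking once the rules are loaded. First, a policy rule is consulted only when a state is created, so sessions that already exist at the moment the rule is added stay on the line they started on; only new connections move. Second, if clients resolve DNS through pfSense's own forwarder or resolver, the queries that actually leave the box originate on pfSense rather than the LAN and are not matched by a LAN rule; they follow the default route unless a separate rule or the gateway setting on the service sends them elsewhere. Third, `route-to` pointed at a gateway whose line is down silently blackholes those ports; pfSense's gateway monitoring together with a gateway group that fails over to WAN1 (or the advanced option to skip policy rules when the gateway is down) is the usual way to avoid that. For the webmail question, the same construction works with a destination alias holding the webmail server's hostname and port 443 in place of the port list, so only that HTTPS traffic is moved while other web browsing stays on the first line.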