PFSense/Untangle/SPA3000
-
This may belong better in another area, but I couldn't decide where.
I've attached a network diagram of my home network - or more specifically what I'm trying to achieve.
The aim is that PFSense will use it's packet shaper and ensure that the SPA3000 works perfectly for voice. I've always found PFSense does an excellent job of this.
All other traffic should pass totally unfiltered to Untangle which then manages everything (i.e. port forwards, filtering of traffic, firewall etc).
This is a really unusual config so I'm not surprised that I haven't found any posts that really assist, hence why I'm asking for assistance in this post.
TIA, Tony
-
Does anyone have any suggestions for this?
I did have another thought last night. If I get another small switch I could change my network config to the attached picture.
This would eliminate the need to use a DMZ - may be better?
I'd still need all traffic routed to the Untangle box.
I still think my first option makes sense with my local LAN being set to 192.168.100.0/24 via a DMZ, and the SPA3000 changed to a 192.168.101.0/24 address. I'd need to setup a rule to allow traffic to the SPA3000 from the LAN as normally traffic to this from a DMZ wouldn't be allowed.
-
How many public IPs do you have to work with?
-
Just one public IP address.
Looking at the traffic shaper again I can't see that it will shape via two network ports?
Assuming this to the case I'll need to use the second config.
I think all I need is to setup a rule to forward all traffic to the Untangle box. Should I post a question about that in the firewall section?
-
I'm not sure what you mean "via" two network ports. In 1.2.3 the traffic shaper will only work with 2 interfaces. In 2.0 it will do more than 2. I haven't really used the traffic shaper so I can't give much advice in that regard.
If you don't mind double-NAT (which generally seems like a terrible idea) you could put your phone and Untangle on the same small subnet 10.0.0.0/29 and then send all phone data to the phone and everything else to the Untangle. The untangle would then have it's WAN interface be on the 10.0.0.0/29 network and it's LAN be on the 192.168.100.0/24 network. You would still need to do port forwarding from pfsense -> Untangle -> inside device.
Can I ask the obvious question of why you want to have two firewall systems? Can you not get all you need from either pfSense OR Untangle instead of using both?
-
Sounds like the first thing I should do is upgrade to 2.0 as it also includes some other features I like the look of. I could then have the SPA3000 on its own interface and Untangle on its own.
Reasons for this config:
In the past I've found pfSense to be the best I could get in terms of QOS for VOIP when downloading via torrents and the like. Other QOS works okay but to my mind really struggles with the high jitter that torrent downloading seems to cause.
With 3 kids I wanted something that would filter websites. We're actually Untangle partners so have a full license for all their products. So makes more sense to use their web filter than pay extra for Net Nanny or something like that. I also really like their version of OpenVPN and the absolute ease of installing clients. (I believe this is now also the case with pfSense v2 but haven't tested). I also use the Anti-virus on Untangle.
So I've been running Untangle with high success, but finding my VOIP is suffering. I'm not sure if this is the dodgy RIM my Internet hangs off or not, but I do know that Untangle suffers when I'm downloading via uTorrent.