Pure router and traffic shaper

  • Hi,

    I'm looking for a pure router and traffic shaper (no NAT). I need to put it between the provider edge router and our firewall. It should look like this:

    provider edged router (62.x.x.154) <–-> (62.x.x.154) pfSense (231.x.x.137) <---> (213.x.x.138) firewall

    In pfSense I need to configure public IP on both NICs. The provider is routing our public IP net (213.) through the transfer net (62.).

    What I also need is outbound traffic shaping. The Ethernet connection will be 10 Mbit but the bandwidth is 6 Mbit. Packets over 6 Mbit bandwidth will be dropped by the provider.

    My question is: Can I use pfSense for that or is it better to use something like RouterOS? Our firewall is m0n0wall and I'm happy with it. So pfSense would be nice.

    Thank you!

  • From your description: I don't see why pfSense shouldn't work for this.
    If you're familiar with m0n0wall, then you'll find pfSense very easy.

  • Thanks for your answer. I was find in Google that to turn off NAT I need to disable the firewall under system/advanced. But the traffic shaper is in menu firewall. Will the shaper work with disabled firewall? And will the shaper limit all traffic e.g. also GRE and IP xy?

    I forgot to ask: Is there a way to reach the same goal with m0n0wall?

  • I know you probably don't want to hear this, but why add the extra complexity of two boxes when it can be done with one?
    Pfsense  forked from monowall so that it could provide the extra functionality that you need, so why not embrace it and make the switch?    ;D

  • Of course one single box would be nice :) But I'm not sure if pfSense can serve all the requirements. Attached you will find a picture showing what I'm planing. I need to disable NAT between the transfer net (62.x) and the public IP net (213.x). But I need NAT between the public IP net and my private VLANs.

    For example: Our mailserver's private LAN IP is and the public IP of mail.company.com is 213.x.x.139, which the provider is routing via the transfer net 62.x.x.152 to us. For outgoing mails I need to use the IP 213.x.x.139 also.

  • Yes pfSense can do this.
    You can even take your existing m0n0wall config and import it on the pfSense.

    Regarding disabling NAT/firewall:
    While you can disable them completly i wouldn't do that. Rather enable manual NAT rule generation and delete all NAT entries. Effectively creating a routing only platform.
    To "disable" the firewall, just set on all interfaces an "allow all" rule.

    If you'd go with a singlebox solution:
    you can specify very granularly what you want to NAT from where to where, and what not.

  • I want to try pfSense and test the single box option and the transfer router option. Which image should I chose when installing on CF card on Alix 2D13 board (no VGA)?

    Thank you!

  • Use the image with the size of your CF card.

    If you want to go with 1.2.3 then one of these images:

    • pfSense-2.0-RC3-512mb-i386-20110621-1821-nanobsd.img.gz
    • pfSense-1.2.3-RELEASE-1g-nanobsd.img.gz
    • pfSense-1.2.3-RELEASE-2g-nanobsd.img.gz
    • pfSense-1.2.3-RELEASE-4g-nanobsd.img.gz

    If you want to go with 2.0 one these images:

    • pfSense-2.0-RC3-512mb-i386-20110621-1821-nanobsd.img.gz
    • pfSense-2.0-RC3-1g-i386-20110621-1821-nanobsd.img.gz
    • pfSense-2.0-RC3-2g-i386-20110621-1821-nanobsd.img.gz
    • pfSense-2.0-RC3-4g-i386-20110621-1821-nanobsd.img.gz

    I would recommend to use the 2.0 image, even if it's still RC3.

  • It depends the size of your cf card

  • Thanks, it's actually writing on CF card ;-)

  • One more question: Later in production use I want to run pfSense on old IBM Server hardware (Xeon CPU, 2 GB RAM, GBit NICs). What is more recommended a) installing pfSense on hard disk, which could become damaged or b) to install the nanoBSD version on USB memory stick?


Log in to reply