Netgate Discussion Forum

    Pure router and traffic shaper

      tonabnehmer

      Hi,

      I'm looking for a pure router and traffic shaper (no NAT). I need to put it between the provider edge router and our firewall. It should look like this:

      provider edge router (62.x.x.154) <---> (62.x.x.154) pfSense (231.x.x.137) <---> (213.x.x.138) firewall

      In pfSense I need to configure public IP on both NICs. The provider is routing our public IP net (213.) through the transfer net (62.).

      What I also need is outbound traffic shaping. The Ethernet connection will be 10 Mbit but the bandwidth is 6 Mbit. Packets over 6 Mbit bandwidth will be dropped by the provider.

      My question is: Can I use pfSense for that or is it better to use something like RouterOS? Our firewall is m0n0wall and I'm happy with it. So pfSense would be nice.

      Thank you!

        GruensFroeschli

        From your description: I don't see why pfSense shouldn't work for this.
        If you're familiar with m0n0wall, then you'll find pfSense very easy.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          tonabnehmer

          Thanks for your answer. I found on Google that to turn off NAT I need to disable the firewall under system/advanced. But the traffic shaper is in the firewall menu. Will the shaper work with the firewall disabled? And will the shaper limit all traffic, e.g. also GRE and IP xy?

          I forgot to ask: Is there a way to reach the same goal with m0n0wall?

            Gob

            I know you probably don't want to hear this, but why add the extra complexity of two boxes when it can be done with one?
            pfSense forked from m0n0wall so that it could provide the extra functionality that you need, so why not embrace it and make the switch? ;D

            If I fix one more thing than I break in a day, it's a good day!

              tonabnehmer

              Of course one single box would be nice :) But I'm not sure if pfSense can serve all the requirements. Attached you will find a picture showing what I'm planning. I need to disable NAT between the transfer net (62.x) and the public IP net (213.x). But I need NAT between the public IP net and my private VLANs.

              For example: Our mailserver's private LAN IP is 10.1.0.5 and the public IP of mail.company.com is 213.x.x.139, which the provider is routing via the transfer net 62.x.x.152 to us. For outgoing mails I need to use the IP 213.x.x.139 also.

              planned.png

                GruensFroeschli

                Yes pfSense can do this.
                You can even take your existing m0n0wall config and import it on the pfSense.

                Regarding disabling NAT/firewall:
                While you can disable them completely, I wouldn't do that. Rather, enable manual NAT rule generation and delete all NAT entries, effectively creating a routing-only platform.
                To "disable" the firewall, just set an "allow all" rule on all interfaces.

                If you go with a single-box solution:
                you can specify very granularly what you want to NAT from where to where, and what not.

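The single-box layout discussed in this thread (1:1 NAT for the mail server, shared NAT for the private VLANs, outbound shaping to 6 Mbit), written as raw pf.conf syntax. This is an added example, not part of the original posts and not the ruleset pfSense generates; the interface names, the 10.1.0.0/16 range, the SMTP port and the 203.0.113.x addresses (placeholders for the masked 213.x addresses) are assumptions.

```pf
# Constructed example. Documentation addresses stand in for the masked
# 213.x public net; interface names and the private prefix are assumed.
wan_if   = "em0"              # faces the provider edge router (transfer net)
lan_if   = "em1"              # private VLAN side
priv_net = "10.1.0.0/16"      # assumed size of the private range
mail_int = "10.1.0.5"         # mail server LAN address (from the thread)
mail_pub = "203.0.113.139"    # placeholder for 213.x.x.139
nat_pub  = "203.0.113.138"    # placeholder address for general outbound NAT

# Queueing: the port runs at 10 Mbit but the provider drops anything above
# 6 Mbit, so the root queue on the WAN interface is capped at 6Mb.
# Packets that no rule assigns to a queue fall into the default queue.
altq on $wan_if cbq bandwidth 6Mb queue { q_all }
queue q_all bandwidth 100% cbq(default)

# Translation: the mail server gets a bidirectional 1:1 mapping so that
# outgoing mail leaves from the same public address that receives it.
binat on $wan_if from $mail_int to any -> $mail_pub

# All other private hosts share one public address.
nat on $wan_if from $priv_net to any -> $nat_pub

# Filtering: default deny, then only what the layout needs. Translation
# happens before filtering, so the inbound rule names the internal address.
block all
pass in  on $lan_if from $priv_net to any keep state
pass out on $wan_if keep state
pass in  on $wan_if proto tcp from any to $mail_int port 25 keep state
```

For the routing-only variant, the `binat` and `nat` lines are dropped and the queue definition stays as it is.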
                  tonabnehmer

                  I want to try pfSense and test the single box option and the transfer router option. Which image should I choose when installing on a CF card on an Alix 2D13 board (no VGA)?

                  Thank you!

                    GruensFroeschli

                    Use the image with the size of your CF card.

                    If you want to go with 1.2.3 then one of these images:

                    • pfSense-2.0-RC3-512mb-i386-20110621-1821-nanobsd.img.gz
                    • pfSense-1.2.3-RELEASE-1g-nanobsd.img.gz
                    • pfSense-1.2.3-RELEASE-2g-nanobsd.img.gz
                    • pfSense-1.2.3-RELEASE-4g-nanobsd.img.gz

                    If you want to go with 2.0, then one of these images:

                    • pfSense-2.0-RC3-512mb-i386-20110621-1821-nanobsd.img.gz
                    • pfSense-2.0-RC3-1g-i386-20110621-1821-nanobsd.img.gz
                    • pfSense-2.0-RC3-2g-i386-20110621-1821-nanobsd.img.gz
                    • pfSense-2.0-RC3-4g-i386-20110621-1821-nanobsd.img.gz

                    I would recommend using the 2.0 image, even if it's still RC3.

                      Metu69salemi

                      It depends on the size of your CF card.

                        tonabnehmer

                        Thanks, it's actually writing on CF card ;-)

                          tonabnehmer

                          One more question: Later in production use I want to run pfSense on old IBM server hardware (Xeon CPU, 2 GB RAM, GBit NICs). Which is more recommended: a) installing pfSense on a hard disk, which could become damaged, or b) installing the nanoBSD version on a USB memory stick?

                          Thanks!
