General topology question?
-
I have a Cisco 7206vxr router and 3 C-class real IP addresses.
I will set up pfsense as a firewall on my server (with three NICs) but I am confused about the topology. My main purpose is giving every host (including the server farm) virtual IPs and NATing them to these 3 C-class IP addresses.
How should I set up pfsense? On which interface should I assign my real IPs?
-
Depending on what these networks look like you could simply use the real subnets/IPs at your internal subnet and just route them.
-
The 7206vxr could sit behind the pfsense box and perform traffic-shaping and/or policing before it gets to the pfsense box.
internal networks ----> 7206 ------- pfsense [nat] --- internet
We do something similar.
We have 3845 routers running as a GLBP pair that shape traffic, police protocols, perform IP SLA checks and then do policy-based routing to send particular traffic out either of the pfsense servers or firewalls or NAT routers - based on priority & availability.
You can use class-maps & service policies to give certain protocols more or less bandwidth, QoS, etc. For example: we choke down bandwidth hogs to a trickle before they even reach the pfsense servers.
The 7206 is a bad ass router that can do a lot of stuff as above, as well as VLAN support & firewalling.
We have one here in our shop, it just cranks right along.
-
I have an ATM connection to ISP. So I can't put anything in front of my router because of hardware requirements.
But your suggestion seems smart. But I think I will work on Hoba's suggestion.