A substitute for Mikrotik: Firewall, Router, PPPoE, FreeRADIUS, etc.
-
Hi.
I would like to ask colleagues to share their experiences using pfSense in an "internet service provider" environment: ISP and WISP.
pfSense as a substitute for Mikrotik
pfSense as a PPPoE concentrator with bandwidth control and configuration via FreeRADIUS.
pfSense as an edge router
pfSense as an edge firewall
pfSense as primary DNS server
pfSense as a central DHCP server, etc.
-
All of that is very widely done by ISPs with the exception of PPPoE. PPPoE is used quite a bit, but not nearly as widely as the rest. There are at least hundreds if not thousands of ISPs who use pfSense for edge router, edge firewall, DNS, DHCP, but only maybe a dozen I'm aware of that use PPPoE. Not saying it won't meet your needs, or has any kind of deficiencies at all, it's just not extremely widely used by ISPs on that part.
-
Perhaps for WISPs it makes sense to separate the router from the firewall.
In this case, perhaps BSDRP could be an ideal choice.
Perhaps on the same FreeBSD server through jails: one for pfSense and another for BSDRP. What do you think?
-
We work with a lot of WISPs. Most combine their edge routing and firewalling in a single box as they don't have nearly the bandwidth to create a need for separating. If you have a very large WISP, then it can be sensible to split those roles, but nearly all WISPs are small by ISP standards where that isn't necessary. Maybe a couple thousand customers tops, a couple hundred Mb of total Internet connectivity at most. The majority come in well under that.
You won't be able to run firewalls or routers in jails.
-
@cmb:
We work with a lot of WISPs. Most combine their edge routing and firewalling in a single box as they don't have nearly the bandwidth to create a need for separating. If you have a very large WISP, then it can be sensible to split those roles, but nearly all WISPs are small by ISP standards where that isn't necessary. Maybe a couple thousand customers tops, a couple hundred Mb of total Internet connectivity at most. The majority come in well under that.
You won't be able to run firewalls or routers in jails.
cmb, interesting post. I run a WISP (small currently, but growing); I am using pfSense currently for everything except RADIUS, for which I have a FreeRADIUS server. I have a question: is PPPoE not good to use for a WISP, or are you saying that it's not good to use pfSense as the PPPoE server?
I am currently just authenticating users via captive portal and RADIUS server, authenticating their MAC or username/password. I don't really know much about PPPoE, but is this a better choice for authentication that I should be using? Is it faster? More secure? Thanks in advance.
-
I have a question: is PPPoE not good to use for a WISP, or are you saying that it's not good to use pfSense as the PPPoE server?
I'm not saying either of those actually. :) Wasn't expressing an opinion at all, just stating what ISP users typically have deployed, from working with a bunch of them that are customers, and what I've heard talking to others that are users.
I am currently just authenticating users via captive portal and RADIUS server, authenticating their MAC or username/password. I don't really know much about PPPoE, but is this a better choice for authentication that I should be using? Is it faster? More secure? Thanks in advance.
What you're doing is typical for WISPs and a fine practice. I wouldn't add PPPoE in that kind of setup; usually authentication is the biggest reason you want it, and as a WISP you can do that via CP more easily and without the overhead and configuration hassle of PPPoE. It's additional overhead on every packet, so slightly slower vs. the non-encapsulated setup you have now, and otherwise has no functional difference for a WISP.
-
Not sure if it is possible with PPPoE and pfSense, but with Captive Portal and FreeRADIUS you are able to limit bandwidth, time and so on for every user.
-
Not sure if it is possible with PPPoE and pfSense, but with Captive Portal and FreeRADIUS you are able to limit bandwidth, time and so on for every user.
Yes, correct, I am currently doing that with FreeRADIUS.
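As an added illustration of the per-user limits the last two posts describe (not configuration from any poster in this thread), here is a FreeRADIUS `users` entry that returns the reply attributes the pfSense captive portal honours for bandwidth and session time, plus the matching `clients.conf` stanza. The username, password, shared secret and the pfSense address 192.0.2.1 are constructed placeholders; file paths vary by distribution (e.g. `/etc/raddb/` or `/etc/freeradius/3.0/`).

```conf
# clients.conf: the pfSense box must be a known NAS with its own secret,
# otherwise FreeRADIUS silently drops its Access-Requests.
client pfsense-cp {
    ipaddr = 192.0.2.1            # constructed: pfSense LAN/management address
    secret = ChangeMe-LongRandomSecret   # constructed placeholder
    shortname = pfsense-cp
}

# users: one subscriber record. Limits are enforced by pfSense from the
# RADIUS reply, so the client device cannot raise its own cap.
wisp-customer-42   Cleartext-Password := "constructed-password"
        # WISPr-* values are in bits per second (10 Mbit down, 2 Mbit up)
        WISPr-Bandwidth-Max-Down = 10000000,
        WISPr-Bandwidth-Max-Up   = 2000000,
        # Hard session limit (24 h) and idle cut-off (15 min), in seconds
        Session-Timeout  = 86400,
        Idle-Timeout     = 900,
        # Ask pfSense for accounting updates every 5 min so usage is logged
        Acct-Interim-Interval = 300

# Default entry: anyone not matched above is rejected rather than
# falling through to an unlimited session.
DEFAULT   Auth-Type := Reject
```

Verify the reply attributes before pointing the portal at the server with `radtest wisp-customer-42 constructed-password 127.0.0.1 0 testing123` (the localhost client secret in a stock install) and check that the Access-Accept carries the WISPr and timeout attributes.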