Load Balancing



  • Hello and glad to have found you; I hope to have a long life around here.
    I hope you reply quickly to my problem, but let me say first that I'm clueless about FreeBSD, though I really like pfSense, which is exactly what I was looking for.
      Problem:
    I have two internet connections, ispA and ispB. What I want is that when ispA goes down everything goes through ispB and vice versa, and when neither is down they work together. I know the speeds don't add up, but I want downloads to go through ispB while browsing, gaming, chat and whatever else stays on ispA, which has less bandwidth; with downloads going through ispB the ping will be good.
    I tried doing what is written here http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing but all traffic goes alternately through ispA and then ispB with no exception, and when I unplug a cable (say ispA) sometimes it works, sometimes it doesn't.
    If I've left something out, ask me, and if I got something wrong above, sorry, but I've been sitting in front of the computer for 12 hours without any success :(

    Thank you in advance.



  • no idea? :(



  • I assume both ISPs connect with static addresses; PPPoE only works on WAN, while DHCP also works on an OPT interface… It's preferable that the physical link from pfSense to both providers is made over ethernet connections. Load balancing has two parts: incoming and outgoing load balancing. From what I've worked with, both need to be tuned for it to work somewhat acceptably.



  • Both come in over ethernet, but I don't know how I would mark the packets so they go through only one connection instead of alternating between one and the other.



  • Well, I don't think that's too hard. In the firewall you set your rules:
    Interface WAN1 -> Port any -> Source LAN -> Source Port any -> Dest. any -> Dest port 80 (for web) (allow)
    Interface WAN2 -> Port any -> Source LAN -> Source Port any -> Dest. any -> Dest port 80 (for web) (block)
    and so on…
    it's a bit laborious but it works...



  • But is it normal that if I don't do this, packets go through one connection and the next action goes through the other connection?
    If I do as you said, when one of my connections goes down, say WAN1 in your example, packets coming in on port 80 won't be accepted on WAN2, and then it won't work for me anymore?

    P.S. thanks a lot for the interest.



  • I solved it by reading:
    http://www.pfsense.org/mirror.php?section=tutorials/policybased_multiwan/policybased_multiwan.pdf
    now please, could you tell me how to filter by MAC (so that only some clients get through)



  • Honestly, I was too lazy to check whether it works. But in monowall it worked, as long as the users didn't scan and change their MAC. I think the simplest is to use PPPoE, where it authenticates with username and password, so the MAC really doesn't matter anymore.

    Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)

    Long answer: There are several "hacks" you may be able to use to achieve the desired end result.

    Note: There is no bulletproof method of access control by MAC address. Keep in mind that MAC addresses are easy to change and spoof.

    Using Captive Portal and MAC pass-through

    You can utilize Captive Portal and its MAC pass-through functionality for rudimentary MAC address restrictions.

    1. Enable Captive Portal on the desired interface (e.g. LAN) at the Services -> Captive Portal screen. Create an HTML page of your liking that does not include the submit button so the user cannot authenticate with the captive portal. Other settings can all be left at their defaults.
    2. Click the "Pass-through MAC" tab on the Captive Portal screen. Click the + to start adding permitted MAC addresses. In the MAC address box, type in the six hex octets separated by colons (e.g. ab:cd:ef:12:34:56), optionally (but recommended) enter a description, and click Save. Repeat for every authorized host on your network.

    Using DHCP reservations and firewall rules

    First, set up your DHCP scope. At the bottom of the Services -> DHCP screen, add every authorized MAC address on your network, and check the "Deny unknown clients" box. This will prevent an unauthorized machine from getting an IP address from DHCP.

    Using Static ARP

    You can ensure certain MAC addresses can only use a certain IP by using static ARP.

    To add a static ARP entry, use /exec.php to run the arp command.

    arp -s 192.168.1.11 ab:cd:ef:12:34:56

    To verify this addition, run 'arp -a' in exec.php and you'll see the following in the list.

    ? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2 [ethernet]

    This change will not survive a reboot. You need to put the arp -s command in your config.xml in <shellcmd>. See the FAQ on hidden config.xml options for more information.

    Note: An unauthorized user with a clue will be able to get around this second method more easily than the first method by just assigning a static IP address that isn't in use. Either method is easy enough to get around for a user with a decent amount of knowledge.
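The static ARP / DHCP reservation approach quoted above gives you a list of authorized MAC-to-IP pairs, and its weak spot is a host that simply picks an unused static IP. An added example (not from the thread or from pfSense) that parses `arp -a` output in the FreeBSD format shown and reports entries that do not match the reservation list, which is how you would notice that bypass; the MAC addresses, IPs and interface name are constructed sample values:

```python
import re

# Authorized reservations, MAC -> IP, as entered with "arp -s <ip> <mac>"
# or as DHCP static mappings. Constructed sample values.
AUTHORIZED = {
    "ab:cd:ef:12:34:56": "192.168.1.11",
    "00:11:22:33:44:55": "192.168.1.12",
}

# Constructed sample of FreeBSD `arp -a` output in the format quoted above.
# Line 3 is a host not in the reservation list; line 4 is an authorized
# host that has moved to an IP other than its reservation.
ARP_SAMPLE = """\
? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2 [ethernet]
? (192.168.1.12) at 00:11:22:33:44:55 on sis2 [ethernet]
? (192.168.1.50) at de:ad:be:ef:00:01 on sis2 [ethernet]
? (192.168.1.13) at ab:cd:ef:12:34:56 on sis2 [ethernet]
"""

# "(incomplete)" entries contain no MAC and are skipped by this pattern.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) on (?P<iface>\S+)"
)

def normalize_mac(mac):
    """Lower-case and zero-pad each octet, so 0:1:2:3:4:5 == 00:01:02:03:04:05."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp(text):
    """Return a list of (ip, mac, iface) tuples from `arp -a` output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m["ip"], normalize_mac(m["mac"]), m["iface"]))
    return entries

def audit(entries, authorized):
    """Compare live ARP entries against the authorized MAC -> IP map.
    Returns a sorted list of (ip, mac, reason) findings."""
    findings = []
    for ip, mac, _iface in entries:
        if mac not in authorized:
            findings.append((ip, mac, "unknown MAC"))
        elif authorized[mac] != ip:
            findings.append((ip, mac, "authorized MAC on unexpected IP"))
    return sorted(findings)

if __name__ == "__main__":
    for ip, mac, reason in audit(parse_arp(ARP_SAMPLE), AUTHORIZED):
        print(f"{ip:<15} {mac}  {reason}")
```

On a live box you would feed it the output of `arp -a` from exec.php instead of the constructed sample.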



  • I tried with captive portal and I don't understand why it doesn't manage to stop the web as well: messenger no longer works, ping no longer works, but www keeps working. Could it be because I have 2 external connections? But ping is on the same connection as www, and messenger on the other.


Locked