A Newbie who needs advice using pfSense



  • Hey guys, I'm a new member and am very interested in using pfSense, but first I would like to ask a few questions to see if it fits my needs:-

    -I have two internet connections and would like to use one as the main connection and the second as a backup if the main one ever goes down.  Is this what "Redundancy" means?
    -The main ISP is a 50down/10up (megabits, so not true speed) by Comcast Business, who provide their own modem/router device.  The computers on the network are hooked up to a fully managed switch, a Cisco 300 series.  So do I really need a powerful computer if all I need it to do is run redundancy and perhaps some simple firewalling? (Like do I need a dual-core, or would a Pentium 4 be good enough?)
    -Because of my setup, would standard desktop network cards do the job or should I go with a professional card? (PCI or PCI-e? Gigabit?)
    -I haven't played around with the Comcast device, but will the firewall and NAT capabilities of this device interfere with pfSense or is it ok to run both at the same time?
    -So if I have this right, all I need is two network cards on WAN and one for LAN, totaling 3 physical ports available on the pfSense PC?
    -Is there anything else I need to know for such a setup?

    Thanks in advance  :)


  • Netgate Administrator

    @tomsawyer2k5:

    -I have two internet connections and would like to use one as the main connection and the second as a backup if the main one ever goes down.  Is this what "Redundancy" means?

    This is generally referred to as fail-over. http://doc.pfsense.org/index.php/Multi-WAN_2.0#Failover

    @tomsawyer2k5:

    -The main ISP is a 50down/10up (megabits, so not true speed) by Comcast Business, who provide their own modem/router device.  The computers on the network are hooked up to a fully managed switch, a Cisco 300 series.  So do I really need a powerful computer if all I need it to do is run redundancy and perhaps some simple firewalling? (Like do I need a dual-core, or would a Pentium 4 be good enough?)

    A P4 will handle that no problems, even a low speed one. A 2GHz P4 will firewall around 300-400Mbps (an approximation based on my own box).

    @tomsawyer2k5:

    -Because of my setup, would standard desktop network cards do the job or should I go with a professional card? (PCI or PCI-e? Gigabit?)

    Standard desktop cards will probably be fine. Use Intel NICs if you have a choice; otherwise check the forum to make sure your NICs are supported.

    @tomsawyer2k5:

    -I haven't played around with the Comcast device, but will the firewall and NAT capabilities of this device interfere with pfSense or is it ok to run both at the same time?

    You can run double NAT but it can cause problems. It's best to set the modem in bridge mode and allow pfSense to handle the authentication.

    @tomsawyer2k5:

    -So if I have this right, all I need is two network cards on WAN and one for LAN, totaling 3 physical ports available on the pfSense PC?

    Yes. Though you could use VLANs and your managed switch to generate extra ports if you need them. You could get away with just one NIC, but it would be far more complex to set up.  ;)

    Steve



  • Wow, thanks for the quick reply :)  I have a few more questions which I forgot to ask earlier:-

    -I have a home server running, which is accessed via a URL or domain name by anyone.  If I use the pfSense Failover setup mentioned above, how do I configure pfSense's utility to allow the server to be directly connected through the internet?  I mean do I use DMZ for the server and pfSense will automatically take into account the Failover or do I need to configure per internet connection?  (Heh, I don't even know if I'm asking the question properly)

    -After I figured out the above question, all I need to do is add the second IP address to my URL hosting, aka GoDaddy, right?

    -Does pfSense run off the hard drive?  I don't know the installation size, so if I'm using an older computer would it be possible/better to run it off of a new flash drive? Or even a Failover option for the drives? (I could be getting ahead of myself here :P )


  • Netgate Administrator

    @tomsawyer2k5:

    -I have a home server running, which is accessed via a URL or domain name by anyone.  If I use the pfSense Failover setup mentioned above, how do I configure pfSense's utility to allow the server to be directly connected through the internet?  I mean do I use DMZ for the server and pfSense will automatically take into account the Failover or do I need to configure per internet connection?  (Heh, I don't even know if I'm asking the question properly)

    That is a good question. Hmm. I'm not sure though I expect there is a way to do this.  :-\

    @tomsawyer2k5:

    -After I figured out the above question, all I need to do is add the second IP address to my URL hosting, aka GoDaddy, right?

    Again I'm unsure.

    @tomsawyer2k5:

    -Does pfSense run off the hard drive?  I don't know the installation size, so if I'm using an older computer would it be possible/better to run it off of a new flash drive? Or even a Failover option for the drives? (I could be getting ahead of myself here :P )

    pfSense can run from a HD or a flash drive. The install size is small; almost any hard drive you have that still works will be fine!
    If you run from a flash drive, e.g. USB or Compact Flash drive in an IDE adapter, you can run the NanoBSD version which limits writes to the card to prolong its life. If you do this there are some packages you cannot install. I am running the Nano version.
    You can run a RAID setup, but if you are running on older hardware your CPU or PSU fan will probably fail before anything else!

    Steve


  • Netgate Administrator

    Hmm, this is interesting. I've never had cause to use a fail over multi-WAN setup in front of a web server.
    I initially thought this would be easy but the more I think about it the more I realise either it's hard/not possible or there's a gaping hole in my knowledge I didn't see before.  ::)

    It's easy enough to have port forwards on each WAN interface such that any incoming port 80 traffic will reach an internal server. I guess if you use a dynDNS service it would be possible to update that to point at whichever WAN is current. If you ran the dynDNS client on the server rather than on pfSense that would work, but you would have to set it to check regularly. Can this work with pfSense's built-in dynDNS client?  :-\

    Steve



  • Thanks Steve for all your help…learning a lot of things about pfSense just from your replies :D  Though I really need a solution to the server issue.

    My reason is this: The current main ISP connection to the server is a T1, which is rock solid reliable, but terribly slow at 1.5Mbps.  I've had many people complain about how slow the server is, especially when the office computers rely on the same internet connection.  Recently got Comcast Business to replace the T1 once its contract is out, and the speed difference is night and day.  I currently have it hooked up to one computer but am in the process of hooking it up to the rest of the office.  But I have read stories about Comcast not being 100% reliable.  This is why I need a failover internet connection, just in case.

    SO, I would like to use the Comcast connection as the primary ISP for all the computers including the server.  BUT, in the case that Comcast ever goes down, pfSense should switch the ISP to the T1 (which will be replaced by another connection later).  This is why I need the Failover setup for the server as well.  It's all about speed and cost issues.  Trust me, there is a HUUUGE cost difference between a faster T1 vs Comcast.

    As for dynDNS service, I use a paid online service called dnsmadeeasy.com .  I wonder if this helps my situation?

    Please help me out as I am in dire need of some kind of failover setup for my office + server.

    BTW, the server is a type of data server and has to be hosted in-office.


  • Netgate Administrator

    What would be nice would be if you could set pfSense's dynDNS client to monitor whichever interface was currently the default gateway. That way when it fails over and the gateway changes it would update the dynDNS service immediately. Unfortunately that doesn't appear to be possible. There may well be some technical reason for this. In fact it may work anyway.  :-\ Hopefully one of the developers might chime in here.

    It doesn't really matter for you since dnsmadeeasy is not one of the supported services.  ::) (though I'm sure it could easily be added)
    Where do you run the client? If the client is the type that detects what your public IP is by connecting to the service then it will simply update the dynDNS servers when your WAN switches. However it will be limited by the time between checks. Perhaps you can alter that?

    Steve

    Edit: You could use this: http://www.dnsmadeeasy.com/services/dns-failover-system-monitoring/



  • That's a good find!  So my DNS service can simply monitor the available IP address and switch to the secondary and back again depending on the status of my primary IP. Sweet

    So, the only thing I need to do is simply forward port 80 to my server box and that's it?


  • Netgate Administrator

    Yes.
    Set up multi-WAN failover.
    Set up port forwards from both WANs to your internal server.
    Experiment to see what dynDNS option works best for you.

    I don't know if they charge extra for their failover DNS service. Since it only checks every 2-4 minutes you may be able to do just as well using a client on the server.

    Steve



  • Oh, nice, thanks man   :D  Already in the process of getting a cheap comp to set this up on.    ;D

    Also, I was looking into PCI cards (found Intel's 8) ), but realized the fact that the combined bandwidth available for all PCI slots AND devices on a motherboard is 133MB/s true speed.  So if the hard drive wants to process data, that takes away bandwidth from your PCI slots.  The theoretical limit of one Gigabit network card is 1000 megabits or 125MB/s true speed.  So this could be a problem for those who want to use more than one Gigabit PCI card on the same PC.  This won't be a problem for me as my internet speeds are 50 megabits or 6.75MB/s true speed and I'm simply using my PC as a Failover device.  Or I should be saying that any PC to PC data transfer is handled by the switch directly and doesn't go through the PC.

    Found some cheap used comps with Pentium 4s, but for $50 more I could get a Core 2 Duo or Athlon 64 X2.  I'm leaning towards the Core 2 Duo as my choice over the Pentium 4 because of the available PCI express slot, which has its own bandwidth.

    Steve, you are DA MAN! You have helped me out a lot and so you deserve a special THAAAANK YOU!  :) ;D 8)


  • Netgate Administrator

    That's all true. The PCI bus is limited to 133MBps as you say. There are quite a few P4 systems that use a PCI-X bus (64bit at 66MHz) for this reason; some systems have a special bus for network cards.
    I would only use a P4 if I happened to have one already (I have several  ::)); the cost of much faster machines is now so low it's not worth it.

    Thanks for the shout!  ;D

    Steve

