Load balancing and some network control (expert should predict a price)



  • Hi,

    I need to set up load balancing on 2 WANs (one is ADSL, the other is a wireless router). Right now I did most things from the forum suggestions and YouTube videos, but let's just say it works very badly.
    Also, many times computers in the network start to show a DNS error for a few minutes. And the last thing is to implement some control in the LAN (to allow certain users to have free internet, limit others to some websites, and limit some to only have Skype).

    pfSense is now running. WAN=9Mb/3Mb, OPT1=8Mb/0,5Mb.
    Name your price (a reasonable one) :)

    Thank you



  • Maybe I can help, but I cannot guarantee it.

    1. To load balance your WANs, go to System>Routing>Groups.
    Put your two WANs under same tier.

    Plan your LAN. How many users/IP are non-restricted and how many users/IP are restricted?
    Example, if my LAN is /24, half of it is non-restricted.
    Let's say the IPs 192.168.100.1-192.168.100.127 are the non-restricted and IPs from 192.168.100.128-192.168.100.254 are restricted.

    2. On Firewall>Alias, create an alias for non-restricted IPs and restricted IPs. Although this is not necessary, it is much easier to maintain and troubleshoot if you use aliases.

    3. Under Firewall>Rules>Floating, add a rule:
    Protocol  Source                 Port  Destination  Port      Gateway      Queue  Schedule  Description
    UDP       WAN1 and WAN2 address  *     *            53 (DNS)  LoadBalance  none

    Under Source, select your two WAN interfaces. Select DNS under port and the group you created in step 1 for Gateway.

    4. Under Firewall>Rules>LAN, create a rule like this:
    Proto  Source          Port  Destination  Port  Gateway      Queue  Schedule  Description
    •      Non-restricted  *     *            *     LoadBalance  none
    •      Restricted      *     *            *     LoadBalance  none

    Under Gateway, use the group you created in step 1.
    Also, use the aliases (restricted and non-restricted) you created in step 2 for the source.

    To put control on your restricted IPs, you can add a firewall rule that will block some websites.
    You can create an alias of URL, then on the firewall rule under LAN, select the Block action.

    • Restricted        * Blockedsites *        LoadBalance none

    As a good practice, always block everything under firewall rules and only allow specific rules.
    And always remember, rules are executed from top to bottom.

    EDIT:
    Sorry, I did not notice that this is posted in the BOUNTY section. I thought this was in General Questions. But if my post helps the OP, please contribute or give your payment to the pfSense developers.
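
Added example, not part of the post above and not pfSense code: a simplified Python model of first-match evaluation on the LAN rules tab, using the post's alias ranges, to show why the Block rule for `Blockedsites` must sit above the general pass rule for `Restricted`. The `Blockedsites` addresses, the function names and the implicit final block are constructed for the illustration; gateway selection is not modelled.

```python
import ipaddress

# Source aliases from the post's example plan (step 2).
ALIASES = {
    "NonRestricted": ("192.168.100.1", "192.168.100.127"),
    "Restricted": ("192.168.100.128", "192.168.100.254"),
}
# Constructed stand-in for the "Blockedsites" alias (documentation addresses).
BLOCKED_SITES = {"203.0.113.10", "203.0.113.20"}

def in_alias(ip, name):
    lo, hi = (ipaddress.ip_address(a) for a in ALIASES[name])
    return lo <= ipaddress.ip_address(ip) <= hi

def dst_matches(dst, spec):
    return spec == "*" or (spec == "Blockedsites" and dst in BLOCKED_SITES)

def evaluate(rules, src, dst):
    """First matching rule wins; traffic matching no rule is blocked."""
    for i, (action, src_alias, dst_spec) in enumerate(rules):
        if in_alias(src, src_alias) and dst_matches(dst, dst_spec):
            return action, i
    return "block", None

def shadowed(rules):
    """Indices of rules that can never match because an earlier rule
    with the same source alias already covers every destination."""
    covered, dead = set(), []
    for i, (_, src_alias, dst_spec) in enumerate(rules):
        if src_alias in covered:
            dead.append(i)
        if dst_spec == "*":
            covered.add(src_alias)
    return dead

# Block rule listed above the general pass rule: it takes effect.
GOOD_ORDER = [
    ("block", "Restricted", "Blockedsites"),
    ("pass", "NonRestricted", "*"),
    ("pass", "Restricted", "*"),
]
# Same rules with the block rule last: the pass rule above it always wins.
BAD_ORDER = [
    ("pass", "NonRestricted", "*"),
    ("pass", "Restricted", "*"),
    ("block", "Restricted", "Blockedsites"),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, evaluate(rules, "192.168.100.200", "203.0.113.10"),
              "shadowed rules:", shadowed(rules))
```
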



  • I am going to give it a try these days (it is not simple for me now to reconstruct the whole network, about 100 users).
    As soon as I get any results from your instructions, I will write to you to see what amount I should donate.

    Thank you



  • The instructions will only take 10-20 minutes or less if you are using DHCP on your LAN.



  • And do you know if it is possible to have some protection by MAC address?
    As some users have already learned to change their IP address.



  • Use DHCP on your LAN.

    It has two features:

    Deny unknown clients
    If this is checked, only the clients defined below will get DHCP leases from this server.

    Enable Static ARP entries
    Note: Only the machines listed below will be able to communicate with the firewall on this NIC.



  • I will try to play with this. If I don't succeed, can I count on you to do it for payment?



  • I am not familiar with the bounty section and this is just my first time posting here (accidentally :D)

    I think you need to read this first: http://forum.pfsense.org/index.php/topic,23514.0.html

    Configuration help bounties

    There are a lot of bounties for people asking for configuration help. For those of you who need help getting your system set up in a specific way, consider paying for a commercial support package. It's a great way to support pfSense and pay the developers for their time, plus you can be assured that you're getting someone who really knows this system to look at your network environment and help you configure pfSense properly.

    It is better to pay for a commercial support package and let the support team do its job.
    Sorry, but I am not part of the support team and I am not an expert on pfSense.

