LOAD BALANCE 2 WAN PPOE+CABLE DHCP DYNAMIC IP?



  • HI,

    I'M RUNNING A STUDENTS HOUSING WITH 32 STUDENTS SURFING AND DOWNLOADING P2P, I'VE 2 ISP'S, ISP1(4MBPS) USING PPOE DYNAMIC IP  AND ISP2(2.4MBPS) CABLE  DHCP DYNAMIC IP.

    TO IMPROVE PERFORMANCE I'D LIKE TO CONFIGURE A LOAD BALANCE WITH SQUID CACHE, BESIDES I'D LIKE TO GIVE LOW PRIORITY TO P2P TRAFFIC.

    LOAD BALANCE: IS POSSIBLE THAT CONFIGURATION? I HAVE TO ADD ANOTHER ROUTER FOR PPOE OR CABLE?
    TRAFFIC SHAPING: IT'S POSSIBLE TO ASSIGN LOW PRIORITY TO P2P TRAFFIC?
    SQUID: WILL SQUID PACKAGE SUPPORT THIS?

    THANKS FOR YOUR HELP
    ALFREDO



  • No shouting, please.

    Your load balancing will work fine. I've had some issues with PPPOE, so you may want to get a small router to put between your ISP and pfSense, but I wouldn't bother unless you do get problems.

    As to your other 2 questions, I'm interested in answers to those myself.



  • Thanks for your answer,

    Do you have experience with these "small routers"? Can they support heavy traffic? I can get a Linksys router, a WRT54G; could this be enough?



    To be honest, I don't know how much traffic they can handle. I'm using an Edimax Load Balancing Router in a simple PPPoE gateway configuration (the load balancing stopped functioning properly), and it works great. That said, this device is built to handle higher loads.



  • With 32 people doing P2P you will get lots of connections. As far as I know a Linksys WRT only manages 2000; with alternate firmware (OpenWrt, DD-WRT, etc.) I think 4096 connections at a time are possible.
    But I've seen 5 people doing P2P bring a Linksys (or any other brand in that low-price area) to its knees; network speed drops down to (near) useless.
    By the way, these little routers don't have that much RAM or CPU power, so there are limitations.

    For doing the "easier" HTTP stuff, the one you mentioned may be fine. If you could use policy-based routing and send (almost) all P2P traffic down the other line, allowing SMTP, POP, IMAP, HTTP, etc. on this interface, it might work well. (The pfSense standard is 10000 connections, but it's adjustable from the GUI. And given your pfSense has a bit more than 200 MHz and 128 MB, there should be no problem handling some more connections.)

    Squid with load balancing on a single machine did not work for me; perhaps somebody has a clue how to do that. (I think I read here somewhere that it's not working properly, and thus it was removed from the standard installation and is only available as a package to install. But memory might be cheating on me?)

    Low priority won't save you any open connections, it just reduces the traffic amount generated by P2P, so this would not help much with the WRT54G.
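    The state-table arithmetic discussed above (a 2000 or 4096 entry limit on a WRT versus the 10000 default on pfSense) is easy to check on the box itself. The script below is an added example, not code from the thread or from pfSense: it parses constructed lines in the shape of `pfctl -ss` output (the NAT-translated address first, with the original LAN source in parentheses, is an assumed format), counts states per LAN host and reports usage against the table limit, so the hosts generating the P2P connection load can be identified before they exhaust the table.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of `pfctl -ss` output on a NAT gateway
# (format assumed from FreeBSD pf: translated address first, the original
# LAN source in parentheses; `<-` marks an inbound state).
SAMPLE_STATES = """\
all tcp 203.0.113.10:40001 (192.168.1.21:51234) -> 198.51.100.7:6881       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:40002 (192.168.1.21:51235) -> 198.51.100.8:6881       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:40003 (192.168.1.21:51236) -> 198.51.100.9:6881       MULTIPLE:MULTIPLE
all tcp 203.0.113.10:40004 (192.168.1.22:52000) -> 93.184.216.34:80        ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:40005 (192.168.1.23:52001) -> 93.184.216.34:443       FIN_WAIT_2:FIN_WAIT_2
all udp 192.168.1.1:53 <- 192.168.1.22:55555       MULTIPLE:SINGLE
"""

STATE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\((\S+)\))?\s+(->|<-)\s+(\S+)\s+(\S+)\s*$"
)

def _host(endpoint):
    """Strip the port from an IPv4 'addr:port' endpoint (IPv4 assumed)."""
    return endpoint.rsplit(":", 1)[0]

def states_per_lan_host(pfctl_output, lan_cidr):
    """Count pf states per LAN host, using the pre-NAT source where shown."""
    lan = ipaddress.ip_network(lan_cidr)
    counts = Counter()
    for line in pfctl_output.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # skip blank or unrecognised lines
        _, _, src, orig_src, direction, dst, _ = m.groups()
        # Outbound: the LAN host is the (original) source; inbound: the peer.
        candidate = _host(orig_src or src) if direction == "->" else _host(dst)
        try:
            if ipaddress.ip_address(candidate) in lan:
                counts[candidate] += 1
        except ValueError:
            continue  # not an IP literal, e.g. a garbled line
    return counts

def state_table_report(pfctl_output, lan_cidr, limit=10000, per_host_warn=500):
    """Total states against the table limit, plus hosts above per_host_warn."""
    counts = states_per_lan_host(pfctl_output, lan_cidr)
    total = sum(counts.values())
    return {
        "total": total,
        "usage_pct": round(100.0 * total / limit, 2),
        "heavy_hosts": sorted(h for h, n in counts.items() if n >= per_host_warn),
    }

if __name__ == "__main__":
    print(state_table_report(SAMPLE_STATES, "192.168.1.0/24", per_host_warn=3))
```

    On a live box, feed it the real output of `pfctl -ss` and set `limit` to the value configured in the pfSense GUI; a sudden jump in one host's count is the usual sign of a P2P client opening hundreds of peer connections.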



  • As I understand from your comments, the WRT54G will not be powerful enough for the load I have. Currently I'm working with a Linksys RV082 with load balancing, but I'm not happy with its performance, and I'm not sure how well the load balancing is doing, so I'd like to test the following configuration: connect the RV082 to the ADSL modem and present a static IP to the pfSense port OPT1, and connect the cable modem directly to the pfSense port WAN1, as shown in the following diagram.

    The pfSense PC is a Pentium 3 933 MHz with 128 MB RAM, and I will install the latest 1.2 snapshot. Do you think this is the right configuration?

    Thanks for your comments
    Regards
    Alfredo



  • At least I would say it's worth a shot!  ;D

    Just kidding, sounds pretty good to me!

    The RV082 has a lot more CPU power than the WRT54, so I guess with a single WAN interface it should perform pretty well. I would try the RV, if it's already available. Perhaps use the WRT on one connection to the internet just for the time you set pfSense and the RV up, so your students have at least "some" internet access (and perhaps tell them to stop the bloody P2P for the time of the setup, so everybody can get their mail!?!)

    I have a setup with about 30 people on 2-WAN pfSense here, much the same as yours, and a P3/667 with 128 MB RAM does the job nicely. I have only bandwidthd installed on the standard pfSense, so I can see who is causing the trouble, if there is any. But we don't have any P2P going on here; it's company policy to kick anyone who's using it.

    As I can see on my pfSense, 128 MB RAM is enough. I had 384 MB in it, but never used much of it, because no proxy is installed and the load balancing and routing don't take much RAM. If you plan on installing more packages, the RAM could become a bottleneck; just check the status pages in the first days after installing packages for hints like swap usage (it didn't occur for me yet, so I think if enough RAM is there, it would not use any swap at all, which is performance-wise the best).

    With P2P traffic on WRTs I had better results when setting the timing of how to drop idle connections to a much shorter figure; the only thing relating to this seems to be the option Firewall mode = aggressive. That's what I would try if you experience any problems with lots of connections on your pfSense.
    By the way, this tutorial helped me a lot with setting up load balancing; perhaps it's useful for you too?

    http://doc.pfsense.org/index.php/MultiWanVersion1.2

    I have an IPCop firewall with Advanced Proxy and Update Accelerator behind my pfSense, so between them there are some DMZ servers, accessible from WAN and LAN. Adv. Proxy uses Squid and is highly configurable from the web GUI, and Update Accelerator (at the moment it's version 1.0; version 2 is under development, but 1.0 works fine so far, and 2.0 will add further download sources) caches every M$ Windows update any Windows client asks for. So after the first client finishes downloading the update / bugfix / whatever, all other clients asking for the same update will get it from the IPCop at LAN speed, without using the WAN connection for the transfer. Symantec and Adobe downloads are cached too, so this will help keep traffic on WAN "for useful things" like HTTP, SMTP …
    There are some little modifications for Update Accelerator in the German IPCop forum for Apple updates (OS X) and some other download locations, which will probably be included in UA v2.0. Perhaps you want to look at this solution, because, as mentioned above, Squid on pfSense did not work for me. (No problem really, because I need two firewalls anyway because of the DMZ and some other people who use our internet connection too, but should not be granted access to our intranet. I know it's doable with only one firewall, but IPCop does not have (nor will in the near future) support for more than 1 WAN, and pfSense with Squid and traffic shaping caused me some headaches.)
    Those two firewalls, pfSense and IPCop, run on P3 hardware; they use about 100 watts an hour (together), a single P4 or Athlon XP would use the same or even more, and they just lay there, still in good condition, but not very useful for Windows Vista  ;)



  • Many thanks for your help, I'll try this configuration. Regarding IPCop, I've been using it for a long time; it's very nice, but no support for multi-WAN is a limitation for me, and it would be very nice if I could manage everything in only one box, pfSense or IPCop, which is better for maintenance.
    I'll tell you later how this thing is going.

    regards
    Alfredo



  • @Schnulch:

    I have an IPCop firewall with Advanced Proxy and Update Accelerator behind my pfSense, so between them there are some DMZ servers, accessible from WAN and LAN. Adv. Proxy uses Squid and is highly configurable from the web GUI, and Update Accelerator (at the moment it's version 1.0; version 2 is under development, but 1.0 works fine so far, and 2.0 will add further download sources) caches every M$ Windows update any Windows client asks for. So after the first client finishes downloading the update / bugfix / whatever, all other clients asking for the same update will get it from the IPCop at LAN speed, without using the WAN connection for the transfer. Symantec and Adobe downloads are cached too, so this will help keep traffic on WAN "for useful things" like HTTP, SMTP …

    Hi Schnulch, sorry for somehow hijacking this thread. I'm interested in your pfSense/IPCop deployment; I'm using advproxy on the cop too, for a while now, and I'm trying to replace the IPCop machine with two pfSenses for HA, but encountered the proxy issue too (no load balancing). If I understand correctly, you are doing 2 NATs, pfSense then IPCop (internet-[pfWAN-pfLAN]-[ipcopRED-ipcopGREEN]-clients). I'd prefer to avoid double NAT for some non-NAT-friendly apps I need to run, and use the traffic shaper from pfSense instead of IPCop.
    Have you tried IPCop running as a proxy only with advproxy, without using different subnets for RED/GREEN? Is it possibly going to work, from your experience (even with no WAN at all on the IPCop box)? Unfortunately I can't test here, as I ran out of test machines.

    Thanks



  • Hello Bruno,
    perhaps you could use IPCop as a proxy in non-transparent mode, so all HTTP requests will be guided through IPCop (you have to set all browsers in your net to use this proxy), while the rest of the IP traffic uses the default gateway!?
    If your "non-NAT-friendly apps" don't use HTTP, they could work through the default gateway without double NAT; if they do, I'm at a loss for ideas here.

    Schnulch

