Planning network design, introducing pfsense, opinions wanted
-
Sorry, long
What I have: two groups of machines on my network, Windows based (original) and some Linux/Unix based. The Windows machines (1 Win2012 Server, 2 Win 8, 1 Win 7) are members of the domain; the server is used to automatically back them up (for bare-bones restore if needed), and as file server, print server and central media repository. The Linux machines are an Arctic hardware box (http://www.arctic.ac/en/p/living/entertainment-center/635/mc001-xbmcus.html) running OpenELEC, and an old server I threw together that runs Mythbuntu using an HDHomeRun as its network tuner. Other misc devices on the network are an Obi network/phone device for Google Voice directly from 'normal' phones, the HDHomeRun, and a PS3 that gets turned on from time to time to watch Blu-ray or Netflix in the living room.
Connectivity: two independent internet connections, of which I use Comcast HSI as primary and ATT Uverse as a backup in case Comcast goes down for a significant amount of time. Hardware is a Motorola SB6120 for Comcast and a 3800hgv-b for ATT. Cat5e connects all of my hosts other than 2 laptops; an Asus RT-N56U currently serves as router + wireless network provider.
Issues I want to correct
- Switching between Comcast and ATT is manual and not easy; I am only using a single connection of the two I am paying for
- Windows 2012 does not play nice with the router, sometimes switching the members of the domain to use itself as DNS provider (even if told not to)
- I would love to have "auto sync" between my Windows server library and the XBMC libraries (one way from Windows -> XBMC, or two way if possible). This way I do not have to worry about updating metadata twice, ripping multiple times, or having to manually copy things
Unsure about
a) Is it worth considering merging pfSense with any one of the existing Linux machines? OpenELEC does not have other network cards yet (yes, I can buy USB options); Mythbuntu is on a different floor from where the internet connections are coming in
b) Is it worth looking at spinning up pfSense on a VM (I run Oracle VirtualBox for other VM needs), or is a VM a bad idea?
c) Is the best solution simply to buy one of the ALIX boards from PC Engines (especially after upgrades), put the 2 existing internet connections in and one out, and use it as a configurable router?
d) Trying to figure out what to do with the Windows Server that wants to declare itself the DNS master (group my Windows machines into a separate subnet which Win Server can be master of if it so desires?). If I go that way, how does this approach sound?
- get an ALIX, connect to Uverse, configure Uverse to play nice with pfSense, configure pfSense as a switch
- migrate clients to use the pfSense "switch"
- change the mode on the Asus router, plug it into the new network to be wireless network provider only
- plug Comcast in as an internet connection, configure priority, failover, or even joint use/load sharing. I had not heard of pfSense until today so I am still reading up on it.
Any comments would be welcome
-
2/ This is not an issue. Domain-joined computers must use the AD DNS servers and no others or you disturb all the AD functionality!
-
Hi,
1. pfSense can use both connections in load-balance or failover mode (or both).
3. I expect you could use rsync between these two machines, either some Windows port or directly from XBMC.
a. No. pfSense is built on FreeBSD so you would have to find ports of whatever services you need. Even if you could, pfSense is a firewall and should not be running extra services.
b. Yes, you can do that; many people run pfSense as a VM. It does get a bit complex setting up the various virtual adapters and switches though.
c. The Alix is a great box but its throughput is limited, to about 85Mbps. What speed are your connections?
d. Why not use your Windows server for DNS?
Steve
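pfSense's multi-WAN gateway groups (Steve's point 1) work by putting each WAN in a tier and watching its monitor pings; the lowest tier with a working gateway carries traffic, and gateways that share a tier split it by weight. The Python below is an added example modelling that selection logic; it is not part of the thread or of pfSense's own code, and the gateway names, thresholds and monitor readings are constructed.

```python
from dataclasses import dataclass

@dataclass
class GatewayStatus:
    name: str
    tier: int           # 1 = preferred; a higher tier carries traffic only when lower tiers fail
    loss_pct: float     # packet loss seen by the monitor pings
    latency_ms: float   # average RTT of the monitor pings
    weight: int = 1     # relative share when several gateways sit in one tier

# Constructed thresholds; pfSense lets you tune these per gateway
LOSS_DOWN_PCT = 20.0
LATENCY_DOWN_MS = 500.0

def gateway_is_usable(gw, trigger):
    """Apply the group's trigger level: 'down', 'packetloss', 'latency' or 'downloss'."""
    down = gw.loss_pct >= 100.0
    lossy = gw.loss_pct >= LOSS_DOWN_PCT
    slow = gw.latency_ms >= LATENCY_DOWN_MS
    if trigger == "down":
        return not down
    if trigger == "packetloss":
        return not (down or lossy)
    if trigger == "latency":
        return not (down or slow)
    if trigger == "downloss":
        return not (down or lossy or slow)
    raise ValueError(f"unknown trigger {trigger!r}")

def select_gateways(group, trigger="down"):
    """Return the gateways that carry traffic: every usable one in the lowest
    tier that still has a usable member. An empty list means all WANs are out."""
    for tier in sorted({gw.tier for gw in group}):
        usable = [gw for gw in group if gw.tier == tier and gateway_is_usable(gw, trigger)]
        if usable:
            return usable
    return []

def next_gateway(active, flow_hash):
    """Weighted pick for load balancing inside a tier. flow_hash is a
    per-connection hash, so one connection sticks to one WAN."""
    slot = flow_hash % sum(gw.weight for gw in active)
    for gw in active:
        if slot < gw.weight:
            return gw
        slot -= gw.weight
```

With Comcast in tier 1 and ATT in tier 2 this is pure failover; putting both in tier 1 with weights 3:1 shares connections roughly in proportion to the 25 and 18 Mb/sec links.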
-
Thank you for your comments, any hardware recommendations?
The Comcast is 25Mb/sec (likely to grow to 50Mb/sec as Comcast upgrades speeds). ATT is 18 Mb/sec. So handling internet connectivity under 50 Mb/sec is required, 100 Mb/sec desired. Would the 100 Mb limit on the alix2d13 be a limitation considering the rest of my wiring is Cat5e? Is there existing similar hardware with Gb cards built in?
Thank you
-
The next step up in performance terms from the Alix would be an Atom based box which will firewall/NAT at ~500Mbps.
You wouldn't go wrong with this:
http://store.netgate.com/Netgate-FW-7541-P1846.aspx
It's quite a bit more expensive but some of that goes directly to the project. :)
You can build your own box of course.
Your wiring will support much more than 100Mbps, probably gigabit unless it's particularly badly run.
Steve
-
Thank you Steve,
Maybe I did not ask the previous question correctly - will getting an Alix with its 100Mb ports for the switch be a limitation on my network that is otherwise 1Gbps, assuming I use 1 Gbps dumb switches to connect the rest of the hosts together? My understanding is 'no': once the switch did what it needs to and issued an IP, Host A and Host B can talk over 1 Gbps between themselves.
The reason I am asking is that one of the core functionalities of the Windows network for me is full backups of all workstations to the Windows Server, with the ability to recover file history, specific files from backups, or the entire host when booted off the USB that connects to the server and loads the image I want to reimage the machine to a good state. I do not want to cut this functionality because I cheaped out and configured my main pfSense 'switch' with 100 Mb ports, if that would be an issue.
thank you
Simon
-
Ah, yes, you're right. Traffic between two hosts in the same subnet will not pass through the pfSense box. However you may want to, for example, separate your wifi clients from the wired ones using an additional interface, in which case that traffic would have to be routed.
Steve