Dual-WAN design with pfSense (and two noobies =\)
Hello pfSense fans.
I'm a sysadmin who recently discovered pfSense while searching for a dual-WAN failover solution, given that we are experiencing serious connection problems with one of our providers.
We have a dual-WAN setup which is being used the "dumb" way, using DHCP to change users' gateways when our main link goes down. Our objective is to get a proper setup with the help of pfSense. :)
Currently our link setup is the following:
- Dedicated 2 Mb link - 5 public IPs - ISP equipment: Cisco voice+data router (managed by the ISP) - Our equipment: PIX firewall » Main Switch
- ADSL 8 Mb/512 Kb - 1 fixed public IP - ISP equipment: Speedtouch ADSL modem/router in routing mode (managed by us) » Main Switch
A colleague and I are trying to plan the implementation of pfSense to meet the following requirements:
- Dual-WAN failover
- Load balancing (it would be useful)
- Traffic shaping (it would also be useful)
- Squid proxy for HTTP
- Public services redundancy during failover (like e-mail relaying, webmail, staging websites, etc.)
- VPN access (through the PIX) redundancy during failover
- Maintain the PIX firewall as the primary network firewall
Now, some things are bugging me. First let me say that I consider myself to have a good grasp of networking, but some of these issues are a little out of my league, and that is the main reason I'm turning to you for help (and the more documented implementations, the better for other users ;)).
We came up with two designs: one with pfSense inside our network providing almost everything but the public services requirements (the dedicated link would be protected by the PIX, and the ADSL by the Speedtouch firewall, as we currently have it); and the other with pfSense doing all the routing, placed between both links and the PIX, in which we would place the staging server(s). You can check the attached diagram of the latter design.
- How will we have to configure NATting on both pfSense and the PIX to be able to keep serving public services as we do now? pfSense firewall exceptions and NATting to the PIX, and PIX firewall exceptions and NATting to the internal servers?
- The public IP scope of the dedicated link is configured as virtual IPs on the WAN, making it possible to NAT based on the public IP being accessed (one IP for e-mail, another for staging, another for something else)?
- Do you advise using the ADSL link (OPT interface) with pfSense dialling up (Speedtouch in bridge mode), or leaving this task to the Speedtouch itself? If the latter, how will we be able to access its web interface from the internal network?
- Access to public services for redundancy is being thought of as duplicated A records, with an IP from the dedicated link and the IP of the backup ADSL link, and round robin for seamless webmail.domain.com access during failover. Any ideas or suggestions on this?
- Do you think we will have problems with the PIX VPN with the intended design?
- Do you expect any problem with having Squid served from pfSense with the intended design?
Sorry for the long post folks. This hasn't been easy to manage with our connection problems, and pfSense does seem like the key (even though it will be a pain to implement, as it seems) :-\
Cheers
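As an added example (not from the original post, and not the poster's configuration), here is what the destination-based NAT from the second design looks like in raw FreeBSD pf syntax, which is the packet filter pfSense generates its rules for. The interface names, the RFC 5737 documentation addresses standing in for the two public ranges, the PIX outside address and the staging host are all assumptions; on pfSense these rules are built from the Virtual IPs, NAT and load-balancer pages rather than typed into pf.conf. The point it illustrates is that with two WANs, inbound redirects on the backup link need `reply-to` so the replies leave by the link the connection arrived on, and that pf's `route-to` pool gives load balancing but not failover on its own.

```pf
# Added example in FreeBSD pf syntax (pfSense's underlying packet filter).
# All names and addresses below are assumptions, not the poster's real ones.
ext_if  = "em0"          # dedicated 2 Mb link, assumed block 203.0.113.8/29
adsl_if = "em1"          # ADSL link, assumed single fixed IP 198.51.100.7
pix_if  = "em2"          # segment between pfSense and the PIX outside interface
ext_gw  = "203.0.113.9"  # ISP Cisco router on the dedicated link (assumed)
adsl_gw = "198.51.100.1" # Speedtouch, kept in routing mode (assumed)
pix_out = "192.0.2.2"    # PIX outside address; the PIX NATs on to internal servers
staging = "192.0.2.3"    # staging web server placed next to the PIX (assumed)

# One public IP (a virtual IP on the WAN) per exposed service
mail_vip    = "203.0.113.11"
staging_vip = "203.0.113.12"

set skip on lo0
scrub in all

# Outbound NAT for the PIX/staging segment on whichever WAN the packet leaves by
nat on $ext_if  from $pix_if:network to any -> ($ext_if)
nat on $adsl_if from $pix_if:network to any -> ($adsl_if)

# Inbound: choose the internal target by the public address that was hit
rdr on $ext_if  proto tcp from any to $mail_vip    port 25          -> $pix_out
rdr on $ext_if  proto tcp from any to $staging_vip port { 80, 443 } -> $staging
# The ADSL link has a single public IP, so only one server per port can be
# exposed there: here it backs the mail relay, for the duplicated A/MX record.
rdr on $adsl_if proto tcp from any to ($adsl_if) port 25 -> $pix_out

block in log all

# Multi-WAN trap: a session that arrived on the ADSL link must answer via the
# ADSL gateway, not via the default route on the dedicated link. reply-to does that.
pass in on $ext_if  reply-to ($ext_if $ext_gw)   proto tcp to $pix_out port 25
pass in on $ext_if  reply-to ($ext_if $ext_gw)   proto tcp to $staging port { 80, 443 }
pass in on $adsl_if reply-to ($adsl_if $adsl_gw) proto tcp to $pix_out port 25

# Outbound from the PIX segment: spread new sessions over both gateways, but keep
# one source address on one link so a client does not flip public IPs mid-session.
# pf does not remove a dead gateway from this pool by itself; that is the job of
# pfSense's gateway monitor, which rewrites the rule set when a link fails.
pass in on $pix_if route-to { ($ext_if $ext_gw), ($adsl_if $adsl_gw) } round-robin sticky-address \
    from $pix_if:network to ! $pix_if:network keep state
pass out on { $ext_if, $adsl_if } keep state
```

Two practical caveats for the round-robin DNS idea in the post: the ADSL side can only stand in for one service per TCP port because it has one public address, and duplicated A records give clients the choice of a dead IP half the time; SMTP relays will retry the next MX/A record, but browsers and VPN clients do not reliably do so, so it helps e-mail far more than webmail or the PIX VPN.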