Two adsl connections separate buildings



  • We have a network that covers three separate buildings. One has the Internet connection which is shared to the other two buildings connected with ubiquiti hardware wireless.

    We are getting dsl installed in the third building which is separated from the first dsl connection by the second building. I would like to have fail over dsl where if the original dsl fails it will use the dsl from the third building.  I know you can have another wan connection to pfsense by installing another Nic and connecting directly to the dsl connection but this is not possible because the dsl connection is on the other side of  wireless network connected to lan Nic.

    Is it possible to have a virtual interface or something? Currently the pfsense lan is connected by wireless bridge to the second building which in turn is connected to a switch which is connected to another wireless bridge to the third building which is connected to another switch and multiple pc's there.

    Any possible way of sharing the second gateway over lan Nic?


  • Banned

    What kind of virtual interface should that be? Another double wireless bridge? I'd much rather get a third DSL to the second building than doubling this madness.



  • I don't know just wondering if it's at all possible in any way.



  • I'd co-locate the DSL connections and just run a DUAL WAN, if possible with load sharing and failover.  It's much more sane to make this work if the DSL modems are together.  I don't know how far away these buildings are from each other, but you could run CAT5 between them if they are close enough or fiber and get all the bandwidth from that first building.

    If you are 100% going to have a modem in building 1 and 3 but not 2, it's doable but it's not nice.

    Or, like he said, get 3 modems, one for each building.



  • Thanks for the reply. Buildings are a little out of range for cabling. I'm having issues with local authority and two lines in original building so would love to make this work.


  • Banned

    Well, then… what's said above - it would be much easier to have all the DSL connections in one building.


  • Netgate Administrator

    It would be just about conceivable to put VLANs in place to bring your WAN connections to a central location. You would be doing VLAN over wifi which is something I've never tried. However I wouldn't recommend it. I imagine the latency would be all over the place. It seems like a situation that would generate problems faster than it solved them.  ;)

    Steve



  • If you have a VLAN switch at each end of the inter-building wireless links, then you can put multiple VLANs across the port connected to the wireless links - a VLAN for LAN traffic and a VLAN for the remote DSL.
    If the pfSense has an extra port available, then make an ordinary untagged port in remote DSL VLAN on the VLAN switch and connect it to pfSense with an ordinary cable. If not, then put your existing WAN onto the VLAN switch also (in another VLAN). Then send both "WAN VLANs" tagged to pfSense, and configure the VLANs on pfSense.
    Having VLAN switches to control your inter-building links will also give you future flexibility to have VLANs for groups of users in various mixes of buildings and bring them all back to pfSense to control the routing between them - if any that is a requirement/useful.



  • What is the distance between each building?



  • About 500 meters



  • That's ugly.  500M, according to the specs of many devices, is fine, but omni antennas disperse energy by distance^2 so it can't be all that great.
    Using good wireless routers with directional / yagi directional antennas can make your request work pretty well, but that only addresses signal drop.  Not latency.  If you do what you are planning with DSL and wireless spread between the buildings that way, the antennas should be directional and aimed directly at each other between buildings.

    Something like this.  They come in various prices.

    http://www.infinity-micro.com/cisco-aironet-antenna-kit-yagi-7-in-network-adapter-antenna-569.html

    I'd still want my DSL modems co-located but you could use these to get a signal to all your building from a single point.



  • I am using ubiquiti equipment and have 300mbps links with 55dbi signal strength. So according to Phil.davis it is possible. Unfortunately I have no idea what Phil is saying.  I am afraid I am a noob in learning



  • What he is saying is use VLANs and VLAN switches.  Can be done also, but for me the simplicity of having all my modems in one building behind a single pfsense seems so easy.  Then directional high quality wireless link to first building and then a wireless bridge from the second building to the 3rd using similar equipment.

    It just seems so much easier.

    Now, if there is a good reason not to do it all in one building, like if you don't have other separate lines you can attach additional DSL to, then yeah.  No choice but to split them up.

    I like having 3 modems also.  1 in each building and using VPN to put all the buildings on same net, but that's expense and probably slower.  I've no idea the speed of your DSL UP/Down or your data caps etc.



  • Dig trenches and lay fiber. 9000 times better in so many ways. I have done it both ways, and fiber is so much better.

    You CAN do the VLAN approach. Over Wireless links, it's simply going to stink, IME. You claim to have good links, perhaps you will be happy enough with it.

    OK, You don't grasp the VLAN approach. No shame in that. It's kind of an odd idea to get your head around the first time.

    A VLAN Switch can divide up its ports into "Virtual LANS" - identified by number.

    So, A VLAN Switch at the third building would have most of its ports as the default LAN (Say, VLAN 1) and a port as the second WAN (Say, VLAN 97)

    Then the port that is connected to the wireless link would be assigned to both 1 and 97, and packets leaving that port would be "Tagged" - identified which VLAN they are associated with. The other ports would typically be "Untagged" with VLAN information removed from packets.

    The switch in the second building would have two "Tagged" ports - one for the link to third, one for the link to first.

    The switch in the first building would have a "Tagged" port for the link to second, and an untagged port on VLAN 97 for connection to a second WAN interface on your PFSense - or a tagged port for VLAN97 and VLAN 42, if VLAN 42 is connected to the first building WAN, and you are using VLAN in the pfsense (potentially confusing - basically there are several options that work, depending how you set it up.)

    In all three buildings, the LAN is on VLAN1.

    The VLANs act as "virtual wires" to get the WAN connection over your links and through your switches, while the LAN traffic is also travelling over the same links, without the two interacting (other than they will both take up link space.) VLANs primarily depend on the network switches, which have to be VLAN aware, or capable. Most "managed" switches are. Unmanaged switches are not. If you don't have managed switches, you'll need to buy some.



  • Thanks for the awesome explanation. I really appreciate you taking the time. I will study up on VLANs and see where that takes me. Both DSL connections are only 4meg down so it's not high traffic. Would be nice to bond them and also have fail over.

    Could I ask why you think it would stink over wireless?



  • I also like fiber.  I picked up a switch a little while ago for $30 that has GBIC fiber modules built in so can support about 1 kilometre separation between switches at gigabit speed…

    That's my first suggestion, but apparently off the table.



  • Wireless introduces tons of latency - that's even just a simple point A to point B WIFI before you go trying to do VLANs and lots of switching and handling/routing.


  • Netgate Administrator

    Somewhat off topic.
    Many years ago when I was at university a couple of friends of mine connected their computers using an improvised ethernet connection. The two systems were in separate buildings and the hall administrators frowned upon students running cables perhaps not unreasonably. To get around this problem the connection was made directly through the air using missile wire. The cable was so thin you couldn't see it unless you really knew where to look. It worked surprisingly well. Then again 10Mbps was all you could get back then. Fine for multiplayer Doom though.  ;)

    Obviously I'm not advocating that sort of thing…

    Steve



  • I don't know where this building is, or even what country, but if it's like A LOT of countries, there is a rat nest of god-only-knows-what wires strung anyway.  No one will notice a tiny black ribbon of fiber running along a phone or electrical cable…

    But, if you electrocute yourself being silly, it wasn't my idea :P



  • @molesza:

    Could I ask why you think it would stink over wireless?

    Experience with between-buildings wireless links. Not the happiest kind of experience, so I avoid them like the plague now. At the time, I didn't have any choice - but the results were never completely satisfying - they might be completely satisfactory (for what they were) one day, but they would drop or go down to absurdly low speeds other days. Rain or snow could be a big issue (2.4GHz is also the band a microwave oven uses, because it is absorbed well by water….) What I've seen out of 5GHz so far is even worse in real life. I can whip the actual throughput of a claimed 300Mbps wireless link with a chunk of 100Mb wire any time I try it. Aside from (or possibly "as part of") the latency issues, there's a lot of chatter involved in keeping the wireless link up - and that takes up room that data would be using. If you really are getting an honest 300Mb through your link and only have 4Mb on your DSL links, you might be fine. But my personal experience with wireless links has led me to only using wireless for end-user laptop/tablet access, with each wireless device connected to a solid wire/fiber network. Unless it's a huge problem to get a wire to a location, I run wires for all desktop machines.

    Gigabit fiber is vastly superior. I use switches with SFP slots, and ex-FibreChannel 4Gb/s SFPs that also work fine for gigabit ethernet, and set me back $5.79 each when I bought them (I've seen them for less since then.) They are good for 10 km links on singlemode fiber, but work fine at 5m or less as well.

    You may be able to run fiber overhead. I dislike it, simply because it's more exposed to damage, but it can be cheaper in some cases. Do NOT use indoor fiber outdoors. DO shop carefully and thoroughly. It's not hard to find a factor of 10 price differential on the same stuff.

    Given you have the wireless links already, it certainly cannot hurt to simply try them, and do feel free to report if you turn out utterly happy with them. But have fiber in mind, especially if there is ever at any time a trench opened up for any purpose between buildings. If you do need to buy new switches, get ones that have SFP slots, for instance. They don't cost much more than those without, with adequate shopping.

    Under the heading of "really not where I want to go" and possibly not an option if it's municipal (from each building) rather than the three buildings connect, and that connection goes to the municipal pipe, they do make fiber cables specifically to run in sewers.



  • @Ecnerwal:

    Dig trenches and lay fiber. 9000 times better in so many ways. I have done it both ways, and fiber is so much better.

    You CAN do the VLAN approach. Over Wireless links, it's simply going to stink, IME. You claim to have good links, perhaps you will be happy enough with it.

    OK, You don't grasp the VLAN approach. No shame in that. It's kind of an odd idea to get your head around the first time.

    A VLAN Switch can divide up its ports into "Virtual LANS" - identified by number.

    So, A VLAN Switch at the third building would have most of its ports as the default LAN (Say, VLAN 1) and a port as the second WAN (Say, VLAN 97)

    Then the port that is connected to the wireless link would be assigned to both 1 and 97, and packets leaving that port would be "Tagged" - identified which VLAN they are associated with. The other ports would typically be "Untagged" with VLAN information removed from packets.

    The switch in the second building would have two "Tagged" ports - one for the link to third, one for the link to first.

    The switch in the first building would have a "Tagged" port for the link to second, and an untagged port on VLAN 97 for connection to a second WAN interface on your PFSense - or a tagged port for VLAN97 and VLAN 42, if VLAN 42 is connected to the first building WAN, and you are using VLAN in the pfsense (potentially confusing - basically there are several options that work, depending how you set it up.)

    In all three buildings, the LAN is on VLAN1.

    The VLANs act as "virtual wires" to get the WAN connection over your links and through your switches, while the LAN traffic is also travelling over the same links, without the two interacting (other than they will both take up link space.) VLANs primarily depend on the network switches, which have to be VLAN aware, or capable. Most "managed" switches are. Unmanaged switches are not. If you don't have managed switches, you'll need to buy some.

    If I have the two switches set up in this way in both buildings do I need to configure pfSense in any way? Or just plug the cable for the VLAN with the modem connection directly into the pfSense WAN NIC? Will pfSense be blind to this and just basically see a straight connection to the modem in the other building?


  • Netgate Administrator

    It depends how many ports you have in the pfSense box. If you have spare NICs you can do all the VLAN configuration in your switches and the pfSense box will just see it as a cable directly to the modem. If you don't have spare NICs you can bring all the VLAN traffic into the pfSense box and separate it to different interfaces in software.

    Steve



  • @molesza:

    @Ecnerwal:

    The switch in the first building would have a "Tagged" port for the link to second, and an untagged port on VLAN 97 for connection to a second WAN interface on your PFSense

    If I have the two switches set up in this way in both buildings do I need to configure pfSense in any way? Or just plug the cable for the VLAN with the modem connection directly into the pfSense WAN NIC? Will pfSense be blind to this and just basically see a straight connection to the modem in the other building?

    Yes, if set up the way I left in this quote snippet - two physical WAN interfaces on the pfsense. All the VLAN stuff handled in the switches in this case.

    pfsense is VLAN aware (NIC must also be VLAN aware/capable) so it can also be done as I added to be complete, with the caveat that it could be confusing:

    @Ecnerwal:

    • or a tagged port for VLAN97 and VLAN 42, if VLAN 42 is connected to the first building WAN, and you are using VLAN in the pfsense (potentially confusing - basically there are several options that work, depending how you set it up.)

    Here you have, on switch one (numbers are just to have some concrete numbers - the particular numbers don't have any special meaning) The building 1 WAN connected to a switch port on VLAN 42, and the pfsense WAN port connected to a tagged port that's on both 97 and 42. In the pfsense you assign 97 to WAN2 and 42 to WAN1. The pfsense is then connected to both WANs, but over a single wire. In general, I'd prefer the two physical NICs approach unless the pfsense could not hold another NIC - it provides a little bit of redundancy from NIC or cable failure - but it's not that much, really.
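
The VLAN plan described in the posts above, modelled as an added example (not code from the thread or from pfSense): it floods a frame from the building-3 modem port across the three switches and reports any port other than the pfSense WAN2 NIC that would see it, i.e. a host sitting on the WAN segment without the firewall in front of it. Switch and port names are hypothetical and the port table is constructed sample data.

```python
from collections import deque

LAN, WAN2 = 1, 97  # VLAN numbers used in the thread
TRUNK = ({LAN, WAN2}, None)  # both VLANs tagged, as on the inter-building ports
# (switch, port) -> (tagged VLANs, untagged VLAN). Hypothetical names, constructed data.
PORTS = {
    ("sw3", "modem"): (set(), WAN2), ("sw3", "pc"): (set(), LAN),
    ("sw3", "to_sw2"): TRUNK, ("sw2", "to_sw3"): TRUNK,
    ("sw2", "to_sw1"): TRUNK, ("sw2", "pc"): (set(), LAN),
    ("sw1", "to_sw2"): TRUNK, ("sw1", "pc"): (set(), LAN),
    ("sw1", "pfsense_lan"): (set(), LAN), ("sw1", "pfsense_wan2"): (set(), WAN2),
}
LINKS = {("sw3", "to_sw2"): ("sw2", "to_sw3"), ("sw2", "to_sw1"): ("sw1", "to_sw2")}
LINKS.update({b: a for a, b in list(LINKS.items())})  # wireless bridges, both directions

def classify(ports, port, tag):
    """VLAN a frame lands in when it enters `port`, or None if it is dropped."""
    tagged, untagged = ports[port]
    if tag is None:
        return untagged
    return tag if tag in tagged else None

def flood(ports, src):
    """Edge ports that receive a broadcast sent untagged into edge port `src`."""
    start = (src, classify(ports, src, None))
    if start[1] is None:
        return set()
    seen, edges, queue = {start}, set(), deque([start])
    while queue:
        (switch, _), vlan = queue.popleft()
        for port, (tagged, untagged) in ports.items():
            member = vlan in tagged or vlan == untagged
            if port[0] != switch or not member or (port, vlan) in seen:
                continue
            seen.add((port, vlan))
            peer = LINKS.get(port)
            if peer is None:
                edges.add(port)
                continue
            # The frame crosses the bridge tagged only if the VLAN is tagged on this port.
            landed = classify(ports, peer, vlan if vlan in tagged else None)
            if landed is not None and (peer, landed) not in seen:
                seen.add((peer, landed))
                queue.append((peer, landed))
    return edges

def wan_exposure(ports):
    """Edge ports other than pfSense's WAN2 NIC that see raw frames from the modem."""
    return flood(ports, ("sw3", "modem")) - {("sw1", "pfsense_wan2")}
```

An empty result from `wan_exposure` means the modem's frames reach only the firewall; any port it returns is an access port placed in VLAN 97 by mistake.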



  • Considering fiber, managed switches and VLANs?  Smart.  You will be glad you did that over wireless.

