Installation cabling and setup behind 2 adsl routers
-
Hi guys,
I am very new to pfsense and trying to figure out its features. A friend of mine has a cyberoam appliance at work that in addition to firewalling and antivirus/antispam filtering does bonding to 2 or 3 adsl lines so that the office always has internet and I was wondering if I can do something similar with pfsense. Can you please explain or suggest somewhere to read :
- how should be the cabling between a pfsense device and adsl routers, switches etc
- how to setup all these
Thank you
-
@dim:
Hi guys,
I am very new to pfsense and trying to figure out its features. A friend of mine has a cyberoam appliance at work that in addition to firewalling and antivirus/antispam filtering does bonding to 2 or 3 adsl lines so that the office always has internet and I was wondering if I can do something similar with pfsense. Can you please explain or suggest somewhere to read :
- how should be the cabling between a pfsense device and adsl routers, switches etc
- how to setup all these
Thank you
1 cable from each modem/router to a managed switch. Be careful not to set up any modem on the management VLAN! Talking about HP switches, ports connecting to the modems/routers should be untagged with a different VLAN each. Depending on your connection, you might get away with older switches (eg 2524 which cost $20 and allow up to 100Mbit total bandwidth through them (eg 10x10Mbit connections, 20x5Mbit connections)). Feel free to use other switches with less ports. You can do this without using VLANs, but it's easier this way.
1 cable from the switch to pfsense. This should be tagged on the switch, and all VLANs should be set up on pfsense. Depending on what you mean with "always has internet" double the number of switches (you'll need a bit more work on this to set up redundancy between the switches), double the boxes running pfsense (CARP).
After that's done see: http://doc.pfsense.org/index.php/Multi-WAN_2.0. Don't forget that you are no longer using physical interfaces, but VLANs so assign them accordingly. -
Thank you for replying, I must admit that I would need more detailed information but of course this is my problem.
So, in order to use pfsense at home, where I only have a Speedtouch 585 adsl modem/router and I need pfsense to "clear" the virus/spam that comes in from my Speedtouch, I still need a managed switch ? Isn't there any simple way ?
I mean, can't I just install 2 NICs on an old PC, install pfsense on it and connect one NIC to pfsense device, that will get all the inbound traffic (good and bad) then pfsense would clear what needed and the other NIC would export all clear traffic to a switch where my LAN would be connected. How can I implement that please ?
Thanks ! -
Speedtouch 585 modems! love those things ;D. I thought you were asking for multiple connections. You don't need a managed switch for a couple of connections with those, even when running a CARP setup.
If you are asking about a single pfsense box running multiple WAN connections, then the only limiting factor is the number of your physical interfaces. If you want to connect 3 different modems, you need 3 different physical interfaces. That's why I suggested a managed switch, I thought you were asking about an office type situation (multiple connections).
Normally it's 1 port for the WAN side, and 1 port for the LAN side (which is in turn connected to a switch, and all your PCs are connected to that switch). For the virus part see: http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_Scanning. For the spam side I'm afraid unless you run your own email server (in which case see: http://forum.pfsense.org/index.php/topic,40622.0.html) there is nothing that can scan your email (eg hotmail/gmail/etc..) when you go and download email attachments from those. I would love to be corrected if anyone knows of a way to do this. Theoretically it can be done with HAVP I linked previously, but practically you are accessing those on an SSL connection and HAVP can't understand what is passing through it. Unless they only use SSL for the authentication part and pass emails/attachments over regular HTTP in which case HAVP will see it and analyze it.
To recap, 1 cable from the 585 to a nic on pfsense. 1 cable from another nic on pfsense to a switch. All PCs connected to this switch. Install HAVP on pfsense for virus scanning.
If I still missed anything, please post again and I'll be happy to try and help you.
Bonus tip for random readers: Speedtouch 585 modems can be run in a CARP cluster with a bit of "gentle persuasion" without needing a managed switch. Use 2 of them and you have a multi-wan CARP cluster. Officially every single ISP on the entire planet will deny this. They are wrong.
-
Well, the least I can say is : Thank you very much for all these information.
Yes, first I asked about multiple WAN connections but then after your first reply I thought of starting from simpler things :) -
@dim:
Yes, first I asked about multiple WAN connections but then after your first reply I thought of starting from simpler things :)
Go for it, start simple!
Use some old PC hardware and build your own pfSense router using the Speedtouch as modem.
It's fun and you can learn alot.
Then add some packages as mentioned before. For the virus scanning aspect, go and install a good virus scanner on your PC. That should do for home use.
Good luck!
-
Thank you ! Some first questions please…
-
On the deployment I described with the 585, the pfsense's NIC that would connect on the 585 should it be declared as the WAN for pfsense ? And the other one that would connect on the switch, as LAN ?
-
If I don't have a switch and only want to connect a PC at home after the pfsense, can I use a crossover cable to connect pfsense's inner NIC to the PC's NIC ?
I tried something similar by setting the pfsense's NIC connected to 585 as WAN with ip 192.168.1.104 and then when I assigned the second pfsense's NIC as LAN, all OK. But when I assigned DHCP to pfsense's 2nd (LAN) then I lost connection to the web administration of pfsense that I handled until then from my laptop connected through WiFi to 585 and pfsense (192.168.1.104). The situation corrected only when I chose to reset back to primary settings from pfsense.
Can you understand what wrong could happen on that ? -
-
- Yes and yes.
- Yes, and usually these days the NIC hardware on either end of the cable will auto-sense the Rx/Tx pairs and do the necessary crossover, so it is worth a try with a straight-through cable first.
If your front-end Speedtouch is already using 192.168.1.0/24 subnet to talk to the pfSense WAN, then you have to make the pfSense LAN a different subnet - pick a "random" number for 192.168.x.0/24 - you could make the pfSense LAN IP 192.168.42.1/24 for example.
-
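A small check for the subnet clash the reply above describes, added here as an example and not part of the thread or of pfSense itself. The single-WAN table mirrors the addresses in the thread (Speedtouch on 192.168.1.0/24, pfSense WAN 192.168.1.104, pfSense LAN left on its default 192.168.1.1/24); the multi-WAN table is a hypothetical layout that generalises the same problem to two modems that both ship with a 192.168.1.0/24 LAN side, which is what you would hit when going back to the multi-WAN plan from the start of the thread. The function names are my own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample reflecting the thread: the Speedtouch 585 sits on
# 192.168.1.0/24 and hands pfSense's WAN 192.168.1.104; the pfSense LAN was
# left on its default 192.168.1.1/24, so WAN and LAN share one subnet.
SAMPLE_SINGLE_WAN = {
    "WAN": "192.168.1.104/24",
    "LAN": "192.168.1.1/24",
}

# Hypothetical multi-WAN layout (not from the thread): two consumer modems,
# each with a 192.168.1.0/24 LAN side, cabled to separate pfSense interfaces.
SAMPLE_MULTI_WAN = {
    "WAN1": "192.168.1.104/24",
    "WAN2": "192.168.1.105/24",
    "LAN": "192.168.42.1/24",
}


def find_overlaps(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of interface names whose subnets overlap."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def suggest_lan(interfaces: Dict[str, str], lan_name: str = "LAN") -> str:
    """Return a LAN gateway address (x.x.x.1/24) that collides with nothing else."""
    others = [
        ipaddress.ip_interface(cidr).network
        for name, cidr in interfaces.items()
        if name != lan_name
    ]
    # Start at 192.168.2.0/24: 192.168.0.0/24 and 192.168.1.0/24 are the usual
    # consumer-router defaults (the Speedtouch uses the latter here), so skipping
    # them also avoids a clash if the modem is swapped for another one later.
    for third in range(2, 255):
        cand = ipaddress.ip_network(f"192.168.{third}.0/24")
        if not any(cand.overlaps(o) for o in others):
            return f"{cand.network_address + 1}/{cand.prefixlen}"
    raise ValueError("no free 192.168.x.0/24 left")


def check_plan(interfaces: Dict[str, str]) -> str:
    """Report overlaps and what to change; 'ok' when the plan is clean."""
    overlaps = find_overlaps(interfaces)
    if not overlaps:
        return "ok"
    lines = []
    for a, b in overlaps:
        if a.startswith("WAN") and b.startswith("WAN"):
            # Two WAN gateways in one subnet cannot be told apart by routing:
            # this has to be fixed on the modem side, not on pfSense.
            lines.append(f"{a} and {b} overlap: re-address one modem's LAN side "
                         f"so each WAN gateway sits in its own subnet")
        else:
            lines.append(f"{a} and {b} overlap: move LAN to {suggest_lan(interfaces)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(check_plan(SAMPLE_SINGLE_WAN))
    print(check_plan(SAMPLE_MULTI_WAN))
```

Run it before enabling DHCP on the LAN side: with the thread's addresses it reports the WAN/LAN overlap and proposes 192.168.2.1/24 (any other unused 192.168.x.0/24, such as the 192.168.42.1/24 suggested above, works equally well). The multi-WAN table shows the case pfSense cannot fix for you, two modems answering in the same subnet, which is why the earlier reply puts each modem on its own switch VLAN or physical NIC and expects each to have its own subnet.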
OK, you know my answer : THANKS !
-
thank you