Has anyone tried to use 2 pfsense servers?



  • Hi, first of all, I'm a noob not only with pfSense but also with networking. I can only understand a few terms.
    I've read the pfSense Cookbook and it helped me a lot. I'm the IT person for this company of 50 wired users
    and 30 mobile phone/laptop users. I've been using pfSense since December last year and it really did wonders,
    most of all because it's free. Thank you. But please bear with me with my terminology, or when sometimes I can't understand
    everyone's explanations.

    I have 2 pfSense servers, both firewalls.
    Why 2? One for wired connections [mainpf] and the other for wireless connections [2ndarypf].

    Basically my mainpf worked so well with DHCP broadcasting, monitoring reports and blocking websites that I wanted to do the same thing with our wireless router.

    My current setup is:
    ISP <--> [mainpf, DHCP 192.168.1.1-254] <--> [192.168.1.3 2ndarypf, DHCP 192.168.100.1-254] <--> [192.168.100.4 wifirouter1, DHCP 192.168.2.1-254] and [192.168.100.5 wifirouter2, DHCP 192.168.3.1-254]

    My current setup is (in case what I wrote above can't be understood):
    our ISP to my [mainpf], broadcasting 192.168.1.1-254...
    using 192.168.1.3, assigned by my [mainpf], for [2ndarypf];
    now my [2ndarypf] broadcasts 192.168.100.1-254,
    using 192.168.100.4, assigned by my [2ndarypf], for my wifirouter1
    and 192.168.100.5, assigned by my [2ndarypf], for my wifirouter2.

    My first question is: is there a way for me to connect to my [2ndarypf] GUI using my browser while on [mainpf]?
    I've been switching from one cable to another instead... I was wondering if there's another way to do it.
    Second question: how about my wifirouter1 and wifirouter2 GUIs?

    Again, I'm sorry if understanding this question gave you a much worse headache.



  • Hi daggero, and welcome to the pfSense forums :)

    There is no need for a dedicated pfSense router for only wireless devices. Add another NIC to your primary firewall where you put your wireless access points. You can then add a dedicated DHCP range and firewall rules for that NIC.

    Just be aware of the fact that when/if you add another network card to your primary router, you may need to assign interfaces again, since the ordering of the NICs might change.

    Edit: Just noticed that you also are using NAT/DHCP server on both your wireless access points. This is not necessary; let pfSense deal with that. I reckon the access points have an integrated switch? Instead of connecting pfSense to the WAN port on the access points, use the LAN ports, and disable the DHCP server on the access points. This will make the wireless access points behave like regular switches.

    To answer your questions in regards to your current setup:

    1. Yes, you could add a firewall rule on the [2ndarypf] WAN interface that allows management traffic. You would then use http://192.168.1.3 as the URL for management when you are on the [mainpf] network.
    2. Maybe possible with port forwarding, but unnecessarily complex.


  • @vindenesen:

    Hi daggero, and welcome to the pfSense forums :)

    Thank you vindenesen :)

    @vindenesen:

    There is no need for a dedicated pfSense router for only wireless devices. Add another NIC to your primary firewall where you put your wireless access points. You can then add a dedicated DHCP range and firewall rules for that NIC.

    Just be aware of the fact that when/if you add another network card to your primary router, you may need to assign interfaces again, since the ordering of the NICs might change.

    I ran out of NIC slots on my motherboard... the board can only accommodate 2 NICs + 1 built in. I'm using the other NIC for our failover ISP.

    @vindenesen:

    Edit: Just noticed that you also are using NAT/DHCP server on both your wireless access points. This is not necessary; let pfSense deal with that. I reckon the access points have an integrated switch? Instead of connecting pfSense to the WAN port on the access points, use the LAN ports, and disable the DHCP server on the access points. This will make the wireless access points behave like regular switches.

    Yes, I do have DHCP enabled on both wireless APs, and yes, integrated switch.
    I just took out wifirouter1 and connected it to my mainpf, but it's still connected on the WAN port.
    I have wifirouter1 on all access because all the department heads are connected there,
    and they annoyingly demand all access. Thanks to pf's traffic shaper. Plus I don't want to mix the wifi IPs and LAN IPs
    from my mainpf. (Honestly I don't know if there's another way to separate the 192.168.1.xxx and 192.168.2.xxx.)

    But on wifirouter2 I wanted to do experiments with the 2ndary pfSense and wifirouter2,
    because what people are doing here in the office is that they use their mobile phones to connect to
    my wifirouter2 and use their mobile devices as an access point... for other employees...

    @vindenesen:

    To answer your questions in regards to your current setup:

    1. Yes, you could add a firewall rule on the [2ndarypf] WAN interface that allows management traffic. You would then use http://192.168.1.3 as the URL for management when you are on the [mainpf] network.

    thanks for this.

    @vindenesen:

    2. Maybe possible with port forwarding, but unnecessarily complex.

    Okay, I'll disregard the second question.
    If you guys have previous posts or links that I can read, thanks in advance :)


  • Netgate Administrator

    I agree with vindenesen, you have a lot of NATing going on that's not really necessary. An ideal situation would be: both your APs running purely as APs (no NAT or DHCP) and connected directly to one pfSense box. Doing that gives you control over all traffic in one place and also allows the most flexibility in configurations.

    You only have 3 NICs and no more slots. You could get around this by using a dual or quad port NIC. You could also do it by using VLANs with a suitable managed switch which may be cheaper. Perhaps you already have such a switch?

    You can add port forwarding to access all your devices in their current configuration. Have a look here:
    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    This is also useful:
    http://pfsensesetup.com/port-forwarding-with-nat-in-pfsense/

    Steve
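Putting vindenesen's answer to question 1 and the port-forward links above into pf terms, here is an added example, written for this edit rather than taken from the thread or from pfSense's generated rules, of what [2ndarypf] would end up with. It assumes an interface name (em0 for the WAN that faces mainpf's LAN), that the pfSense webGUI listens on HTTPS/443, and two arbitrarily chosen forward ports (8081/8082); the addresses come from the first post. In the webGUI these correspond to a pass rule under Firewall > Rules > WAN and two entries under Firewall > NAT > Port Forward. Two checks before expecting this to work: the WAN "Block private networks" option on [2ndarypf] has to be off, because its WAN sits on 192.168.1.0/24, and a consumer wireless router only answers on its 192.168.100.x (WAN-side) address if remote management is enabled in its firmware, which is one more reason to run them as plain APs as suggested above.

```pf
# Added example, not from the thread: pf.conf view of the rules on [2ndarypf].
# Assumed: WAN = em0 (192.168.1.3, upstream is mainpf's LAN), webGUI on HTTPS/443,
# forward ports 8081/8082 chosen arbitrarily. Addresses are those from the first post.
wan_if      = "em0"
mainpf_lan  = "192.168.1.0/24"
wifirouter1 = "192.168.100.4"
wifirouter2 = "192.168.100.5"

# Question 1: reach the 2ndarypf GUI from the mainpf network.
# Only mainpf's LAN may talk to the WAN address, and only on the GUI port;
# everything else inbound on WAN stays blocked by the default policy.
# Prerequisite: WAN "Block private networks" must be off on 2ndarypf, since
# its WAN lives in RFC1918 space.
pass in quick on $wan_if inet proto tcp from $mainpf_lan to ($wan_if) port 443 \
    flags S/SA keep state

# Question 2: reach the two wireless routers' GUIs through 2ndarypf.
# One distinct WAN-side port per device, translated to port 80 on the router's
# 192.168.100.x address. The router must accept management on that address
# (its own WAN side), which most consumer firmware refuses unless "remote
# management" is switched on.
rdr pass on $wan_if inet proto tcp from $mainpf_lan to ($wan_if) port 8081 -> $wifirouter1 port 80
rdr pass on $wan_if inet proto tcp from $mainpf_lan to ($wan_if) port 8082 -> $wifirouter2 port 80
```

From a host on mainpf's LAN the three GUIs are then https://192.168.1.3, http://192.168.1.3:8081 and http://192.168.1.3:8082. Restricting the source to $mainpf_lan rather than "any" matters even on an internal link: the management pages of all three devices are otherwise reachable from whatever mainpf forwards towards 192.168.1.3.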



  • Hello,

    I am currently using 2 pfSense boxes, but it's more because said boxes are small (repurposed) thin clients, and they don't have much power. There is only one 32-bit PCI slot, and a 1 GHz single-core CPU in each, not to mention only 1 GB of RAM and a 2 GB flash chip (SSD). One of the boxes is performing DHCP & DNS, as well as Squid and SquidGuard. It has a PCI to PCMCIA/CardBus adapter installed, with a 2 GB Microdrive for use as the squid cache and various logs - I don't want to ruin the flash with too many writes. The other box has a second NIC, and is doing NAT, and some other stuff.

    Now, to add to the discussion at hand:
    If the 2 WiFi routers are set up as APs only, with the DHCP server off on both units, then getting to the web GUI should be as simple as opening a web browser and going to each router's IP address.

    Also, if you need to separate the wifi addresses and corresponding traffic to each router, then, yeah, use a managed switch, and separate out each subnet as needed.

    Alternately, your WiFi routers may already support VLANs, but the embedded GUI may not allow access to such settings. Usually the WAN port is part of the LAN switch physically, but is segregated out by way of VLANs. For more info on this topic, as well as info on how to get to the advanced features of your specific router, if it is supported, search the Internet for OpenWRT, DD-WRT, Tomato Linux, and related distributions. These are essentially the same idea as pfSense - at least as far as getting a free, open-source router solution. These are specifically focused on actual WiFi routers, rather than custom-built and brand-name computers. I am especially fond of OpenWRT, but it is not as well suited to beginners. It is rather "bleeding-edge" stuff.



  • @stephenw10:

    I agree with vindenesen, you have a lot of NATing going on that's not really necessary. An ideal situation would be: both your APs running purely as APs (no NAT or DHCP) and connected directly to one pfSense box. Doing that gives you control over all traffic in one place and also allows the most flexibility in configurations.

    Well, I agree with you. But this dual-pfSense boxing started when I wondered if I could generate a proxy report using
    the lightsquid report on my AP, because I can easily track all IP activity on LAN, but on the AP I couldn't see who's being a pain,
    since... again, that AP has all access, as requested by our management.

    But I'm also bothered by these mobile devices that have a hotspot feature, since they use their mobile phones
    to access my AP and give open access to anyone (yes, management also requested their mobile phones too),
    and pfSense couldn't monitor those who are connected to those hotspots... or so I think, or I don't have any idea how to.

    @stephenw10:

    You only have 3 NICs and no more slots. You could get around this by using a dual or quad port NIC. You could also do it by using VLANs with a suitable managed switch which may be cheaper. Perhaps you already have such a switch?

    Quad NIC... I never knew such a thing existed. Thanks for letting me know; I'll look for one here.
    I'll read about VLANs. I just quickly googled what it is and it sounds promising. At some point I really don't need another pf box.

    @stephenw10:

    You can add port forwarding to access all your devices in their current configuration. Have a look here:
    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    This is also useful:
    http://pfsensesetup.com/port-forwarding-with-nat-in-pfsense/

    I'll take a close look at all these links. Thanks for the help, Steve :)



  • @aaronouthier:

    Hello,

    I am currently using 2 pfSense boxes, but it's more because said boxes are small (repurposed) thin clients, and they don't have much power. There is only one 32-bit PCI slot, and a 1 GHz single-core CPU in each, not to mention only 1 GB of RAM and a 2 GB flash chip (SSD). One of the boxes is performing DHCP & DNS, as well as Squid and SquidGuard. It has a PCI to PCMCIA/CardBus adapter installed, with a 2 GB Microdrive for use as the squid cache and various logs - I don't want to ruin the flash with too many writes. The other box has a second NIC, and is doing NAT, and some other stuff.

    I had to read this 4 times just to basically understand it. Thank you, I didn't think pf could do that.

    @aaronouthier:

    Now, to add to the discussion at hand:
    If the 2 WiFi routers are set up as APs only, with the DHCP server off on both units, then getting to the web GUI should be as simple as opening a web browser and going to each router's IP address.

    Yes, I understand. But I was wondering if I could do it without bringing a long cable, and access it here from my PC.
    Since they have their own DHCP, I don't know if I could access the AP's GUI from IP 192.168.1.5 to a 192.168.2.1 AP...

    @aaronouthier:

    Also, if you need to separate the wifi addresses and corresponding traffic to each router, then, yeah, use a managed switch, and separate out each subnet as needed.

    Alternately, your WiFi routers may already support VLANs, but the embedded GUI may not allow access to such settings. Usually the WAN port is part of the LAN switch physically, but is segregated out by way of VLANs. For more info on this topic, as well as info on how to get to the advanced features of your specific router, if it is supported, search the Internet for OpenWRT, DD-WRT, Tomato Linux, and related distributions. These are essentially the same idea as pfSense - at least as far as getting a free, open-source router solution. These are specifically focused on actual WiFi routers, rather than custom-built and brand-name computers. I am especially fond of OpenWRT, but it is not as well suited to beginners. It is rather "bleeding-edge" stuff.

    Subnets and VLANs... I'll do some research on these. Thanks, Aaron.

    I really apologize for this; it feels like I'm giving everyone a hard time over a really simple problem.
    Thanks everyone for helping. I'll go through everything one at a time.


  • Netgate Administrator

    No need to apologise, you're not giving us a hard time.  :)
    If anything it's us giving you a hard time with some unusual suggestions. If it were me I too would look at using VLANs on the access points directly, and that might mean running a 3rd party firmware. The reason I would do that is that you could accomplish everything you want without having to buy any new hardware. However if you've never tried dd-wrt, openwrt etc. you could be in for a steep learning curve.

    Steve



  • @stephenw10:

    No need to apologise, you're not giving us a hard time.  :)
    If anything it's us giving you a hard time with some unusual suggestions. If it were me I too would look at using VLANs on the access points directly, and that might mean running a 3rd party firmware.

    I definitely concur, but moreover, I think most of us realize there was a time wherein we were sitting in your seat, so to speak. As a community, helping each other benefits the whole community. One might think of it like this: If you know your class is having a spelling bee, you could try to pick only the best spellers. If the other team has already done that, then you just have to educate your "weak links" and make them better than the already good spellers on the other team - in other words, strengthening the team members also strengthens the team as a whole. It's not that any one is smarter or better than anyone else, so much as some are further along in their quest for knowledge than others.

    Knowledge - pass it on…


  • Netgate Administrator

    Luckily this isn't a spelling bee. Many of us would not make that team!  ;D

    Steve



  • @stephenw10:

    No need to apologise, you're not giving us a hard time.  :)
    If anything it's us giving you a hard time with some unusual suggestions. If it were me I too would look at using VLANs on the access points directly, and that might mean running a 3rd party firmware. The reason I would do that is that you could accomplish everything you want without having to buy any new hardware. However if you've never tried dd-wrt, openwrt etc. you could be in for a steep learning curve.

    Steve

    Yes, I'm currently looking at videos about VLANs. Thank you.
    And my AP here is a DD-WRT, and the other AP is a TP-Link. I haven't seen OpenWRT yet, I think...

    And maaan, there are a lot of questions I'd like to ask everyone, but I'm a bit busy.
    I guess I'll ask just a few questions for now. Links, if you guys have read it somewhere in the forums :)

    In Firewall: Traffic Shaper: Limiter, I made 4 limiters:

    1mb IN \ 1.5mb OUT
    These are for those who have all access (management/department heads, the boss himself)
    who wish to have their connection just like at home, without restrictions.

    800kb IN \ 1mb OUT
    And these are for the special employees (brown-nosed people for always kissing the management/department heads' a$$es),
    restricted but who requested Facebook to be allowed.

    My questions are:
    1. For a single user doing regular office work, how much would you limit their IN/OUT?
    2. If inside a single alias there are 5 people, and I gave that alias a 1mb limit rule,
    would that mean those 5 share 1mb, or will each of the 5 have 1mb?

    3. Is there a "Network/pfSense best practices" book somewhere? haha

    @aaronouthier:

    @stephenw10:

    No need to apologise, you're not giving us a hard time.  :)
    If anything it's us giving you a hard time with some unusual suggestions. If it were me I too would look at using VLANs on the access points directly, and that might mean running a 3rd party firmware.

    I definitely concur, but moreover, I think most of us realize there was a time wherein we were sitting in your seat, so to speak. As a community, helping each other benefits the whole community. One might think of it like this: If you know your class is having a spelling bee, you could try to pick only the best spellers. If the other team has already done that, then you just have to educate your "weak links" and make them better than the already good spellers on the other team - in other words, strengthening the team members also strengthens the team as a whole. It's not that any one is smarter or better than anyone else, so much as some are further along in their quest for knowledge than others.

    Knowledge - pass it on…

    Thanks for sharing the knowledge, and I'll pass it on too.

    @stephenw10:

    Luckily this isn't a spelling bee. Many of us would not make that team!  ;D

    Steve

    LOL


  • Netgate Administrator

    It's almost impossible to give you a recommendation on how much bandwidth you should assign. It depends on how much each user actually needs, which varies a lot. What is your WAN bandwidth total? The fact that you have assigned limiters with greater outgoing bandwidth than incoming indicates your usage is different from any network I've worked on. Or is that reversed, from the LAN interface point of view?
    Depending on how you've set up the traffic shaping it could be either 1Mb each or shared between all. Traffic shaping is probably the most difficult part of pfSense to understand IMHO.
    There is a pfSense book and it's very good. However the book that's currently available was written for 1.2.3, so it's outdated. There is a new book that should be released 'soon'.

    Steve



  • @stephenw10:

    It's almost impossible to give you a recommendation on how much bandwidth you should assign. It depends on how much each user actually needs, which varies a lot. What is your WAN bandwidth total? The fact that you have assigned limiters with greater outgoing bandwidth than incoming indicates your usage is different from any network I've worked on. Or is that reversed, from the LAN interface point of view?
    Depending on how you've set up the traffic shaping it could be either 1Mb each or shared between all. Traffic shaping is probably the most difficult part of pfSense to understand IMHO.
    There is a pfSense book and it's very good. However the book that's currently available was written for 1.2.3, so it's outdated. There is a new book that should be released 'soon'.

    Steve

    Thanks Steve.
    Sorry, it is from the LAN PoV.
    We only have a 5mb connection, so for 60++ people, including everyone's mobile phones and laptops, I think I need to shape traffic.



  • Traffic shaping with PRIQ isn't too hard to handle.  There is an excellent HFSC thread going on right now in the Traffic Shaping forum if you need to worry about realtime traffic guarantees.

    Becoming a pfSense Gold Member gives you access to the 2.x manual, which is a work in progress.


  • Netgate Administrator

    Yep, the draft V2 book is well worth a read if you have the gold subscription.
    With a 5Mbps connection shared between 60 clients you may need some relatively complex shaping to keep things moving.
    Is the connection symmetric, 5Mbps up also?
    For example, rather than specifying a bandwidth limit per user you can instead reserve some bandwidth for important tasks/users, leaving the rest to be used by anyone. Again it depends what your users need. I have no idea what sort of business you're involved with, but maybe most of those 60 clients only occasionally send emails.

    Steve
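As an added illustration of the "reserve instead of cap" approach in the post above (an editor's example, not from the thread and not pfSense's generated rules), here is the ALTQ/HFSC configuration pf would use for it on a single box with a symmetric 5 Mbps uplink, which is the setup the thread has been steering towards. The interface name em0, the queue names and the two addresses in the table are assumptions. It also bears on the earlier question about five hosts under one 1mb rule: an ALTQ queue's bandwidth is an aggregate shared by every host classified into it, and a pfSense limiter behaves the same way unless its Mask option is set to source or destination addresses, in which case one pipe is created per host and each gets the figure on its own.

```pf
# Added example, not from the thread: HFSC shaping on a single pfSense box.
# Assumptions: WAN interface em0 on a symmetric 5 Mbps link; the table holds
# constructed sample addresses standing in for the "all access" management hosts.
wan_if = "em0"
table <mgmt_hosts> { 192.168.1.10, 192.168.1.11 }

# Root queue at the real uplink rate. Set it higher than the link and the ISP's
# buffer does the queueing instead of pf, and the priorities below stop working.
altq on $wan_if hfsc bandwidth 5Mb queue { q_mgmt, q_default }

# Management hosts: 1.5 Mb guaranteed whenever they are sending (realtime), and
# free to borrow up to the whole link when nobody else is (upperlimit). While
# they are quiet the guarantee costs the other users nothing.
queue q_mgmt    bandwidth 30% hfsc(realtime 1.5Mb, upperlimit 5Mb)

# Everyone else shares the remainder; traffic no rule classifies lands here.
queue q_default bandwidth 70% hfsc(default)

# Classification. pf applies the last matching rule, so the catch-all comes
# first and the management rule overrides it for matching source addresses.
pass out on $wan_if inet all keep state queue q_default
pass out on $wan_if inet from <mgmt_hosts> to any keep state queue q_mgmt
```

ALTQ only shapes what leaves an interface, so this block governs uploads; the download direction needs the same queue structure on the LAN interface's outbound side, with the classification rules keyed on destination rather than source. Compared with the per-user limiters in the earlier post, nobody here is pinned to a fixed rate: the reservation only bites when the link is actually saturated.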