Netgate Discussion Forum
    Would pfsense be able to handle the needs of my company?

    General pfSense Questions
    8 Posts, 8 Posters, 2.1k Views
      jamesp81:

      We have an old Cisco router that we are going to retire for a number of reasons, chief among them being that the vendor that sold it to us, after promising to train us to administer it, didn't train us.  The box is getting old and maintenance on it is difficult, so we're looking to change.

      Here are the features / requirements for any replacement that we're looking at:

      It will need to handle between 20 and 30 users that rely on relatively low bandwidth applications, though their bandwidth use will be constant.

      It will need to handle an Exchange server that serves about 50 users, 20 of which are accessing it on the same network; the rest are accessing it over the internet.

      It will need to be able to handle site to site VPN from our HQ to about 8 remote sites and the users in the remote sites.  The remote sites are small and generally have about 5 users in each site.

      It will need to handle Active Directory replication to a domain controller in each site.

      It will have to be able to provide Option 66 (TFTP) and Option 4 (NTP).

      It will have to be capable of handling Multilink PPP (this is because one of our data connections is a bonded T1 that comes in on two RJ-45s that are linked on our old Cisco box).

      It will need to be able to handle having different physical NICs: 1 for our cable internet, 2 for our bonded T1, 1 for our internal LAN, and one for our DMZ.

      It will have to be able to route traffic between our two internet connections (bonded T-1 and cable).  We run outbound SMTP and HTTP traffic on our cable, and our users gathering email from our Exchange server receive their traffic over the bonded T-1.  We also have failover set up so that if one connection goes down, all traffic can be run off the other connection.

      My biggest concerns are 1) that pfSense running on a blade server will be able to reliably do all this, 2) finding a blade server with 5 NICs, 3) that pfSense can handle the Multilink PPP required to make our bonded T-1 run properly, and 4) that we will be able to split out traffic as outlined above.

      The most important of these is pfSense's ability to handle the bonded T-1.

      Last question: does pfSense's license permit use by business?

      Edit: A nice feature to have would be the ability to split our DHCP pool between multiple ranges.  Not required, but would be nice.

        Derelict (LAYER 8, Netgate):

        There are no T1 interfaces available for pfSense that I know of.  Nor is there any functionality to configure them in the GUI.

        Are you positive something better isn't available?  10Mb Metro-E or something?

        I think there might be a way for you to get a device that will do the MLPPP for you then basically bridge the result to ethernet for your pfSense WAN.

        Perhaps your existing Cisco will do it (greatly reducing its role and complexity to simply that - T1/MLPPP to Ethernet bridge) or something like an Adtran NetVanta 3200 can do it I think.

        http://www.adtran.com/web/page/portal/Adtran/product/1203860G1/9

        Your T1 provider might also be able to provide a device to convert the T1s to ethernet for handoff to you.  I'd start the conversation there - tell them you want ethernet handoff instead of T1s.

        Nothing else looks too difficult.  I would probably just let your domain handle DNS and DHCP duties.

        Why are you married to a blade server?  (http://store.pfsense.org/c2758/)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          chpalmer:

          Or maybe something similar to a couple of these devices bridging the T-1 to ethernet and pfSense doing the MLPPP.

          There are many PCI-e T-1 interface cards out there but no guarantees on whether there is a correct driver to run them or an easy way to config them. You would have to do some research or wait for a reply from someone doing it themselves...

          Support from the pfSense portal might be just the ticket for you guys to get you going.

          https://portal.pfsense.org/gold-subscription.php

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            Keljian:

            @jamesp81:

            Here are the features / requirements for any replacement that we're looking at:

            It will need to handle between 20 and 30 users that rely on relatively low bandwidth applications, though their bandwidth use will be constant.

            pfSense can do that

            It will need to handle an Exchange server that serves about 50 users, 20 of which are accessing it on the same network, the rest are accessing it over the internet

            That too

            It will need to be able to handle site to site VPN from our HQ to about 8 remote sites and the users in the remote sites.  The remote sites are small and generally have about 5 users in each site.

            And that

            It will need to handle Active Directory replication to a domain controller in each site.

            Yep that too

            It will have to be able to provide Option 66 (TFTP) and Option 4 (NTP).

            Pretty confident it can do that - confirm with someone with more knowledge

            It will have to be capable of handling Multilink PPP (this is because one of our data connections is a bonded T1 that comes in on two RJ-45s and are linked on our old Cisco box)

            Definitely can do that (though see above posts)

            It will need to be able to handle having different physical NICs: 1 for our cable internet, 2 for our bonded T1, 1 for our internal LAN, and one for our DMZ.

            Yep can do that

            It will have to be able to route traffic between our two internet connections (bonded T-1 and cable).  We run outbound SMTP and HTTP traffic on our cable, and our users gathering email from our Exchange server receive their traffic over the bonded T-1.  We also have failover set up so that if one connection goes down, all traffic can be run off the other connection.

            Yep, can do failover

            Last question: does pfSense's license permit use by business?

            Yes - Though for timely support, a support registration like a "gold" subscription would be suggested.

            Edit: A nice feature to have would be the ability to split our DHCP pool between multiple ranges.  Not required, but would be nice.

            Yep, can do that.

              LFCavalcanti:

              @Keljian:

              Last question: does pfSense's license permit use by business?

              Yes - Though for timely support, a support registration like a "gold" subscription would be suggested.

              Just a little correction.

              pfSense is free of license charge to use in business environments; however, it is best to buy the Gold subscription to have their support.

              –

              Luiz Fernando Cavalcanti
              IT Manager
              Arriviera Technology Group

                stephenw10 (Netgate Administrator):

                Just for information, pfSense Gold is not a support subscription. It's well worth having as a user for what it does provide IMHO, but support hours are not one of the things it provides.
                If you need support consider the support subscription:
                https://portal.pfsense.org/support-subscription.php

                Steve

                  charliem:

                  @Keljian:

                  It will have to be able to provide Option 66 (TFTP) and Option 4 (NTP).

                  Pretty confident it can do that - confirm with someone with more knowledge

                  Lots of good info above …

                  Yes, you can specify TFTP and NTP servers quite simply in the GUI.  If the GUI does not offer the direct customization you need for DHCP, the GUI does offer a way to input any text options for DHCP listed here: http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml (Though I have no personal experience using that method).

                  I suggest you take a look at the capabilities of pfSense 2.2 in a VM; you'll be amazed at what's there.

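The DHCP points raised in the thread (Option 4 NTP, Option 66 TFTP, a numbered option from the IANA list, and the split pool from the original poster's edit), as an added example that is not from this thread or from pfSense's own generated configuration: pfSense of this era drives ISC dhcpd, so these are the hand-written dhcpd.conf statements that correspond to what its DHCP Server page sets. All addresses are constructed; the custom option name `cisco-tftp` is an arbitrary label, while code 150 is a real IANA-listed option (Cisco phone TFTP) used here only to show the declare-by-number form.

```conf
# Added example: ISC dhcpd.conf equivalent of the DHCP features discussed.
# Addresses are constructed for illustration.

# A numbered option that dhcpd has no built-in name for: declare it once by
# code and type, then set it like any other option inside the subnet.
option cisco-tftp code 150 = array of ip-address;

subnet 192.168.10.0 netmask 255.255.255.0 {
  option routers 192.168.10.1;
  # Let the domain controller answer DNS, as suggested above.
  option domain-name-servers 192.168.10.5;

  # Option 4 (NTP servers) and Option 66 (TFTP server name) by their
  # built-in names. Option 66 is a text option, hence the quotes.
  option ntp-servers 192.168.10.5, 192.168.10.6;
  option tftp-server-name "192.168.10.20";

  # The numbered option declared above.
  option cisco-tftp 192.168.10.20;

  # "Split" pool: several range statements in one subnet hand out two
  # separate blocks and leave 192.168.10.150-199 for static assignments.
  range 192.168.10.100 192.168.10.149;
  range 192.168.10.200 192.168.10.249;
}
```

Clients that request option 4 or 66 receive the values above in their DHCPOFFER/DHCPACK; a client that never asks for them gets nothing, so a phone that boots without its TFTP address should be checked for which option codes it actually puts in its parameter request list.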
                    GroundX:

                    I've had no problems at all with DHCP Options. So the answer is "yes" on that question!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.