Two pfsense for shaper and squid at the same time? how?
-
please, one question:
I'm considering installing one more pfsense box in order to have both the traffic shaper and proxy filtering; in this case, would this config work?
[internal network]
        ^
        |           _________
        |          | pfsense1|
   -----|----------| nat     |  wan (gw is 10.0.0.3)
  LAN              | dhcpd   |--------------
  10.0.0.1         | squid   | 10.0.0.2    |
                   | sqguard |             |
                    ---------              |
                                    ---------------
                                    |  S w i t c h |
                                    ---------------
                                           |
                                           | lan 10.0.0.3
                                    _______________
                                   | pfsense 2     |
                                   | traffic shaper|
                                   | ntop          |  wan 200.x.x.x (gw is internet router)
                                   | snort         |-----------------> {internet router}
                                   | ip alias      |
                                   | nat           |
                                    ---------------
on "pfsense1" I need:
- squidguard with blacklists, ACLs based on IP numbers (different rules for different departments);
- DHCP server with MAC addresses so that users do not change their IP;
on "pfsense2":
- traffic shaper, configured with different queues, working with different IP alias groups (labs, library, etc.)
- ntop for network information
- snort for IDS and network information
Well, what I need to know is: could this work? This way may I have the shaper and squidguard working for me, always remembering that in both squidguard and the shaper I need different groups with different ACLs and bandwidth! Until now this was all installed on the same machine (only two NICs, lan -> pfsense -> wan) but when I turned on the proxy and squidguard, I could not have the shaper working anymore.
Thanks a lot!
-
-
You can't shape the different IP-Groups this way. The Shaping pfSense sees all the traffic coming from the wan IP of the squid-pfsense as the proxy is masquerading the clients. This way it can't determine which client IP originally initiated the traffic. Besides that it would work.
I would drop the switch though and use a crossover cable. Less power consumption, fewer points of failure ;)
-
Ok hoba, thanks for your post; I can use a crossover cable; but how can I shape different IP groups using two pfsense boxes? Or can I not do that?? And how about the inverse order of pfsense boxes, lan -> shaper -> proxy -> wan?? Would this work?
-
That would work better. I guess you want the following configs:
LAN------LAN/pfSense1/WAN------LAN/pfsense2/WAN-----Internet
pfSense1 is only doing shaping. Disable NAT on that one so pfSense2 can see the originating IPs (firewall>nat, outbound, enable manual outbound nat and delete all rules there). At pfSense2 add a static route to the lan-subnet behind pfSense1 with gateway wan-IP of pfsense1. For simplicity I would create pass any any any rules at WAN and LAN of pfSense1. This way you will configure shaping at pfSense1 and everything else at pfSense2.
-
Hey Hoba, thanks a lot for your help, but can you explain better what you mean with this:
For simplicity I would create pass any any any rules at WAN and LAN of pfSense1. This way you will configure shaping at pfSense1 and everything else at pfSense2.
Does "everything else" mean all kinds of network information programs, proxy, proxy reports, etc.?? Can a simple box (K6-2 500, 128 MB RAM) do the shaper work well, without lags??
again, thanks a lot!
-
Yes, that was what I meant. What kind of throughput do you need to shape? I would think that this box might work for maybe 10+ mbit/s without issues as pure shaper (see http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49 for some recommendations).
-
well, actually I have one 1,5mb (in the shaper wizard I enter 1536 Kb) up/down link to shape with 3 or 4 different groups; this is a light internet connection ;D
thanks again!
-
What does this mean:
For simplicity I would create pass any any any rules at WAN and LAN of pfSense1.
And in this config, with pfsense1 only doing shaping and being closer to the internal network, where should the DHCP server be configured? May it be on pfsense2, even being behind pfsense1 from the LAN clients' point of view?? Assuming that pfsense1 is my new pfsense box and pfsense2 is the old one, which already has dhcpd enabled.
thanks
srs
-
Only the box that faces the subnet with the clients directly can do the DHCP server (unless you configure DHCP relay, but that just makes things unnecessarily difficult). pfSense1 should act as DHCP server for the LAN clients. The subnet between pfsense1 and pfsense2 should be configured statically, as you have to add the route back from pfsense2 to pfsense1 since you shut down NAT at pfsense1.
-
ok Hoba, and adding that static route on pfsense2 means this:
interface: LAN
Destination network: 10.0.0.0/8
Gateway: 10.0.0.2 (wan of pfsense1)
is that right??
If I can use pfsense1 (shaper) to collect network data with ntop, instead of using pfsense2 (distributing disk space between the two boxes), can I do that? Am I wrong, or will the traffic be passing through two boxes so I can collect network statistics from both?
Placing the DHCP server on pfsense1 means that my network clients' gateway will be pfsense1, instead of pfsense2? Then pfsense1 routes the packets to pfsense2, which sends them to the net. Would that be it?
thanks a lot again!
-
You should use something else for the subnet between pfsense1 and pfsense2 or you will have an address conflict. Use something that is not used anywhere, like 172.16.1.1 / .2 for example. Besides that your route would be correct. Traffic stats can be collected on both nodes and should be nearly identical. As you shut down NAT at pfSense1 you will see the original clients at pfSense2 as well.
-
so is it correct that my LAN gateway will be pfsense1 now?
Can I use 172.1.1.1/30 even though it is a public address (this gives me 2 hosts, exactly what I need)??
About the address conflict question, I thought it would be fine, because I'm using unused IPs on all the LAN and WAN NICs…
thanks again.
-
You can't have 10.0.0.0/8 on the LAN and have IPs of that network on your "transfer net" between the pfSenses as well. That is a conflict. 172.16.x.x are private IPs. Use some of that range or some 192.168.x.x network, just something that you do not use anywhere at LAN or maybe remote VPN subnets.
Example:
pfSense1:
LAN 10.0.0.1/8 (do you really need such a big network?)
WAN 172.16.0.1/24
Firewall>NAT, outbound: enable manual outbound NAT and delete the autocreated rules.
pfSense2:
LAN 172.16.0.2/24
WAN 200.x.x.x
System>Static routes: Interface LAN, 10.0.0.0/8 (LAN subnet of pfSense1) via gateway 172.16.0.1 (WAN IP of pfSense1)
-
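The two points hoba makes in this thread (a shaper or proxy behind a NATing box only sees the NAT box's WAN address, and with NAT disabled on pfSense1 the downstream box needs a static route back to the LAN and a transfer net that does not overlap it) can be checked with a small routing model. The following is an added example, not code from the thread or from pfSense; the addresses, the "labs"/"library" alias groups and the internet router address are constructed to match the layout discussed here.

```python
import ipaddress

# Constructed addressing following the thread's final layout:
#   LAN 10.0.0.0/8 -- pfSense1 (shaper, NAT off) -- 172.16.0.0/24 -- pfSense2 (NAT, proxy) -- Internet
LAN_NET = ipaddress.ip_network("10.0.0.0/8")
TRANSFER_NET = ipaddress.ip_network("172.16.0.0/24")
PFSENSE1_WAN = ipaddress.ip_address("172.16.0.1")
INTERNET_GW = ipaddress.ip_address("200.0.0.254")   # placeholder for the internet router

# Hypothetical IP alias groups, one per department, as the poster shapes them
SHAPER_GROUPS = {
    "labs": ipaddress.ip_network("10.1.0.0/16"),
    "library": ipaddress.ip_network("10.2.0.0/16"),
}


def nets_conflict(a, b):
    """True when two prefixes overlap, e.g. a 10.0.0.0/30 transfer net inside a 10.0.0.0/8 LAN."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def source_seen_downstream(client_ip, outbound_nat_enabled):
    """Source address the next box sees after pfSense1 forwards a client packet.

    With outbound NAT on, every client is masqueraded behind pfSense1's WAN address.
    """
    src = ipaddress.ip_address(client_ip)
    return PFSENSE1_WAN if outbound_nat_enabled else src


def shaper_group(src):
    """Map a source address to an alias group; None when no group matches (nothing to shape per group)."""
    for name, net in SHAPER_GROUPS.items():
        if src in net:
            return name
    return None


def next_hop(dst, routes):
    """Longest-prefix-match lookup over [(network, gateway)]; gateway None means directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def pfsense2_routes(with_static_route):
    """pfSense2's routing table: default to the internet router, the transfer net directly connected,
    and optionally the static route back to the LAN via pfSense1's WAN IP."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), INTERNET_GW),
        (TRANSFER_NET, None),
    ]
    if with_static_route:
        routes.append((LAN_NET, PFSENSE1_WAN))
    return routes


def reply_returns_to_lan(client_ip, with_static_route):
    """Does pfSense2 send the reply toward pfSense1 instead of out the default route?"""
    return next_hop(client_ip, pfsense2_routes(with_static_route)) == PFSENSE1_WAN


if __name__ == "__main__":
    print("transfer net 10.0.0.0/30 overlaps LAN:", nets_conflict(LAN_NET, "10.0.0.0/30"))
    print("transfer net 172.16.0.0/24 overlaps LAN:", nets_conflict(LAN_NET, TRANSFER_NET))
    for nat in (True, False):
        for client in ("10.1.0.10", "10.2.0.20"):
            seen = source_seen_downstream(client, nat)
            print(f"NAT={nat}: client {client} seen as {seen}, group={shaper_group(seen)}")
    for static in (False, True):
        print(f"static route={static}: reply to 10.1.0.10 goes back via pfSense1:",
              reply_returns_to_lan("10.1.0.10", static))
```

Running it shows why per-group shaping failed in the original order (every client collapses to 172.16.0.1 and matches no group), and why the reply path needs the static route once NAT is off: without it, pfSense2 hands the reply to its default gateway.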
I really do not need such a big network ;)
Currently I'm separating this network into different subnets for departments, labs, as 10.1.x, 10.2.x, only to try to 'organize' things.
Well, and as I asked, if DHCP will be running on pfsense1, then my LAN's gateway will be 10.0.0.1 (pfsense1)?? Right?
thanks again!
-
Correct.
-
I installed the 2nd pfsense box, made a crossover cable, configured it as said before, and at least I can surf the net, RSS; but I have not tested the shaper yet; I'll do these tests tomorrow morning.
But one strange thing that I've noticed is that I cannot log on to MSN anymore; traffic shaping on both pfsense boxes is enabled with low priority for MSN (enabled on both, but as I use squid on one, the shaper on that pfsense does not act), but we never had any problem logging in to MSN or any other kind of messenger.. any idea?
thanks
-
Are you by any chance using the imspector package?
-
No, I'm not using it; I discovered now (other users discovered ;D) that gmail isn't working (I think it is some problem with https), and other services that require special ports opened; do I have to do any other kind of config in NAT or the firewall?
I also cannot access simple sites such as http://mail.yahoo.com/ or www.hotmail.com, which aren't in any blacklist or ACL
thanks
-
Can you make sure DNS is working correctly? Maybe some hosts are not being resolved properly?
-
I configured the second pfsense with the same DNS servers I used in the first one; I have found something: when I disable the transparent proxy, everything (the sites that are working) stops working; I think the problem with the sites that are not working is that they have some part in https and can't contact it, or it can't return to the client… it seems that only the proxy is accessing the internet; when I turn it off everything stops... what do you think?
thanks