DMZ like IP sharing and Limiter - Is it possible?
-
Hi everyone,
I have two offices that want to share a 100 Mbps fiber. There is a catch: the 2nd office wants to do its own routing with its own router (whatever that turns out to be), so pfSense would only do IP CARP (??? I guess) for that, while Office-A will have pfSense as its router. I am wondering if I can achieve all of the below using one pfSense 2.2.2 router and, more importantly, how?
1- Share and limit each office to 50 Mbps upload and download - I am familiar with the limiter in traffic shaping (would this work with CARP?)
2- Office-A will have its WAN interface on pfSense obtaining IP 105.55.122.226 - This is easy to do on the WAN interface and already working
3- Office-B will have its own Cisco router but will connect to pfSense to obtain IPs 105.55.122.251-254 - Is this where CARP gets involved? What should be put in CARP for Office-B to obtain the last three IPs?
*Office-B has to be on pfSense since I want to limit their usage to 50 Mbps.
Following is the /27 example IP network available to me:
Network Address: 105.55.122.224
Gateway Address: 105.55.122.225
Usable IPs: 105.55.122.226 to 105.55.122.254
Thanks,
-
If it were me, I'd do this with an L3 smart switch. I'd set bandwidth limits on the ports the two companies' edge devices' WAN ports connect to.
-
If it were me, I'd do this with an L3 smart switch. I'd set bandwidth limits on the ports the two companies' edge devices' WAN ports connect to.
I like your simplistic approach. Can you please detail:
1- An example of the switch type you have in mind?
2- Would the switch do IPs and routing, or would it act as a dumb switch in that regard?
3- Are all managed smart switches capable of splitting the bandwidth 50/50 Mbps, and is that why you were suggesting a managed switch?
4- Would both my pfSense and the Office-2 router connect to the same switch and obtain the same /27 subnet but just use different usable IPs?
Thanks,
-
Is there any reason why the bandwidth has to be split 50:50?
If one office is out/not using the net access, surely it's a waste of time for the other office to be waiting twice as long for any bandwidth-intensive activities?
Perhaps you could set up pfSense so it load balances down to a 50:50 split when both LAN NICs are in equal use?
Perhaps you could weight the two LAN interfaces a bit like what is described here?
https://forum.pfsense.org/index.php?topic=42959.0
http://www.tecmint.com/how-to-setup-failover-and-load-balancing-in-pfsense/
How to assign IP addresses to LANs
https://forum.pfsense.org/index.php?topic=68793.msg376512#msg376512
-
Is there any reason why the bandwidth has to be split 50:50?
If one office is out/not using the net access, surely it's a waste of time for the other office to be waiting twice as long for any bandwidth-intensive activities?
Hi, this is a strict requirement because Office-A has a VoIP system and a data network, and Office-B wants to be able to do their own routing. I need to give them 50/50 because of Quality of Service and because they are sharing the bill. I don't mind using a switch if it can do what I asked above. Is your switch solution still a viable one? If yes, please answer the questions posed above.
Otherwise, if I have to involve pfSense, from what I gathered, I should use Proxy ARP.
Thanks,
-
It would be simpler to just do a straight 50:50 split, but with pfSense, if you wanted to get a bit more technical, you could enforce quality of service as seen here:
https://doc.pfsense.org/index.php/Traffic_Shaping_Guide
https://forum.pfsense.org/index.php?topic=50337.0
Problem is, you don't really have any QoS control upstream unless it's built into your ToS, so your QoS becomes less of an issue on the open internet.
VoIP lines generally need around 100 Kb for reasonable call quality per line, if you need some figures to work from, but it's codec dependent. I've streamed VoIP calls over 2G and 3G mobile networks (not tried 4G yet), but mobile is much less reliable for VoIP due to the way it works compared to landline-based net access.
What's the data being used for? Syncing SQL DBs? Just curious, but you might have some things to watch out for there as well due to the way some SQL DBs synchronise themselves; latency could be a nuisance here. :)
For the billing being split, is it unlimited bandwidth/download or are you capped?
If capped, how would a 50:50 speed split work with the different data quantities that can be downloaded by each party?
This might be relevant for managing the different amounts of data each party could download over the month.
https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage
https://doc.pfsense.org/index.php/Vnstat
I haven't suggested a switch solution, just pfSense; the L3 switch was almabes.
-
If it were me, I'd do this with an L3 smart switch. I'd set bandwidth limits on the ports the two companies' edge devices' WAN ports connect to.
I like your simplistic approach. Can you please detail:
1- An example of the switch type you have in mind?
2- Would the switch do IPs and routing, or would it act as a dumb switch in that regard?
3- Are all managed smart switches capable of splitting the bandwidth 50/50 Mbps, and is that why you were suggesting a managed switch?
4- Would both my pfSense and the Office-2 router connect to the same switch and obtain the same /27 subnet but just use different usable IPs?
Thanks,
1. Any decent switch will do port-based ingress and egress rate limiting. Some will be easier to configure than others. I just purchased a 48-port Cisco 2900 series GigE switch for ~$180. If you don't care about the two businesses' Ethernet traffic being visible to each other's edge device, then you can get away with a Layer 2 device. Cisco SG300 switches can be had for $180. Mikrotik switches are supposed to do this too, and for ~$40. Tim McManus just got one for a project he and I are working on.
2. A Layer 3 switch can do the routing for you. You can break up the /27 you have been allocated into a few /29 networks and set up separate VLANs.
3. I know most managed Cisco gear will do this. Others? RTFM YMMV
4. You could configure it that way, but you would need some coordination to make sure nobody uses duplicate IP addresses, etc. You could get away with a L2 device then.
-
If it were me, I'd do this with an L3 smart switch. I'd set bandwidth limits on the ports the two companies' edge devices' WAN ports connect to.
1. Any decent switch will do port-based ingress and egress rate limiting. Some will be easier to configure than others. I just purchased a 48-port Cisco 2900 series GigE switch for ~$180. If you don't care about the two businesses' Ethernet traffic being visible to each other's edge device, then you can get away with a Layer 2 device. Cisco SG300 switches can be had for $180. Mikrotik switches are supposed to do this too, and for ~$40. Tim McManus just got one for a project he and I are working on.
2. A Layer 3 switch can do the routing for you. You can break up the /27 you have been allocated into a few /29 networks and set up separate VLANs.
3. I know most managed Cisco gear will do this. Others? RTFM YMMV
4. You could configure it that way, but you would need some coordination to make sure nobody uses duplicate IP addresses, etc. You could get away with a L2 device then.
Thanks for the input.
I was discussing the SG800 earlier on the Cisco IRC channel and heard that Policing / Shaping on it would only control TCP, which adheres to limiters, and not UDP, for example. To me that is not a true port-based bandwidth limit. If Office-A has an app that uses UDP a lot, then it can eat bandwidth from the other office.
A- Can you confirm this is true?
B- Coordination is possible. What example of a Layer-2 switch do you have for this purpose at around the same price?
C- With a Layer-2 switch, Office-A and Office-B will set up the /27 but simply use different usable IPs on their end - is that correct?
*I would like to stick to Layer-2 as it will be dumb in all other regards but limiting speed to 50 Mbps per port.
-
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
Chapter 25. Page 499 and 500
Configure your two Gig ports with ingress and egress limits and leave it in Layer 2 mode.
I've got an unused SG300-10 PoE version at work. I'll bring it home and bandwidth limit the kids as a POC. They'll LOVE that! ;D
-
A. Cisco SG300 does port based bandwidth limiting. It's almost too easy to configure. It can do other types of flow based limiting, but that isn't what you're looking for.
B. The SG300 operates in Layer 2 mode unless you configure it otherwise.
C. You are correct.
-
-
Configured port based ingress and egress limits on the kids.
Before (no limits other than the craptastic 100Mb switch they're plugged in to):
Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails or probably with other protocols that do not honor limiters.
-
Being an ISP and doling out public IPs behind your router is a lot easier with a routed subnet instead of a single /27.
You keep mentioning CARP. Are you going to have a redundant pair of firewalls providing this access? If not, you can get CARP off the brain.
I'd get the /27 routed to an address on a /29, carve a subnet out of the /27 for each of them on a layer 3 switch and either limit in the switch or use the shaper in pfSense.
If you limit in pfSense they can both get wire speed to each other if that matters at all.
Decided to do a drawing. It's what I would try to do.
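The two replies above both suggest carving the /27 into /29 blocks, one per office, with the limit applied either in the switch or in the pfSense shaper. The following Python script is an added example, not code from the thread or from pfSense, that works the split out from the addresses the original poster gave: it lists the four /29s inside 105.55.122.224/27, reports the usable hosts in each, flags the block that holds the ISP gateway .225 as reserved, and checks that the four addresses Office-B asked for (.251-.254) all fall inside a single /29 so that block can be handed to Office-B. Which /29 ends up with which office is an assumption of the example. Note the caveat from the reply above: with the ISP's gateway sitting inside the same flat /27, this only works cleanly if the ISP routes the /27 to you (or you use Proxy ARP); the script only does the arithmetic.

```python
import ipaddress

# Values taken from the thread: the ISP's /27 and its gateway address.
ALLOCATION = ipaddress.ip_network("105.55.122.224/27")
ISP_GATEWAY = ipaddress.ip_address("105.55.122.225")
# The four addresses Office-B asked for in the original post.
OFFICE_B_WANTED = [ipaddress.ip_address(f"105.55.122.{h}") for h in (251, 252, 253, 254)]


def carve(parent, new_prefix=29):
    """Split `parent` into equal blocks of the given prefix length."""
    return list(parent.subnets(new_prefix=new_prefix))


def usable_hosts(net):
    """Host addresses of a block, excluding network and broadcast addresses."""
    return list(net.hosts())


def containing_subnet(parent, addr, new_prefix=29):
    """Return the block of `parent` (at `new_prefix`) that holds `addr`."""
    for block in carve(parent, new_prefix):
        if addr in block:
            return block
    raise ValueError(f"{addr} is not inside {parent}")


def plan(parent=ALLOCATION, gateway=ISP_GATEWAY, office_b=OFFICE_B_WANTED, new_prefix=29):
    """Assumed assignment (not the thread's decision):
    - the block holding the ISP gateway is reserved and not handed to either office,
    - the block holding all of Office-B's requested addresses goes to Office-B,
    - the remaining blocks are left for Office-A.
    Refuses the plan if Office-B's addresses straddle two blocks or collide with the gateway block."""
    blocks = carve(parent, new_prefix)
    reserved = containing_subnet(parent, gateway, new_prefix)
    b_blocks = {containing_subnet(parent, a, new_prefix) for a in office_b}
    if len(b_blocks) != 1:
        raise ValueError("Office-B's requested addresses span more than one block")
    office_b_net = b_blocks.pop()
    if office_b_net == reserved:
        raise ValueError("Office-B's block collides with the ISP gateway block")
    office_a = [b for b in blocks if b not in (reserved, office_b_net)]
    return {"reserved": reserved, "office_b": office_b_net, "office_a": office_a}


if __name__ == "__main__":
    for block in carve(ALLOCATION):
        hosts = usable_hosts(block)
        print(f"{block}: usable {hosts[0]} - {hosts[-1]} ({len(hosts)} hosts)")
    print(plan())
```

Running it shows the last /29 (105.55.122.248/29, usable .249-.254) is the natural block for Office-B, the first /29 must be kept because .225 lives in it, and the two middle /29s (twelve usable addresses) remain for Office-A.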
-
Configured port based ingress and egress limits on the kids.
Before (no limits other than the craptastic 100Mb switch they're plugged in to):
Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails, or probably with other protocols that do not honor limiters.
The switch doesn't care if it's UDP, TCP, ICMP, HTTP, VoIP or a caffeinated rat terrier tapping out Morse Code. I did a port based limit, not any QoS or per flow limit. This is how Metro Ethernet ISPs limit your bandwidth when you buy 10Mb from them delivered on a 100Mb loop. The switch just counts the bits moving per second regardless of the underlying protocol.
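The point made above, that an interface-level limit counts bytes and never looks at the protocol, is easy to see with a small simulation. The Python below is an added example, not the switch's firmware or anything posted in the thread: it models a token-bucket policer of the kind used for port ingress/egress limits (committed rate plus a burst depth; packets that find no tokens are dropped), then offers it a constructed mix of TCP and UDP packets, each stream alone under the limit but together well over it. The packet sizes, rates and the 50 Mbps / 15 kB bucket are assumptions chosen to match the thread's 50/50 split, not the SG300's actual parameters.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    t: float     # arrival time in seconds
    size: int    # bytes on the wire
    proto: str   # label only; the policer never reads it


class PortPolicer:
    """Token-bucket policer on one switch interface (assumed model, not vendor code).
    Tokens refill at the committed rate up to `burst_bytes`; a packet passes only if
    enough tokens are present. Nothing here inspects headers, so TCP, UDP and anything
    else are limited the same way."""

    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_t = 0.0

    def admit(self, pkt):
        # Refill for the time elapsed since the previous packet, capped at the bucket depth.
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last_t) * self.bytes_per_s)
        self.last_t = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True
        return False          # out of profile: dropped


def constructed_stream(duration_s=1.0, pps_per_proto=4000, size=1500):
    """Constructed traffic: a TCP and a UDP sender alternating packets,
    each offering pps_per_proto * size * 8 bit/s (48 Mbit/s with the defaults)."""
    packets = []
    step = 1.0 / (2 * pps_per_proto)
    for i in range(int(duration_s * pps_per_proto)):
        packets.append(Packet(t=(2 * i) * step, size=size, proto="TCP"))
        packets.append(Packet(t=(2 * i + 1) * step, size=size, proto="UDP"))
    return packets


def police(packets, rate_bps=50_000_000, burst_bytes=15_000):
    """Run the packets through one policer and report offered/passed bytes per protocol."""
    policer = PortPolicer(rate_bps, burst_bytes)
    stats = {}
    for p in packets:
        s = stats.setdefault(p.proto, {"offered_bytes": 0, "passed_bytes": 0})
        s["offered_bytes"] += p.size
        if policer.admit(p):
            s["passed_bytes"] += p.size
    return stats


if __name__ == "__main__":
    for proto, s in police(constructed_stream()).items():
        mbit = s["passed_bytes"] * 8 / 1e6
        print(f"{proto}: offered {s['offered_bytes']} B, passed {s['passed_bytes']} B ({mbit:.1f} Mbit/s)")
```

With the defaults, 96 Mbit/s is offered and roughly 50 Mbit/s (plus the initial burst) gets through, split close to evenly between the two protocols: UDP is cut back exactly as hard as TCP, because the bucket only sees byte counts. What the policer cannot do is stop the senders from transmitting, which is the point the next reply makes; it can only drop what arrives too fast.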
-
Configured port based ingress and egress limits on the kids.
Before (no limits other than the craptastic 100Mb switch they're plugged in to):
Thanks for the test. I guess your test was TCP only. How about any UDP file transfer? I heard that is where this fails, or probably with other protocols that do not honor limiters.
The switch doesn't care if it's UDP, TCP, ICMP, HTTP, VoIP or a caffeinated rat terrier tapping out Morse Code. I did a port based limit, not any QoS or per flow limit. This is how Metro Ethernet ISPs limit your bandwidth when you buy 10Mb from them delivered on a 100Mb loop. The switch just counts the bits moving per second regardless of the underlying protocol.
Thanks again. That's interesting that you say that. I was on IRC, on the Cisco channel, where people agreed that such an arrangement doesn't exist. They mentioned Policing and Shaping on Cisco SMB smart switches, which would work for all protocols that honor rate limiters, but for example in the case of a UDP app it won't. Not that I have an app that specifically pumps everything over UDP, but I also don't know what the client might have, so I don't want to leave things to chance.
-
You cannot stop someone from sending you traffic. All you can do is limit how fast you send it or drop it if it is sent to you too fast.
-
When I said port in "port based limit", I meant switch interface. I specifically did not mean anything like TCP port 80, or 443 or UDP 5060.
Using a switch upstream of the two edge devices and limiting your ingress and egress to the two interfaces is so simple, and it does everything you want.
I'm a big believer in:
A) Use the right tool for the job.
B) Keep it Simple, Stupid.
My test was speedtest.net. Simple, effective, TCP 80 HTTP test.
The ISP that provides 20Mb bandwidth to my office uses the same kind of limiter, on a Catalyst switch. I pump all kinds of TCP, UDP and who knows what else through that pipe.