Can it do this? How? And What do I need?



  • Ok, here is my situation.  I have been asked by a local WISP to help him fix some networking issues he is having, as it seems he is outgrowing his old Pentium II FreeBSD ipfw server.

    The old pc running the ipfw is going down more often than it is staying up.  I want to provide him with a new PC running pfSense to give him better bandwidth shaping and a GUI to help admin the network.

    The main purpose of the old server is for bandwidth limiting.  He manually edits the ipfw rules to limit bandwidth based on IPs.  It is also used to forward on DNS requests.  Don't think it does much more than that.

    The biggest problem is with his Wireless Access Points: if too many connections get opened by one or two users (usually due to p2p), the Access Points' performance drops dramatically.  If we reduce those IPs to 32kb of bandwidth, the connections still stay open and the problems persist.  If we deny that IP, the problem goes away and the customers call to find out why they have no Internet.

    It would be so much easier if we could set a global connection limit per IP to, say, 30 connections out and 15 connections in.  This would allow our Access Points to run much more stably.  We might also have to allow more for specific IP or MAC addresses.

    Another issue I have (and I think it is just my lack of knowledge) is that the old server acts as a gateway for more than one IP block.  It is currently answering to 216.xx.75.1 and 216.xx.76.1 and 10.0.0.1, and he tells me he has 2 or 3 more IPs he will need to add.

    So my BIG question is: can pfSense do everything the old server does and more?  We need bandwidth limiting by IP (by MAC address would also be a bonus), connection limiting, and answering under multiple IPs.

    If so, what size of new PC would you recommend we get to work with 200 plus clients (each with 2 IPs, one for a bridge and one for a router) and a 10 mbit fiber backbone?  Keep in mind we will want to add 200 more clients in the next few years.

    I would also be interested in hiring a GURU/Expert to help me get things setup if anyone is interested.

    Greg



  • @GREG3f:

    It would be so much easier if we could set a global connection limit per IP to, say, 30 connections out and 15 connections in.  This would allow our Access Points to run much more stably.  We might also have to allow more for specific IP or MAC addresses.

    You can limit states per host on a per-rule basis, which would accomplish that. But expect a limit as low as 15-30 connections to cause problems. When you load a web page, it issues an HTTP request for the page plus every image it contains plus CSS, JavaScript, maybe more. Certain websites will require 50 or more connections to load properly.

    @GREG3f:

    Another issue I have (and I think it is just my lack of knowledge) is that the old server acts as a gateway for more than one IP block.  It is currently answering to 216.xx.75.1 and 216.xx.76.1 and 10.0.0.1, and he tells me he has 2 or 3 more IPs he will need to add.

    Possible, requires a little manual hacking to add ifconfig aliases, then manual outbound NAT changes.

    @GREG3f:

    So my BIG question is: can pfSense do everything the old server does and more?  We need bandwidth limiting by IP (by MAC address would also be a bonus), connection limiting, and answering under multiple IPs.

    Bandwidth limiting by IP isn't possible (not equal sharing at least) in 1.2; the shaper as a whole in 1.2 is somewhat limited. Though it should be able to help you control bandwidth in this environment, it won't let you equally distribute it amongst all the hosts. 1.3 should; it contains a rewrite of the shaper.

    @GREG3f:

    If so, what size of new PC would you recommend we get to work with 200 plus clients (each with 2 IPs, one for a bridge and one for a router) and a 10 mbit fiber backbone?  Keep in mind we will want to add 200 more clients in the next few years.

    Only 10 Mb; basically anything will do. Using just the features mentioned in your post, you could use an ALIX board. I suggest no less than 500 MHz, though even 266 MHz will handle double the load you're talking about.

    @GREG3f:

    I would also be interested in hiring a GURU/Expert to help me get things setup if anyone is interested.

    We'd be glad to help, we have some WISP commercial support customers already. See the link in my signature.
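    What the per-rule state limit and the "ifconfig aliases plus manual outbound NAT" advice above look like in pf terms, as an added example (not the poster's, nor pfSense's generated ruleset). All interface names, address blocks and the 203.0.113.x public addresses are constructed for the illustration; the per-source caps are set well above 30 because of the web-page warning above.

```pf
# Interfaces (constructed names for this example)
wan_if = "em0"
lan_if = "em1"

# Second gateway address on the LAN side, added at the shell before pf loads:
#   ifconfig em1 inet 10.0.1.1 netmask 255.255.255.0 alias   (constructed)
lan_net1 = "10.0.0.0/24"
lan_net2 = "10.0.1.0/24"

# Hosts that get a larger state budget (constructed addresses)
table <trusted_hosts> { 10.0.0.50, 10.0.0.51 }
# Hosts that exceeded the TCP connection limit land here and are dropped
table <abusive_hosts> persist

# Outbound NAT needs its own line per address block so each block leaves
# with the right source address (translation rules precede filter rules)
nat on $wan_if from $lan_net1 to any -> 203.0.113.1
nat on $wan_if from $lan_net2 to any -> 203.0.113.2

block in quick on $lan_if from <abusive_hosts> to any

# Trusted hosts: generous per-source limit, evaluated first
pass in quick on $lan_if from <trusted_hosts> to any keep state \
    (max-src-states 500)

# Everyone else, TCP: cap completed connections per source; a host that goes
# over is added to <abusive_hosts> and all of its existing states are flushed
pass in on $lan_if proto tcp from { $lan_net1, $lan_net2 } to any \
    flags S/SA keep state \
    (max-src-states 100, max-src-conn 60, overload <abusive_hosts> flush global)

# Everyone else, non-TCP (UDP/ICMP): only the per-source state cap applies,
# since max-src-conn and overload count completed TCP handshakes
pass in on $lan_if proto { udp, icmp } from { $lan_net1, $lan_net2 } to any \
    keep state (max-src-states 100)
```

    A host parked in <abusive_hosts> is blocked outright, which is exactly the "customers call" situation described above, so pair it with a periodic `pfctl -t abusive_hosts -T expire 600` from cron to release entries automatically. The pfSense GUI writes rules like these for you; this shows the underlying keywords so the limits can be checked with `pfctl -sr`.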



  • Thanks for the reply!

    Bandwidth limiting by IP isn't possible (not equal sharing at least) in 1.2; the shaper as a whole in 1.2 is somewhat limited. Though it should be able to help you control bandwidth in this environment, it won't let you equally distribute it amongst all the hosts. 1.3 should; it contains a rewrite of the shaper.

    Is 1.3 available now?  If not, is there an ETA?

    Greg



  • No, and as always ETA = when it's ready.



  • @GREG3f:

    Is 1.3 available now?  If not, is there an ETA?

    It'll be available for testing purposes in a month or less, but won't be a final, stable release until 2009. Though a lot of our users have been running beta versions since the very early days. Once it hits beta, we will be willing to provide commercial support on it with the caveat it may not be as stable as 1.2 yet. No clue and not going to guess when it might hit beta.

