Netgate Discussion Forum

    Can it do this? How? And what do I need?

      GREG3f

      OK, here is my situation.  I have been asked by a local WISP to help him fix some networking issues he is having, as it seems he is outgrowing his old Pentium II FreeBSD ipfw server.

      The old pc running the ipfw is going down more often than it is staying up.  I want to provide him with a new PC running pfSense to give him better bandwidth shaping and a GUI to help admin the network.

      The main purpose of the old server is for bandwidth limiting.  He manually edits the ipfw rules to limit bandwidth based on IPs.  It is also used to forward on DNS requests.  Don't think it does much more than that.

      The biggest problem is with his wireless access points: if too many connections get opened by one or two users (usually due to p2p), the access points' performance drops dramatically.  If we reduce those IPs to 32kb of bandwidth, the connections still stay open and the problems persist.  If we deny that IP, the problem goes away and the customers call to find out why they have no Internet.

      It would be so much easier if we could set a global connection limit per IP to, say, 30 connections out and 15 connections in.  This would allow our access points to run much more stably.  We might also have to allow more for specific IP or MAC addresses.

      Another issue I have (and I think it is just my lack of knowledge) is that the old server acts as a gateway for more than one IP block.  It is currently answering to 216.xx.75.1 and 216.xx.76.1 and 10.0.0.1, and he tells me he has 2 or 3 more IPs he will need to add.

      So my BIG question is: can pfSense do everything the old server does and more?  We need bandwidth limiting by IP (by MAC address would also be a bonus), connection limits, and answering under multiple IPs.

      If so, what size of new PC would you recommend we get to work with 200 plus clients (each with 2 IPs, one for a bridge and one for a router) and a 10 Mbit fiber backbone?  Keep in mind we will want to add 200 more clients in the next few years.

      I would also be interested in hiring a guru/expert to help me get things set up if anyone is interested.

      Greg

        cmb

        @GREG3f:

        It would be so much easier if we could set a global connection limit per IP to, say, 30 connections out and 15 connections in.  This would allow our access points to run much more stably.  We might also have to allow more for specific IP or MAC addresses.

        You can limit states per host on a per-rule basis, which would accomplish that. But expect a limit as low as 15-30 connections to cause problems. When you load a web page, it issues an HTTP request for the page plus every image it contains plus CSS, JavaScript, maybe more. Certain websites will require 50 or more connections to load properly.

        @GREG3f:

        Another issue I have (and I think it is just my lack of knowledge) is that the old server acts as a gateway for more than one IP block.  It is currently answering to 216.xx.75.1 and 216.xx.76.1 and 10.0.0.1, and he tells me he has 2 or 3 more IPs he will need to add.

        Possible; it requires a little manual hacking to add ifconfig aliases, then manual outbound NAT changes.

        @GREG3f:

        So my BIG question is: can pfSense do everything the old server does and more?  We need bandwidth limiting by IP (by MAC address would also be a bonus), connection limits, and answering under multiple IPs.

        Bandwidth limiting by IP isn't possible (not equal sharing at least) in 1.2; the shaper as a whole in 1.2 is somewhat limited. Though it should be able to help you control bandwidth in this environment, it won't let you equally distribute it amongst all the hosts. 1.3 should; it contains a rewrite of the shaper.

        @GREG3f:

        If so, what size of new PC would you recommend we get to work with 200 plus clients (each with 2 IPs, one for a bridge and one for a router) and a 10 Mbit fiber backbone?  Keep in mind we will want to add 200 more clients in the next few years.

        Only 10 Mb, basically anything will do. Using just the features mentioned in your post, you could use an ALIX board. I suggest no less than 500 MHz, though even 266 MHz will handle double the load you're talking about.

        @GREG3f:

        I would also be interested in hiring a guru/expert to help me get things set up if anyone is interested.

        We'd be glad to help, we have some WISP commercial support customers already. See the link in my signature.

          GREG3f
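        What cmb's "limit states per host on a per-rule basis" looks like in pf's own rule syntax, as an added example (not from the thread and not pfSense's generated ruleset; pfSense exposes the same options under the firewall rule editor's advanced options, and the interface name and subnet below are assumptions):

```pf
# Added example, not from the original thread or from pfSense itself.
# Interface name and LAN subnet are assumptions for illustration.
lan_if  = "sis1"
lan_net = "10.0.0.0/24"

# Hosts that exceed the TCP connection limit are collected here so they can
# be blocked without editing rules; `pfctl -t abusers -T flush` clears it.
table <abusers> persist

# Drop traffic from overloaded hosts before the pass rule is evaluated.
block in quick on $lan_if from <abusers> to any

# Per-source-IP limits on the LAN pass rule (the thread's 30/15 figures,
# which cmb warns are low for ordinary web browsing):
#   max-src-states 30   cap on concurrent state entries per client IP
#                       (all protocols; extra states are simply refused)
#   max-src-conn 15     cap on established TCP connections per client IP
#   overload <abusers> flush   when the TCP cap is hit, add the IP to the
#                       table and kill the states this rule created for it
pass in on $lan_if from $lan_net to any keep state \
    (max-src-states 30, max-src-conn 15, overload <abusers> flush)
```

        The overload action only fires for the TCP limits (max-src-conn and max-src-conn-rate); max-src-states just stops new states being created once the cap is reached.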

          Thanks for the reply!

          @cmb:

          Bandwidth limiting by IP isn't possible (not equal sharing at least) in 1.2; the shaper as a whole in 1.2 is somewhat limited. Though it should be able to help you control bandwidth in this environment, it won't let you equally distribute it amongst all the hosts. 1.3 should; it contains a rewrite of the shaper.

          Is 1.3 available now?  If not, is there an ETA?

          Greg

            Perry

            No, and as always ETA = when it's ready.

            /Perry
            doc.pfsense.org

              cmb

              @GREG3f:

              Is 1.3 available now?  If not, is there an ETA?

              It'll be available for testing purposes in a month or less, but won't be a final, stable release until 2009. Though a lot of our users have been running beta versions since the very early days. Once it hits beta, we will be willing to provide commercial support on it with the caveat it may not be as stable as 1.2 yet. No clue and not going to guess when it might hit beta.
