Multiple WAN with one ethernet interface?



  • So I'm trying to plan out a multiple WAN setup with pfSense before I go out and purchase the hardware.

    Basically I've got 6 or so modems all providing WAN IPs (via DHCP, some on same subnet), I would like to load balance these 6 connections with pfSense. The trouble is, I'll probably only have one RJ-45 interface on the box running pfSense. Is it possible to use another piece of hardware (vlan switch is maybe what I'm thinking) to take the 6 connections and merge to 1?

    Could you recommend a switch to use and also perhaps a tutorial on how to set it up? I've read the pfSense multiWan1.2 guide but how would it change with VLANs in the picture? Will basic things like port forwarding, load balancing and failover work just as well?

    Thanks, any help is appreciated.



  • Read a bit down in this thread:
    http://forum.pfsense.org/index.php/topic,9422.0.html

    Your approach with a VLAN switch would work too. (And is imo more "clean")
    Basically you have a single trunk from the switch to pfSense on which all the VLANs are permitted to egress tagged packets.
    For each VLAN you then assign a port that will egress the packets untagged.



  • Thanks for the prompt reply.

    From the link you gave me, it seems like that person was attempting to do it with just a regular switch, and not a VLAN switch?

    Since I haven't bought any hardware yet, I think I'll go the VLAN route since it seems to be preferred (btw, can you recommend a vlan-capable switch? something with just 10 ports maybe). At the moment I don't think I know enough on how VLANs operate (no idea what you mean when you talk about egressing tagged packets) so I'll read up on that first. Also, will all this configuration be possible just through the pfSense web user interface? And again, will load balancing and failover rules work fine?



  • It's normally 8 or 24 ports. I use an 8-port (ProCurve Switch 1800-8G) fanless gigaswitch (my setup). But it might be too expensive for your needs.
    Your checklist imo:
    fanless
    webgui
    At least 1 giga port (The 100Mbit days are over :P) if your pfSense box has a giga nic.



  • Nice setup, I really like the guides you made. I'm thinking of picking up this (mainly because it's the cheapest I could find). I should probably ask this once I've got all the hardware, but how do you configure the multiple WANs in pfSense now - do all the different interfaces from the switch show up (as OPT1/OPT2/OPT3 etc)? With the initial pfSense setup, since I've just got one physical interface, do I just assign WAN and LAN to the same interface? Also, can any additional free ports on the switch be used for LAN (and remain behind the firewall)?

    Sorry for the noobish questions, I just need to get this clarified :)



  • You will not be able to use load balancing if all your WAN IP addresses are in the same subnet. If you get private IP addresses in different subnets from the modems then you will be able to load balance properly.



  • Let's say your NIC is em0, then it will be the parent of all your VLAN NICs and all the NICs you'll be using.
    physical nic name -> vlan ID -> nic name -> your custom easy to remember name :)
    em0 -> vlan tag ID 11 -> vlan0 -> wan
    em0 -> vlan tag ID 22 -> vlan1 -> lan
    em0 -> vlan tag ID 33 -> vlan2 -> opt1 (wan2)
    em0 -> vlan tag ID 44 -> vlan3 -> opt2 (wan3)
    em0 -> vlan tag ID 55 -> vlan4 -> opt3 (wan4)

    Also, can any additional free ports on the switch be used for LAN (and remain behind the firewall)?

    Yes.
    Port 5 is a member of VLAN tag ID 11.
    Ports 3, 4 and 7 are members of VLAN tag ID 22.



  • @sai:

    you will not be able to use load balancing if all your WAN IP addresses are in the same subnet. If you get private IP addresses in different subnets from the modems then you will be able to load balance properly

    I think I may be able to do NAT on the modems, so I can assign IPs in different subnets to each port on the switch… will this do the job?

    Perry, thanks for the explanation! It makes much more sense now, but I'll probably be back once I've got all the hardware.

    Now for the hardware.. I'm thinking a mini-itx board would be best because of the compact form factor, but it's hard to come by one with a gigabit LAN port and stay inexpensive. They also come with all the bells and whistles I don't need..

    Edit: hmm, these ALIX boards are rather appealing, any idea how much throughput they can support?



  • I think I may be able to do NAT on the modems, so I can assign IPs in different subnets to each port on the switch… will this do the job?

    Yes

    Now for the hardware.. I'm thinking a mini-itx board would be best because of the compact form factor, but it's hard to come by one with a gigabit LAN port and stay inexpensive. They also come with all the bells and whistles I don't need..
    Edit: hmm, these ALIX boards are rather appealing, any idea how much throughput they can support?

    http://forum.pfsense.org/index.php?action=search keywords throughput +alix.
    Pro: very little power usage, nice little box
    Con: no packages can be installed, no extra PCI slot

    The Intel Atom based mini ITX board with an Intel PRO 1000 GT (on-board NIC not supported) would give more speed. But I don't have any data on throughput and power usage.



  • What kind of cable modem will it be? Most of the cable modems are strictly layer 2 bridges and lack the capability to implement NAT. The only Surfboard that supports it is their all-in-one access point, router, cable modem (SBG900).



  • I think I'll need to compromise either gigabit LAN or low power usage (and small form factor), this is because I need the PCI slot for a wireless card (if miniPCI is unavailable like on the mini-ITX boards)

    Con: no packages can be installed, no extra pci slot

    All the Alix boards allow you to substitute CF Microdrives, on which you can do a full pfSense install. The Alix1c has a PCI slot (albeit a riser is needed) which I can use for gigabit LAN.. so it just might be the ticket. The alix3c2 would be the best board because of its tiny form factor, but it's got no PCI (it does have two miniPCI slots though.. miniPCI gigabit LAN anyone?)

    The Intel Atom based mini ITX board with a Intel PRO 1000 GT (On board nic not supported) would give more speed.

    I checked those out and I came across this, I'm guessing I could use a dual riser to get a wireless card and the Pro 1000 GT.. but I'm not sure how well they'd both work from one PCI port. There was also this, Dual gigE Realtek 8110SC ports.. how do you think those would compare against an Intel Pro 1000 GT? These boards look nice but the cons I can think of are: large case, high power usage.

    So at the end of the day I think I'll go with the Alix1c. The Alix3c2 is smaller, but it's got no scalability (no gigE port/PCI slot). I could probably spec those mini-itx machines pretty cheaply too, but I've listed the cons.

    What kind of cable modem will it be? Most of the cable modems are strictly layer 2 bridges and lack the capability to implement NAT. The only Surfboard that supports it is their all-in-one access point, router, cable modem (SBG900).

    You're right, I've actually got a few cheap routers lying around here and I was going to hook each one up to the modems and put them in a DMZ, then do NAT from there.

    I've got one more question regarding the IP configurations of the entire setup. If I'm getting this right, would this be a feasible setup:
    6 modems/routers - each one connected to a port on the switch. The IP on each port would then be something like 192.168.10.1, 192.168.11.1, 192.168.12.1.. etc. The switch itself would have an IP 192.168.1.2 and the pfSense firewall would be on 192.168.1.1.. is this correct or am I completely off?

    Thank you for your input so far.



  • The VESA kit with wireless sounds like a good start. You can always buy a giga card later on.
    As your network only contains 1 LAN net, a better enhancement in the future could be a giga switch, so data transfer between clients can go faster. pfSense -> vlan switch -> giga switch

    I've got one more question regarding the IP configurations of the entire setup. If I'm getting this right, would this be a feasible setup:
    6 modems/routers - each one connected to a port on the switch. The IP on each port would then be something like 192.168.10.1, 192.168.11.1, 192.168.12.1.. etc. The switch itself would have an IP 192.168.1.2 and the pfSense firewall would be on 192.168.1.1.. is this correct or am I completely off?

    You could keep WANs & LAN nets more visibly separated, WANs 10.0.10.1, 10.0.11.1 etc. and LAN 192.168.1.1.
    I also like to keep the switch on its own net as I did in the guide.
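The em0 -> tag -> vlanN -> name mapping from Perry's post above, together with sai's rule that each WAN needs its own subnet, as an added plan checker (my own example, not code from the thread or from pfSense): it lists the interface rows for a constructed switch plan and flags overlapping subnets, a port left untagged in two VLANs, or the trunk port used as an access port. The port numbers, tags and subnets are made up for the example.

```python
import ipaddress

# Constructed plan in the style of Perry's table: em0 is the trunk parent, each VLAN
# gets one or more untagged access ports, and each WAN gets its own subnet as sai's
# post requires. wan3 deliberately reuses wan2's subnet so the check reports it.
TRUNK_PORT = 8          # switch port cabled to pfSense, carries every VLAN tagged
PLAN = {
    11: {"name": "wan",  "ports": [5],       "subnet": "10.0.10.0/24"},
    22: {"name": "lan",  "ports": [3, 4, 7], "subnet": "192.168.1.0/24"},
    33: {"name": "wan2", "ports": [1],       "subnet": "10.0.11.0/24"},
    44: {"name": "wan3", "ports": [2],       "subnet": "10.0.11.0/24"},
}

def vlan_interfaces(plan, parent="em0"):
    """Rows of (parent NIC, tag, vlanN, friendly name), numbering vlanN in tag order."""
    return [(parent, vid, f"vlan{i}", plan[vid]["name"])
            for i, vid in enumerate(sorted(plan))]

def check_plan(plan, trunk_port):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    port_vlan = {}      # access port -> VLAN it is untagged in
    subnets = []        # (name, network) seen so far
    for vid in sorted(plan):
        entry = plan[vid]
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: tag outside 1-4094")
        if not entry["ports"]:
            problems.append(f"VLAN {vid} ({entry['name']}): no access port, nothing can reach it")
        for port in entry["ports"]:
            if port == trunk_port:
                problems.append(f"port {port}: is the trunk, cannot be untagged in VLAN {vid}")
            elif port in port_vlan:
                problems.append(f"port {port}: untagged in VLAN {port_vlan[port]} and VLAN {vid}")
            port_vlan[port] = vid
        net = ipaddress.ip_network(entry["subnet"])
        for other_name, other_net in subnets:
            if net.overlaps(other_net):
                problems.append(f"{entry['name']} and {other_name} overlap on {net}: two interfaces "
                                "in one subnet give ambiguous routes; for WANs that breaks load balancing")
        subnets.append((entry["name"], net))
    return problems

if __name__ == "__main__":
    for row in vlan_interfaces(PLAN):
        print(" -> ".join(map(str, row)))
    for p in check_plan(PLAN, TRUNK_PORT):
        print("PROBLEM:", p)
```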



  • I am not sure if you have purchased any hardware yet, but I have had reasonable success with a setup from jetway, that I purchase off of newegg.  I can put one of these boxes together for just under 300, shipped.  (this includes 1GB of RAM, a WAY too big 80GB HDD [that is the cheapest size at this point] and a 1.5 ghz C7 VIA processor.)  Let me post some links so you can see.

    Case:  http://www.newegg.com/Product/Product.aspx?Item=N82E16811154084
    Extension cable (for inside the case): http://www.newegg.com/Product/Product.aspx?Item=N82E16811154084
    Mobo+proc:  http://www.newegg.com/Product/Product.aspx?Item=N82E16813153062
    RAM: http://www.newegg.com/Product/Product.aspx?Item=N82E16820144151
    HDD: http://www.newegg.com/Product/Product.aspx?Item=N82E16822210003
    CD/DVD drive: http://www.newegg.com/Product/Product.aspx?Item=N82E16827106086

    Total price:  (sans shipping)  233.94

    If you are continental US it shouldn't be more than 25 dollars to ship.

    (note, the mobo has two gig nics integrated.)



  • I need to figure out a set up like this.



  • I'm hesitant to purchase one of those mini-itx setups mainly due to the size. The Alix board is perfect for me and I realized I probably won't be maxing it at 100mbit regardless, so there's no point worrying about gigabit LAN.

    I haven't purchased any equipment yet, will do in a week or two once I'm back in the states.



  • To Perry: the link to "my setup" cannot be opened…
    Thanks



  • I want to tell you that the link Mr. Perry gave to the step-by-step configuration of the HP 1800-8G switch cannot be opened… are there any other links to that?
    Thanks



  • link fixed
