At 17:00, Tuesday 6 June 2006, Holger Bauer wrote:
> There are some limitations of pfSense 1.0 that maybe don't apply to your
> setup (also just a quick shot from what comes to my mind at once):
>
> - The ftp-helper will only work at WAN when using multiwan/loadbalancing

OK

> - loadbalancing only works for connections running through pfSense
> (services that run at the firewall directly like the squid package can't
> use loadbalancing or multiwan)

OK

> - NAT reflection only works for portranges with less than 500 ports and
> not for 1:1 NATs

OK

> - not all services work well with loadbalancing. This however is NOT a
> pfSense problem but poor protocol design or poor application code at the
> clientside.

Do you have news about Citrix?

> - you need static gateways to use the loadbalancing pool for outgoing
> loadbalancing

OK

> - trafficshaping only works for 2 interfaces correctly (at least from what
> you can do with the webgui)

OK

> - if you run CARP (which is something that you should consider for an
> install of that size) each node needs a dedicated IP that can't be
> shared/handed over, however they still can be forwarded or used on the
> single node.

10x

> - after CARP failover all already established connections will be in the
> default queues

OK

> - IPSEC will only work with at least one static IP at one end

OK

> - Routing via IPSEC needs parallel tunnels to work

OK

> - shaping and filtering inside IPSEC tunnels doesn't work (however you can
> filter traffic incoming at the end before the traffic goes into the tunnel
> if you control both ends)

OK

> - you can only bridge wireless interfaces to another interface if the
> interface is in hostap mode

10x

> - you can only have a bridge group with 2 interfaces

10x

> - traffic shaping won't work on a bridge

OK

> - captive portal can only be enabled at one interface

OK

> - DynDNS can only be used for the original WAN interface

OK

>
> Several of these limitations are already fixed in the head release or seem
> to be fixable but need time to be implemented/tested. Keep in mind this is
> Version 1.0 and it's been feature frozen for several months already while
> development on the head codetree continued. We absolutely don't recommend
> running HEAD atm and we don't support it either, just in case you want to
> ask why not run HEAD ;-)

Suicide is not my hobby ;-)

>
> Concerning Hardware:
>
> - You should consider using some highend machines with a fast PCI bus as
> all traffic has to pass the bus and the CPU and you plan to run several
> IPSEC tunnels

Sure

> - like Bill said, each state takes a bit of RAM. You should consider this
> when calculating your hardware
>
> Holger

10x very much to everyone for providing feedback so quickly.
To the maccaroni-eaters (AKA mandolino-players, pizza-eaters etc.) like me:
Thanks to you too, Angelo

> > -----Original Message-----
> > From: Odette [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 06, 2006 4:20 PM
> > To: [email protected]
> > Subject: [pfSense-discussion] Known PFsense Limits?
> >
> > Hi all,
> >
> > I need to substitute our production firewall, and I'd like to use PFsense,
> > which I've already successfully used for home or small office
> > environments.
> >
> > The solution I'm going to substitute is based on Linux-iptables, which
> > requires more than 1000 rules. I need more than 25 static routes, and 5
> > VPNs.
> >
> > Furthermore, in the near future we are migrating 2 of 3 network branches
> > to Gbit.
> >
> > I'd like to try PFsense, but my boss (I'm sure) will kill me in the event
> > I spend half a week setting up the new PFsense and writing down all the
> > rules only to see that PFsense is not the right solution.
> >
> > Is there a rule-number limit or a session-number limit implemented in
> > PFsense?
> >
> > Does somebody have some expertise in similar situations?
> >
> > Anybody able to supply info or suggestions?
> >
> > Thanks in advance
> >
> > Odette
> > ____________
> Virus checked by G DATA AntiVirusKit
