I have a Linux machine as our company firewall/router at the moment.
Since reading the announcement of pfSense 2.0 (on LinuxToday!), I have
been considering replacing it with pfSense. There are some features
that I see as being big improvements over my existing system, such as
the web interface (which is perhaps slightly more user-friendly than ssh
and iptables scripts) and CARP for failover between two routers.
There are some features of my existing setup that may be difficult to
duplicate with pfSense, and I'm hoping someone can tell me whether these
are easy, hard-but-possible, or impossible - the pfSense wiki has a lot
of information, but it can't cover everything (especially the latest
features of pfSense 2.0). I've read through a fair amount of it, but by
no means all.

First, on the Linux system I have two hard disks, each with two
partitions. The first partition on each is set as a software RAID1 and
contains the OS, configuration, data, etc. The second partition on each
is separate and contains a squid cache. Thus the system will boot and
run fine even if one disk fails (losing half the squid cache will not be
harmful). Can I do something similar with pfSense? I know a great deal
about Linux software raid, but nothing about FreeBSD.

I make use of VLANs on switches to control different subnets for parts
of our LAN, server networks, etc. On some of these, the router has more
than one alias. This means I have network "interfaces" with names like
"eth0.12:2" in Linux (second alias on VLAN 12 connected to the first
physical ethernet card). In some cases there is more than one alias on
the same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on
different subnets on the same VLAN. I know pfSense is flexible about
VLANs - but is it /that/ flexible?

I have two WAN connections. One is a symmetric link (10/10), the other
is ADSL (8/1). I would like to set these up so that the symmetric link
is the main link, with the ADSL as backup. But http traffic can be
balanced between them. Can I arrange that?

On one of the WAN connections, I have several IP addresses (a /28
subnet). Several services coming in on these IP addresses need to be
NAT'ed to different internal servers, depending on the port and the IP
address targeted. It is important that replies from the internal
servers get returned from the same IP as originally targeted. Will that
work with pfSense?

I have two OpenVPN servers on the current system, running on different
ports. Clients on these have access to different servers. Can I have
several OpenVPN servers configured with pfSense?

I would also like to set up an OpenVPN "hub" to handle communication
between external OpenVPN servers and clients. Some of my company's
clients have OpenVPN servers or clients that some of our employees need
access to. My idea is that the employee will connect to the "hub" (the
pfSense system) with OpenVPN, as will the customers' OpenVPN clients.
The "hub" will also connect to the customers' OpenVPN servers (some have
servers, others have clients). I would like to be able to set up
firewalling rules allowing the employees access to the customers'
systems, but customers' systems will not be able to access each other
(or other interfaces on the firewall/router). Is that going to be
possible? Will it be possible to get alerts (SMTP) or logs when these
OpenVPN connections come and go?

The box is also a DHCP server on various networks, with some static
assigned addresses and some range-based. I presume that's fine for
pfSense? And that it integrates with the DNS server on pfSense?

I am seriously considering getting two pfSense boxes with CARP failover.
Does this require identical hardware on the two systems (or perhaps
just identical network card setups)? How much information is passed
over the link between the boxes - does it cover all setup,
configuration, rules, dhcp leases, etc.? How often does this
synchronisation take place? Am I correct in thinking that each box
needs its own individual IP address on each network interface (including
VLAN interfaces), and they share one or more CARP aliases?

I plan to set up a few virtual machines to play around with this before
trying it out on a real system, but it would be nice to get an idea of
what is possible or not!

Thanks,
David Brown

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
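The access policy the post describes for the OpenVPN "hub" (employees may open connections to the customer networks assigned to them; customer networks may initiate nothing towards each other, towards employees, or towards the hub's other interfaces) modelled as a small default-deny evaluator. This is an added example, not code from the post or from pfSense; the zone subnets, addresses and grant table are constructed assumptions, and only the initiating direction of a connection is evaluated, with replies left to the firewall's state table.

```python
import ipaddress

# Constructed tunnel and interface subnets for the OpenVPN "hub" design
# described in the post. All addresses here are hypothetical.
ZONES = {
    "employees":  ipaddress.ip_network("10.8.0.0/24"),     # employees dial in
    "customer_a": ipaddress.ip_network("10.9.1.0/24"),     # customer A's clients dial in
    "customer_b": ipaddress.ip_network("10.9.2.0/24"),     # hub dials out to customer B's server
    "lan":        ipaddress.ip_network("192.168.0.0/24"),  # another interface on the hub
}

# Per-employee grants: which customer zones each employee address may open
# connections to (constructed assignments).
GRANTS = {
    "10.8.0.10": {"customer_a"},
    "10.8.0.11": {"customer_a", "customer_b"},
}

def zone_of(ip):
    """Map an address to the zone containing it, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def decide(src, dst):
    """Decide a *new* connection from src to dst: 'allow' or 'deny'.

    Only the initiating direction is evaluated; reply packets are assumed
    to be matched by the firewall's state table, as on pf or iptables.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny"                       # unknown networks never pass
    if src_zone == "employees" and dst_zone.startswith("customer_"):
        # Employees reach only the customer networks granted to them.
        return "allow" if dst_zone in GRANTS.get(src, set()) else "deny"
    # Customer networks may not initiate anything: not to each other,
    # not to employees, not to the hub's other interfaces (default deny).
    return "deny"

def audit(flows):
    """Evaluate a list of (src, dst) pairs and return the verdicts."""
    return [(src, dst, decide(src, dst)) for src, dst in flows]

if __name__ == "__main__":
    for src, dst, verdict in audit([("10.8.0.10", "10.9.1.5"),
                                    ("10.9.1.5", "10.9.2.5"),
                                    ("10.9.1.5", "192.168.0.20")]):
        print(f"{src:>12} -> {dst:<13} {verdict}")
```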