I have a Linux machine as our company firewall/router at the moment. Since reading the announcement of pfSense 2.0 (on LinuxToday!), I have been considering replacing it with pfSense. There are some features that I see as being big improvements over my existing system, such as the web interface (which is perhaps slightly more user-friendly than ssh and iptables scripts) and CARP for failover between two routers.

There are some features of my existing setup that may be difficult to duplicate with pfSense, and I'm hoping someone can tell me whether these are easy, hard-but-possible, or impossible - the pfSense wiki has a lot of information, but it can't cover everything (especially the latest features of pfSense 2.0). I've read through a fair amount of it, but by no means all.


First, on the Linux system I have two hard disks, each with two partitions. The first partition on each is set as a software RAID1 and contains the OS, configuration, data, etc. The second partition on each is separate and contains a squid cache. Thus the system will boot and run fine even if one disk fails (losing half the squid cache will not be harmful). Can I do something similar with pfSense? I know a great deal about Linux software raid, but nothing about FreeBSD.



I make use of VLANs on switches to control different subnets for parts of our LAN, server networks, etc. On some of these, the router has more than one alias. This means I have network "interfaces" with names like "eth0.12:2" in Linux (second alias on VLAN 12 connected to the first physical ethernet card). In some cases there is more than one alias on the same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on different subnets on the same VLAN. I know pfSense is flexible about VLANs - but is it /that/ flexible?


I have two WAN connections. One is a symmetric link (10/10), the other is ADSL (8/1). I would like to set these up so that the symmetric link is the main link, with the ADSL as backup, but with http traffic balanced between them. Can I arrange that?


On one of the WAN connections, I have several IP addresses (a /28 subnet). Several services coming in on these IP addresses need to be NAT'ed to different internal servers, depending on the port and the IP address targeted. It is important that replies from the internal servers get returned from the same IP as originally targeted. Will that work with pfSense?


I have two OpenVPN servers on the current system, running on different ports. Clients on these have access to different servers. Can I have several OpenVPN servers configured with pfSense?


I would also like to set up an OpenVPN "hub" to handle communication between external OpenVPN servers and clients. Some of my company's clients have OpenVPN servers or clients that some of our employees need access to. My idea is that the employee will connect to the "hub" (the pfSense system) with OpenVPN, as will the customers' OpenVPN clients. The "hub" will also connect to the customers' OpenVPN servers (some have servers, others have clients). I would like to be able to set up firewalling rules allowing the employees access to the customers' systems, but customers' systems will not be able to access each other (or other interfaces on the firewall/router). Is that going to be possible? Will it be possible to get alerts (SMTP) or logs when these OpenVPN connections come and go?


The box is also a DHCP server on various networks, with some static assigned addresses and some range-based. I presume that's fine for pfSense? And that it integrates with the DNS server on pfSense?


I am seriously considering getting two pfSense boxes with CARP failover. Does this require identical hardware on the two systems (or perhaps just identical network card setups)? How much information is passed over the link between the boxes - does it cover all setup, configuration, rules, dhcp leases, etc.? How often does this synchronisation take place? Am I correct in thinking that each box needs its own individual IP address on each network interface (including VLAN interfaces), and they share one or more CARP aliases?


I plan to set up a few virtual machines to play around with this before trying it out on a real system, but it would be nice to get an idea of what is possible or not!

Thanks,

David Brown
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
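The question about replies leaving from the same public IP that was targeted comes down to how a stateful packet filter (pf on pfSense, netfilter on the Linux box) records a port-forwarded connection. The following is an added illustration, not code from the post or from pfSense: a small Python model of inbound DNAT plus the state table that reverse-translates replies. The port-forward table, the /28 addresses (TEST-NET-3) and the internal hosts (RFC 1918) are constructed for the example; the model ignores TCP state, timeouts and outbound NAT for connections the servers initiate themselves.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Added illustration (not from the post): a minimal model of how a stateful
# packet filter such as pf or netfilter handles port forwards, showing why a
# reply from an internal server leaves from the public IP the client targeted.


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed port-forward table: (proto, public IP, public port) -> (internal IP, port).
# Addresses are documentation ranges (TEST-NET-3, RFC 1918), not real hosts.
FORWARDS: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("tcp", "203.0.113.17", 443): ("10.0.1.10", 443),
    ("tcp", "203.0.113.18", 443): ("10.0.1.11", 8443),
    ("tcp", "203.0.113.18", 25): ("10.0.1.12", 25),
}


class StatefulNat:
    """Inbound DNAT plus the state table that un-translates replies."""

    def __init__(self, forwards: Dict[Tuple[str, str, int], Tuple[str, int]]):
        self.forwards = forwards
        # Key is the flow as a reply will look from the inside;
        # value is the public (ip, port) the client actually connected to.
        self.states: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on WAN. Returns the translated packet, or None if dropped."""
        target = self.forwards.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None  # no port forward for this IP/port: default deny
        int_ip, int_port = target
        key = (pkt.proto, int_ip, int_port, pkt.src_ip, pkt.src_port)
        self.states[key] = (pkt.dst_ip, pkt.dst_port)
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving an internal server. Reverse-translates via state, or drops."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        original = self.states.get(key)
        if original is None:
            return None  # no state: not a reply to a forwarded connection
        pub_ip, pub_port = original
        return replace(pkt, src_ip=pub_ip, src_port=pub_port)


def reply_source(nat: StatefulNat, client_ip: str, client_port: int,
                 public_ip: str, public_port: int) -> Optional[Tuple[str, int]]:
    """Drive one request/reply through the model and report the reply's source."""
    fwd = nat.inbound(Packet("tcp", client_ip, client_port, public_ip, public_port))
    if fwd is None:
        return None
    reply = nat.outbound(Packet("tcp", fwd.dst_ip, fwd.dst_port, client_ip, client_port))
    return None if reply is None else (reply.src_ip, reply.src_port)


if __name__ == "__main__":
    nat = StatefulNat(FORWARDS)
    # Two public IPs in the same /28 forwarded to different internal servers;
    # each reply comes back from the address the client used.
    print(reply_source(nat, "198.51.100.7", 50000, "203.0.113.17", 443))
    print(reply_source(nat, "198.51.100.7", 50001, "203.0.113.18", 443))
    # An address/port with no forward is dropped; an unsolicited outbound
    # packet from a server has no matching state and is not translated.
    print(reply_source(nat, "198.51.100.7", 50002, "203.0.113.19", 443))
    print(nat.outbound(Packet("tcp", "10.0.1.11", 8443, "198.51.100.7", 60000)))
```

The point of the model is that the reply address is not chosen by the internal server or by a separate outbound rule: it is taken from the state entry created when the forwarded packet came in, so each public address in the /28 answers as itself. Connections the internal servers open on their own are a different path (outbound NAT) and are not covered here.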