Hmm, why switch to pfSense from Linux? I am considering the other way round,
from pfSense to Linux.
Mainly because of the lack of wireless drivers with support for N and a buggy
Atheros FreeBSD driver.

Right now I'm thinking a base install of Debian, followed by only the
packages I need and do the configuring by console. I know about Webmin, but
don't know if I can change every setting with that.


-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of David Brown
Sent: Wednesday 21 September 2011 13:13
To: pfSense support and discussion
Subject: [pfSense] Replacing a Linux router with pfSense

I have a Linux machine as our company firewall/router at the moment. 
Since reading the announcement of pfSense 2.0 (on LinuxToday!), I have been
considering replacing it with pfSense.  There are some features that I see
as being big improvements over my existing system, such as the web interface
(which is perhaps slightly more user-friendly than ssh and iptables scripts)
and CARP for failover between two routers.

There are some features of my existing setup that may be difficult to
duplicate with pfSense, and I'm hoping someone can tell me whether these are
easy, hard-but-possible, or impossible - the pfSense wiki has a lot of
information, but it can't cover everything (especially the latest features
of pfSense 2.0).  I've read through a fair amount of it, but by no means
all.


First, on the Linux system I have two hard disks, each with two partitions.
The first partition on each is set as a software RAID1 and contains the OS,
configuration, data, etc.  The second partition on each is separate and
contains a squid cache.  Thus the system will boot and run fine even if one
disk fails (losing half the squid cache will not be harmful).  Can I do
something similar with pfSense?  I know a great deal about Linux software
raid, but nothing about FreeBSD.



I make use of VLANs on switches to control different subnets for parts of
our LAN, server networks, etc.  On some of these, the router has more than
one alias.  This means I have network "interfaces" with names like
"eth0.12:2" in Linux (second alias on VLAN 12 connected to the first
physical ethernet card).  In some cases there is more than one alias on the
same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on different
subnets on the same VLAN.  I know pfSense is flexible about VLANs - but is
it /that/ flexible?


I have two WAN connections.  One is a symmetric link (10/10), the other is
ADSL (8/1).  I would like to set these up so that the symmetric link is the
main link, with the ADSL as backup.  But http traffic can be balanced
between them.  Can I arrange that?



On one of the WAN connections, I have several IP addresses (a /28 subnet).
Several services coming in on these IP addresses need to be NAT'ed to
different internal servers, depending on the port and the IP address
targeted.  It is important that replies from the internal servers get
returned from the same IP as originally targeted.  Will that work with
pfSense?


I have two OpenVPN servers on the current system, running on different
ports.  Clients on these have access to different servers.  Can I have
several OpenVPN servers configured with pfSense?


I would also like to set up an OpenVPN "hub" to handle communication between
external OpenVPN servers and clients.  Some of my company's clients have
OpenVPN servers or clients that some of our employees need access to.  My
idea is that the employee will connect to the "hub" (the pfSense system)
with OpenVPN, as will the customers' OpenVPN clients.
The "hub" will also connect to the customers' OpenVPN servers (some have
servers, others have clients).  I would like to be able to set up
firewalling rules allowing the employees access to the customers' 
systems, but customers' systems will not be able to access each other (or
other interfaces on the firewall/router).  Is that going to be possible?
Will it be possible to get alerts (SMTP) or logs when these OpenVPN
connections come and go?


The box is also a DHCP server on various networks, with some static assigned
addresses and some range-based.  I presume that's fine for pfSense?  And
that it integrates with the DNS server on pfSense?


I am seriously considering getting two pfSense boxes with CARP failover.
Does this require identical hardware on the two systems (or perhaps just
identical network card setups)?  How much information is passed over the
link between the boxes - does it cover all setup, configuration, rules, dhcp
leases, etc.?  How often does this synchronisation take place?  Am I correct
in thinking that each box needs its own individual IP address on each
network interface (including VLAN interfaces), and they share one or more
CARP aliases?


I plan to set up a few virtual machines to play around with this before
trying it out on a real system, but it would be nice to get an idea of what
is possible or not!

Thanks,

David Brown
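The inbound NAT question above (services on several public addresses forwarded to different internal servers, with replies leaving from the address the client originally targeted) comes down to what a stateful NAT does. The following toy model is an added example for this thread, not pfSense or FreeBSD code; all addresses are constructed (TEST-NET ranges for the public side, RFC 1918 inside), and it shows how the state entry created on the way in decides the reply's source address, and what goes wrong when no state matches.

```python
"""Toy stateful port-forward NAT, written for this thread as an added example.

Inbound: (public_ip, port) is looked up in the forward table, rewritten to the
internal server, and a state entry is recorded.  Outbound: a reply that matches
a state entry is rewritten back to the public IP/port the client targeted.
A reply with no matching state falls back to the default outbound address,
which is exactly the "wrong source IP" behaviour the requirement rules out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed forward table: two public IPs from a 203.0.113.0/28 block map,
# by destination IP *and* port, to three different internal servers.
PORT_FORWARDS = {
    ("203.0.113.2", 443): ("192.168.10.5", 443),   # web server A
    ("203.0.113.3", 25): ("192.168.10.6", 25),     # mail server
    ("203.0.113.3", 443): ("192.168.10.7", 8443),  # web server B, non-standard inside port
}
DEFAULT_OUTBOUND_IP = "203.0.113.1"  # constructed primary WAN address


class StatefulNAT:
    def __init__(self):
        # (internal_ip, internal_port, client_ip, client_port) -> (public_ip, public_port)
        self.state = {}

    def inbound(self, pkt):
        """Translate a WAN-side packet; return the rewritten packet or None if unmapped."""
        target = PORT_FORWARDS.get((pkt.dst, pkt.dport))
        if target is None:
            return None  # nothing forwarded on this IP/port: dropped
        iip, iport = target
        self.state[(iip, iport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, iip, iport, pkt.proto)

    def outbound(self, pkt):
        """Translate a packet from an internal host towards the client."""
        entry = self.state.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry is None:
            # No state: plain outbound NAT, so the source is the primary WAN IP.
            return Packet(DEFAULT_OUTBOUND_IP, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        pub_ip, pub_port = entry
        return Packet(pub_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)
```

Run the same client flow twice, once through `inbound()` first and once with `outbound()` alone, to see the reply source differ.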
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
