Re: [pfSense] Triple WAN

2014-09-09 Thread Benjamin Swatek

Chris Bagnall wrote:

I tend to work on the principle of sending your ‘I care about latency’ traffic 
down one connection: SIP, mail, SSH and various streaming protocols are the 
ones I normally separate - you may have others to consider. I then create a 
gateway group for the other two connections in a standard round robin load 
balance.

Would you mind giving a few examples of how you do this exactly?
I have absolutely no control over the clients on one of my LANs (open 
hostel wifi), and people tend to saturate my 4 WANs.

If you can easily separate your clients out on the LAN side, you can go a step 
further: in one of the offices we supply, floor 1 is balanced across WANs 1 and 
3; floor 2 is balanced across WANs 2 and 4.

These methods are all to prevent one single client saturating the connectivity 
into a building. You’ll have to do some experimentation to find out what works 
best in your environment.

One final word of advice: send HTTPS connections down a single WAN. Many 
‘secure’ sites will expire sessions if connections come from different IPs and 
your clients will get upset very quickly if they’re having to re-login to 
online services every few minutes.
That's the only part I figured out myself: all HTTPS from 3 different 
LANs is going down one WAN connection.


Thanks a lot!

Ben

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


[pfSense] One Click Hoster Downloads

2014-04-26 Thread Benjamin Swatek
Hey List,

I guess “One Click Hoster” is a bit of an old description, but I am referring 
to the likes of http://uploaded.net/; https://www.oboom.com and similar.

No download from those hosts seems to work for me behind my pfSense box with 
a MultiWAN, MultiLAN setup.

“Use Sticky Connections” is set.

Any other idea where to look?

(4 ADSL lines on the WAN end, 3 LANs)

Thanks
Ben

Re: [pfSense] [v2.1] configuring OPT1 as hosted services firewall?

2014-02-21 Thread Benjamin Swatek
I have around 15 years USER experience installing a new version of Mac OS (X) 
onto a Mac.

Around 8 years ago I managed to install Debian on a Powerbook with a lot of 
help and RTFM but I forgot most of it as ‘I am not in the business’.

I re-read your mail after Adam’s mail and even I spotted the Subnet problem, 
hidden in your description…

Hey, if spelling out RTFM is too much for you, even telling you which manual you 
should look at… hell…

Thanks Adam, please tell me which manual I have to read this way again next 
time I have a stupid question…

Ben


On 22 Feb 2014, at 00:16, Ryan Coleman ryanjc...@me.com wrote:

 And with that, and my 20 years in the industry, I unsubscribe from this list.
 
 Learn some fucking tact, Adam.
 
 
 On Feb 21, 2014, at 10:12 PM, Adam Thompson athom...@athompso.net wrote:
 
 The obvious problem is that it looks like you have two interfaces in the 
 same subnet.  That (generally) doesn't work unless you are a routing guru in 
 the first place and know exactly what you're doing.  Which, with apologies 
 for bluntness, you obviously don't.
 
 The problem isn't with pfSense, it's with your entire concept of how IP 
 works.
 Go read a book on IP first, then try again?  (Sorry if I'm wrong, but it 
 seems like the problem is at that level...)
 
 -Adam
 
 On Feb 21, 2014 7:13 PM, Ryan Coleman ryanjc...@me.com wrote:
 
 Does anyone have an ideas? 
 
 Thanks! 
 
 
 On Feb 20, 2014, at 4:04 PM, Ryan Coleman ryanjc...@me.com wrote: 
 
 I’m moving away from single server design on my ESXi box to dedicated 
 guests for each service but I cannot seem to get those dedicated services 
 through the firewall. 
 
 I have a 29-bit subnet (IPs 1 through 5). Everything is internal to the 
 ESXi (5.1) server. 
 
 .1 = pfSense Firewall 
 .2 = OPT1 interface on pfSense 
 .3 = Customer VM (will port over to OPT2 after this works) 
 .4 = All-in-one hosted VM 
 .5 = Same All-in-one hosted VM 
 
 I am going to eliminate .4 and .5 as I pull specific services out and into 
 VMs (I’ve already moved the basic part of the FTP, the entire SQL server 
 and LDAP to internal systems). 
 
 But whenever I set up NAT rules on .2 it seems to be using .1’s stuff. 
 
 I will have the following pushed through: 
 FTP 
 WWW (one primary, each subserver has functioning Apache for their 
 services) 
 IMAP SSL/SMTP 
 SSH (via pushed ports to each server) 
 
 Any thoughts would be helpful. The biggest thing I need to get running now 
 is the FTP part - I cannot get it to push through nor will it register on 
 the firewall log that it’s being blocked. 
 — 
 Ryan 



[pfSense] Bridging 3 virtual interfaces together?

2014-01-05 Thread Benjamin Swatek
Hi all,

following up on this thread: Bridge LAN ports to act like a switch
http://forum.pfsense.org/index.php?topic=48947.0

I am looking for a way to bridge 3 VLAN interfaces together so they act as one 
inside the pfSense box for the purpose of traffic shaping on the bridge.
Now the 3 interfaces still need to act as single interfaces running 3 different 
DHCP servers on each.

I looked into the above thread, but just bridging the 3 interfaces together 
they lose their IP addresses, which is something that I can’t afford as they 
serve 3 different LANs.

I want to *join* the interfaces together inside pfSense so I can throw all the 
traffic together in one big queue and start shaping according to subnet and 
ports.

Any hints?

Thanks

Ben


Re: [pfSense] Bridging 3 virtual interfaces together?

2014-01-05 Thread Benjamin Swatek

On 5 Jan 2014, at 15:59, Adam Thompson athom...@athompso.net wrote:

 On 14-01-05 12:49 PM, Benjamin Swatek wrote:
 Thanks for your help Adam, I got to admit that I definitely do NOT fully 
 understand OSI ;-)
 
 Unfortunately, most people working with firewalls do not.  It's like an auto 
 mechanic working on your transmission without understanding how gears work, 
 IMHO...
 
Wouldn’t call myself an auto mechanic either ;-) - Yeah, I only have a little 
idea of what I’m doing here.
 
 The reason for the VLANs was to get the 3 LANs onto one NIC in the first 
 place, hoping that it would be easier to “get them together” for shaping 
 then having them come in on the pfSense box on 3 physical NICs.
 
 Looking at your answer this might be the wrong approach.
 
 If you have any suggestions as to how I can take the traffic from 3 LANs and 
 pipe it through a traffic shaper where I can prioritise traffic from a 
 certain LAN over another and prioritise certain traffic over other within 
 each LAN's traffic, I’d be very grateful to hear…
 
 1. Recall that priority/QoS is irrelevant until/unless the link is congested. 
  So unless you plan to push ~ 1.0 Gbps of traffic, stop now and don't waste 
 your time.  Unless this is just a learning experience anyway, in which case 
 go right ahead.
 

I’m only looking to push 8Mbps through two 3Mbps and one 2 Mbps ADSL lines 
(MultiWAN) for each of which I pay more than the national minimum wage - this 
is Bolivia - trying to satisfy my business’s needs to answer to emails asap as 
well as my clients expectations for a fast WiFi - that is people who don’t have 
a clue how expensive 1 Mbps is compared to the 1st world.
So yes, my links are constantly congested ;-)

 2. Although FreeBSD's if_bridge (we are using this, not ng_bridge(4), right, 
 guys??) supports bridging tagged packets, I don't see anywhere in the docs a 
 way to set and strip VLAN tags the way a real switch would.  Perhaps you'll 
 be better off just buying a cheap managed switch off eBay to do this job, for 
 example http://r.ebay.com/CkaSX0 isn't what I'd choose for enterprise use but 
 will be more than adequate for home use.  If you don't like used equipment, 
 look at the NetGear GS(105|108|116)* line which are small, cheap and fanless, 
 and will do almost everything you want to do.  Minus the QoS, I think... 
 although they have slightly more expensive (but still small and fanless, I 
 think) models that can do QoS.  Most vendors have a small, quiet, 
 VLAN-capable switch like this, but I think Netgear's are the cheapest (and 
 have lifetime warranty).
 
I have a TP-Link 8 port switch ( http://tinyurl.com/m2rbcdt ) that connects the 
3 LANs and the 3 WANs to the pfSense Box. 
But I’m not sure anymore what help it is.
I had the LANs coming in on their own physical NICs, but couldn’t get them 
together for QoS either.
I can get them all in their own queue for shaping, but that way I could only 
limit each LAN individually, not taking into account what the other one needs.

 3. You could probably get some low-profile Cat5e cable and run multiple runs 
 in the wiring space you currently have a single cable run.  This requires 
 skill and tools, however.
Cables are there, if that would help at all I can run more.

 
 4. Do all of this with routing instead of bridging.  IIRC, you mentioned that 
 due to physical limitations, the pfSense device acting as a switch was 
 relatively underpowered; this will affect layer 2 (bridging) performance as 
 well, so whether you route or bridge, you still won't be able to push a 
 gigabit of traffic, and QoS will likely make the situation worse, not better.
 
There are no real physical limitations around the pfSense Box (Intel Pentium D 
3 GHz - 2 GB RAM), all LANs come all the way down to the box, the modems for 
the 3 WAN connections sit right next to it too.

The limit is the available bandwidth here in Bolivia, 3Mbps ADSL costs around $ 
200 (US) per month which equals to the local minimum wage. We have 3 of those 
connections, serving our Office’s LAN, Client PC LAN and Clients WiFi in my 
Backpacker Hostel with sometimes up to 120 devices connected to the WiFi…

So if you have any further suggestion on where to look (RTFM) how to do some 
routing so I can shape the traffic between the LANs, I am happy to read any 
manual you could suggest.

Thanks

Ben



Re: [pfSense] Bridging 3 virtual interfaces together?

2014-01-05 Thread Benjamin Swatek

On 5 Jan 2014, at 23:48, Adam Thompson athom...@athompso.net wrote:

 I've steered you the wrong way altogether!

No problem.
 
 I have a TP-Link 8 port switch ( http://tinyurl.com/m2rbcdt ) that connects 
 the 3 LANs and the 3 WANs to the pfSense Box.
 But I’m not sure anymore what help it is.
 I had the LANs coming in on their own physical NICs, but couldn’t get them 
 together for QoS either.
 I can get them all in their own queue for shaping, but that way I could only 
 limit each LAN individually, not taking into account what the other one needs.
 
 You've got everything you need.
 
 The only place you can usefully control QoS in your environment is on the 
 *UP*link to your ADSL provider.  If you have NICs dedicated to each subnet, 
 then you're already at 1Gbps dedicated to each subnet.  Not really, because 
 pfSense on that hardware can't do 1Gbps, but at least ethernet isn't the 
 bottleneck.
 
 By controlling upstream bandwidth, you can have *some* effect on downstream 
 bandwidth.  By ensuring that no single upstream link is 100% congested, you 
 will almost certainly improve response time and latency.
 
I thought that is somehow what the pfSense Shaper does, I imagined that by 
keeping responses of certain connections back, it would also somehow limit the 
downstream or some similar black magic ;-)

 There will be absolutely no benefit to putting a traffic-shaping policy on 
 inbound traffic; I can explain the logic behind this statement if it's not 
 obvious, but in short: the data has already arrived at the DSL modem (and 
 thereby filled up the pipe) long before pfSense can touch it.

No black magic at all so? 
Not even to limit p2p traffic and prefer pure http/https ?

Or give one LAN more bandwidth when needed while more to the other LAN if the 
first one doesn’t need it?

 I believe what you need is a standard multi-WAN setup.  No VLANs or trunking 
 are needed at all in your situation.  You will need to apply a traffic 
 shaping policy on all three WAN connections; you can apply the identical 
 policy on all, or different policies on each. If you're using pfSense's 
 multi-WAN feature with equal weights, I recommend placing the same traffic 
 policies on all three lines.
 
Up and running

 However, bundling the three DSL connections together this way won't produce 
 the results you expect; pfSense doesn't magically bond uplinks and downlinks 
 together - no standard router or firewall really can do a good job of that.  
 pfSense does a decent job of load-balancing, but the end results are 
 imperfect and do not magically reflect a 3x increase in usable bandwidth.

You’d be surprised how good a job it does. When the connections are good, 
fewer other Bolivians surfing the web, and each DSL line nearly reaches its 
(contracted) limit, the Client WiFi nearly sucks down the sum of the 3 DSL 
bandwidths, that is according to pfSense’s traffic graphs :-)

 
 You might want to have a look at Mushroom's Truffle router.  Yes, I'm 
 serious, that's the real name of the product.  It might be useful to you, or 
 it might not.  Latency from Bolivia might suck if you use their cloud service 
 on the far end; you might still have to find somewhere to host the server 
 side to get the most out of the bonding mode they offer.
 
I’ll look into this.

Thanks



[pfSense] MultiLAN ( MultiWAN) Traffic Shaping - How to create a bridge?

2013-12-21 Thread Benjamin Swatek
Hello List,

I'm trying to set up Traffic Shaping in a MultiWAN & MultiLAN environment.

It seems to me that even the MultipleLan/Wan Wizard still doesn't do the 
trick for me as it sets up the same queues for all LANs but I need an option to 
prefer traffic from a certain LAN over another.

As my 3 LANs come in as VLANs on one NIC, I guess Bridging would be the magic 
word so I could bridge all the LANs to one interface and do the shaping from 
there, first based on subnets, then on type of traffic?

But from here I am totally lost, I have no clue how to start with the Bridge, 
which is probably the main problem. 
Once I have all the traffic coming in on one (bridged) interface, I hope I can 
re-direct it into different queues by originating subnet and protocols/ports 
used.

Any hints appreciated.

(My Setup:
pfSense 2.1-RELEASE x64 on an Intel Pentium D 3GHz, 2 GB RAM
WAN Interface with WAN (VLAN2), WAN2 (VLAN3) & WAN3 (VLAN4)
LAN Interface with LAN (VLAN6), LAN2 (VLAN7) & LAN3 (VLAN8)
OPT1 - Onboard Control IF - unused but configured
The box has 2 more NICs that could be used if needed.

The MultiWAN setup works fine using all three WANs. On the LAN interface, LAN 
is my office network, which is totally controlled by me and should later be 
preferred over everything else by the traffic shaper; LAN2 is a network with 
free to use PCs and where I can control pretty well what traffic is coming 
from there (http(s) only / no p2p, no VOIP/Skype); LAN3 hosts the open WiFi 
with up to 150 clients at any given time where I have no control whatsoever 
which traffic comes from there, this should be the LAN with the least priority 
on the shaper and here further shaping will have to happen.)

Thanks

Ben



Re: [pfSense] Multi Wan via gateway groups breaking some websites

2013-12-12 Thread Benjamin Swatek

On 11 Dec 2013, at 15:14, Joe Landman land...@scalableinformatics.com wrote:

 Hi folks
 
 I've run into an issue that has me somewhat confused.  Our multiwan router is 
 up and working.  This is 2.1 release.  I've got 2 ports to two different 
 network providers (different technologies at that).
 
 Following the directions ( https://doc.pfsense.org/index.php/Multi-WAN_2.0), I
 
 1) set up a Gateway group called MultiWANGW which has both gateways.  Both 
 were originally set as tier 1.  More on this in a moment.
 
 2) set up outbound LAN-any mapping to use the MultiWANGW in the Gateway of 
 the LAN rule governing outbound traffic.
 
 3) I have two distinct DNS servers set up per gateway under Systems-General.
 
 I've verified that gateway monitor reports them working.  Actually everything 
 appears to be working ... except ...
 
 One or two sites (Ariba http://www.ariba.com  and a few others) seem to have 
 some significant problems if I leave both gateways at tier 1.  Once I change 
 it so that one (the slower backup one) is tier 2, it works.  This has the 
 impact of not doing an explicit load balance from what I have read on it.
 
 So ... my question is, what diagnostics should I try to be able to identify 
 the issue (some sites not working when the system is set in load balanced 
 mode)?  I did try setting the sticky mode (System-Advanced-Miscellaneous), 
 though I am not sure this is correct for outbound load balanced multi-wan.


Maybe an issue with HTTPS?
https://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x#Setting_up_for_protocols_that_don.27t_like_load_balancing

Ben


Re: [pfSense] Not so sticky connections

2013-12-07 Thread Benjamin Swatek

On 6 Dec 2013, at 11:15, Nishant Sharma codemarau...@gmail.com wrote:

 Benjamin Swatek bfts.pfse...@gmail.com wrote:
 
 Firewall rules on LANs are set to:
 Allow Any to MultiWAN Gateway)
 
 HTTPS and many other encrypted protocols like IMAPS, POP3S etc can not be 
 load balanced.
 
 You need to send them through one link.
 
 Go through the MultiWAN howto on docs.pfsense.org.
 
 Regards,
 Nishant
 


Nishant, thank you very much, this seems to improve HTTPS right away, cheers.

Any hints on what to do with downloads?

Especially “one click hoster” downloads keep failing, but other http browser 
downloads fail all the time too.
If I use a download manager though it works OK.
I can use the download manager myself, but there are too many PCs on my network 
that are not under my control and I would love if it would work for them too.

Cheers

Ben



[pfSense] Help with VLAN setup

2013-11-23 Thread Benjamin Swatek
Hello all…

I’m trying to set up VLANs but I can’t get it to work.

I have a TP-Link TL-SL2210WEB switch connected to a pfSense box.

The switch should connect to 3 ADSL Modems on ports 2, 3 and 4 and to the 
pfSense Box on port 1.

On the switch I configured port 2 to be part of VLAN 2, port 3 to be part of 
VLAN 3 and port 4 to be part of VLAN 4. They all tag “Egress Frames” 
accordingly.

Port 1 is member of all those VLANs and does not modify “Egress Frames”.

On pfSense I tried to set up VLANs 2-4 too, but something doesn’t work.

I created the VLANs during set up, then assigned them to the corresponding 
interface (fxp0 - I tried with re1 too) and then created OPT interfaces using 
the VLANs as their network ports.

Then I gave each OPT an IP address according to the modem’s configuration 
(192.168.x.10).
I tried creating Gateways when assigning IPs and as well afterwards but no 
interface gets online or can ping the modems.

When I connect my laptop directly to port 1 of the switch and assign it an IP 
address corresponding to any of the modems connected I get online and can ping 
the modems too.

What am I doing wrong?

Thanks

Ben
(sorry for cross posting on forum and list, I’ll share any knowledge I can 
gather in both too.)


Re: [pfSense] Help with VLAN setup

2013-11-23 Thread Benjamin Swatek

On 23 Nov 2013, at 13:14, Adam Thompson athom...@athompso.net wrote:

 What am I doing wrong?
 
 My best guess is untagged/tagged confusion on your part, but there are other 
 possibilities.
 
 I assume VLAN 1 is your LAN, i.e. the subnet protected by the firewall.  
 Presumably ports 5 through 8 are on VLAN 1 as well, and your other devices 
 are plugged in there.
 You want port 1 to be an untagged member of VLAN1, and a tagged member of 
 VLANs 2, 3 and 4.  If your switch talks about egress and ingress rules, 
 port 1 should be configured to *apply* an 802.1Q tag on egress for VLANs 2, 3 
 & 4, and to *strip* (or merely not apply, depends on the switch) 802.1Q tags 
 on egress for VLAN 1.  Similarly, the PVID (default VLAN) for port 1 should 
 be VLAN 1, and it should accept tagged packets for VLANs 2, 3 & 4.  Then 
 ports 2, 3, and 4 should be configured to strip (or not apply) 802.1Q tags on 
 egress for their respective VLANs, and should be configured with a PVID of 
 2/3/4 (respectively) and be set to accept untagged packets.
 
Seems like that was the problem.

Thanks a million.

Ben



[pfSense] Got myself a Switch....

2013-11-18 Thread Benjamin Swatek
Hello all,

Sorry if this is a bit of a general question, any hint on where to RTFM is very 
welcome.

My current set up is one pfSense Box connected to 3 ADSL lines with MultiWAN 
and a 2nd pfSense Box connected to the first and then connected to 3 different 
LANs.
I am using 2 boxes because that is what was available but none of the boxes 
offered enough options to connect more NICs.

Now I got myself a manageable Switch (a TL-SL2210WEB) which I would like to use to 
cut down one pf-Box.
I’m still not 100% sure about the final set up, but if possible (with this 
switch) I would like to connect the 3 ADSL to the switch and VLAN them to the 
pfSense Box, and use the 3 lines via MultiWAN to give more bandwidth to the 
LANs. 
If the Switch allows, I want to connect the 3 LANs via VLAN too, to the pfSense 
Box and use traffic shaping to prioritise one LAN over the other and certain 
kind of traffic over other too.

Should it be possible to use the shaper on 3 different LANs if they all come in 
over 1 NIC but are separated in 3 different VLANs?
In my current setup I was told I would have to use a Bridge and gave up at that 
point just limiting one LAN to a max MBit connection.

If it is not possible to use the Traffic Shaper as described, I guess I would need 
to set up a bridge between two NICs somewhere, how would I have to go about 
that?

Any suggestions welcome.

Sorry for the n00b questions, I’m actually just doing this for the fun of it 
while running a hostel in Bolivia and I couldn’t get any decent network techs 
to get our internet working properly.
As a background, the LANs are our Office LAN, a LAN for various stationary PCs 
used by the clients and 3rd a WiFi that is freely accessible by all our clients 
and easily runs up to 100-120 devices connected at any given time.

Thanks

Ben
Wild Rover Hostels
La Paz, Bolivia