Re: [pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation

2015-11-13 Thread Chris Bagnall
On 13 Nov 2015, at 15:09, David White  wrote:
> I have a unique scenario:
> The higher ups require a multi-wan high availability setup, but assuming
> both ISPs are working, some traffic is required to use 1 ISP and some
> traffic is required to use the other.
> I've read in some pfSense docs on how I can setup a high availability,
> multi-wan setup, but those docs say nothing about segmenting the traffic.
> My idea is to setup 2 VLANS, and route 1 VLAN out of 1 gateway and 1 VLAN
> out the other, but configure them so that if 1 ISP or the other ISP goes
> down, both VLANS will go out whichever ISP is working.
> Is this possible?

Yes, it’s far from unique - most of our pfSense deployments are like this. The 
joys of rural locations where one internet connection is neither fast nor 
reliable enough.

In a nutshell, you’ll define two gateway groups, something like this:

WAN1Preferred
 - Tier 1: WAN1 Gateway
 - Tier 2: WAN2 Gateway

WAN2Preferred
 - Tier 1: WAN2 Gateway
 - Tier 2: WAN1 Gateway

Then on your VLAN rules pages, change the default (allow all outbound) rule to 
use the appropriate gateway group.

In most of our deployments we segment traffic by type rather than VLAN though, 
usually to force latency-critical traffic (like SIP) away from ‘bulk’ traffic 
(like web browsing).

> Founder & CEO

Yet there are still ‘higher ups’? :-)

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
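
Added example, not part of the message above and not pfSense code: a small model of the two gateway groups from that reply, showing which WAN each VLAN leaves through in every up/down combination and when the two VLANs stop being separated. The VLAN names are hypothetical, and the model assumes a group uses the lowest-numbered tier that still has a live gateway.

```python
# Added illustration (not pfSense code): a model of tiered gateway-group failover.
from itertools import product

# Gateway groups as given in the reply: tier number per gateway, lower is preferred.
GROUPS = {
    "WAN1Preferred": {"WAN1": 1, "WAN2": 2},
    "WAN2Preferred": {"WAN2": 1, "WAN1": 2},
}

# Assumption: hypothetical VLAN names mapped to the group on their outbound rule.
VLAN_POLICY = {"VLAN10": "WAN1Preferred", "VLAN20": "WAN2Preferred"}


def active_gateways(group, status):
    """Return the gateways in the lowest-numbered tier that has a live member."""
    tiers = {}
    for gw, tier in GROUPS[group].items():
        if status.get(gw, False):
            tiers.setdefault(tier, []).append(gw)
    if not tiers:
        return []          # every member is down: no egress for this group
    return sorted(tiers[min(tiers)])


def egress_matrix():
    """Egress per VLAN for every up/down combination of the two WANs."""
    rows = []
    for wan1_up, wan2_up in product([True, False], repeat=2):
        status = {"WAN1": wan1_up, "WAN2": wan2_up}
        egress = {v: active_gateways(g, status) for v, g in VLAN_POLICY.items()}
        used = {gw for gws in egress.values() for gw in gws}
        # Segmentation holds only while the VLANs leave through different ISPs.
        segmented = len(used) == len(VLAN_POLICY)
        rows.append((status, egress, segmented))
    return rows


if __name__ == "__main__":
    for status, egress, segmented in egress_matrix():
        print(status, egress, "segmented" if segmented else "shared or no egress")
```

With either ISP down, both VLANs share the surviving link, so any control that relied on the two paths being separate has to hold in that state as well.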

Re: [pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation

2015-11-13 Thread Chris L
On Nov 13, 2015, at 7:09 AM, David White  wrote:
> 
> I have a unique scenario:
> 
> The higher ups require a multi-wan high availability setup, but assuming
> both ISPs are working, some traffic is required to use 1 ISP and some
> traffic is required to use the other.
> 
> I've read in some pfSense docs on how I can setup a high availability,
> multi-wan setup, but those docs say nothing about segmenting the traffic.
> 
> My idea is to setup 2 VLANS, and route 1 VLAN out of 1 gateway and 1 VLAN
> out the other, but configure them so that if 1 ISP or the other ISP goes
> down, both VLANS will go out whichever ISP is working.
> 
> Is this possible?

Absolutely.  Look at Multi-WAN, Failover, and Policy Routing on the doc wiki.



Re: [pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation

2015-11-13 Thread David Burgess
On Fri, Nov 13, 2015 at 8:09 AM, David White  wrote:

> I have a unique scenario: 


That sounds like a fairly standard use of multi-WAN, with vlan thrown in
for flavour. Did you look at this page? If so, do you have any specific
questions or problems with it?

https://doc.pfsense.org/index.php/Multi-WAN

db


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-13 Thread Vick Khera
On Thu, Nov 12, 2015 at 5:20 AM, Marco  wrote:

> > Setting up BIND 9 to manage a dynamic zone is not very difficult.
>
> Do I need an additional BIND instance besides the unbound that's
> already running on the pfSense box?
>

unbound != bind. I do not know anything about setting up dynamic zones in
unbound. I know how to do it in bind9.


[pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation

2015-11-13 Thread David White
I have a unique scenario:

The higher ups require a multi-wan high availability setup, but assuming
both ISPs are working, some traffic is required to use 1 ISP and some
traffic is required to use the other.

I've read in some pfSense docs on how I can setup a high availability,
multi-wan setup, but those docs say nothing about segmenting the traffic.

My idea is to setup 2 VLANS, and route 1 VLAN out of 1 gateway and 1 VLAN
out the other, but configure them so that if 1 ISP or the other ISP goes
down, both VLANS will go out whichever ISP is working.

Is this possible?

-- 
David White
Founder & CEO

*Develop CENTS *
Computing, Equipping, Networking, Training & Supporting
Organizations Worldwide
http://developcents.com


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-13 Thread Marco
On Thu, 12 Nov 2015 10:42:30 -0800
Geoff Nordli  wrote:

> Not sure how many clients you are going to have,

About half a dozen. Growing. But still, overall a very small
deployment here. RADIUS seems to be designed for larger enterprises
with hundreds or thousands of clients and might not justify the
administrative overhead and cost for us.

> but Openvpn allows you to assign an IP address to a specific
> client.  Look at the ipp.txt file.

This is supported through the pfSense GUI as well¹. But that doesn't
solve the fundamental problem we face. Which is that we cannot
reliably access the clients. Via IP address doesn't work (even if
it's fixed on the VPN) because the hosts (laptops) connect to
different parts of the network and get assigned different addresses.
So we have to address them via hostname. This works like a charm
thanks to the “Register host names in DNS” feature, except when they
connect via VPN. Hence this post.

Marco

¹ http://serverfault.com/a/361103/102215