On 7/26/05, Kev Latimer <[EMAIL PROTECTED]> wrote:
> I wanted to use multiple WAN connections (using 1 router per connection,
> all attached to the firewall). The primary reason was to support lots
> of IPSec VPN connections so I could have them all concentrated on one
> endpoint rather than deploying a new firewall for every, say, 6 VPNs.
> Now this looks to be possible going by a blog post I saw and some
> entries on the mailing list.

Maybe. Multi-WAN definitely works; I fixed it up within an hour or two of
getting my second WAN connection at home. Create rules and choose the
gateway to send the traffic in question. VPNs are a different story and
something I hope to find time to work on during our hackathon. We may or
may not do what you want; I'd need a little more info on the exact setup
you envision.

> Also, I saw a checkbox in the web interface labelled "outbound load
> balancing" - does this actually redistribute outbound traffic over
> multiple WAN connections (i.e. does it work?).

Maybe... it's been in-tree for a long time, but I know of no one using
it. It'll likely get a workout at the hackathon to ensure that it really
is working.

> The other things that were 'broken' were to do with the way IPSec
> tunnels were 'kludged' into the kernel (as one person said) and
> therefore stopped me from using the IPSec tunnels to do cool stuff. Has
> any of this changed now that FreeBSD 6 is used as opposed to 4.11 as a base?

I don't really know anything about m0n0 or FreeBSD 4.11... what were the
issues? I do wish that FreeBSD tied IPSec tunnels to a logical interface
like OpenBSD does, but I hear we can do "stuff" with gif interfaces. I
plan on looking into that soon, as filtering over VPN today kinda sucks
w/out an interface to apply a rule to.

> I wanted SNMP traffic stats reported back to an NMS but this couldn't be
> done over the IPSec tunnel unless I did some odd static routing to route
> the traffic back to the IPSec interface, and when lots of m0n0walls got
> involved this made pings and traceroutes look very strange.

We've got an SNMP daemon. Dunno if anyone is running it over IPSec, but
I don't see why it shouldn't work assuming your tunnels are set up
correctly.

> I also wanted to traffic shape stuff before it entered the tunnel, but
> as I found out the only thing the shaper could see was ESP traffic, not
> what was encapsulated within. I remember Chris replied to me on the
> m0n0wall list saying it might never be feasible, but that was before
> pfSense appeared.

Similar issue. Traffic shaping (queuing) can only happen outbound on an
interface (you can only queue what you know about :)); since IPSec
doesn't have a logical interface, we can only shape the ESP/AH traffic.
This may or may not work in the future.

> However, even without these features, having failover with CARP and
> finally having a Squid proxy has already given me enough to ditch the
> ailing SmoothWalls that still burn on the edges of the network :) I
> shall play away today. :)

CARP rox :)

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
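The two mechanisms Bill points at above, per-rule gateway selection for multi-WAN and a gif interface so the IPsec link has something to filter on, look like this in a plain FreeBSD pf ruleset. This is an added example written for this page, not code from the thread or from pfSense; every interface name, address and network in it is assumed. It assumes gif0 has been created with ifconfig (tunnel endpoints are the firewall's wan1 address and the remote peer, inner addresses 10.255.0.1/10.255.0.2) and that a transport-mode ESP policy covers the IP-in-IP packets between the two endpoints, so what crosses gif0 in cleartext never leaves the box unencrypted.

```pf
# /etc/pf.conf fragment: two WANs with per-rule gateway selection, plus a
# gif tunnel for the IPsec link so VPN traffic can be filtered by interface.
# Added example; interface names, addresses and the peer are assumptions.

wan1_if    = "fxp0"            # default route points out wan1
wan1_gw    = "203.0.113.1"
wan2_if    = "fxp1"
wan2_gw    = "198.51.100.1"
lan_if     = "fxp2"
lan_net    = "192.168.1.0/24"
vpn_if     = "gif0"            # IP-in-IP tunnel; its outer packets ride inside ESP
vpn_peer   = "192.0.2.10"      # remote IPsec/gif endpoint (outer address)
remote_net = "10.10.0.0/16"    # network behind the remote endpoint
nms        = "10.10.5.20"      # SNMP manager on the remote side

# Assumed tunnel setup, done outside pf.conf (shown as comments only):
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 203.0.113.50 192.0.2.10
#   ifconfig gif0 inet 10.255.0.1 10.255.0.2 netmask 255.255.255.252
#   route add -net 10.10.0.0/16 10.255.0.2
# plus an ESP transport-mode policy for protocol 4 traffic between
# 203.0.113.50 and 192.0.2.10 (setkey/racoon).

set skip on lo0
scrub in all

# NAT on whichever WAN a LAN packet actually leaves on.
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

block in  log all
block out log all

# --- Outer VPN traffic on wan1: IKE, ESP, and the IP-in-IP packets that
#     pf sees again after decapsulation ---
pass in  on $wan1_if proto udp from $vpn_peer   to ($wan1_if) port 500 keep state
pass out on $wan1_if proto udp from ($wan1_if)  to $vpn_peer  port 500 keep state
pass in  on $wan1_if proto esp from $vpn_peer   to ($wan1_if) keep state
pass out on $wan1_if proto esp from ($wan1_if)  to $vpn_peer  keep state
pass in  on $wan1_if proto 4   from $vpn_peer   to ($wan1_if) keep state   # ipencap
pass out on $wan1_if proto 4   from ($wan1_if)  to $vpn_peer  keep state

# --- Inside the tunnel: rules attach to gif0, not to the opaque ESP stream.
#     Only SNMP polls from the NMS, traps back to it, and pings are allowed. ---
pass in  on $vpn_if proto udp  from $nms     to $lan_net    port 161 keep state
pass out on $vpn_if proto udp  from $lan_net to $nms        port 162 keep state
pass out on $vpn_if proto icmp from $lan_net to $remote_net          keep state

# --- Multi-WAN: pick the gateway per rule. pf is last-match-wins, so the
#     general LAN rule comes first and the more specific route-to rule last.
#     Traffic for remote_net is excluded: it must follow the route to gif0. ---
pass in on $lan_if proto { tcp udp icmp } from $lan_net to any keep state
pass in on $lan_if route-to ($wan2_if $wan2_gw) proto tcp from $lan_net to ! $remote_net port { 80 443 } keep state
pass out on $wan1_if keep state
pass out on $wan2_if keep state

# Inbound service on wan2: reply-to sends the answers back out wan2 even
# though the default route points at wan1.
pass in on $wan2_if reply-to ($wan2_if $wan2_gw) proto tcp from any to ($wan2_if) port 22 keep state
```

This covers filtering only. The shaping caveat in the reply above is untouched by it: queues still attach to the physical WAN interface, so what they see leaving wan1 is ESP, not the cleartext that crossed gif0.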
