General Questions / Re: Traffic shaper giving priority to rdp
« on: April 11, 2018, 12:35:49 pm »
Thank you KOM. I know it should go to Traffic Shaper Forum. But I always found this forum to be much faster in response :)

If I give highest priority to rdp then all the other traffic, including that from the vlan on the same lan, will get less priority.

Also there is a 2nd wan through which policy based traffic is passed. So I need not apply traffic shaping to it.

So I need to use wizard with 1 wan and do rest of the settings.

I am sorry if I am sounding quite trivial.


It depends. If you have created firewall rules for the lan interface then they are not inherited by vlans. But if you are running captive portal then vlans will also inherit it. I think the same holds true for squid (not very sure).
I hope this helps.

General Questions / Traffic shaper giving priority to rdp
« on: April 11, 2018, 05:43:55 am »
Hello everyone,

Here's my scenario. Branches are connected to HO through OpenVPN.

At the branches we have a 3Mbps leased line. The users rdp to a server at HO through vpn (configured in the pfsense firewall at both ends).

Due to heavy internet usage by guests at the location, the rdp users don't get bandwidth. I would like to give priority to rdp users.

I have a few questions:

For my usage, a simple PRIQ traffic shaping on WAN would be enough.

I'll give highest priority to rdp.

Is there anything I need to take care of? As the box is already running on site, I don't want to mess things up.

Any suggestions?



That is possible if you have a site-2-site openvpn connection. Then all the systems on the Client A side can access the 192.168.20.x series and vice versa. As far as I can understand from your post, you are running Windows-based openvpn client software on individual systems on Client A. If that is the case then I guess you will not be able to access systems on the Client A side from 192.168.20.x.

I suggest putting up a device (maybe another pfsense device) at Client A, and then the two devices can make an openvpn connection. Then all the devices from either side should be able to talk to each other.




Yes, we can take 2 connections from the same ISP. My doubt:

Since it's a broadband connection, 150 Mbps dn & up both ways, the contention ratio is expected to be 1:16 & having the same gateway, unlike a Leased Line Connection with contention ratio 1:1 or 1:2.

Are there any issues that you perceive & foresee cropping up?




Well, there will be an upload and download speed restriction through captive portal / freeradius for every user.

I guess this would prevent any one of them from eating up the entire bandwidth. Is there anything else I need to take care of?

I am not load balancing as ISP A is at 150 Mbps Up/Down and ISP B is at 30 Mbps up/down and ISP C is at 15Mbps/40Mbps Up/Down

So I thought ip based routing would be better. Am I right on this concept?



Thank you all for replying. So a big NO to TPlink.

@NogBadTheBad, all the three ISPs will be connected to pfsense. All the APs will be connected to this box.

The first 200 dhcp clients will use ISP A, the next 50 clients will use ISP B. So depending upon the ip address, the ISP will be decided by pfsense.

Will be using the same SSID across.

Is there anything else I need to take care of?



Thank you Derelict for replying, would need a suggestion.

For the discussed location, what are your thoughts about:

    1.   Ubiquiti Unifi AP AC Lite   vs   TP-Link EAP 245.

    2.   Ubiquiti Unifi AP AC Pro   vs   TP-Link EAP 330.


General Questions / Can Wifi APs get overwhelmed by torrent connections ..?
« on: February 04, 2018, 11:47:46 pm »
Greetings to all,

Wish to discuss an upcoming scenario with high density / high population wifi devices in a small area.

The scenario is for a hostel accommodation; wireless APs need to be installed in the coming week.
Each floor has too many 4-inch brick walls (5-6), hence we are planning several APs on each floor.

ISP available are :-  ISP-A Broadband 150 Mbps, ISP-B Broadband 80 Mbps , ISP-C Broadband 40 Mbps.
                      ( Upload & download speeds being the same in all the 3 ISPs )

Wi-Fi Access Points :-  Considering to  use Ubiquiti unifi ap ac lite   x  21 Numbers spread across 4 floors.
                        Open for suggestion if Ubiquiti unifi ap ac pro  would be more appropriate.
                        What would your comments be on Engenius EAP1200h . . ?

WiFi Coverage :- No Coverage Issues , -55 db  to -45 db. On Laptop the wifi signal shows 4/5  or  5/5 bars.

Networking : CAT6 , Gigabit switches.
             ISP-A (150Mbps) segmented for 3 Floors.
             ISP-B ( 80Mbps) segmented for 1 Floor.
             ISP-C ( 40Mbps) as a failover for  either ISP-A or ISP-B

Firewall :  pfsense configured with Captive Portal , 190 User Logins with Bandwidth Capped at 4Mbps per user login.
            with limit of 2 device per user login.
            Configured to run Captive Portal.    ( Squid is not required )

Each Access Point expected to receive max 30-40 concurrent device connections (Laptops & Mobiles).

Doubt - 1 :  will this desktop hardware be sufficient  for the job of  pfsense box ?
             AMD A-Series APU A4-6300 3.x GHz  - Dual Core  or
             AMD A-Series APU A8-7600 3.x GHz  - Quad Core (open for suggestions)
             8GB DDR3 Ram,  160GB SATA HDD x 2 Nos  ( RAID 0 - zfs mirror )
             5 GbE LAN Ports

Doubt - 2 :  In a particular area of the property,

We have a doubt about several users who connect to the same WiFi AP simultaneously in a particular area and may use file torrenting on their laptops. We have seen in the past that a simple torrent file usually opens 40-50 connections & about 1000 half open connections.
Will this become an issue, & will other users within the same WiFi AP experience disruptive internet performance?
Can several users using torrents (within the same AP) overwhelm the WiFi AP's capacity to handle per-client connections?

Also, we do not wish to block torrents in the network.

Essentially, even though the signals are strong and the head count of users is just 20 at a given time,
several users using torrents can spoil the user experience in that area, overwhelming the particular WiFi AP.




You will have to install squid and squidguard.

Also, to block https sites you have to enable SSL Filtering. Choose the option Splice whitelist and Bump otherwise. Create a whitelist of https sites which you want to pass. The rest will all be bumped.

Hope this helps you.

General Questions / Re: VIP setting
« on: January 28, 2018, 05:54:12 pm »
Thank you viragomann.

I am using mac-ip binding in box1 so box2 always gets the same IP.

I can of course make box2 have a static IP if that serves the purpose.
My question is about assigning another IP (virtual ip) to box2 so that I can access server2 with the same port as server 1.


General Questions / Re: Route specific hosts over VPN
« on: January 27, 2018, 12:29:35 pm »
This link might help you.



You can have two dhcp pools, but you cannot tell this client to select from pool A and that client to select from pool B. So give all the clients you want to be in pool B a fixed ip. But remember, if any other client which was supposed to get a dhcp address from Pool A fixes his ip to pool B, then he'll be allowed.

So to avoid this you should either use a managed switch or go for vlans.

If you have all wireless devices, then setting up vlans is quite simple. The only thing then required will be a device which can tag the clients. Most of the APs nowadays come with a vlan tagging facility.

If you have desktops then you have to invest in a managed switch.

I can help you set up vlans, in case you decide to do so.

General Questions / Re: VIP setting
« on: January 27, 2018, 07:42:18 am »

I haven't received any response. I just want to confirm: if I use a virtual IP with IP Alias and do a port forward to the second server, will it work? Since the pfsense box is at the remote location (at the head office where all branches connect) I don't want to take any chances.

Also, do I have to make any change in Box 1 (the load balancer), as it is the dhcp server for box 2?

As I am going to make these changes remotely I just want to confirm my steps.

Any help?


You can sort of achieve this by ip-mac binding, but the best way to do this is to use either a managed switch or vlans.


