
Topics - smbsmb

Installation and Upgrades / reliable install - 2 HDD/CD/USB?
« on: July 11, 2011, 04:17:23 pm »
I have an old PC (Celeron; 512MB RAM; USB boot BIOS option present).
What is more reliable, to install pfSense on:
1. Two gmirror-ed HDDs. If one of them fails, we can boot from the other.
If this old PC fails, we can move the HDDs and network cards to another old one;
they are extremely cheap.
2. USB flash stick. Is it also possible to use gmirror for USB sticks?
3. To run pfSense from CD and to store the configuration on Flash/FDD?

Please help me to solve this problem:
Workers in our office should have access only to 10-12 sites (for work);
an ACL of these DNS domains can easily be written.
However, some workers should have access to all sites, by personal password.
The access control cannot be done by IP addresses,
only by login/password, because the computers are really not so "personal".

What is the right way to do it:
1. To set up transparent squid+squidguard, and a PPPoE (or PPTP) server.
Users without auth will have limited access,
users with auth will have full access.
Is it possible to set up a transparent proxy
which will not intercept traffic from PPPoE (or PPTP) users?

2. To set up firewall rules for these sites, and a PPPoE (or PPTP) server.
The rules will be safer, because they will block not only HTTP to unneeded sites, but
all protocols.
However, there can be problems if some site's IP addresses change;
I would always have to correct the rules in this case.
AFAIK, it is possible to define different sets of rules
for NAT and PPPoE (or PPTP) connections (users)?

Is there a better way to do this site-blocking?
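A sketch of option 1 as an added example (not from the original post, and not pfSense's or squid's own configuration): a squid whitelist for LAN clients that are not logged in, and the pf redirect that intercepts HTTP on the LAN interface only, so PPTP/PPPoE clients arriving on their own interface are never sent through the proxy. The interface name em1, the LAN network 192.168.1.0/24, the list file path and the proxy address 127.0.0.1:3128 are assumptions.

```conf
# --- squid.conf (fragment) ---
# Intercepted browsers do not know a proxy exists, so proxy authentication
# cannot be used on this listener; the "full access" users are instead
# distinguished by logging in to the PPTP/PPPoE server (the post's option 1).
# squid 2.x uses "transparent"; squid 3.1 and later call this mode "intercept".
http_port 127.0.0.1:3128 transparent

# Allowed work sites, one dstdomain per line (constructed file name/path),
# e.g. ".example.com" to match the domain and all its subdomains.
acl work_sites dstdomain "/usr/local/etc/squid/work_sites.txt"
acl lan_clients src 192.168.1.0/24      # assumed LAN network

# Everything reaching the intercepting proxy is limited to the work sites.
http_access allow lan_clients work_sites
http_access deny all

# --- pf rules (fragment, pf syntax of the FreeBSD 8 era used by pfSense 2.0) ---
# The rdr is bound to the LAN interface. Traffic from VPN users enters on the
# PPTP/PPPoE interface, never matches this rule, and so bypasses the whitelist.
rdr on em1 inet proto tcp from 192.168.1.0/24 to any port 80 -> 127.0.0.1 port 3128
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port 3128 keep state

# Caveat: only plain HTTP is intercepted. HTTPS and every other protocol from
# unauthenticated LAN hosts still need their own pass/block rules, which is the
# gap the post's option 2 (per-site firewall rules) is meant to close.
```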

What an interesting, complex problem!

Our second office is located in a place,
where ISPs only provide slow unlimited Internet
traffic with speed not more than 128 Kbps.
So, our office is now connected that way:
We have bought several unlimited internet logins, 128Kbps each (VPN - pptp).
and use a bundle of route rules.

I tested the VPN connectivity to the PPTP server in the main office; it worked.
Note that we didn't buy external IP addresses from our ISP (the ISP does NAT for us).
So, our ISP doesn't block GRE,
and even such a complex thing as "PPTP through NAT over PPTP" works, but the speed is

Since GRE is not port-based, and all our connections have the same IP address (the ISP's NAT server), I'll try to get pfSense to send GRE packets to our main VPN server over the Internet over all our ISP connections in round-robin style, to combine their speed. It will probably combine ONLY the outbound speed of our channels, but it is better than nothing.

Does this "outbound speed combining solution" seem to work, and possible with pfSense?

AFAIK pfSense currently supports just one (not more) PPTP VPN interface as WAN.
Also, I was told on the mailing list:

>  Is there a workaround to connect all 8 pptp connections
>  from pfSense simultaneously?

"Not a good one. 8 installs could do it, then put one install inside
those 8 installs to balance between them. If you can use a cheap NAT
device of some sort on 7 of them, connect the NAT devices to 7 pfSense
interfaces, and use one on pfSense's WAN, then it'll work.

Only way PPTP on multiple WANs will ever get implemented is if you can
contribute code or someone else can in the future.  None of the
current developers have PPTP Internet connections."

- Is it possible to run 9 virtual machines on a computer,
  8 of them running pfSense and connecting to the PPTP VPN,
  with the 9th pfSense load-balancing between these 8 pfSenses?
- If yes, which virtual machine software with a network-between-VMs
  feature do you recommend?
- Is it possible to write a non-standard rule for PF
  which will round-robin only outbound GRE packets,
  and to add it (how?) to the pfSense configuration?