
Topic: load balancing and some network control (expert should predict a price)

hsoldo

Hi,

I need to set up load balancing on 2 WANs (one is ADSL, the other is a wireless router). Right now I did most of the things from the forum suggestions and YouTube videos, but let's just say it works very badly.
Also, many times computers in the network start to show DNS errors for a few minutes. And the last thing is to implement some control in the LAN (to allow certain users to have free internet, limit others to some websites, and limit some to only have Skype).

pfSense is now running. WAN = 9Mb/3Mb, OPT1 = 8Mb/0,5Mb.
Name your price because (a reasonable one) :)

Thank you

jikjik101

Maybe I can help, but I cannot guarantee it.


1. To load balance your WANs, go to System>Routing>Groups.
Put your two WANs under same tier.

Plan your LAN. How many users/IP are non-restricted and how many users/IP are restricted?
Example, if my LAN is /24, half of it is non-restricted.
Let's say the IPs 192.168.100.1-192.168.100.127 are the non-restricted and IPs from 192.168.100.128-192.168.100.254 are restricted.

2. On Firewall>Alias, create an alias for non-restricted IPs and restricted IPs. Although this is not necessary, it is much easier to maintain and troubleshoot if you use aliases.


3. Under Firewall>Rules>Floating, add a rule:
Protocol  Source                  Port  Destination  Port      Gateway      Queue  Schedule  Description
UDP       WAN1 and WAN2 address   *     *            53 (DNS)  LoadBalance  none

Under Source, select your two WAN interfaces. Select DNS under port and the group you created in step 1 for Gateway.

4. Under Firewall>Rules>LAN, create a rule like this:
Proto  Source          Port  Destination  Port  Gateway      Queue  Schedule  Description
*      Non-restricted  *     *            *     LoadBalance  none
*      Restricted      *     *            *     LoadBalance  none

Under Gateway, use the group you created in step 1.
Also, use the aliases (restricted and non-restricted) you created in step 2 for the source.

To put control on your restricted IPs, you can add a firewall rule that will block some websites.
You can create an alias of URLs, then on the firewall rule under LAN, select the Block action:
Proto  Source          Port  Destination   Port  Gateway      Queue  Schedule  Description
*      Restricted      *     Blockedsites  *     LoadBalance  none

As a good practice, always block everything under firewall rules and only allow specific rules.
And always remember, rules are executed from top to bottom.


EDIT:
SORRY, I did not notice that this is posted in the BOUNTY section. I thought this was in General Questions. But if my post helps the OP, please contribute or give your payment to the pfSense developers.
« Last Edit: June 11, 2012, 01:12:50 am by jikjik101 »
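The rule ordering described in the post above, worked through as an added example (not part of the original post, and not pfSense code): a small first-match evaluator over the post's two LAN ranges, showing that the Blockedsites block rule only takes effect when it sits above the Restricted pass rule. The Blockedsites address and the test destinations are constructed documentation addresses.

```python
import ipaddress

def range_to_cidrs(first, last):
    """CIDR blocks that exactly cover first..last (alias network entries)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

# Ranges taken from the post; the Blockedsites entry is constructed.
ALIASES = {
    "Non-restricted": range_to_cidrs("192.168.100.1", "192.168.100.127"),
    "Restricted": range_to_cidrs("192.168.100.128", "192.168.100.254"),
    "Blockedsites": [ipaddress.ip_network("203.0.113.10/32")],
}

def in_alias(ip, alias):
    if alias == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALIASES[alias])

def evaluate(rules, src, dst):
    """Interface-tab semantics: the first matching rule wins, top to bottom.
    Traffic that matches no rule falls through to the implicit default deny."""
    for action, src_alias, dst_alias in rules:
        if in_alias(src, src_alias) and in_alias(dst, dst_alias):
            return action
    return "block"

# Block rule entered below the pass rules: it is never reached.
BLOCK_LAST = [
    ("pass", "Non-restricted", "*"),
    ("pass", "Restricted", "*"),
    ("block", "Restricted", "Blockedsites"),
]
# Block rule moved to the top: restricted hosts lose access to Blockedsites.
BLOCK_FIRST = [
    ("block", "Restricted", "Blockedsites"),
    ("pass", "Non-restricted", "*"),
    ("pass", "Restricted", "*"),
]

if __name__ == "__main__":
    for name, rules in (("BLOCK_LAST", BLOCK_LAST), ("BLOCK_FIRST", BLOCK_FIRST)):
        print(name, evaluate(rules, "192.168.100.200", "203.0.113.10"))
```

Neither range is a single CIDR block, so each alias expands to seven network entries.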

hsoldo

I am going to give it a try these days (it is not simple for me now to reconstruct the whole network (about 100 users)).
As soon as I get any results from your instructions I will write to you to see what amount I should donate.

Thank you

jikjik101

The instructions will only take 10-20 minutes or less if you are using DHCP on your LAN.

hsoldo

And do you know if it is possible to have some protection by MAC address?
As some users have already learned to change their IP address.

jikjik101

Use DHCP on your LAN.

It has two features:

Deny unknown clients
If this is checked, only the clients defined below will get DHCP leases from this server.

Enable Static ARP entries
Note: Only the machines listed below will be able to communicate with the firewall on this NIC.
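An added example (not part of the original post) of the condition these two DHCP options are meant to stop: it compares an ARP table against the static MAC-to-IP mappings and reports hosts using an address other than the one assigned, or hosts with no mapping at all. The mappings and the ARP lines are constructed samples; the ARP lines follow the FreeBSD `arp -an` output format.

```python
import re

# Constructed static DHCP mappings (MAC -> assigned IP); not from the thread.
STATIC_MAP = {
    "00:11:22:33:44:55": "192.168.100.20",   # non-restricted user
    "00:11:22:33:44:66": "192.168.100.150",  # restricted user
}

# Constructed sample in the FreeBSD `arp -an` output format.
ARP_SAMPLE = """\
? (192.168.100.20) at 00:11:22:33:44:55 on em1 expires in 1100 seconds [ethernet]
? (192.168.100.30) at 00:11:22:33:44:66 on em1 expires in 900 seconds [ethernet]
? (192.168.100.40) at 00:11:22:33:44:77 on em1 expires in 300 seconds [ethernet]
? (192.168.100.41) at (incomplete) on em1 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifc>\S+)",
    re.IGNORECASE,
)

def audit_arp(arp_text, static_map):
    """Return (ip, mac, reason) for every ARP entry that violates the mappings."""
    findings = []
    for line in arp_text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # incomplete or unparsable entries carry no MAC to check
        ip, mac = m["ip"], m["mac"].lower()
        if mac not in static_map:
            findings.append((ip, mac, "unknown MAC"))
        elif static_map[mac] != ip:
            findings.append((ip, mac, "expected " + static_map[mac]))
    return findings

if __name__ == "__main__":
    for finding in audit_arp(ARP_SAMPLE, STATIC_MAP):
        print(*finding)
```

In the sample, the restricted host has moved itself from 192.168.100.150 to 192.168.100.30, which is exactly the case static ARP entries prevent.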

hsoldo

I will try to play with this. If I don't succeed, can I count on you to do it for payment?

jikjik101

I am not familiar with the bounty section and this is just my first time posting here (accidentally :D)

I think you need to read this first: http://forum.pfsense.org/index.php/topic,23514.0.html

Quote
Configuration help bounties

There are a lot of bounties for people asking for configuration help. For those of you who need help getting your system set up in a specific way, consider paying for a commercial support package. It's a great way to support pfSense and pay the developers for their time, plus you can be assured that you're getting someone who really knows this system to look at your network environment and help you configure pfSense properly.

It is better to pay for a commercial support package and let the support team do its job.
Sorry, but I am not part of the support team and I am not an expert in pfSense.