I've been running the 2.0 betas for a few months and I'm quite happy
with it. Some network and hardware upgrades present me with a few
questions, and maybe I'm overthinking it, but I thought I would ask
the opinion of the wise ones.

I'm running mlppp and it works beautifully. For the last 2-3 months
it's been just 2 DSL connections, so they each got a dedicated NIC on
the net5501. Now I'm upsizing significantly to 8 DSL lines, and since
there's no reasonable way of getting enough physical ports into the
5501, I'm obviously forced to use vlans to get all the DSL and LAN
connections up. I have a single smart switch with vlan capability, but
a second smart switch is not in the budget at the moment. Therefore,
my DSL and LAN ports will be on the same switch, different vlans. This
brings me to my first question.

1. Given that
-nobody but me has physical access to pfsense or its connected switch,
-nobody outside my immediate family will have access to the
management vlan of the switch,
-nobody but me will have access to the web UI or console of pfsense,
-WAN packets will be split across 8 DSL connections,
what are my risks? I know it has been said on this list that WAN and
LAN should be physically separated. At what point does 'should' become
'must'?

Next, I have decided to replace the net5501 with a dual-Atom board
(the Supermicro X7SPA of legend), which has 2 Intel GBE NICs*. Next
question.

2. Given that
-my WAN and LAN interfaces will coexist on a single switch,
separated only by vlans,
-my total throughput will be well below 1 gbps,
-I have switch ports to spare,
is there any advantage or disadvantage to using either one or both
physical NICs on pfsense? Do I gain any security by running the mlppp
member vlans on one physical NIC and the LAN/OPT vlans on the second
physical NIC? Would I save any power by parenting all the vlans on a
single physical NIC and leaving the other one (and another switch
port) unplugged? Am I splitting hairs on this one?

Thanks for your thoughts. I'm very grateful for the quality of the
pfsense product, and for the unequalled body of expertise on this
list. I considered posting this on a networking-specific forum, but
I'm not convinced there is one quarter the talent hanging out there.

db

*I'm a little disappointed to retire the 5501 from firewall duty so
soon. I chose it over other embedded hardware specifically for its
advantage in RAM and number of NICs, but my needs grew rapidly and
before I ever really got to load it up I found myself needing more
ports and faster storage. Ah well, I think it may still make a good
monitoring tool and perhaps pbx and/or seedbox.