The "alias" VIP-type will be in pfSense 1.1. CARP only works if the additional IP is in the same subnet of the real interface IP. If that is the case it should work. You'll need additional firewall rules for the CARP IPs to allow this traffic depending on the rules of the Interface the additional IP is configured on.
You were only referring to the wifi clients accessing the DSL modem in your previous posts. Actually a whole bunch of routes are needed at pfsense1, pfsense2 and the DSL modem if the modem should be accessible from everywhere.
Thanks for letting me know what truly was the limitation on DHCP. I assumed it not working was deeper than the problem of always having your gateway address change. Everything appears to be working great now, and it's time to start digging/tweaking some of the other features.
There are some problems with the Squid package (or maybe not) and probably the inherent rules it creates (which I don't know how to see).
To have access from a workstation to the Net (HTTP, HTTPS, FTP) with or without Squid I had to:
1. Configure Squid in transparent mode (I can still use it manually by choosing the IP of pfSense and the port 3128; I usually change the Squid port to 3328).
2. Service -> Squid ->Network Access Control - Allowed Subnets -> 192.168.1.0/255.255.255.0
3. Edit /usr/local/etc/squid/squid.conf and change the line "http_access deny !pf_networks" to "http_access allow pf_networks". This was the only way I found to get HTTPS and FTP, besides HTTP, working under Firefox with a manually configured proxy.
I don't know if this helps anyone or anyone can help me.
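The squid.conf edit in the post above (turning `http_access deny !pf_networks` into `http_access allow pf_networks`) changes more than who is allowed in, because Squid evaluates `http_access` lines top to bottom and the first line whose ACLs all match decides. The model below is an added example, not Squid's or pfSense's code; the rule order it uses (the port sanity checks placed after the network line) and the port sets are constructed assumptions, not the file pfSense generates.

```python
"""Model of Squid http_access evaluation. Added illustration, not Squid's or
pfSense's code; the rule order below is a constructed example, not the
squid.conf pfSense generates. Squid tests http_access lines top to bottom; the
first line whose ACLs all match decides, and when nothing matches the result is
the opposite of the last line's action."""
import ipaddress

# Constructed stand-ins for the ACL definitions a squid.conf would carry.
PF_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]   # the post's Allowed Subnets entry
SAFE_PORTS = {21, 80, 443, 3128}                        # subset of Squid's default Safe_ports
SSL_PORTS = {443}


def acl_match(name, client, method, port):
    """Evaluate one ACL reference (with optional leading '!') against a request."""
    negate = name.startswith("!")
    base = name.lstrip("!")
    if base == "pf_networks":
        hit = any(ipaddress.ip_address(client) in net for net in PF_NETWORKS)
    elif base == "Safe_ports":
        hit = port in SAFE_PORTS
    elif base == "SSL_ports":
        hit = port in SSL_PORTS
    elif base == "CONNECT":
        hit = method == "CONNECT"
    elif base == "all":
        hit = True
    else:
        raise ValueError(f"unknown acl {base!r}")
    return not hit if negate else hit


def http_access(rules, client, method, port):
    """First rule whose ACLs all match wins; default is the opposite of the last action."""
    for action, acls in rules:
        if all(acl_match(a, client, method, port) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The two variants differ only in the first line, exactly the edit the post describes.
# The later lines are Squid's usual port sanity checks (placement is an assumption).
TAIL = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["pf_networks"]),
    ("deny", ["all"]),
]
DENY_FORM = [("deny", ["!pf_networks"])] + TAIL     # http_access deny !pf_networks
ALLOW_FORM = [("allow", ["pf_networks"])] + TAIL    # http_access allow pf_networks


def compare(client, method, port):
    """Return (decision under the original line, decision under the edited line)."""
    return (http_access(DENY_FORM, client, method, port),
            http_access(ALLOW_FORM, client, method, port))


if __name__ == "__main__":
    for req in [("192.168.1.10", "GET", 80),
                ("192.168.1.10", "CONNECT", 443),
                ("192.168.1.10", "CONNECT", 8443),   # neither a Safe nor an SSL port
                ("203.0.113.5", "GET", 80)]:         # client outside pf_networks
        print(req, "->", compare(*req))
```

The third request shows the practical difference: under the original line a LAN client's `CONNECT` to a non-SSL port still reaches the later `deny` lines and is refused, while the in-place `allow pf_networks` matches first and those checks are never consulted for LAN clients. If the goal is only to let the LAN through, keeping the `deny !pf_networks` line and making sure an `allow pf_networks` appears after the sanity checks gives the same access without skipping them.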
Able to open an incoming connection from the internet to the LAN for a specific port via Port Forward and NAT 1:1 via the WAN interface.
FTP download is very-very slow on WAN interface from internet (already open TCP FTP and TCP 55000-60000 for Passive FTP).
Unable to ping the OPT1 interface from any (already opened ICMP to its IP).
Unable to ping virtual IPs on the OPT1 interface from any (already opened ICMP to its virtual IP).
Userland applications on FreeBSD are not multi wan capable (in a nutshell).
The reason we get multi-WAN in pf is because pf bypasses the internal routing table in this case. So when we redirect FTP to userland, we lose multi-WAN capabilities. The same holds true for Squid as well.
It's built into slbd, but without the static routes it's pinging out the primary WAN, which is most likely up.
I have created a gateway pool (which is running ok), but slbd never started up.
I tried to launch it myself (without any argument) and it's running, but I don't think it is checking anything about the gateways.
I can read this in the LB log tab :
Mar 14 21:56:29 slbd: Using r_refresh of 15000 milliseconds
Mar 14 21:56:29 slbd: Using configuration file /var/etc/slbdcap
/var/etc/slbd.conf is empty
/var/etc/slbdcap doesn't exist.
I have been attempting to successfully configure Dual WAN connections to my PF Box. I have tried unsuccessfully for 4 months using every possible combination that I can find in the Forums and in Tutorials and WIKI and think of and I have not been able to get Dual WAN to route traffic correctly. Even in the Dual Wan configuration, only WAN1 passes traffic in both directions.
LAN 1 IP: 192.168.1.1 (Default)
WAN IP: 172.16.10.0
ROUTER1 IP: 172.16.10.0 ADSL: STATIC IP
OPT1 IP: 22.214.171.124 (WAN2)
ROUTER2 IP: 126.96.36.199 ADSL: STATIC IP
The PFSense Box is NOT running as pppoe.
ROUTER1 & ROUTER2 Configured to authenticate and NAT. If either are connected directly to a PC or Network, Traffic flows perfectly. With every attempt WAN2 ROUTER2 does not pass traffic through to ISP. I can ping the Router2 Ethernet Address, but not the ROUTER STATIC IP when WAN is disconnected.
If WAN is connected to the ISP and WAN2 is connected I can ping the ROUTER2 STATIC IP, and when doing a tracert its path goes through WAN1 and the ISP account and backtracks to ROUTER2 on the Internet side. If ROUTER1 is disconnected, the ROUTER2 Ethernet IP can be pinged but no traffic is transferred and the Static IP is unreachable. I looked at the Firewall Log but nothing unusual was shown.
For one brief moment after a new install Beta2, I was able to ping and tracert ROUTER2 Direct without going out to the internet. But as soon as I disconnected ROUTER1, ROUTER2 was unreachable. After a restart, neither Router1 or 2 passed traffic and a format and reinstall was necessary to enable traffic flow.
I know that I must be missing something during the configuration that others are doing out of habit and not thinking to record the action. I have followed everything exactly and still dual wan / load balancing does not work for me.
I don't know if others are having as much trouble as I am setting up Dual WAN, but I would dearly like to see incorporated into pfSense a wizard to suit multiple config setups. E.g.: select MultiWan, Failover, CARP, Load Balance etc. during the initial setup so that it becomes foolproof and in the end a fully configured pfSense box as the user needs. Just enter the details of the IPs of LAN / WAN / OPT1 / OPT2 / etc. and GWs and whether it requires Load Balance.
check out this article from the wiki: http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
you basically have to modify the rules and create rules for different traffic (like destination any ip port 25) and select the appropriate gateway at the bottom of the rules page of each rule. the loadbalancing pool is optional. you can skip this part from the wiki for what you want to do.
I am getting back to my firewall project. What is the "next hop gateway (router) IP address"?
I think that the answer is the IP address of either the ADSL or the cable modem. The gateway shown by the interfaces page for the ADSL is a 10.x.x.x and its IP is 70.x.x.x (the interface page also lists DNS servers; curiously it shows 192.168.1.1, which is the IP address of LAN, why?). For the cable modem the interface page shows an IP address but no DNS servers.
I want Lan1 and the DMZ to be assigned to the ADSL connection and the Lan to be assigned to the cable modem. In the box that asks for "the next hop gateway (router) IP address", what do I enter there?
I understand what you're trying to do, but with that what you're trying won't go...
This is to make subnetting a bit more understandable (if this is wrong, somebody correct me please): At first, you chose a /30 (255.255.255.252) subnet, which allows a maximum of 3+1=4 hosts (252 in binary is 11111100, so you have only 2 bits for hosts). I suggest you use /28 (240) or something like that, because I think you have more than 4 wifi clients, right? ;)
So the easiest way would be to: 1.) Buy an Atheros-based wifi card; 2.) Buy a Linksys WRT54GS, flash it with DD-WRT, set it in AP mode, disable WAN, connect it to LAN, set it up, and select AP isolation...
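The subnet arithmetic behind the /30 versus /28 advice above, as an added example that is not part of the thread. It uses only the standard library and counts usable hosts the conventional way, excluding the network and broadcast addresses; the `smallest_subnet_for` helper goes one step beyond the post by picking the tightest prefix for a given number of clients.

```python
"""Subnet sizing arithmetic for the /30 vs /28 question above. Added example,
not from the thread; standard library only."""
import ipaddress


def host_bits(prefix):
    """Number of address bits left for hosts in an IPv4 prefix (/30 -> 2)."""
    return 32 - prefix


def netmask(prefix):
    """Dotted-quad mask for a prefix length, e.g. 30 -> 255.255.255.252."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def host_capacity(prefix):
    """(total addresses, usable hosts) for prefixes up to /30.
    Usable excludes the network and broadcast addresses; /31 and /32 follow
    a different convention (RFC 3021 point-to-point links) and are rejected."""
    if not 0 <= prefix <= 30:
        raise ValueError("prefix must be between /0 and /30")
    total = 2 ** host_bits(prefix)
    return total, total - 2


def smallest_subnet_for(hosts):
    """Longest prefix (smallest subnet) that still leaves at least `hosts` usable addresses."""
    for prefix in range(30, -1, -1):
        if host_capacity(prefix)[1] >= hosts:
            return prefix
    raise ValueError("too many hosts for a single IPv4 subnet")


def usable_range(cidr):
    """First and last usable host address of a subnet given in CIDR notation."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    for prefix in (30, 29, 28):
        total, usable = host_capacity(prefix)
        print(f"/{prefix} mask {netmask(prefix)}: {total} addresses, {usable} usable hosts")
    print("usable in 192.168.1.0/30:", usable_range("192.168.1.0/30"))
    print("usable in 192.168.1.0/28:", usable_range("192.168.1.0/28"))
    print("tightest subnet for 10 wifi clients: /", smallest_subnet_for(10))
```

A /30 leaves two usable addresses, so with the firewall interface taking one there is room for exactly one client; a /28 leaves fourteen. Sizing the wifi subnet to the expected client count, rather than over-allocating, also keeps the firewall rules for that interface tight.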
I now know why the dumb switch was dying... I had 2 ports that were going to the same MAC address so it froze. The way to work around that would be to spoof a MAC on the Opt1 interface so the switch thinks it is a different device and doesn't get all confused. Both vlan 10 and 11 pointed to the PF box; even though the 2 ports couldn't talk to each other the switch saw 2 ports with the same MAC. Yippy it works :)
My AP is just being a transparent bridge. I can access both networks on the other side. The AP isn't even on the same network (they are in the 10.x network). Thanks a lot peeps :)
Monitoring does not work atm so it doesn't matter. It will be used for checking if the connection is still alive. You can ping the gateway for example or even an IP of google.com. If the ping fails the connection is assumed dead and will be temporarily taken out of the pool until the ping is successful again.
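The pool-membership logic just described (probe a target per WAN, drop the gateway while probes fail, return it when they succeed) together with the earlier remark that without static routes the probe goes out the primary WAN, as one added example. This is not slbd's or pfSense's code: the gateway names, the documentation-range monitor addresses, the three-consecutive-failures threshold and the longest-prefix routing lookup are all constructed assumptions.

```python
"""Gateway health monitoring as described above: probe a target per WAN, drop a
gateway from the pool while probes fail, return it when they succeed again.
Added example, not slbd's or pfSense's code. It also models the static-route
point made earlier in the thread: a probe only measures the link it actually
leaves on. Addresses, names and the failure threshold are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    monitor_ip: str      # remote address this gateway's probe pings
    failures: int = 0    # consecutive failed probes
    up: bool = True


def egress_gateway(dst, static_routes, default_gw):
    """Longest-prefix match over {prefix: gateway}; fall back to the default gateway."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in static_routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw


def probe(gw, static_routes, default_gw, link_healthy):
    """Simulated ping: succeeds only if the link the packet leaves on is healthy."""
    egress = egress_gateway(gw.monitor_ip, static_routes, default_gw)
    return link_healthy[egress]


def update(gw, ok, fail_threshold):
    """Apply one probe result. A single lost packet is tolerated; `fail_threshold`
    consecutive failures mark the gateway down, one success brings it back."""
    if ok:
        gw.failures = 0
        gw.up = True
    else:
        gw.failures += 1
        if gw.failures >= fail_threshold:
            gw.up = False
    return gw.up


def simulate(static_routes, rounds, default_gw="WAN1", fail_threshold=3):
    """Run the monitor over successive rounds of link health; return the pool after each."""
    gws = [Gateway("WAN1", "198.51.100.9"), Gateway("WAN2", "203.0.113.9")]  # constructed
    history = []
    for link_healthy in rounds:
        for gw in gws:
            update(gw, probe(gw, static_routes, default_gw, link_healthy), fail_threshold)
        history.append([g.name for g in gws if g.up])
    return history


# Constructed scenario: WAN2's link dies for three rounds, then recovers.
ROUNDS = ([{"WAN1": True, "WAN2": True}]
          + [{"WAN1": True, "WAN2": False}] * 3
          + [{"WAN1": True, "WAN2": True}])
# /32 routes pin each monitor target to its own WAN.
WITH_ROUTES = {"198.51.100.9/32": "WAN1", "203.0.113.9/32": "WAN2"}
WITHOUT_ROUTES = {}

if __name__ == "__main__":
    print("with static routes:   ", simulate(WITH_ROUTES, ROUNDS))
    print("without static routes:", simulate(WITHOUT_ROUTES, ROUNDS))
```

With the /32 routes in place WAN2 leaves the pool after the third failed probe and returns on the next success. Without them the WAN2 probe is routed out WAN1, which is healthy, so the dead link is reported up and never leaves the pool; that is the failure mode the earlier post about static routes describes. Requiring several consecutive failures is a design choice to avoid flapping on a single lost packet.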