• How would I route a block of static IP addresses?

    Hi, you first need to add your IP block as Virtual IPs. Then, as you suggest, you could use 1:1 NAT to route the virtual IPs, which will now appear in the NAT rule. Don't forget to add some firewall rules to allow traffic over your new routes. gordon
  • PfSense VLAN setup

    Ah! Hadn't even thought of that! I'll grab an 8-port managed Netgear then :) I passed the setup by our "PCI auditor" and he approved it, and didn't catch the unmanaged switch either, useless auditor…
  • Route LAN to WAN/DMZ IP address?

    @dsteel0: Hey all, I'm slowly getting my head around PFSense 1.2 RC3 (which I assume is 1.2.3? The "Versions" page makes no mention of 1.2 RC3), but I have a couple of questions, if I may:
    RC versions are release candidate versions, all of them old and outdated by now and not recommended for normal use unless there's a good reason for using them. 1.2.3 is the latest official release of pfSense.
  • WAN Failover with Latency or Speed test?

    I know this might be for a different post, but I did change those settings and will see how it goes. My next question is: let's say my DSL goes down (that's my 10mb down and 1 up), now it's on my cable. How do I keep my queues right? I have my queues set for the DSL because that is my main. I have the bandwidth set at only 7.5 down and 650 kb up, leaving lots of room for VoIP, but if cable goes online then I only have 1 mb down and like 200 up or something, not sure, need to test again. Recap: DSL goes down, now it's on cable, now the queues are not right. Can you make queues just for the cable or OPT1 WAN port?
  • Multi WAN with 2 PPPoE

    Or if you really want to have pfSense for the entire setup: I did it by having 2 pfSense dealing with each of the PPPoE connections, and then another pfSense for dealing with the load balancing. It's tedious to manage the NAT rules in this kind of setup though :P
  • 3 routers for a school network

    I know about the IP. Those IPs are atm but will be changed once I get the setup right. I'm using 1 router atm for the server but I can't even get that one to work ><
  • PfSense to replace Cisco Router / Firewall

    Yup,  I had that thought too Dotdash, but when I attack this similar problem in my setup, I'm going to try my darndest to get rid of any box I can. BairdMJ, pick your approach and choose your poison.  Degree of difficulty is up to you.  Me?  The harder stuff always plagues me for a second attempt after I wimp out the first time. –J
  • Basic pfsense / OSPF configuration

    No one has replied
  • Routing issue for OpenVPN Clients

    I edited the ASCII diagrams to make it more clear. There is no tunnel between Office 1 and 2 like in OpenVPN routing mode. Router 2 at Office 1 and the Router at Office 2 are making an IPSEC net to net connection. So the static routes should be ok like in the ASCII diagram, I think. But still a Roadwarrior traceroute to Office 2 always ends at 192.168.10.4. ???
  • Publishing www etc services via multi wan

    jimp
    @mericksonj: I've always seen true multi-wan as advertising your single IP address space through your backup WAN provider to the internet. This space should be public and as long as the two ISPs peer properly to allow it, this is by far ideal in every way. Round robin DNS is your secondary kludge to make use of two sets of IP addresses, but it works and is probably what I'll set up in my home datacenter when I get to it.
    For that to work you need to get your own set of IPs and do BGP routing on both ISP links. For many, that can be cost-prohibitive, but it is the ideal solution.
  • PfSense - 1 Internet gateway + 1 MPLS - Static routes?

    I see nothing wrong with it, it seems a very good solution, just remember to set the gateway on the IP configuration for your OPTx interface, and set rules, routes and such appropriately to allow (or disallow) access. The DNS issue, however, may be because the DNS doesn't have a route back to your network to reply to the DNS queries. If that's the case, even your forwarder would have a problem. You'll also have to be prepared with static routes or routing on the PFsense#1 to handle any DNS resolved destination IP you get in reply to your query…
  • Using PFSense on MPLS circuit to protect site to site

    Regarding your suggestion to use IPSEC for failover, and whose responsibility is it to provide internet access. The MPLS provider would/should be able to provide internet access for you if you'd like, you can also reject their internet service or ask them to use a separate VC/VLAN/DLCI on the CE<>PE connection that will be direct to internet. You can most definitely use IPsec across their MPLS network, and it may even still be suggested if you don't want unencrypted raw traffic on their "trusted" network. (Remember, from their core perspective, there is nothing confidential about MPLS, just a few protocol shim headers "popped" and your IP datagram and company secrets are exposed.) It will not be difficult to firewall your internet access (if provided by the MPLS provider) with the PFsense in this scenario. The best option is to put your own PFsense on the LAN side of each CE (customer edge) router they give you and treat them as an un-trusted network if you go this route. If you want a separate DSL or other ISP services at each site for failover VPN and internet purposes, you can still do that with the PFsense using an OPTx interface and another set of IPSEC tunnels to be back-up. Your IPSEC tunnels can be run PF<>PF from site to site over the MPLS and if that goes down, the DSL would/should automatically take over. Just run the cost/benefit analysis; an MPLS architecture, if they're doing it right, is redundant by itself. As long as they have redundancy in the core it should re-route itself easily. You're only protecting yourself from a "last mile" outage and hoping that your MPLS provider isn't on the same transport run/LEC as your DSL/ISP provider. Hope this helps! –James
  • Failover filter bridge

    No one has replied
  • LAN side static routes and piss poor performance - TCP window size

    No one has replied
  • Multi WAN setup suggestions and approach

    jimp
    That should be possible. You can set the policy routing up however you like, and the port forwards/NAT as well. You might consider instead of making WAN1 only for LAN1, that it would use a load balancing pool that merely prefers WAN1 and would fail to WAN2 if it goes down. You can set that up both ways so that LAN2 will prefer WAN2 but use WAN1 if it goes down. You can follow the multi-wan setup guide on the Doc wiki to get an idea of how it is done: http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x
  • PPTP with OPT1?

    GruensFroeschli
    This is not possible with 1.2.3 afaik 2.0 will have this ability. You should be able to configure the modem on your OPT to do the authentication for you and present a normal ethernet interface.
  • Youtube.com using OPT1 only

    And for all streaming video sites? Too complicated with all IPs
  • Preference on a particular link on multi wan

    GruensFroeschli
    You don't understand. New connections will always go to the WAN which is topmost and up. If the primary WAN goes down and comes back up, new connections will go to the primary WAN but old connections created while it was down will stay on WAN2. There is no way to reassign already established connections.
  • Multiple home and static routing

    jimp
    It's not yet possible to have multiple paths to reach the same destination network in that way, even if they are all internal. You might be able to pull this off if all of the involved routers can run some kind of dynamic routing protocol (RIP? OSPF? BGP?), but someone else may have to chime in on that if it's even possible.
  • Loadbalanced WAN strangeness with one WAN failure

    No, but neither has it appeared again for me to know it's still an issue in 1.2.3 final.