• Dual WAN question

    Locked
    0 Votes
    4 Posts
    2k Views

    Add a static route at system>static routes for the dns server/32 at interface opt1, gateway opt1-gateway.

  • PfSense not routing traffic

    Locked
    0 Votes
    20 Posts
    14k Views

    Hi,

    I also have a problem with the routing: my WAN interface has 212.21.69.97 and the default gateway IP is 192.168.23.8.
    I can ping the default gw very well, but I don't get traffic over the gateway, only if I set up a static route, for example to the dns-server.
    Then I can ping the dns-server but nothing more around the world.

    I have worked 5 years with FreeBSD and pf and hfsc … and I don't understand it. The routing table looks ok but the pfSense doesn't do it. ???

    Maybe someone has the same problem and knows a workaround.

    nice day for all ...
    merl

  • 0 Votes
    3 Posts
    2k Views

    You'll need a properly configured vlan-switch to attach all the modems to that goes to the trunkport of the pfSense but it will work.

  • How to VPN 'hop'

    Locked
    0 Votes
    4 Posts
    2k Views

    I only can give you some advice for the ipsec part of this setup:

    Create two identifiers other than IP address (like user fully qualified domain name).
    Switch the tunnel that you already have up between 192.168.1.0/24 and 192.168.2.0/24 to use one of the identifiers.
    Create a second tunnel between the same public endpoints but with the following local and remote subnet tunnel definition:
      192.168.1.0/24 at dc1 and 10.1.1.0/24 at office
      use the second identifier that you created for this tunnel

    Now you have 2 parallel tunnels between the same endpoints, one that covers the next hop network at dc2. At least the traffic from dc1 to dc2 will get to the office now. You possibly have to do something similar at the dc2 site for the openvpn tunnel like pushing a route. However, as I don't use openvpn and don't have too much experience with it, somebody else has to help you with that part.

  • FTP + SSL connection problem

    Locked
    0 Votes
    9 Posts
    7k Views

    If not using the ftp-helper you need to forward all ports (control port, usually 21, and the passive port range) and you should try to make the server aware of the public IP the clients see it coming from.

  • Problems with outgoing VNC connections on Dual WAN setup

    Locked
    0 Votes
    2 Posts
    2k Views

    Hello,

    I wonder if the problem is in your rule set somewhere.  I have VPN tunnels configured to my workplace where I have access to both Windows Remote Desktop and VNC based hosts.  Apart from my VPN rules for each of my required VPN subnets (Firewall: Rules @ LAN - Protocols = All, Source = LAN Subnet, Port = All, Destination = VPN Subnet, Port = All, Gateway = Default (*) <– NOT a balancer gateway here), I don't have any VNC rules set via policy based routing, and I have a dual WAN configuration.  In fact, I don't have any VNC specific rules for inbound VNC or outbound VNC.  I should add that I don't access VNC hosts which aren't being encrypted in some way - either by SSH or VPN, so I can't really test if outbound VNC is working to clients on the internet somewhere.  I suspect that policy based routing might be required for this on a per port basis.

    Speaking of ports, I remember playing with the ports within the server/client to get things working, but I attributed that to the fact that I have local VNC hosts running on my home LAN.  Maybe you do too.

    In order to get it to work, you could try changing the "display number" within VNC on any of the hosts you can control.

    Display # 0 = 5900 (default)
    Display # 1 = 5901
    Display # 2 = 5902
    etc..

    You may want to try to specify the actual port within the VNC client (eg. 192.168.1.125:5904 vs. 192.168.1.125:4) to get things working. (I needed to for some clients, but not for all)

    Give these suggestions a shot.  Like I said above, I don't have any rules configured for inbound VNC as I tunnel in via SSH for LAN side connections... this way I get VPN like encryption when on the road without having to get my local host (hotels etc.) to open ports on their firewalls.  Try turning off all VNC related rules to see if it makes a difference.

    Sorry if this is as clear as mud, suffering through a bit of insomnia these days, and it's the middle of the night here... I'm off to try to find sleep again.

    Good night and good luck.

    -- Phob

  • Can I use load balancing with 5 adsl router.

    Locked
    0 Votes
    7 Posts
    3k Views

    @OrCAD:

    ok, but the FTP Helper? My balance doesn't work with passive mode…  :-\

    You didn't ask about that.

    –Bill

  • Multiple External IP addresses

    Locked
    0 Votes
    2 Posts
    2k Views

    You either want a bridging setup if the internal servers should have their public IP or you want several virtual IPs and 1:1 NAT.

    Help on bridging can be found at http://pfsense.trendchiller.com/transparent_firewall.pdf .

    The other option looks like this:

    Create all the public IPs at firewall>virtual IPs (most likely proxy arp should work for you; I have heard carp has issues running on a VM).
    Create 1:1 NATs to associate the virtual public IPs with the internal server IPs at firewall>nat, 1:1.
    Create firewall rules for the needed ports at firewall>rules, wan.

  • Load balancing and DNS issues

    Locked
    0 Votes
    7 Posts
    3k Views

    @eric:

    thanks scott

    netstat -rn does not show either dns ip address.  traceroute works fine on one dns ip address and not the other (sends out the same interface both times)

    It should… If it is not then there lies the problem I suspect.

  • Loadbalance connection problem

    Locked
    0 Votes
    17 Posts
    8k Views

    I don't see your static routes. hoba suggested that you will need these. Pls post your static routes.

  • Static route between two pfsense boxes

    Locked
    0 Votes
    2 Posts
    2k Views

    Show us your static routes. Also make sure it's not a firewall issue.

  • Policy Based Bittorrent

    Locked
    0 Votes
    4 Posts
    3k Views

    I believe you're right about using the external service to check the external IP address.  I think it's using HTTP to do so, which I have set to always use WAN1.  When I get time I'm going to try to figure out where it's going to do that, so I can tell it to use the WAN2 gateway.

  • Increase the value of TTL with pfSense

    Locked
    0 Votes
    3 Posts
    4k Views

    Thanks a lot!!!

    Lubo
  • If not pfsense then what?

    Locked
    0 Votes
    7 Posts
    4k Views

    True. If that is what you primarily need, I wouldn't recommend this router. We only have one server so we don't really need to do any incoming load balancing :)

  • MultiWan opt1 i/f not working

    Locked
    0 Votes
    6 Posts
    3k Views

    Yes, you got it. If the routers that you use in front have a DMZ/expedited host feature enter the LAN IPs of the pfSense there.

  • Problem with the routing

    Locked
    0 Votes
    2 Posts
    2k Views

    Did you reconfigure your PCs behind the pfSense? They now have to use the pfSense as gateway and have to be in the LAN subnet of the pfSense. Somehow sounds like they are still using public addresses.

  • I just can't reach a lot of sites (not MTU problem)

    Locked
    0 Votes
    13 Posts
    5k Views

    @khuetam:

    @DanielSHaischt:

    OMG - SmoothWall as a replacement for pfSense :'(

    Hi all,
    Does Smoothwall support multi-wan?

    Maybe not the right forum to ask about smoothwall but afaik it doesn't.

  • How to add new NIC into current pfsense

    Locked
    0 Votes
    3 Posts
    4k Views

    @hoba:

    Just install an additional nic in your machine. Then after powering up go to interfaces>assign in the webgui. There should be a + icon now as there is a nic that is not yet assigned. Just click it and the nic will be assigned.

    Thanks for the fast answer.
    Following your help, I added the fourth NIC to my pfsense.

  • OSPF

    Locked
    0 Votes
    16 Posts
    14k Views

    What was used for this?  Was it Quagga or openospfd?

    nb

    @sullrich:

    Not at the moment although it's something we want to look into.

    I'll revisit the OSPF package in a moment and at least get it where you can telnet into it for configuration and make sure it auto starts, etc.

  • Routers absolutely necessary for dual wan?

    Locked
    0 Votes
    9 Posts
    6k Views

    @Timmeh:

    Hi everyone, I would really appreciate some help if possible.

    Here is my current setup:

    WAN1 --[Modem]------
                       |
                   [pfSense]------------LAN
                       |
    WAN2 --[Modem]------

    Modems are Dlink DSL 300T.
    These modems pass the public IP addresses over to each PfSense interfaces.

    Pfsense Interfaces:
    LAN IP = 192.168.1.254
    WAN1 IP = Static IP (manually configured) = x.x.x.46/30 | GW: x.x.x.45
    OPT1 IP = Static IP (automatically Via DHCP) = x.x.x.9 | GW: ??

    The LAN users are currently using the WAN1 for internet access, everything is working fine.
    The LAN users cannot use OPT1 for internet access for some reason. The link is up and ping-able from outside.
    I think it has something to do with routing.
    The default route for pfSense is set to the Gateway address of WAN1 (x.x.x.45).
    However the Gateway address of OPT1 is set to 127.0.0.1.

    I have read almost every post on the forum regarding dual WAN and load balancing which are relevant.
    I have also read the two guides available on the pfsense website.
    One thing that is still not clear is about the hardware side of the situation.
    Is it absolutely necessary to use a router in between each modem and pfsense in order to set up the outgoing load balancing and automatic failover?

    I am also having trouble setting up the load balancing configuration because of this.
    What IP addresses can I use for the monitor IP's?
    PfSense tells me it cannot use the IP addresses already assigned to the interfaces.
    I do not have enough public IP addresses to add any to a pool either.

    Many thanks in advance for any input given or anyone who can point me in the right direction regarding the load balancing pool with specific details.

    Follow this:
    http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing

    I succeeded with this document.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.