So, I've a INTERFACE called DDOS-GUARD, and that interface has a static IP, provided by DDOSGUARD, and my WAN has an other public IP, so I want to redirect all the traffic from the DDOS-GUARD interface to my lan server 192.168.15.240, I tired to do that in System -> Routing -> Static Routes. But when I did that, my lan server 192.168.15.240 didn't have internet connection.

@Ryu945:

Any ideas on what is the proper way for a one network with all the LAN ports on it?

Yes, that's called a switch. Not a router.

@Ryu945:

I see plenty of guides on VLANs but nothing on basic LANs.

That's what you ment … well, because your "basic LANs" aka a switch, is nothing you will want to do in software.
There's one exception in the netgate line of pfSense hardware currently and that is the SG-3100. It has 3 interfaces, WAN, LAN and Opt1 with LAN being a managed switch internally.
Otherwise all pfSense devices are routers only.

Run your own BIND servers inside the firewall. In other words off the firewall. Not the BIND package on the firewall itself.

Having your resolver traffic sourced from the firewall itself only makes things 1000% harder. pfSense policy routing is applied when traffic enters the firewall. If cannot be applied to traffic originating on the firewall itself.

You will have to - at a minimum - explicitly set the source address or interface for the specific paths so the correct interface is used. That will be a real trick with a dynamic address such as your vpn provider link. Maybe it is possible if you can use the name of an assigned interface as the source and not the address itself.

With the DNS server on the inside you could set up several STATIC local addresses on it and source from those different addresses based on the path you want the queries to take. The you can simply policy route the resolver traffic on the pfSense interface however you like.

If you really want to use the BIND package, put another pfSense on the inside for just that purpose.

That will all depend. I can't imagine you will see any line-of-sight issues but I have never knowingly pointed a point-to-point through power lines. Distance to the lines will probably be key there. 15 feet is pretty close. The frequency should be way down at 60Hz though.

Put that end up and do whatever the engenius equivalent of ubnt's airview is. If the channels are clear you should be ok. But you'll probably have to try it and see.

Then you'll have to look again when everyone's air conditioners are running on a hot, August afternoon.

The fix, if you run into trouble, is probably a mast to get the radio above them.

That seems like a silly way to do it.

Yes you can use a separate interface but it won't do you any good with a /32. Did they really give you another /30?

If the latter you could do this:

WAN  24.52.70.234/29 <–-> 24.52.70.233 Gateway

WAN2 2 24.52.70.42/30 <---> 24.52.70.41 Gateway

You would set them up like any other multi-wan. You would need an outside switch.

Seems pretty stupid to do that since it only results in one additional address for you at the cost of four addresses plus a router interface on your side. If they just routed 24.52.70.40/30 to 24.52.70.234 you could use all four addresses as VIPs and not have to mess around with multi-wan.

Yes, routing is only possible if any packets of both direction has to pass the router.

PC –---- router 1 ------ [router 2] –---- internet

@GoldFish:

@kcallis:

I noticed that my WAN interface was still showing the 172.16.0.0/24 network as opposed the public address.

I would look at the rules. Personally not a big fan of double nat

Thank for suggesting to look at my rules. Of course, the issue wasn't my rules, but the search mode of looking for everything caused me to look for other things that were out of whack. I was looking at the Dashboard and noticed that I was seeing on top of the normal DNS servers, I was also seeing 127.0.0.1 (localhost). I took at look at System/General Setup and realized that I had not checked the Disable DNS Forwarder. One check of a box, and lo and behold packets were resolving and running out into the wild frontier of the internet.

Another nice thing was that finally I was able to get the IP Passthrough working and now my WAN interface now shows the public IP address. Life is groovy!

There is an alternative way.

First, you need build a custom kernel to enable multiple routing table.

http://wiki.stocksy.co.uk/wiki/Multiple_default_routes_in_FreeBSD_without_BGP_or_similar

Then use DNS forwarder (dnsmasq), which provide a nice feature called ipset. It will add the resolved IPs from matching hostname to a pf table. You also need to manually edit /etc/inc/filter.inc, to add a custom pf rule, which force IPs listed in a pf table go through a route other than the default WAN.

Why is it people buy great router/firewall device and then when it comes to wifi they just buy utter home luser crap?

Buy wifi that can do vlans - then come back and ask how to use it if you need too ;)

Answer to self

I did get it to work, by creating firewall rules in between the interfaces in the bridge (allow all any).

But according to the pfsense docs:

A bridged interface can filter traffic without being involved in the IP layer of the connection.

By creating a FW rule, I opinion is that the IP Layer is involved somehow?

That's exactly what those graphs represent. Trex generating approximately 350K states though 4- and 8- interface load balance configurations.

Works fine.

Is there like any reason why you can't do this with just one firewall/router? What you now have is an asymmetric setup (assuming you had those correct routes set up at the draytek) where every host in between the draytek and pfSense will be talking to the hosts behind pfSense using different routes. For example PC1 when it wants to talk to VLAN20 will first go trough the draytek because it's the default gateway but the repiles to that traffic will never reach the draytek because pfSense knows to send those replies back directly to PC1. The proper way for this if you still want to have multiple routers is to use a transfer net between the draytek and pfSense with no hosts on that network.

dont worry about this now as im not going to do it this way no more

the reason is because i would need to spend £££££ on a NAS to get a top dog one to install plex on so it can do the transcoding to 1080p

Sorry also I get free usage from the satellite provider from 00:00 till 06:00 am. Would it be possible to get all the traffic to go through the satellite WAN 1 interface during those times or between 01:00 am till 05:00 am.

Cheers,

Rajbps

I'm using the forwarder and have mine set up this way (I also have IPv6 set up) and was having the same problem until I added the last 2 entries.
Under System/General Setup on the DNS server settings I have 6 entries.

2001:4860:4860::8888  WAN_DHCP6  (google IPv6)
2001:4860:4860::8844  WAN_DHCP6  (google IPv6)
208.67.222.222  WAN1_DHCP  (openDNS)
208.67.220.220  WAN1_DHCP  (openDNS)
8.8.8.8    WAN2_DHCP  (Google)
8.8.4.4    WAN2_DHCP  (Google)

If I failover to WAN2 it will use those two google DNS servers, if I am running normally, it uses openDNS.

Note, I don't know if I can have duplicate DNS server IPs with different interfaces. I've never tried.

Well, I got the last bit I wanted to work - I can now get into my 172.16.1.0/24 network :)

How? I found this blog post: https://networkguy.de/?p=409

I based a static route on my Netgear router (Attach 1) on his 2nd picture with the "route -p" command listed at the bottom of the
picture, mapping his numbers to approximately what I have in place on my network.

Basically: I made a static route to the destination network (172.16.1.0/24), through the WAN IP of that pfSense router (192.168.1.101).

The asymmetric routing is still there, but only in specific connections:

The pfSense router (172.16.1.1) Ping Redirects the router and any computers in 10.0.0.0/24, but pings the entire 192.168.1.0/24 normally.
VMs behind that router ping everything normally, including the 10.0.0.0/24.

My iMac (192.168.1.5) has a Redirect Host to both subnets (10.0.0.0/24 and 172.16.1.0/24)

My other pfSense router (10.0.0.1) Ping Redirects anything in 172.16.1.0/24 network.
It also Ping Redirects any computers in 192.168.1.0/24, BUT it pings the router (192.168.1.1) normally.
Any machines behind this router ping both of the other networks (172.16.1.0/24 and 192.168.1.0/24) normally.

Again, my current router has no option for an additional interface (off the shelf model), but even with redirects, I managed to get everything to communicate,
so that's definitely something to be happy about - just in time for class to start tomorrow night as well, so I'll be able to do plenty of network testing.

Any thoughts about the weird redirects couldn't hurt - how can your router/gateway ping redirect to an entire network (first example), but all the machines behind it can ping that same network normally?

Weird.

Anyway, hope this can help someone, and thanks to everyone who helped me along to finally getting my stuff working (if not 100% cleanly.)

-Bryan


No it doesn't. Of course we can play in the game "provide more details" for example fro #1, here: https://forum.pfsense.org/index.php?topic=142162.0

You have also created an asymmetric routing scenario.

https://forum.pfsense.org/index.php?topic=142090.msg775011#msg775011