Thanks!

Thanks for your responses.

Our current setup in a nutshell:

• Just running Trunk VLANs from the switches (Dell PowerConnect) all the way up to the pfSense VM.
• Each physical ESXi NIC port is tagged so it can carry all the VLANs.
• Each VLAN has its own vSphere Port Group and pfSense has a dedicated vNIC “Trunk” with VLAN ID 4095 and then we create other interfaces on top.
• Single vSphere vSwitch on each host. The edge router is our upstream provider gateway.

The WAN optimization appliance apparently requires 2 x vSwitches (LAN and WAN) however our WAN uplink is just an access port on the switch and then an interface on pfSense VM. It does not run on a separate vSwitch.

What is the best method to set this up with the In-line mode?


Am I allowed to run a command like the following?

ip route add default scope global nexthop via 192.168.3.1 dev em0 weight 1 nexthop via 192.168.3.100 dev em0 weight 1

The above command works in the linux version if you first run ip route del default and replace em0 with eth0.

How is the same done in pfsense?

Alternatively, how about using a pfsense VM to make the one NIC look like two virtual NIC's with different gateways associated, and a second pfsense VM that does standard multiwan?

Hi johnpoz,

thank you very much for pointing me in the right direction. I will check out Suricata and Snort inline. I was not aware of such an inline mode (which sounds very promising) and the default configuration of snort in pfsense felt more like adding a clever sniffer on some interface. I will keep you updated - if someone has other ideas for this scenario, please let me know.

Cheers,
Mario

Let me get this right… You have bunch of isp devices connected to a "dumb" switch?  And now you have that connected to 1 wan interface on pfsense?  And you want to put a bunch of different networks on your 1 wan interface?

Get yourself a smart switch and setup vlans for your different ISP connections.. Then setup vlans on your pfsense wan interface..

Initial signs are that unselecting the sticky connections did the trick. Thanks! I'm still learning. I thought the sticky connections enabled the load balancing too… didn't realize it'd still work without it on.

hi guys, I am interested in this topic (link bonding) as well. Are there any news?

This is something like that :

ESXs are both clients and servers for shared Data.
It's all about EMC ScaleIO SDN (Software Defined Network). This is a competitor to vmware VSAN.
The main advantage is that the client dont need to be an ESX but can be any Linux/Windows/vmare host. Same thing for the servers.
Pretty nice scale out SDN. So far the main concern is cost.

PS : the config is ok now using linux gateway and pfsense is now located on a ScaleIO SDN Datastore ;)

So they can not just tag the other network range with a vlan ID?

Look for a better isp would be my suggestion..

Your switch solution works - but means your running those different layer 3 networks on the layer 2 connection from you to them.. How many other customers have different IPs on this layer 2?  Be interesting to sniff and see how any different IP address via broadcast/arp

Hi V3lcr0!

You are absolutely giving me good info.

When i connect to vlan 5 i dont reach internet. I get an ip 192.168.5.100 wich is correct. And i can log on to pfsense 192.158.5.1 + unify controller
My switch stops traffic to other nets, and in unify controller all ap's are disconnected…

When i go back to my normal wlan the router dont change ip, i get the 192.168.5.100 i stead of 192.168.0.100. So then i connect with a cable and get my 192.168.0.100. And then in controller ap's are adopted again except the one i have tagget out from router vlan id5

I have 2 wans, but i only use one due to difficulties to understand this, first i need t get this vlan5 work.

I see pacets from the net when capturing vlan and LAN while on vlan5

From "normal" wlan i reach internet easy, but not from the wlan id5

I also got some help from ubnt to controll switch setup and controller setup for VLAN5 and wlan on tag 5 so i think it is OK now.

Yes rebooted pfsense also, no change.

I really dont know the next step... shit...

Could be anything at this point…to dovetail Wroxc...maybe connect a PC before each switch(starting with your LAN) to narrow down your problem.

Did you add rules to VLAN interfaces? Did you add VLAN interfaces? Are you getting leases? Firewall logs? Switches tagged correctly?

@jimp:

There are other load balancing and multi-wan options there. And System > Routing has no options page.

Though at some point the options will reach a critical mass and warrant a "Settings" tab under System > Routing rather than being lumped under Misc.

Also that setting is known to be broken in certain cases (especially with a PPPoE WAN) so we don't want to encourage its use.

Hi!, I know this is an old post, but couldn't find information as specific like this. If the gateway switching is not desired, how do you set the alternative gateway for the firewall itself?, I'm running PPPoE as a second uplink

Problems like this bring out the tenacity monster in me and in the spirit of completion I am posting the solution to my own question in case anyone else has this same issue.

It turns out that the LTE Gateway I set up did not like using the same IP address for the gatewayIP and the monitorIP. This is despite the fact that that this type of arrangement works for my cable wan connection. Perhaps it's because the IP provided by the mobile connection is an unaddressable IP i.e. 10.X.X.X.

In any case by changing the monitorIP on the LTE Gateway to the IP address of one of the DNS servers on the LTE interface the LTE gateway is now online and failover works nicely.

Now I just have to get some aerials for my dongle so that I can get an LTE signal from inside my comms cupboard. WCDMA is definitely not cutting it! :) :)

What exactly is the point of a pfsense box with just public IPs on it and no lan?  If it only has 1 network attached how is it routing/firewalling anything?  What are you using it for?

Btu sure connect them together with a transit network and route whatever clients you wont out the the other pfsense box with the public /24

How does the openvpn traffic get to pfsense?  That would be pfsense "wan" interface.. The interface pfsense uses to get to or from other networks would be a wan interface..

Hello everyone,

thank you for your support!

Now i try to explain better that situation. Yesterday i found, maybe, a good idea that causes this block.
Yes, the explanations were not very clear, but the reason is that I do not know my network very well.
Anyway, yesterday from various pc i launched the tracert command and, yes,  my diagram isn't correct!

For example :

from a LAN 10.160.3.1 the result is this :

1    1 ms    1 ms    1 ms  10.160.3.201
2    3 ms    2 ms    2 ms  10.10.0.10
3    4 ms    4 ms    4 ms  10.10.0.2
4    4 ms    4 ms    7 ms  10.10.0.1
5    4 ms    9 ms    3 ms  10.160.99.36

so there are many other passages before the packet get to the PFSENSE
and above all it is no longer the network that I imagined at the last step…

From this LAN pfsense doesn't work and the pc can't surf on internet.

And i believe i have to work in pfsense for make it work, but I do not know how to do it.

Instead, from this other LAN, 10.160.2.0,
the tracert result is this :

1    4 ms    6 ms    1 ms  10.160.2.201
2    <1 ms    <1 ms    <1 ms  10.160.99.36

and PFSENSE works like a charm.

and obviously from the network, 10.160.99.0,
the tracert command shows that there is only one passage
from my pc to PFSENSE, and yes it works.

Summing up, when I try to connect at pfsense from the networks that pass
on this way doesn't work.

10.160.3.201 or 10.160.4.201 or 10.160.5.201 =  there are the gateway of the LAN
10.10.0.10
10.10.0.2
10.10.0.1
10.160.99.36 = PFSENSE

I hope i was clear. Thanks a lot!