• Captive Portal with Multi-WAN

    0 Votes
    2 Posts
    705 Views

    Can anyone tell me how to port this feature in FreeBSD 10.3? For me, as soon as I use route-to in the PF ruleset, it breaks the pfil ordering.

    For me, the input chain is ipfw -> pfil and the output chain is pfil -> ipfw.

    When I do not use the route-to rule, everything works fine; however, as soon as I use the route-to feature in PF, it breaks the order.

  • Creating Static Routes for different subnets on the same physical interface

    0 Votes
    61 Posts
    21k Views
    johnpoz

    You sure seem to have a lot of ports for no real reason ;) And you like to use them up via lagg that seems to just be there to use up ports, not for any sort of real load balancing or failover need, etc.

    What routing are you doing that you need downstream layer 3? I doubt your pfSense box can route/firewall at 10GbE, but what sort of traffic would be going between segments that would need/use 10GbE?

    Why can you not just use your pfSense box as your router/firewall between all your segments and just use a switch, be it the Juniper or the other, in layer 2 mode? If you want line speed between, say, clients and your servers that are on different segments at 10GbE, then sure, you're going to need something that can do that as a downstream router.

    I love the 10GbE and am a bit jealous to be sure.. But can you even leverage it? What sort of speeds can you get out of your storage?

  • Routed Subnet - Need Advice

    0 Votes
    4 Posts
    1k Views
    Derelict

    @DanC:

    For switches, I'm using Ubiquiti UniFi 48-port switches. It seems they do not have bandwidth limiting available. My connection is a symmetrical gig. I'd like to limit each tenant to 100 Mbps (10 total in the building) and deny P2P. Are you saying that pfSense is not capable of doing that (or at least not efficiently) across 10 VLANs?

    No, not at all. For that scenario I would use limiters on VLAN interfaces. That will be fine.

    I'll talk with my boss and my ISP about increasing our subnet size. I really only see this working if I'm supplying at least /30s to each tenant. As you said, do it right the first time. Is there anything stopping me from breaking up a subnet into mixed sizes, or is that just poor form?

    For 10 customers you need at least a /26 to give them each a /30.

    No, making different size subnets is fine. /31s are your friend here. You might want to leave

    The way I'm planning on setting up the firewall, does that expose anything for me? Is there a better configuration for that? I need to make sure there are no security vulnerabilities, as the LAN on that pfSense has the building's access control on it. I also don't want to expose access to pfSense itself.

    On the customer interfaces, pass anything on the firewall they need access to, like DNS, then block any/any/any to This Firewall and any management or private LANs, then pass all traffic.

  • [ASK] What does dpinger result trigger please ?

    0 Votes
    18 Posts
    6k Views
    luckman212

    Hmm, ok, yes, I was able to log dpinger triggering rc.gateway_alarm during WAN UP events as well, but it wasn't consistent. I believe, as Denny said, sometimes other processes or scripts are killing dpinger and restarting it, and thus it doesn't trigger the call to rc.gateway_alarm. I haven't had a chance to review the code in your PR, but I will look at it.

    I know Renato wants to do things "right". Of course that is always best, but sometimes when the SHTF you gotta do what you gotta do.

  • 0 Votes
    6 Posts
    3k Views

    Bumping this one more time. Any ideas?

  • Trying to load balance 10x DSL connections through Vlans

    0 Votes
    12 Posts
    3k Views

    Hi @Skid,

    This kind of setup really requires a good understanding of VLANs, how they work and how to configure them. I get the impression you are not so familiar? Go online, read up on access ports and trunk ports, tagged and untagged, VLAN IDs. Different vendors vary the terminology a bit, but it's all the same stuff!

    I've just returned from doing a temporary event with a very similar setup, only five ADSL connections on the WAN side, but they were dotted all over the site and had to pass through multiple switches to get to the router (a pfSense VM on a DL380).

    You need to define a few bits first:
    1. Assign a VLAN ID to each WAN (e.g. 51, 52 … 60).
    2. Create untagged (access) ports on the Cisco switch which connect to each modem.
    3. Create a trunk (tagged) port on the Cisco switch which passes all those VLAN IDs (i.e. 51..60). Connect that port to your pfSense router and configure each VLAN on its own interface in pfSense.
    4. Don't use DHCP or PPPoE on the WAN connections; I had major issues doing it this way when a connection went offline. Configure them all in their own subnets as you describe and set a static IP address for each WAN interface in pfSense.
    5. Configure load balancing / traffic shaping in the pfSense router.

    You also need to create and configure a LAN connection, ideally via a physically separate network port, but this could be a VLAN too. Of course you'll need a suitably sized subnet and DHCP scope to cope with the number of users.

    What's your location? I might be happy to help you with this.

  • Flush states on gateway group failover?

    0 Votes
    1 Post
    684 Views
    No one has replied
  • I have two WAN, one of them is wireless

    0 Votes
    3 Posts
    781 Views

    @KOM:

    I don't have a multi-WAN configuration but these might get you started:

    https://doc.pfsense.org/index.php/Multi-WAN

    https://doc.pfsense.org/index.php/Gateway_Settings

    Thanks,
    but right now my problem is configuring the wireless LAN WAN card.
    I do not know how I should configure it.

  • Is this possible??

    0 Votes
    5 Posts
    1k Views

    Thank you for this information. I will change my configuration and get a core switch. The reason I bridged the interfaces is so that the switches could utilize some of the additional bandwidth. I currently only have 10/100 switches and thought that if I bridged the interfaces, which are gigabit, I could better utilize the bandwidth, but now I understand that I was wrong in that thought process.

    Thank you for pointing me in the correct direction.

  • Five ADSL connections with DHCP gateways and DNS servers (2.3.2)

    0 Votes
    1 Post
    630 Views
    No one has replied
  • Dpinger log flooding

    0 Votes
    2 Posts
    3k Views
    dennypage

    Error 55 ENOBUFS: No buffer space available. An operation on a socket or pipe was not performed because the system lacked sufficient buffer space or because a queue was full.

    https://doc.pfsense.org/index.php/No_buffer_space_available

  • Two WAN, WAN1 is a wireless network card and WAN2 is a wired network card

    0 Votes
    1 Post
    556 Views
    No one has replied
  • How to route PC to OVPN-Client to WAN

    0 Votes
    11 Posts
    2k Views
    Pippin

    You're not showing it as a site to site..

    First the NAS connected to the RA server, but as I mentioned, it was advised to add a StS because I also have road warriors connecting to RA.
    So I added a StS and just modified/copied the client config to the NAS and it connected.

    Sure, you could bring up a tunnel on pfSense, have another IP on pfSense, and have traffic that goes to its LAN IP 2 go down the tunnel and traffic that hits its IP 1 not go down the tunnel. Then you could route on your PC.

    Thanks for that, that sounds like what I need.

    Then it would also be possible to add another VLAN that uses OpenVPN as GW and then exit at the NAS to the www?
    Then on the PC switch between those VLANs.
    Hmm… that way more machines could use it and maybe it is easier to manage?
    Would it then be better to add an RA server instead of StS?

  • QuaggaOSPFd advertising non-existing, previously learned routes

    0 Votes
    5 Posts
    2k Views

    Okay… just did that… but where do I put those lines the install process is asking for?

        defaultrouter="NO"
        quagga_enable="YES"

  • Simple Policy Route results in routing loop (TTL Expired in Transit)

    0 Votes
    5 Posts
    7k Views
    johnpoz

    Why would your proxy be down?? If your proxy is down, then the internet should be down. I assume your proxy does filtering, etc. So if you just send traffic out to the internet with no filtering, you have no protection: users surfing porn vs working, etc. etc.. It's a madhouse, I tell you, a madhouse ;)

    If you don't want the internet to go down, then set up your proxies in HA, etc.

  • Weird multi tap-tunnel bridge lagg setup needs some help

    0 Votes
    1 Post
    615 Views
    No one has replied
  • DUAL WAN Failover Issues

    0 Votes
    1 Post
    2k Views
    No one has replied
  • Redistribute specific static route to Ospf Quagga

    0 Votes
    1 Post
    807 Views
    No one has replied
  • MultiWAN Failover (Gateway Group WAN+MODEMppp) does not change default GW.

    0 Votes
    3 Posts
    2k Views

    I think you are on to something. I checked the Hangout video for MultiWAN that explained it. Thanks for steering me in the right direction. :-)

    //Danne

    @kennsington:

    Just from your description, it sounds like you have the gateways and groups set up correctly.

    Have you actually directed traffic to your gateway groups? You would do that in Firewall > Rules. Create a rule on LAN that originates with LAN net and is destined for anything. Change the gateway to your gateway group.
    Take a look at step 5: http://www.tecmint.com/how-to-setup-failover-and-load-balancing-in-pfsense/2/

    There is an option in the settings to automatically change the default gateway, but that's not necessary when using gateway groups.

  • Gateway Monitoring Errors

    0 Votes
    9 Posts
    3k Views
    dennypage

    The core issue appears to be a defect inside AT&T's cellular network. I have a MiFi which I pulled out to test, and I see the issue as well. I tested an iPhone hotspot on AT&T and it shows the same problem with both LTE and 4G. The smallest data payload acceptable is 20 bytes. I would report the defect to AT&T, but I don't know anyone inside.

    I'd also like to know if the issue exists in Verizon's network, but I don't have a Verizon phone to test with. If someone does and would like to test, I'd appreciate it. No need to hook the device up to pfSense; you can test from your laptop. Just connect to the hotspot and try to ping.

    Example commands (for a Mac):

        ping -s 0 8.8.8.8
        ping -s 16 8.8.8.8
        ping -s 20 8.8.8.8
        ping -s 56 8.8.8.8

    Thanks.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.