Got it working  ;D

Needed the Advanced -> NAT, "Disable all packet filtering." unticking.

Thanks jimp.

GE

@mikol22:

Hi guys, im still in the configuration of my pfsense server but i cannot configure it right. My setup was…

can you please please  help me….

OPT1 - 192.168.0.x
WAN - 192.168.0.x
LAN - 192.168.1.x

Check your OPT1 and WAN subnets, try changing OPT1 to 10.0.0.x/255.0.0.0.

@askWinters:

Any luck figuring out/finding information on how to configure your bridged/transparent pfSense 2.0 system?

I've got one working with pfsense virtualised in VMWare ESXi.

Have a look here - http://forum.pfsense.org/index.php/topic,40345.0.html

I'm jealous of your IP ranges. I have a single IP. As you are evaluating pfSense and will wan't to take advantage of it's enhanced security, I would think seriously about redesigning your network.

Not knowing what you use the internal networks for, or if you deliver any services externally, it's hard to say what you should do.

NAT offers another layer of security, some flexibility, but a little more complexity, but the benefits outweigh the risk of changing things.

Your ISP is routing to those /25's for you to /30 IP on your WAN, Yes. So..

I would probably create a /24 NAT (maybe 10.x.x.x) on your LAN using Private IP's and a different /24 your DMZ (172.x.x.x) and/or Wireless access on your OPT1 interface.
Put any services you deliver externally in the DMZ and statically NAT any IP's to one of the public /25 IP's that you have. The other IP's I would probably use for internal user services like VPN, PPTP etc.

This would give you a great deal of flexibility for growth, and security.

are they operating out on the same interface? can you provide a pic of the fw rules you have in place?

R

Thanks CMB!

That seems to have sorted it… was starting to drive me insane :)

Perhaps something needs to pop up/check that when you put a static rule against the same DG network it says "You need to do this..." or something :)

Anyways, thanks a lot!

@kumarnarain:

Thank you Nachtfalke
Got it to work. Had overlooked the firewall rule to have the named gateway
;D

Regards

Kumar

:P

indeed :)

i was wondering if there was some option which i could pass thru the advanced options or maybe edit the file for haproxy configuration.

thnx anyway!!

cheers

You would probably have to match the NAT and rules configuration unless you created the rules in floating. Failover and balancing was not really made for internal services. If you want true failover, then you have to have a provider give you 2 drops with the same IPs available on them and then run 2 boxes in a cluster or two drop and LAGG (mainly datacenters). MultiWAN is more of an outbound (internet) thing to me. Reason being that you have to have DNS setup just right for websites and SMTP to continue to flow behind the firewall in case of a failure. Don't forget to use sticky connections to help.

Thanks .. .Firefox worked just fine!!

Thanks again!!

Are the two pfsense boxes in the same location?

You have some redundant rules that while they appear to me to be unnecessary are probably not hurting anything…

To simplify things, have you considered deleting the second subnet of the pfSense 1 box and using the second subnet of the second pfSense box to connect directly to the first subnet of the first box?

Then treat the second LAN subnet like a second WAN on the second box.

But for now-  Are you seeing anything in the firewall logs of either box?  I doubt you are but have to ask...  I believe you have to add a gateway still to both boxes under "System/Routes"

Why do you have a gateway defined for LAN? And why is it the default?

Normally for your LAN, it does not have a gateway in System > Routing, and the WAN gateway (your ISP) is your default route.

Some people have mistakenly set it that way to disable NAT for routed IPs on the LAN subnet, when what really needs to be done is to go to Firewall > NAT, on the Outbound tab, switch to Manual, and delete any rules that reference the LAN subnet.

The tutorial suggest you to change outbound nat to manual instead of automatic.

The problem you have is communication between lans or lans to internet?

Greetings dhatz,
Thanks for the reply. I would have tried this and you may have saved me some time. As old as I am, time is very important.
I am still fishing in the dark, not sure what to do, or if I can do it. I am at a lose. Any direction would be a big help. I was also thinking of a custom dnsmasq script, or is it as simple as adding option 3 and the new server to dhcp on both systems.

@dhatz:

@krisken:

http://www.youtube.com/watch?v=zrBr0N0WrTY

Could this be the right way to do so? Or not?

Using IP Alias for multiple WAN IPs wouldn't be my first choice.
It depends on how your ISP routes the additional IPs to you.

I'd recommend that you read section #6.7 in the pfSense book.

They do it as "next-hop".  Maybe that's the info you need?

Ip alias is the easiest solution, cause you don't have to think is it on same network segment(C-ARP) or not, or does it work with squid (P-ARP doesn't work).

@phil.davis:

I think this would work. Add 6 rules, 2 on each inside LAN, to force traffic for the 2 other "local" outside subnets to the gateway you want.
Here are the 2 rules for WLAN_inside:
On WLAN_inside, pass all protocols, source 10.200.115.0/24, destination 130.225.127.0/24 and in Advanced Features, Gateway, select the WLAN_outside gateway address.
On WLAN_inside, pass all protocols, source 10.200.115.0/24, destination 192.38.116.0/25 and in Advanced Features, Gateway, select the WLAN_outside gateway address.

Excellent idea - and it even works :)

Thanks.

changed my frontend passthrough to stick-table type ip size 30k expire 30m
removed the passthrough on the servers

Cleared the ssl cache in IE.  It appears to be working ok…

But now that I think about my app... we'll have users starting on non-ssl and then moving to ssl (typical ecommerce), so I might just want to use a shared session state so that we don't care at all what server the users go to :)

I do have some legacy apps that I'd like to round robin the ssl... but I might just 1:1 nat em ;)

thnx once again!!

i published haproxy in an internal ip address as well for the stats, it was not necessary to assign any backend.

best regards

Found the answer in the book "The Definitive Guide to pfSense".  I'm not wild about how the book is laid out, but it had the information I needed…Guess it turned out to be a $35.00 question.  If you're looking to do the same configuration, I'd go read that book.

-Herald