sorry for the confusion
lets remove the proxy in this scenario, i only say proxy because this is my currebt setup
lets change the proxy box to a simple pfsense box

ill try what you suggest

my goal is

there is no specific machine that run torrrent
what i need is to capture the port their using in my example is 9999
i see this port on my box b but not on multi wan box
changing the gateway to my multiwan box is not an option for me because i have packages running on my box b, all will go through box b and yet needed to monitor the port their using through multiwan box

Sorry for piling on an old thread (is it more appropriate to start a new one?) but I have a (somewhat) similar situation and jimp's post gives me hope.

I have a PON from a local ISP. Originally we were assigned a single /28 subnet as follows:

Usable IPs: X.X.X.225 – X.X.X.237
Subnet Mask: 255.255.255.240
Gateway: X.X.X.238

A while back due to a unique setup I was trying to work around I had them split that range up into two /29 subnets as follows:

Usable IP Range: X.X.X.225 – X.X.X.229
Subnet Mask: 255.255.255.248
Gateway: X.X.X.230
–--------------------
Usable IP Range: X.X.X.233 – X.X.X.237
Subnet Mask: 255.255.255.248
Gateway: X.X.X.238

Now that I'm going with pfsense, I would like it to handle the routing for the entire IP range. I have asked the ISP to recombine the two subnets back into one to make things easier (as well as gain back a few usable IPs) but they are dragging their feet (under new ownership). I still have some hope I can persuade them to do it, but in the worst case scenario I would have to keep things the way they are now, with the two /29 subnets.

As jimp said, both of these subnets come off the same physical device (so the gateway of both subnets maps to the same hardware address). So with that in mind, how would I set this up properly in pfsense 2.1? Do I need to set up both gateways on the interface? Or can I just "pretend" (as far as pfsense is concerned) that it's still just one big /28 subnet and send everything out the X.X.X.238 gateway?

Much appreciate any guidance here. I would really prefer to not have to deal with VLANs for this. I'm going to keep trying to get the ISP to play ball but I need to prepare for the possibility of having to keep the two /29 subnets.

Thanks!

Just done some quick tests and "seems to work" (sadly i can't test during longer time or with more traffic).

Test done, using 2 PPPoE 1mbps/512kbps connections from same provider (both using same GW)

Sorry, i forgot to add the "GW groups" & LAN rules" Screenshot

pf_Dashboard.PNG
pf_Dashboard.PNG_thumb
RRD_WAN1.PNG
RRD_WAN1.PNG_thumb
RRD_WAN2.PNG
RRD_WAN2.PNG_thumb
Speedtest_WAN1.JPG
Speedtest_WAN1.JPG_thumb
Speedtest_WAN2.JPG
Speedtest_WAN2.JPG_thumb

@Nachtfalke:

Using squid and Multi-WAN on the same machine needs additional configuration.

Aha. I will search the forums for such configuration. Thank you.

ahhh we have the problem me thinks :P

your question about the gateway on the web servers got me thinking and i checked the /etc/network/interfaces on the servers… it was set incorrectly :P

Thank you for all your help!!! i am so sorry it turned out to be me being a complete idiot....

I have no multiwan by myself, but for any help it would be neat to have screenshots of your rules

The setup looks fine.

You do not need this * * * * * rule on wan.

On dhcp server you will see a configuration for each interface on pfsense, if you have two lans, then you can setup two dhcp ranges.

Check if form pfsense console you can ping wan2 router. As you posted pfsense could not check state for this gateway.

another thing you can try is to disable gateway monitoring on system -> routing

Thanks for your help.

Thanks for all the advice.  Adding a VLAN to the LAN interface would be the way forward, but every time will do it, it kills the firewalls built in openvpn access, and we have to send someone to the datacerter, restore a config, reboot it then it works.

Agreed, multihoming is not the answer.

So we thought of another solution: to connect the spare interface (opt-2) to a separate (VLANed) network.  We have done this, but the machine on this new network (anothe pfsense box) cant even ping the main pfsense box.  What magic has to be done in pfsense to make opt-2 behave like the LAN, not a WAN?  When you go into the LAN interface settings in pfsense, you can just set the ip (and optionally bridge).

When you go into opt-2, you have a lot of WAN type settings which I dont think we need.  I set the address to static, bridge:none, ip is 10.10.10.1/24.

Now I connect another pfsense box on this network (i.e. connected to the same switch, with both ports in the same VLAN), give it 10.10.10.2 for its WAN, try and ping 10.10.10.1 and it cant see it.  Do I have to bridge anything?

the reason there is two pfsense boxes, is that the first one is the datacenter main perimiter box, and the second one is a staging environment ment to act the same as the production environment, so we want to be able to play with a staging copy of the production fws etc).

Any ideas?

I was able to get the 1:1 NAT working from the LAN, but I'm still having problems accessing the NAT from the outside.  I did notice that the connection is very slow from the LAN.  I just want to map one IP from OPT1 to an IP on WAN.  What am I overlooking?

@marcelloc:

Ok.
you will need to nat from lan to wan on pfsense or set a static route on gateways to reach the network That is behind your gateways.

On pfsense, as well as I read on forum, if you set a gateway on interface it will nat with pfsense ip.

If you removed the gateway from interface tab, then you may need to configure automatic outbound rules to get it working.

Well, I believe I have automatic NAT'ing enabled, I've never had an issue with anything before.

Where should I look to see if this is the problem? Automatic NAT is enabled in Outbound Rules or whatever you call it on the NAT settings area.

In my experience you often have to reboot pfsense after making interface assignments. Sometimes nothing else will get things to behave as expected.

In that case I have to tell ddns-client if failover-WAN is used, or am I wrong? I dunno how often ddns-client checks the IP.

cu Floh

hello,

thank you for reply !

I understand now… I think that I will use the pfSense Load balance as we have 2 servers and will try to configure it ...

once again thank you for helping !

Tom

How would making a rule on Opt1 which is my 2nd WAN actually affect the latency of the traffic traveling on the LAN? Both my 10 network and 192 network are on the lan interface. I have a firewall on the 10 network and a static route on the PF sense firewal to get to that network

Is there an easy way to verify, I am struggling to find a way to capture a session effectively on the wan, there is so much background chatter going on that it is hard to track, the logs end up huge and finding out if a packet belongs to the session being tested is proving somewhat of a challenge.

I did set up a capture filter that says between source (i.e browser) and anywhere but this revealed no change in target IP but it doesn't seem possible to sniff both WAN's concurrently into the same 'capture' in pFSense, I could do this on a Windows box by adding 'probes' to the interface (standard feature for Observer), is there a similar mechanism for pFSense?.

Can't statefully filter asymmetrically routed traffic. System>Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface"