its hard to keep up while shaped - your are answering faster than I can upload the replies.

Now that I have some success, I will re-test each connection and look at the bridging option - I cant see anything available yet, so Ithink it will be a double NAT/port forwarding.

All help is really really appreciated

Mick

I dont get what you have done.

If you set it up on the WAN and OPT1, then isn't that for in coming connections from the internet?

My logic to me says to add the rules to the LAN set.

I am struggling with a similar setup where I need to use two different WAN connections for specific applications.

Mick

We also encountering this problem  :'( :'( :'( :'( :'( :'(

but no luck to block it

That is covered in the doc wiki, the book, and here on the forum. It's just like a two-wan setup, just add the third wan in the same way. See the links in my sig.

@Kirill:

@eirikz:

Why create a double NAT ? :-)

Just disable the DHCP on the "router" (I'm guessing this is a commercial home router with WLAN ?) and plug the connection from the pfsense side to one of the LAN-ports instead of the WAN port.

Hella lot easier.

Yeah, it's a Netgear WNR3500L… But I need the Wi-Fi for my 360, 2 laptops and my 2 Nokia N900  8)
Will try this out this weekend, will come back with the results after the weekend.

Cheers
Kirill

eirikz's advice is exactly how I have my WiFi setup. Netgear router with DHCP disabled. Manually set an IP on the LAN side so I can access it, and connect LAN to LAN.

http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x

ok heres what i've tested… i have a multi wan pfsense in my network. I install squid in another computer and had its gateway pinting to the pfsense box. i went to google whats my ip search pages found out that my ip changes when i refresh the page. i think you guys can have another pfsense box and install with squid in your network and it might work.

LAN ---------->pfsense + Squid (transperent proxy) --------------------> pfsense + multi wan ----------------> the internet

i think you can label your pfsense+squid as kraken ^^

need a static route, 10.10.8.254 my server vlan gw. dhcp-dns+firewall in this vlan. dhcp server ip 10.10.8.4 gw:10.10.8.254 , pfsense firewall ip 10.10.8.8

hp procurve switch default route 0.0.0.0 0.0.0.0.0 10.10.8.8 ….  need a static route in pfsense 10.0.0.0 255.0.0.0 10.10.8.254

Thanks for the super fast reply GruensFroeschli.
I'll give it a go.

Many changes in 2.0. It's completely redone. There's a sticky post in the 2.0 forum with info, it will eventually go into the wiki.

I did a lot of searching on this topic and really I found nothing that gave the full setup and explanation that made sense to me, so I ended up going back to an older version(1.231) of Monowall to clear up the issue. I then updated until Hamachi stopped working. Looking at the version change log I found that there was a change that made the firewall remap the ports for UDP connection. Where this is slightly more secure, it is also not compatible with Hamachi.

False Hope(Skip this if you don't care to know what not to do.)
Before I found the correct solution,I first had a false positive correction where I setup each internal Hamachi instance to have its own port to connect with. This is done by setting up the UDP IP and port for the Hamachi instance in Hamachi advanced settings. Then Adding a port forward for each one in the firewall. This seems to work at first but when you have PCs that disconnect and reconnect over time they will all go to Relay Tunnel. This is because at first the ports that are assigned are used but at some point they get remapped. This can be confusing because if you restart the internal Hamachi instance, it will clear up for all connected clients. This is not a solution. Since you will find your self running around every day resetting Hamachi instances or setting up restart times for the Hamachi service.

To make Hamachi work on either Monowall or Pf-sense, you have to create an Outbound NAT rule for your Lan network Subnet that has the disable port mapping checked. Then turn enable Advanced outbound Nat. When you don't have (AON ) turned on there is a rule just like this created for you but without the port mapping turned off.

Basically your rule should look something resembling this(see below) if you have a Lan setup like with 192.168.0.x / 24 (Subnet:255.255.255.0) .

Create a NAT Outbound mapping entry that has these settings.
(see attached image for monowall screen shot.)
Interface:wan
Source: 192.168.0.0 / 24
Destination: any
Target: blank
Portmap: checked
Description: [what ever you like]

Don't forget to turn on AON (check box )

If this entry is correct you should not see any changes to your FW operation. The only real difference you should see is that Hamachi and other UDP using traffic should start to work as expected.

Hope this helps someone, I know it would have helped me save several days of experimenting.

monowall_AON-Hamachi.png
monowall_AON-Hamachi.png_thumb

Un-ticking 'Use sticky connections' in System -> Advanced -> Load Balancing did the trick!

You don't really need multiple failover pools.
A single
wan1 fails to wan2 fails to wan3
should be enough.
(Of course the WANs should be in the order in which you want them to failover).

Yes this should be possible.
With 2.0 you will have the possibility to terminate all the PPPoE links directly on the pfSense.
However if these links are from the same provider you might run into the problem, that two links are not allowed to have the same gateway.

;D

Ok, we'll do that then.

Problem seems to have solved itself somewhat, it appears we're getting a /28 from the start as those 2 free addresses weren't enough anyway.

Thanks for your advice :)

The overlapping VPN endpoints is the key – we won't be able to control what network ranges they might happen to use on their side, so I guess I'll just need to get pfSense installed and test things out..