• WAN emulation

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    Not in 1.2 but it is in 1.3-ALPHA.  We will be releasing a version soon.

    In the meantime you can contribute to the traffic shaping bounty if you want an early version.  See the bounty section for more information.

  • 2WAN+DMZ+LAN1+LAN2

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    P

    First: in Firewall>Rules>DMZ, if I add a rule the rule is applied only to the packets coming in the DMZ interface (i.e. packets sent by DMZ hosts), correct?
    In this case I don't understand the "Interface" field inside the rule (the hint said: "Choose on which interface packets must come in to match this rule. ").

    Which interface does this rule apply to, you could say

    And second: the "Gateway" in the rule. This field means that if the packet satisfies the rule it is routed to this gateway overriding all other routing?

    *, opt1, opt2 etc. You could remember it as * belongs/is pfSense while everything else has nothing to do with pfSense and its routing.

  • Strange Routing Issue

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    R

    @hoba:

    To get issues with online banking solved just create a rule for https traffic that will use a failover pool instead of balancing. These applications won't cause much load so it's no problem to have them only at one WAN and they will still be available if one of the WANs goes down this way. At my setups I have a ports alias and a hosts alias for such ports and destinations that don't work with load balancing. It's easy to just add ports or IPs later this way.

    Excellent advice, thanks for that, works perfectly now…

  • Dual WAN Failover bounces on and off…

    Locked
    16
    0 Votes
    16 Posts
    7k Views
    T

    Cable is WAN and DSL is OPT1…

    Yeah, I only set it up to fail over to DSL.  My Cable connection is 16mbps compared to my 1.5mbps DSL, so I don't really care about load balancing.

  • MultiWAN and MULTI LAN

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H

    How much memory does that hardware have currently? 87% is a bit too close to the edge for my liking. If you enable some more services or see high traffic load, it might happen that processes randomly die or, in case this is a full install, that the system becomes terribly slow as it starts swapping to HDD. I would add more RAM.

  • Assign p2p trafic to WAN1

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    P

    Diagnostics -> States  reset states

  • Leased Line with IPSec Backup

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    E

    it seems script is not available atm. ;)

  • Inbound LoadBalancing Question

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H

    It depends where your domain is registered. You might also be able to use pfSense for this when having the dns-server-package installed. Probably talk to your hoster for that domain about what you want to do and what's the easiest way to achieve this. They might be able to set up round-robin DNS for you or advise you how to do it.

  • Inbound Load Balancing is not balanced

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    B

    I have to say I'm having a similar issue with load balancing. This morning is the first time I have really played with it. Here is my setup in a nutshell :-

    2 firewalls in a carp cluster, static public IPs on the WAN, static public IPs on DMZ, and Private IPs on LAN.

    NAT is only used for the LAN -> WAN connection. The DMZ servers can route to special ports / IPs on the LAN

    I set up a pool containing 2 LAN IPs and set up a virtual server on the LAN carp address. The DMZ servers connect to the virtual server to process some fast-cgi stuff. I added a rule on the DMZ interface to use the POOL as the gateway as suggested by GruensFroeschli (although this feels more like it's for outbound load balancing of WAN connections, not inbound server balancing?).

    Sticky connections is off.

    The server always connects to one backend server (POOL is set to load balance, not failover). If I stop the service on the LAN IP that's getting all the connections, the first couple of connections fail, then they start going to the second LAN IP.

    After starting the service on the first LAN IP again, the next connection continues with the second LAN IP, then after that all connections revert back to the first LAN IP again.

    I'd like to :-

    a) Have it share the connections round robin style against the two LAN IPs

    b) When one does go down, have all connections seamlessly go directly to the second, not have a couple of failures like I see at the moment.

    Is this possible?

    Regards

    Ben

  • MOVED: Assign computers behind pfsense to WAN interfaces

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Redirect Inbound HTTPS/HTTP Requests Based on URL

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    H

    That's the only solution that came to my mind or let's say the easiest one.

  • Multiple interfaces connected to same vlan

    Locked
    7
    0 Votes
    7 Posts
    7k Views
    ?

    Indeed, only 1 VLAN ID can be associated to untagged traffic on each port…

    Yes, with VMWare you have a number of virtual switches and you can add a number of virtual nics to your VM guests. The numbers and features available depend on the edition/version/host type you're using.

    Now if you could bridge one "port" of this virtual switch to a real NIC, and connect as many virtual NIC's to this virtual switch as you want to get DHCP leases.

    Yes, that's what I'm doing. In my setup, on the pfSense VM guest, I bridge 1 virtual nic to my main LAN VLAN, and the other 3 to the VLAN connected to the cable modem (all 3 to the same VLAN) - see attached screenshots. Inside pfSense, I see 4 adapters, everything is working. I was just trying to migrate it to a physical setup due to performance issues on this specific VMWare Host…

    (Does the 4 NIC limit still exist?)

    Yes, but it is going up to 10 on the next version (I think it's already up to 10 in the latest WS). With VMWare Server 1.x on a Windows host, you get 10 "Unmanaged Virtual Switches/Networks" - out of which 3 are used by VMWare, effectively leaving you with 7 in most setups. VMWS 1.x guests are limited to 4 virtual nics, but VMWS 2.0 will allow 10 nics (but I think it's still limited in the number of networks). VMWS under Linux already supports more networks (100?) and I believe more nics.

    VirtualLans.jpg
    VirtualNics.jpg
    InterfaceAssignments.jpg

  • Routing all traffic through an OpenVPN Site2Site tunnel

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    GruensFroeschli

    Actually you can do that via the GUI.

    Take a look at the -redirect command.
    http://forum.pfsense.org/index.php/topic,7001.0.html

    This changes the routing-table of pfSense so that everything gets routed through the tunnel.

    Since you only want some traffic to be routed through the tunnel you change the "allow all" rule not to use the default routing table but force it out a specific gateway (in your case the WAN).
    -> create a rule for everything that shouldn't go over the tunnel with "WAN" as gateway and NOT *

    This way you have:

    traffic you specify in the rules goes out the WAN. everything else goes over the openVPN tunnel.
  • Failover works for a short time then stops working

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    F

    I think I solved the problem in my case.
    I hacked the PHP script which generates the config file for dhclient so that an additional option is saved in the config file. Specifically I added the option
    ```
    reject 192.168.100.1
    ```

  • Routing for pfsense and nat question

    Locked
    5
    0 Votes
    5 Posts
    8k Views
    H

    Did you set up a static route at pfSense for the network behind the router? Please note that the default "LAN to any" rule only covers your LAN subnet as source. To allow other subnets you either have to add rules for them or you have to change the default "LAN to any" rule to "any to any".

  • Banner say: there were error(s) loading the rules

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    H

    Try to restart from scratch and test frequently while configuring to see where it breaks.

  • Subnet/VLANs with managed and unmanaged switches

    Locked
    29
    0 Votes
    29 Posts
    20k Views
    GruensFroeschli

    @g:

    Maybe you mean if multiple VLANs are assigned to a NIC and have IP addresses, that same NIC should not be assigned to WAN or LAN?

    I mean about that.
    Only WAN and LAN can be VLAN too.

    Simple: Don't assign real interfaces if you have VLANs running on them.

    On my WRAP this would look like this:

    available interfaces: sis0, sis1, sis2

    LAN:  VLAN 1001 on sis0
    WAN:  sis2
    OPT1: VLAN 1101 on sis0
    OPT2: VLAN 1201 on sis0
    OPT3: VLAN 1301 on sis0
    OPT4: VLAN 1401 on sis0
    OPT5: sis1

    As you can see: I don't mix normal assignments and VLAN assignments on the NICs.
    But still LAN can be a VLAN, even WAN could be a VLAN.

    WAN and LAN are separate NICs. I got it working. But. All access to WAN works. With LAN (thru sk0), I can only ping or telnet to any of the listening ports. Web/SSH, all traffic shows passing thru the firewall but doesn't come back.

    What exactly do you mean with "all traffic shows passing thru the firewall but doesn't come back"?
    Where does this traffic go to? Does the destination know the route back to you?
    Did you create rules on all interfaces that allow traffic? (per default everything on a new interface is blocked)

  • Can't Ping OPT2 Interface IP

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jahonix

    Do not set the source to Opt2 subnet but any and from the 'Destination' dropdown box use "OPT2 address".

  • Need help routing real IPs!

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    GruensFroeschli

    Hehe.
    If you want smaller hardware: http://pcengines.ch -> ALIX
    With that you can route/filter (almost) at wirespeed.
    The power consumption is around 5-10 W.

    But I think your setup should work without an imminent explosion ;)
    It's just a bit strange because of the /32 WAN.
    Now you just need to check if users can access your public IP's from the internet.

  • Multiwan and DNS

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    W

    Afaik you can add a third and a fourth DNS-entry in the config.xml.
    So you can have a primary and secondary entry for the first interface, and a tertiary and quaternary on the second interface.

    That's brilliant, I'll be adding all my DNS IP's in then, and adding static routes to them.

    Thanks for clearing all that up for me.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.