Not in 1.2 but it is in 1.3-ALPHA.  We will be releasing a version soon.

In the meantime you can contribute to the traffic shaping bounty if you want an early version.  See the bounty section for more information.

First: in Firewall>Rules>DMZ, if I add a rule the rule is applied only to the the packets coming in the DMZ interface (i.e. packets sent by DMZ hosts), correct ?
In this case I dont understand the "Interface" field inside the rule (the hint said: "Choose on which interface packets must come in to match this rule. ").

Which interface does this rule apply to, you could say

And second: the "Gateway" in the rule. This field means that if the packet satisfy the rule it is routed to this gateway overriding all other routing ?

*, opt1, opt2 etc. You could remember it as * belongs/is pfSense while everything else has nothing to do with pfSense and it's routing.

@hoba:

To get issues with online banking solved just create a rule for https traffic that will use a failover pool instead of balancing. These applications won't cause much load so it's no problem to have them only at one wan and they will still be available if one of the wans go down this way. At my setups I have a portsalias and a hostsalias for such ports and destinations that don't work with loadbalancing. It's easy to just add ports or IPs later this way.

Excellent advice, thanks for that, works perfectly now…

Cable is WAN and DSL is OPT1…

Yeah, I only set it up to fail over to DSL.  My Cable connection is 16mbps compared to my 1.5mbps DSL, so I don't really care about load balancing.

How many memory does that hardware have currently? 87% is a bit too close to the edge for my liking. It might happen if you enable some more services or see high traffic load that processes are randomly dying or the system is becoming terribly slow in case this is a full install as it starts swapping to hdd. I would add more ram.

Diagnostics -> States  reset states

it seems script is not available atm. ;)

It depends where your domain is registered. You might also be able to use pfSense for this when having the dns-server-package installed. Probably talk to your hoster for that domain about what you want to do and what's the easiest way to achieve this. They might be able to setup roundrobin dns for you or advice you how to do it.

I have to say I'm having a similar issue with load balancing. This morning is the first time I have really played with it. Here is my setup ina nutshell :-

2 firewalls in a carp cluster, static public IPs on the WAN, static public IPs on DMZ, and Private IPs on LAN.

NAT is only used for the LAN -> WAN connection. The DMZ servers can route to special ports / IPs on the LAN

I set up a pool containing 2 LAN IPs and setup a virtual server on the LAN carp address. The DMZ connect to the virtual server to process some fast-cgi stuff. I added a rule on the DMZ interface to use the POOL as the gateway as suggested by GruensFroeschli (although this feels more like its for outbound load balancing of WAN connections, not inbound server balancing?).

Sticky connections is off.

The server always connects to one backend server (POOL is set to load balance, not failover). If I stop the service on the LAN IP thats getting all the connections, the first couple of connections fail, then they start going to the second LAN IP.

After starting the service on the first LAN IP again, the next connection continues with the second LAN IP, then after that all connections revert back to the first LAN IP again.

I'd like to :-

a) Have it share the connections round robin style against the two LAN IPs

b) When one does go down, have all connections seamlessly go directly to the second, not have a couple of failures like I see at the moment.

Is this possible?

Regards

Ben

That's the only solution that came to my mind or let's say the easiest one.

Indeed, only 1 VLAN ID can be associated to untagged traffic on each port…

Yes, with VMWare you have a number of virtual switches and you can add a number of virtual nics to your VM guests. The numbers and features available depend on the edition/version/host type you're using.

Now if you could bridge one "port" of this virtual switch to a real NIC, and connect as many virtual NIC's to this virtual switch as you want to get DHCP leases.

Yes, that's what I'm doing. In my setup, on the pfSense VM guest, I bridge 1 virtual nic to my main LAN VLAN, and the other 3 to the VLAN connected to the cable modem (all 3 to the same VLAN) - see attached screenshots. Inside pfSense, I see 4 adapters, everything is working. I was just trying to migrate it to a physical setup due to performance issues on this specific VMWare Host…

(Does the 4 NIC limit still exist?)

Yes, but it is going up to 10 on the next version (I think it's already up to 10 in the latest WS). With VMWare Server 1.x on a Windows host, you get 10 "Unmanaged Virtual Switches/Networks" - out of which 3 are used by VMWare, effectively leaving you with 7 in most setups. VMWS 1.x guests are limited to 4 virtual nics, but VMWS 2.0 will allow 10 nics (but I think it's still limited in the number of networks). VMWS under Linux already supports more networks (100?) and I believe more nics.

VirtualLans.jpg
VirtualLans.jpg_thumb
VirtualNics.jpg
VirtualNics.jpg_thumb
InterfaceAssignments.jpg
InterfaceAssignments.jpg_thumb

Actually you can do that via the GUI.

Take a look at the -redirect command.
http://forum.pfsense.org/index.php/topic,7001.0.html

This changes the routing-table of pfSense so that everything gets routed through the tunnel.

Since you only want some traffic to be routed through the tunnel you change the "allow all" rule not to use the default routing table but force it out a specific gateway (in your case the WAN).
–> create a rule for everything that shouldnt go over the tunnel with as gateway "WAN" and NOT *

This way you have:

traffic you specify in the rules goes out the WAN. everything else goes over the openVPN tunnel.

I think I solved the problem in my case.
I hacked the php-script, which generates config file for dhclient so that an additional option is saved in the config file. Specifically I added the option```
reject 192.168.100.1

Did you setup a static route at pfSense for the network beind the router? Please note that the default lan to any rule only covers your lan subnet as source. To allow other subnets you either have to add rules for it or you have to change the default lan to any rule to any to any.

Try to restart from scratch and test frequently while configuring to see where it breaks.

@g:

Maybe you mean if multiple VLANs are assigned to a NIC and have IP addresses, that same NIC should not be assigned to WAN or LAN?

I mean about that.
Only WAN and LAN can be VLAN too.

Simple: Dont assign a real interfaces if you have VLANs running on them.

On my WRAP this would look like this:

availlable interfaces: sis0, sis1, sis2

LAN:  VLAN 1001 on sis0
WAN:  sis2
OPT1: VLAN 1101 on sis0
OPT2: VLAN 1201 on sis0
OPT3: VLAN 1301 on sis0
OPT4: VLAN 1401 on sis0
OPT5: sis1

As you can see: i dont mix normal assignments and VLAN assignments on the NICs.
But still LAN can be a VLAN, even WAN could be a VLAN.

WAN and LAN are separate NICs. I got it working. But. All access to WAN works. With LAN (thru sk0), I can only ping or telnet to any of the listening ports. Web/SSH, all traffic shows passing thru the firewall but doesn't come back.

What exatly do you mean with "all traffic shows passing thru the firewall but doesn't come back."
Where does this traffic go to? Does the destination know the route back to you?
Did you create rules on all interfaces that allow traffic? (per default everything on a new interface is blocked)

Do not set the source to Opt2 subnet but any and from the 'Destination' dropdown box use "OPT2 address".

Hehe.
If you want smaller hardware: http://pcengines.ch –> ALIX
With that you can route/filter (almost) at wirespeed.
The power consumption is around 5-10 W.

But i think your setup should work without an imminent explosion ;)
It's just a bit strange because of the /32 WAN.
Now you just need to check if users can access your public IP's from the internet.

Afaik you can add a third and a fourth DNS-entry in the config.xml.
So you can have a primary and secondary entry for for the first interface, and a tertiary and quaternary on the second interface.

That's brilliant, I'll be adding all my DNS IP's in then, and adding static routes to them.

Thanks for clearing all that up for me.