Thanks … that got rid of the syntax error.

-- Phob

You need to use the lan ip if as source if you try to ping through the tunnel from the pfsense itself. Try from a client behind the pfSense or use as source the LAN IP. At the webgui for example use interface lan at diagnostics>ping. Other option is to add a static route to remotesubnet via gateway lan IP of local pfSense.

I didn't find any software commercial products with theses features.

The only hardware capable that i found, it's from a french manufacturer :

http://www.bewan.com/bewan/products/bsecurellx/index.php

Look like with theses models you could get FailOver and LoadBalancing for VPN on MultiWAN, but i think it will only work if all the VPN gateways are from Bewan  ;)

You might consider getting a multi port PCI, however as you machine still has ISA slots I consider it quite old and maybe you should replace it anyway then  ;)

ok i did some testing today with a few old computers i've set PfSense up on.
Right now i'm able to get to the internet with loadbalancing from every "private" lan.

i'v set up firewall rules:

pub. == "not private address-range"
pri. == "private address-range"
1to2 == link-interface-name for connection between pfSense1 and Pfsense2

LAN-Interface
destination: pub. –> gatewaypool WAN & 1to2
destination: pri. --> gatewaypool 1to2

If i find the time i'll setup a test-system in the network-labor at school which will look about like that:

6
      /  | 
    /    |   
  5----1-----2
  \    / \      /
    \ /    \  /
    4------3

If i'm not mistaken i will have to make a lot of different pools.
i'll post them here to have them written down when i'll do them ^^"

PfSense1:
from LAN
dest. = pub. --> pool WAN, 2, 3, 4, 5, 6
dest. = priv. --> pool 2, 3, 4, 5, 6

from 1to2
source = 2, dest. = pub. --> pool WAN, 3, 4, 5, 6
source = 3, dest. = pub. --> pool WAN, 4, 5, 6
source = 4, dest. = pub. --> pool WAN, 3, 5, 6
source = 5, dest. = pub. --> pool WAN, 3, 4, 6
source = 6, dest. = pub. --> pool WAN, 3, 4, 5

source = 2, dest. = priv. --> pool 3, 4, 5, 6
source = 3, dest. = priv. --> pool 4, 5, 6
source = 4, dest. = priv. --> pool 3, 5, 6
source = 5, dest. = priv. --> pool 3, 4, 6
source = 6, dest. = priv. --> pool 3, 4, 5

and so on for every interface on every PfSense.

this would be a lot of work whenever a new PfSense gets added to the system and i think it's still not quite good with how the traffic can take long ways.

edit: moving questions regarding OLSR/RIP

Thanks for the hint. Didn't know it's linked there too.

No, I am not using dual wan. It is only dsl modem, witch is working as bridge, and pfsense computer with a static wan ip adress after it.

The file that gets loaded into pf is located at /tmp/rules.debug. You can view it either at diagnostics>edit file or by downloading it via  diagnostics>command.

OK

I have made some progress on this.

It seems there may be a compatibility issue betweem my Linksys Router (Model BEFSR41V4) and pfSense Loadbalancing. At this stage I am not sure if it is an inbuilt firewall rule on the Linksys Router (which prevents pings after a certain amount of time) or the type of Broadband Cable connection I have. In Australia my ISP (Telstra Bigpond) utilises a unique Heartbeart Signal/Authentication System (a real pain in the behind).

Anyhow, I changed routers (i am now using ipcop to connect to my ISP) and loadbalancing works fine.

I will do more investigating and try and get to the root of the problem and post here if successful.

The difference between policybasedrouting and multiwan is not that big. You even can use both simultaneously (send some special traffic out WAN, other special traffic out WAN2 and use loadbalancing for everything else for example). The main difference is that you use one of the interface gateways as gateway for your firewallrules or a pool of gateways as gateway.

When to use which:

There are some special applications that won't work well together with loadbalancing (https, pptp, ftp,…). You should use policybasedrouting to make these go out only one of the WANs.

Other applications can be distributed across both WANs without issues.

No luck without the workaround :(

This is completely wrong. You don't need any static routes. You need the subnets in the tunneldefinition the way I posted them. IPSEC has nothing to do with static routes or if you want to see it this way: it will "somehow create the routes" the way that you specify the subnets in the tunnel definitions.

I haven't noticed a DHCP client bug yet but I have to admit that I either use static IPs or PPPoE connections everywhere. However PPPoE is dynamic with 24h forced disconnects by the provider with IP-Change. PPPoE works fine this way. Anybody else noticed DHCP client problems with portforwards/firewallrules?

Let's assume your DNS-Servers ar 1.1.1.1 and 1.1.1.2 for WAN and 2.2.2.1 and 2.2.2.2 for OPT-WAN.

At system>general enter one DNS Server of WAN and one of OPT-WAN like 1.1.1.1 and 2.2.2.1

Then at system>static Routes add a route:
Interface OPT-WAN
Subnet 2.2.2.1/32
Gateway OPT-WAN-Gateway (either look this up at status>interfaces or at interfaces>OPT-WAN if it's static).

Save and apply.

thank u everybody for ur help! I finaly route and make my dhcp serveur up!  ;)

@j2sw:

I was reading on some other threads about Dual Wan and 1:1 Nat. We just moved up from a single wan to a dual wan setup. I am used to going in, adding a 1:1 Nat, adding a firewall rule to pass traffic to the host, and adding the proxy arp.

From what I read the Dual wan setup requires port forwarding to work properly? Is this true?  If so any tutorials I am missing?

Thanks,
Justin

I suspect most people don't have actual IP blocks in their multi-wan configs, just single IPs, so 1:1 nat's are in infrequent use.  I think you'll be ok to do 1:1 via one wan.  You should also be able to specify a port forward range of 1 to 65535, which from the outside would achieve the same result.  Inside out, you can just use regular advanced outbound NAT to map the internal workstation to a given IP on each WAN.

–Bill

This setup is not supported unless you use vlans and a vlan capable switch.

Thanks to all responders

That should just work fine though if the webproxy is the only thing you need you should have a look at the squid package. Maybe you get it up without smoothwall in the same time that you would need to set up pfSense with smoothwall in this scenario. Is the smoothwall transparent proxy? There is one thing in this scenario that is not that nice the way you painted it: If you want to forward something from one of the WANs you have to configure the passthrough at the smoothwall and at the pfSense. I would suggest a setup like this:

  WAN1       pfSense LAN--+------smoothwall   WAN2            |                   +------clients

If the smoothwall can't be run with only 1 Interface try this setup (you will need 4 nics in your pfSense for this):

  WAN1    OPT2-----------------------------+       pfSense                              |   WAN2    LAN--+------LAN/smoothwall/WAN---+                 |                 +------clients

You can either block Internetacces from LAN to either of the WANs on port 80 or even redirect it back to the smoothwall. The smoothwall itself then will send the requests out via it's default gateway, the OPT2 Interface of the pfSense. I have this setup using an IAS as proxy at a customers location.