Looks to me like if you could drop the dual-wan-router and the netscreen and just use 1 pfSense (unless you use something special not mentioned in your post).

You only will have one CARP IP at the LAN as gateway that can be shared between the both boxes so you don't have to manually change all your clients gateways. Each box will have their own WAN. If you setup PPTP for example you can tunnel in to the slave pfSense and then go to the webgui at the master pfsense to disable CARP so you can do that remotely even if the master pfSense's WAN is down.

@sullrich:

DJBDns == TinyDNS.. Same thing.  DJ is Daniel Bernstein(sp)

http://cr.yp.to/djb.html

stupid me  ::)

I think you're saying you have to run two pppoe connections, which ATM is not part of current gui implementation.  It may be possible just working via ssh though.  I know you can do this with two routers sending the PPPoE, and the load balancing has worked for me

There was one hit for that query and I'm replying to it. :)

Martin

I can setup a box for multi wan testing.  I have two cable modems with different IP subnets and would be willing to setup a box for a time to help develop the product.

I'm currently running a multi-wan setup and would like some more development on the FTP side.

Sean

As Pootle said you only want rule 2

      Proto --- source --- port --- destination --- port --- Gateway         ------------------------------------------------------------------- 2      any        Lansubnet  any            any        any    LoadBalancer pool

Aisay agar aik WAN bund ho gaya, doosra chalta rahay ga, agar 'LoadBalancer' pool sahi hai to. Loadbalancer ka screenshot day do.

I mean delete the rule and then add it again. If you are getting an error while adding it there is a mistake somewhere and the rule will not be used by the firewall, so your setup will not work properly.

remove rule 4

and test by removing the kable of the wan interface
then plug back in
and remove the one from the opt1 interface

The answer is still the same like above.

@port1mm:

Since the pools can now be set up with the interface names does this also alleviate the requirement of separate subnets for each WAN interface?

Sorry, no, they still have to be in unique subnets.

How would DynDns work with dual wan?  I have an email server and several others that I need to port forward to using Dyndns.  Any example setups would be appreciated.

This will work for incoming mail, as long as you have a way of updating the dyndns service with the changed IP (I'm not sure how you would do that bit), but unless both your connections are with the same ISP, you may not be able to send mail whan failed over as it won't be coming from an acceptable subnet.

The static route for the dns server at wan is not needed as this is covered by the default route. Remove it. This shouldn't mess things up though.

thanks ! ;)

It's all a question of firewallrules and nat. If you only want to route you have to shutdown nat first (firewall>nat, outbound tab; enable advanced outbound nat and delete the autocreated rule at the bottom; save and apply). If your WAN lies within a private subnetrange you have to disable "block private subnets" at interfaces>wan. Additional to this you have to setup firewallrules to permit desired trafic (firewall>rules). Also make sure all clients have routes to the other subnet though the pfSense as gateway.

After a quick rebuild I've got a clean copy of my config to share if you would like to try it out in your network.

Here's the setup

WAN <-bridge-> OPT1
LAN -> Internal/Management

WAN IP 192.168.0.1 / 24
      GW 10.0.1.1
      DNS 10.0.1.10
      DNS 10.0.1.11

OPT1 Bridge with WAN

LAN IP 10.0.1.2 / 24

Firewall rules

LAN
*  LAN net  *  *  *  *

WAN
TCP  *  *  *  80 (HTTP)  *  HTTP  ( and others…no need to list them all)

OPT1
BLOCK -  *  LAN net  *  *  *  *
PASS  -  *  *  *  *  *  *  *

Not sure why it didn't work with WAN/LAN bridge and OPT1 for management…

Also, I still seem to be having issues with Snort on 1.0.1-SNAPSHOT-02-27-2007

Anyway, here is the config, feel free to try it, change the IP settings to match your network and let me know it's short comings lol

http://www.crackedconsole.com/Downloads/pfSense/pfSense-Config.zip

The login and password are the defaults admin:pfsense

Thanks

Traffic is always filtered incoming at an interface, so you got your rules right. Filtering traffic from OPT1 subnet has to happen on the OPT1 tab therefor. Any chance you are running a pfSense 1.0? This version had a bug where sometimes filterrules have not been applied on changes and you had to reboot. Upgrade to 1.0.1 or the latest snapshot ( http://snapshots.pfsense.com/FreeBSD6/RELENG_1/ ) if this is the case.

Add a virtual IP of type CARP to the LAN Interface for the second IP. (Firewall>Virtual IPs in the webgui)

Oh, it is changed at the modem. OK, so you could go with the last one and maybe still use the 192.168.0.XXX numbers. Well i would just say play around with it. I know there is a router in there somewhere. Good luck.

I configured it as suggested.  Works 100%. Thanks

Sorry your bug report is less than stellar.  "It does not work" and "faulty" tells us nothing.

So please read:

http://www.netlife.co.za/content/view/34/34/
http://www.pfsense.com/mirror.php?section=tutorials/policybased_multiwan/policybased_multiwan.pdf
http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing