@XK:

I have two DSL connections and I want to use PfSense as firewall / NAT router.
I want to use load balancing for all my traffic but I will route some specific traffic on WAN1 or WAN2.
If one WAN drop, is it possible to automaticly route all its specified traffic on the other WAN interface?

A parital solution to your problem is discussed here:
    http://forum.pfsense.org/index.php?topic=2583.msg15171

Please note that this is not officially supported by the pfsense devs, so do not file bug reports or complain if this solution does not work for you.

Reflection is only supported on the LAN interface.  There are no workarounds.

Sorry.

No one has any clue?  Seems like this would be a common setup.

Hi,
I finally had time to Change my Wan Interface from PPPOE to a static Ip with a Modem router in front of it. After the change I rebooted. An now Portforwards are working with Advanced Outbound NAT on the OPT-WAN Interfaces and Policy Based routing.
From my point of view there seems something not real working if you use PPPOE on the WAN interface, maybe the developers could take a look into it.
Regards

You have to use one dns of each of your wans at system>general setup. Also add a static route at system>static routes through the optwan to the dns-ip/32 of the optwan.

@scarpy:

Thanks very much for BACKUP function on PFSense!!  ;D

I'd like to modify Raja's monitor-gw script to add this function to my PFsense box:
When monitor-gw script changes the default gateway,
i want it to change the 1:1 NAT rules for my PCs
In other words:
I need to NAT my LAN IP addresses in different ways depending on which is the
default gateway at the moment.

Some details:
My LAN is 10.0.0.0/24 with static IPs.

My WAN1 is 192.168.1.0/24 (PFSense NIC is 192.168.1.1)

My WAN2 is 192.168.2.0/24 (PFSense NIC is 192.168.2.1)

My default wan is WAN1.

I want to use NAT to change each LAN ip from 10.0.0.x to 192.168.1.x.
When my default wan (WAN1) is down, PFSense must use WAN2 and must nat each ip
from 10.0.0.x to 192.168.2.x

Thanks in advance for any help.

Bye,
Alex

you can do that 2 ways a hard one and a simpel one
the hard one you need to edit the rules.debug file on the fly from the monitor script and chanche the wan interface there to the one that is active

the simpel way is to copy the rules.debug file to 2 files
/tmp/wan1.rules and /tmp/wan2.rules
edit the wan="interface" line in both files to the correct interface
let the script afther chancing the wan interface
the correct rules file run

pfctl -f /tmp/wan1.rules
      for wan1
pfctl -f /tmp/wan2.rules
      for wan2

That did it!

When changing the gateway from LBtoWans to default I noticed there was an "OPT2 - OPT2" gateway appearing in the dropdown menu. Don't know where it came from.

Anyway, thanks a lot hoba, great support and great product!

http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing

Thanks … that got rid of the syntax error.

-- Phob

You need to use the lan ip if as source if you try to ping through the tunnel from the pfsense itself. Try from a client behind the pfSense or use as source the LAN IP. At the webgui for example use interface lan at diagnostics>ping. Other option is to add a static route to remotesubnet via gateway lan IP of local pfSense.

I didn't find any software commercial products with theses features.

The only hardware capable that i found, it's from a french manufacturer :

http://www.bewan.com/bewan/products/bsecurellx/index.php

Look like with theses models you could get FailOver and LoadBalancing for VPN on MultiWAN, but i think it will only work if all the VPN gateways are from Bewan  ;)

You might consider getting a multi port PCI, however as you machine still has ISA slots I consider it quite old and maybe you should replace it anyway then  ;)

ok i did some testing today with a few old computers i've set PfSense up on.
Right now i'm able to get to the internet with loadbalancing from every "private" lan.

i'v set up firewall rules:

pub. == "not private address-range"
pri. == "private address-range"
1to2 == link-interface-name for connection between pfSense1 and Pfsense2

LAN-Interface
destination: pub. –> gatewaypool WAN & 1to2
destination: pri. --> gatewaypool 1to2

If i find the time i'll setup a test-system in the network-labor at school which will look about like that:

6
      /  | 
    /    |   
  5----1-----2
  \    / \      /
    \ /    \  /
    4------3

If i'm not mistaken i will have to make a lot of different pools.
i'll post them here to have them written down when i'll do them ^^"

PfSense1:
from LAN
dest. = pub. --> pool WAN, 2, 3, 4, 5, 6
dest. = priv. --> pool 2, 3, 4, 5, 6

from 1to2
source = 2, dest. = pub. --> pool WAN, 3, 4, 5, 6
source = 3, dest. = pub. --> pool WAN, 4, 5, 6
source = 4, dest. = pub. --> pool WAN, 3, 5, 6
source = 5, dest. = pub. --> pool WAN, 3, 4, 6
source = 6, dest. = pub. --> pool WAN, 3, 4, 5

source = 2, dest. = priv. --> pool 3, 4, 5, 6
source = 3, dest. = priv. --> pool 4, 5, 6
source = 4, dest. = priv. --> pool 3, 5, 6
source = 5, dest. = priv. --> pool 3, 4, 6
source = 6, dest. = priv. --> pool 3, 4, 5

and so on for every interface on every PfSense.

this would be a lot of work whenever a new PfSense gets added to the system and i think it's still not quite good with how the traffic can take long ways.

edit: moving questions regarding OLSR/RIP

Thanks for the hint. Didn't know it's linked there too.

No, I am not using dual wan. It is only dsl modem, witch is working as bridge, and pfsense computer with a static wan ip adress after it.

The file that gets loaded into pf is located at /tmp/rules.debug. You can view it either at diagnostics>edit file or by downloading it via  diagnostics>command.

OK

I have made some progress on this.

It seems there may be a compatibility issue betweem my Linksys Router (Model BEFSR41V4) and pfSense Loadbalancing. At this stage I am not sure if it is an inbuilt firewall rule on the Linksys Router (which prevents pings after a certain amount of time) or the type of Broadband Cable connection I have. In Australia my ISP (Telstra Bigpond) utilises a unique Heartbeart Signal/Authentication System (a real pain in the behind).

Anyhow, I changed routers (i am now using ipcop to connect to my ISP) and loadbalancing works fine.

I will do more investigating and try and get to the root of the problem and post here if successful.

The difference between policybasedrouting and multiwan is not that big. You even can use both simultaneously (send some special traffic out WAN, other special traffic out WAN2 and use loadbalancing for everything else for example). The main difference is that you use one of the interface gateways as gateway for your firewallrules or a pool of gateways as gateway.

When to use which:

There are some special applications that won't work well together with loadbalancing (https, pptp, ftp,…). You should use policybasedrouting to make these go out only one of the WANs.

Other applications can be distributed across both WANs without issues.

No luck without the workaround :(