Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Using pfsense with multiple WANs

    Scheduled Pinned Locked Moved General pfSense Questions
    144 Posts 5 Posters 42.7k Views 6 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L Offline
      lewis @Patch
      last edited by

      @patch said in Multi LAN networks to one pfsense:

      @lewis could you not just replace one of the pfsense units with a level 2 switch and use that to route the second WAN and remote VLANs all to a single pfsense router?

      I wish it was that easy but it was a server turned into a firewall using pfsense. Nothing can be changed in that network, meaning, one cannot change hardware to something else, it's all servers in there.

      I had mentioned that it could be possible to convert pfsense to a software router but that will only solve a problem after everything is moved over.

      I've been thinking about this a lot and the main server/service that is a problem seems to be only the database server. It seems that if I move the DB server to the new network then find a way to re-route all connections to that to the new network, everything else could fall into place.

      Then later, I could solve the issue of either using pf or a sw router for the rest.

      1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @lewis
        last edited by johnpoz

        @lewis said in Multi LAN networks to one pfsense:

        they gave me what they can

        No they didn't - you just don't know what to ask them for or what to do.

        If you have L2 that is connected between location A and location B... Then use that to connect to switch at location A and then Location B and you have 1 extended vlan..

        Do this sort of thing every single day in multiple DC across the freaking globe.. Your thinking its some quantum physics problem when its 2+2..

        If they have some "dclan" vlan that connects your locations.. There you go you have an L2 between your locations - connect this to your current "lan" at each location and you have 1 LAN...

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        L 1 Reply Last reply Reply Quote 0
        • L Offline
          lewis @johnpoz
          last edited by lewis

          @johnpoz said in Multi LAN networks to one pfsense:

          @lewis said in Multi LAN networks to one pfsense:

          they gave me what they can

          No they didn't - you just don't know what to ask them for or what to do.

          If you have L2 that is connected between location A and location B... Then use that to connect to switch at location A and then Location B and you have 1 extended vlan..

          Do this sort of thing every single day in multiple DC across the freaking globe.. Your thinking its some quantum physics problem when its 2+2..

          It's odd that you keep blaming me like I planned things this way. There is no reason for you to act like you're frustrated with me and it's certainly not helping the tone of was a very friendly thread so far.

          No, I don't think it's that complicated, I already told you I simply have never had to deal with something like this so asked for help in these forums.

          It isn't that simple. The servers are in different areas of the DC and the new hardware is partly to consolidate everything into one place.

          They didn't even seem to like the idea of giving me a VLAN connection between the two locations. There is no direct connection between one area to the other, they simply gave me a separate Ethernet connection to their 'LAN' network where my VLAN exists within. I have no control over the connection or switches that traffic goes through.

          If you have L2 that is connected between location A and location >B... Then use that to connect to switch at location A and then >Location B and you have 1 extended vlan..

          If you have some ideas, feel free to the steps I should take since as I've told you several times, this is not something I've done before.

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator @lewis
            last edited by johnpoz

            @lewis said in Multi LAN networks to one pfsense:

            It isn't that simple. The servers are in different areas of the DC

            Yes it is.. Dude I have worked with DCs for like 20 years.. Maybe just don't understand how they work - its not magic, its a bunch of switches and wires that connect different racks together. Any rack can talk to any other rack - since its just a vlan on the switches that have to be configure, or some wires that have to be moved from this patch panel to that patch panel.

            I know its not "your" fault - but its like watching a monkey figure out how to start a fire with 2 sticks.. When there is a box of matches right there - he just doesn't know what "matches" are..

            Connect your "lans" together.. Ask the DC to do that for you! They might charge you a cross connect fee at the worse case.. Depending where your location A is and where B is in their DC..

            https://www.datacenters.com/news/data-center-connectivity-everything-you-need-to-know-about-cross-connects

            "internet" connection can be brought into any location in the DC.. So why can you not just move the public IPs that your currently using in location A to B? Who exactly are you talking at this so called DC? What DC is it exactly - PM me the name if you don't want to post it.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            L 1 Reply Last reply Reply Quote 0
            • L Offline
              lewis @johnpoz
              last edited by

              @johnpoz

              Monkey? Wow, thanks for that.

              I did get a cross connect installed. The 'lans' are 'connected' for lack of better words.

              There is just a VLAN across their own LAN which apparently doesn't route across all sections of the DC.

              It's not just one LAN connecting to another LAN otherwise, this would be simple. The servers off of pf02 aren't just in one place, they are in different areas of the DC.

              I already explained what the public IPs have to be routed this way.

              I posted here because I don't have that level of knowledge but you're more interested in telling me how much of a monkey I am than actually helping.

              It's fine, this thread is obviously going to devolve into drama so there's no point in continuing. Thanks to everyone who tried helping. I'm sure I'll find a solution and will even be sure to come back and share it so this whole thing doesn't go to waste.

              1 Reply Last reply Reply Quote 0
              • P Offline
                Patch
                last edited by

                @lewis said in Multi LAN networks to one pfsense:

                it was a server turned into a firewall using pfsense. Nothing can be changed in that network, meaning, one cannot change hardware to something else, it's all servers in there

                @lewis said in Multi LAN networks to one pfsense:

                They didn't even seem to like the idea of giving me a VLAN connection between the two locations. There is no direct connection between one area to the other, they simply gave me a separate Ethernet connection to their 'LAN' network where my VLAN exists within

                @lewis said in Multi LAN networks to one pfsense:

                I did get a cross connect installed. The 'lans' are 'connected' for lack of better words.
                There is just a VLAN across their own LAN which apparently doesn't route across all sections of the DC.
                It's not just one LAN connecting to another LAN otherwise, this would be simple.

                I still find what resources are actually available at each location a little confusing.

                • Each has a server. Is this your hardware with a set number of physical NIC or do you have a virtual server with virtual NIC

                • WAN is available at each rack location. Is that a physical cable or logical connection

                • Cross connect is that a physical connection. I appreciate your data centre is connecting to your other rack using their VLAN but on your cable is do you see their VLAN setting or is your connection isolated so you only see a LAN. If so it is possible their VLAN supports a VLAN over a VLAN which would mean you could use your own VLAN configuration to acheive the required network configuration.

                1 Reply Last reply Reply Quote 0
                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by stephenw10

                  Ok, there's confusion all round here!

                  But to clarify:

                  You do already have a L2 (VLAN) that is common to all the physical locations.

                  Given the constraint that the servers have hard coded IPs and need to talk to one another using those none of the NAT'd/routed solutions we previously discussed will work.
                  The only thing you can do is to use 10.0.0.0/24 as the common L2 subnet.

                  So remove the GRE tunnels and the VIPs and the DCLAN interface from pf01.
                  The servers 'behind' will need to be on the same LAN L2.

                  Now you can move the servers to the new location and nothing will have changed.

                  However as I mentioned before the problem you may see with that solution is that each server will need to be configured to use a particular gateway (pf01, pf02 etc) and will not be able to receive external traffic from another gateway. That would create an asymmetric route. Thus if you move an existing server to the new host and it is receiving connections from the public IPs on pf02 it will not be able to accept connections from the new public IPs on pf01.

                  The only way around that would be to outbound NAT the connections on one or both firewalls. But doing that would hide the source IP from the server and the applications running on it which may be a show-stopper?

                  Steve

                  1 Reply Last reply Reply Quote 1
                  • L Offline
                    lewis
                    last edited by

                    I thought I should come back and update this now that I have part of my solution. Doubt anyone will ever read to the end but if they do, they will find this.

                    It's not completed but it's allowed me to migrate everything as I needed and the last step will be a final configuration.

                    First, the DCLAN was disconnected and not used after all.
                    Both pfsense LAN interface were connected to the same DC LAN / VLAN.

                    Before doing this, I made sure all devices had unique IPs otherwise this would break things.
                    I then migrated all of the servers/services I needed to for now over to the new network (where you see the servers).

                    Almost nothing had to change other than putting the gateway into the DHCP config for servers that get DHCP IPs and hard coding the gw on those that don't. Almost all machines start off by getting a DHCP IP so I can get their MAC then usually just assign a permanent DHCP so I can keep track of assets.

                    What's nice about this is that I can just change the gw on a device and it then uses the pfx that I need it to.
                    Still have some problems but I think most of it is ARP caching that will eventually clear up.

                    Right now, this works for what I need. The final config will be along the same lines but working out any problems that would be found during this migration period.

                    I do not need all of the servers to be in the same network so even if some cannot reach others on the LAN side, it's fine.

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by

                      Nice.

                      Did you see any issues with servers needing to accept connections forwarded from both pfSense installs?

                      L 1 Reply Last reply Reply Quote 0
                      • L Offline
                        lewis @stephenw10
                        last edited by

                        @stephenw10

                        Hi, no issues what so ever so far. It just ends up being maybe a bit non standard but it works perfectly well and is quite flexible in that I can add more networks in the future as well.

                        1 Reply Last reply Reply Quote 1
                        • L Offline
                          lewis
                          last edited by

                          Ah it dawns on me there is one thing I should mention so someone else doesn't get caught.

                          ARP cache played a huge part in this and an accidentally left over rule in one of the firewalls as well.

                          The firewalls were basically competing to be the gateway so things would get weird like a vm would boot up with a gw then a while later change to another.

                          Once ARP cleared up, everything was fine.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.