Netgate Discussion Forum
    Replacing old router with a new instance of pfsense + BGP protocol to configure a dual link to the ISP

General pfSense Questions
    28 Posts 4 Posters 2.7k Views
mauro.tridici @Cool_Corona (last edited by mauro.tridici)

@cool_corona sorry, but I'm still a newbie, I'm at the beginning. Could you please explain where my error is and the right solution to my problem?

Is it the first one I proposed (first screenshot) or the second one?

In addition, how can I check that NAT is working as expected (maybe using the pfSense packet capture)?

Thank you.
Cool_Corona @mauro.tridici

@mauro-tridici No, I am a newbie too in BGP, but I don't get the NAT in regards to the public /25 that IMHO is the one that gets routed from WAN to LAN.
mauro.tridici

@cool_corona ok, so let's see what @stephenw10 will say about that 😊
stephenw10 (Netgate Administrator)

No, the 'do-not-NAT' rules should be on WAN1 and WAN2 for the PUBLIC subnet. You do not want to NAT traffic from PUBLIC as it leaves WAN1 or WAN2.

You can confirm that by running a pcap on WAN1 or WAN2: you should see traffic from the PUBLIC subnet there.

I assume that you are using 192.168.99.0/24 just as an example here? The real subnet is actually public?

Steve
mauro.tridici @stephenw10 (last edited by mauro.tridici)

@stephenw10 thank you Steve, you helped me again :)
Yes, 192.168.99.0/24 is just an example and the real subnet is a public subnet.

Setting outbound NAT as in the second screenshot I was able to make it work.
Before, it didn't work because I forgot to route the traffic from the ISP router to the public customer subnet (192.168.99.0/24).

After adding the following routes on each ISP upstream gateway, everything started working as expected:

on primary ISP upstream gateway
ip route 192.168.99.0 255.255.255.0 192.168.1.2

on backup ISP upstream gateway
ip route 192.168.99.0 255.255.255.0 192.168.2.2

This is the final GNS3 schema

Screenshot 2022-11-24 at 10.21.41.png
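The two fixes this thread converges on, the no-NAT rules for the public subnet on WAN1/WAN2 and the return route on each ISP gateway, as an added worked model (Python, not code from the thread or from pfSense). It reuses the thread's example addresses (192.168.99.0/24 as the routed PUBLIC subnet, 192.168.1.2 and 192.168.2.2 as pfSense's PTP addresses); the private LAN 10.0.0.0/24, the destination 203.0.113.7 and the "upstream" label are constructed. It applies first-match outbound NAT rules to constructed flows, runs the pcap check Steve describes over the resulting capture, and shows with a longest-prefix-match lookup why the ISP gateway's reply never came back to pfSense before the static route was added:

```python
from ipaddress import ip_address, ip_network

# Values reused from the thread: 192.168.99.0/24 stands in for the routed
# public subnet, 192.168.1.2 and 192.168.2.2 are pfSense's ends of the two
# PTP links. 10.0.0.0/24 is a constructed private LAN used only for contrast
# (that traffic should still be NATed to the WAN address).
PUBLIC = ip_network("192.168.99.0/24")
WAN_ADDR = {"WAN1": ip_address("192.168.1.2"), "WAN2": ip_address("192.168.2.2")}
LAN_PRIVATE = ip_network("10.0.0.0/24")

# Outbound NAT rules in first-match order as (interface, source network, no_nat).
# The "do not NAT" rules for PUBLIC sit on WAN1 and WAN2 ahead of the ordinary
# NAT-to-interface-address rules, which is the ordering the thread recommends.
OUTBOUND_NAT = [
    ("WAN1", PUBLIC, True),
    ("WAN2", PUBLIC, True),
    ("WAN1", LAN_PRIVATE, False),
    ("WAN2", LAN_PRIVATE, False),
]


def egress_source(iface, src):
    """Source address a packet carries after outbound NAT processing on iface.
    First matching rule wins; a no-NAT match keeps the original source; with
    no matching rule the source is also left as-is."""
    src = ip_address(src)
    for rule_iface, net, no_nat in OUTBOUND_NAT:
        if rule_iface == iface and src in net:
            return src if no_nat else WAN_ADDR[iface]
    return src


def simulate_capture(iface, flows):
    """Constructed stand-in for a packet capture on iface: the (source,
    destination) pairs an observer on the ISP side of the link would see."""
    return [(str(egress_source(iface, s)), d) for s, d in flows]


def public_sources_seen(capture):
    """The check from the thread: a capture on WAN1/WAN2 should contain packets
    whose source is still inside PUBLIC. Returns those sources sorted; an empty
    list means the public subnet is being NATed and the rule order is wrong."""
    return sorted({s for s, _ in capture if ip_address(s) in PUBLIC})


def lookup(routes, dst):
    """Longest-prefix match over [(network, next_hop)] on the ISP gateway.
    For a directly connected network the next hop is the destination itself."""
    dst = ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return str(dst) if best[1] == "connected" else best[1]


# ISP gateway 1 before and after the static route the thread adds. "upstream"
# is a constructed label for the gateway's default route toward the Internet.
ISP1_ROUTES_BEFORE = [
    (ip_network("0.0.0.0/0"), "upstream"),
    (ip_network("192.168.1.0/30"), "connected"),
]
# Equivalent of the thread's: ip route 192.168.99.0 255.255.255.0 192.168.1.2
ISP1_ROUTES_AFTER = ISP1_ROUTES_BEFORE + [(PUBLIC, "192.168.1.2")]


def reply_reaches_pfsense(routes, iface, src):
    """Does the ISP gateway forward the reply for a flow that left pfSense on
    iface (original source src) back to pfSense's PTP address on that link?"""
    seen_src = egress_source(iface, src)
    return lookup(routes, seen_src) == str(WAN_ADDR[iface])


if __name__ == "__main__":
    flows = [("192.168.99.10", "203.0.113.7"), ("10.0.0.5", "203.0.113.7")]
    cap = simulate_capture("WAN1", flows)
    print("capture on WAN1:", cap)
    print("PUBLIC sources seen (non-empty = no-NAT rule is working):",
          public_sources_seen(cap))
    for label, routes in (("before route", ISP1_ROUTES_BEFORE),
                          ("after route", ISP1_ROUTES_AFTER)):
        print(label, "- reply to PUBLIC host reaches pfSense:",
              reply_reaches_pfsense(routes, "WAN1", "192.168.99.10"))
```

The model makes the failure Mauro hit explicit: with the no-NAT rules in place, traffic from the PUBLIC host leaves WAN1 with its real source, and the ISP gateway's only match for that source is its default route, so the reply goes back upstream instead of to 192.168.1.2. NATed private traffic worked all along because the reply is addressed to the PTP address, which the gateway reaches over the connected /30.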
Cool_Corona

Public is internet... PC is on LAN.

The /25 IPs are on WAN and not LAN. Unless you run a hotspot or internet cafe.

Otherwise I don't get the setup...
mauro.tridici @Cool_Corona

In my particular case, pfSense is acting as a "customer border router".
It is connected to the WAN (ISP AS) using the em0 and em1 ports with two redundant PTP links.
Looking at the schema, 192.168.1.2/30 and 192.168.2.2/30 are the IPs for the PTP links.

The ISP is routing the public subnet (192.168.99.0/24) to the pfSense router.
For this reason I need to disable NAT on pfSense.

In the real scenario, the "PC on public subnet" will be replaced by a physical firewall. So, in the end, you will see something like this:

ISP RC1 + ISP RC2 <-> PFSENSE ROUTER <-> FIREWALL <-> LANs
Cool_Corona @mauro.tridici

@mauro-tridici Can't pfSense act as both router and firewall for the clients?
mauro.tridici @Cool_Corona

@cool_corona Sure, it can. But in our case, we prefer this kind of deployment.
stephenw10 (Netgate Administrator)

Yes, I would expect that to work.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.