Problems wit Dual Wan and policy based routing

Dan · Nov 17, 2005, 11:50 AM

Hi all

I have 1 soekris 4501 + lan1621 (Two ethernet ports)

We've 2 ADSL lines (static ip's both) one working with dhcp and the other with the static. And we want to have
1 Lan (192.168.50.0/24)
1 Wan (DHCP adsl line) (aaa.bbb.ccc.ddd)
1 OPT1 (The other adsl line, static) (xxx.xxx.xxx.xxx)
1 DMZ (OPT2) (192.168.2.0/24)

We just want to route all lan traffic across the wan dsl, and the DMZ traffic across the OPT1 dsl. When it works we will start to play with load balancing, but that will be another history.

I'll will explain what I've done and let's see if someone can find what I'm missing.

First I go to Services - > Load Balancer and add a new pool. That will be the pool for the OPT1 dsl line. (Type gateway, ip of adsl and ip of dsl gateway)
I'll call the pool GW_JAZZ

Then I go to Firewall -> NAT -> Outbound and enable advanced outbound nat.
Here I do :
Interface:Wan Source:192.168.50.0/24
Interface: OPT1 Source:192.168.2.0/24

Then on Firewall -> Nat -> Incoming
I've the next services (smtp,pop,http,imap) going to 192.168.2.2 (My server on DMZ) and the autofirewall rules created.
I've some services for the Wan (smtp,rdp,ftp) going to my internal lan server (sucky exchange, 192.168.50.1) Some day it till stay at dmz or in trash :-)

Then, Firewall -> Rules
On the DMZ (OPT2) I've the next rule.
Proto: any source:any destination:any and gateway:GW_JAZZ
On the OPT1 I've the traffic for the nated services and nothing more.

On the LAN the default rule for traffic going throught default gateway (wan)

On the wan the rules for the nated traffic.

And now, What works and what doesn't?¿

Well Internet traffic from LAn to Wan works perfect. Nated services from WAN to LAN work too.

But OPT1 <–--> OPT2 isn't working.

Someone can see what I'm missing?¿ Or how can I bring more info for the problem.

billm · Nov 19, 2005, 5:52 PM

No need to use gateway pools, just choose the gateways you want to use in your rules. For the LAN rules, leave it at default gateway if you wish to use the default route. For the OPT1 (DMZ) rules, choose the OPT2 (WAN2) gateway IP at the bottom of the rule editor screen. Should work like magic (make sure NAT is setup correctly, I suspect you may need to use adv. outbound nat, but I might be wrong).

–Bill

Dan · Nov 21, 2005, 7:20 PM

Ok thx billm that worked perfectly.

This week I'm going to do a tutorial to setup Multi Wan and how to play with rules to make policy based routing.

hoba · Nov 21, 2005, 8:50 PM

Please DON'T send this tutorial to one of the mailinglists. This causes a lot of bandwidth and most likely won't be accepted anyway due to size limitations. Send it to coreteam@pfsense.com instead. Thank you for creating a tutorial…or is it too early to thank? ;)

Dan · Nov 21, 2005, 11:12 PM

Don't worry about sending it to mailing list, was not my idea ;)

Give me thanks later on this week, I just need some free time.

Dan · Nov 24, 2005, 5:45 PM

Ok I sended the tutorial to the address you gave me.

hoba · Nov 25, 2005, 7:25 AM

Thank you, got it. Just have to get OO2 installed to look at it and convert it to pdf :)

RoboK · Nov 26, 2005, 7:43 PM

@hoba:

Thank you, got it. Just have to get OO2 installed to look at it and convert it to pdf :)

Hi,
when and where will be this tutorial available?
Thanks Dan, great job! ;)
And what about LoadBalancing? :P

zaterio · Nov 29, 2005, 1:31 PM

@Dan:

Ok thx billm that worked perfectly.

This week I'm going to do a tutorial to setup Multi Wan and how to play with rules to make policy based routing.

Mr Dan:
i will be very happy if you can send to me your manual to zaterio@othernet.cl
thanks

zaterio

hoba · Nov 30, 2005, 1:28 AM

Ok, it's up (after mirrors have synced it): http://pfsense.com/index.php?id=36

Sorry that it took that long and thanks for doing the tutorial Dan! :)

Aussie_Bear · Nov 30, 2005, 6:56 PM

Indeed, good work Dan!

I'm testing your guide with two Cable (10Mbit) ISP connections here in Australia.

fxp0 => LAN
fxp1 => WAN
fxp2 => OPT1 (re-designated as WAN2)

WAN => Telstra Cable (due to bpalogin being needed)
WAN2 => Optus Cable

WAN and WAN2 are using DHCP.
(Telstra needs bpalogin to make the connection workable,
but really uses DHCP to get IP address, DNS info, etc).

LAN is using Static IP as I want to manual specify which
PC connects to which ISP.

I guess the only tricky part is that you must be specific
with the firewall rules!

I'm thinking about doing a complete detailed guide for
Aussie newbie users. (It should still apply for anyone with
two or more DHCP WAN connections)

Should I title it : "Consolidating Multiple ISP connections with pfSense" ???