Unable to get traffic over Opt1 in Dual Wan setup
-
Hello,
Like most reporting here I am new to PFSense, used to use Smoothwall. I have migrated to PFsense for dual WAN support.
As stated in the subject I am unable to get traffic going via OPT1 (WAN2). My goal is policy-based routing, so no load balancing. I have followed the steps described in: setting up policy-based routing with multiple WAN links (PDF), but still no luck.
Here is what my setup looks like now:
PFSense release 1.0 RC3
Interfaces:
- WAN
- LAN
- Wanadoo (OPT1)
- DMZ (OPT2)
WAN is a bridged DHCP based ADSL connection (always the same external IP).
LAN has IP range 192.168.2.x
Wanadoo (OPT1) is a routed ADSL connection that has a fixed IP 192.168.1.11 and GW 192.168.1.1
DMZ has IP range 192.168.10.x

In Firewall -> NAT -> Outbound -> Enable advanced outbound NAT I have, like the PDF states, 4 entries:

Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        192.168.2.0/24   *            *            *                 *            *         NO           LAN>WAN
WAN        192.168.10.0/24  *            *            *                 *            *         NO           DMZ>WAN
Wanadoo    192.168.2.0/24   *            *            *                 *            *         NO           LAN>WANadoo
Wanadoo    192.168.10.0/24  *            *            *                 *            *         NO           DMZ>WANadoo

I want DMZ routed over WAN, so I have the following rule set in Firewall -> Rules -> DMZ:

Proto  Source   Port  Destination  Port  Gateway  Description
*      DMZ net  *     !LAN net     *     *        Permit DMZ to any BUT LAN

This rule works fine, since internet access from the DMZ is no problem.
For LAN I want traffic of some IP addresses routed over Wanadoo (WAN2 / OPT1). Step one: keep it simple and build from there. So my first step was to try and route all LAN traffic over WANadoo (WAN2 / OPT1). So I figured I need the following rule:

Firewall -> Rules -> LAN

Proto  Source   Port  Destination  Port  Gateway      Description
*      LAN net  *     *            *     192.168.1.1  LAN -> any over WANadoo gateway

Findings:
- I can still internet from DMZ and port forwards etc. all work correctly. Gateway used is WAN
- I can internet from LAN
- all traffic from LAN is routed over WAN and NOT the WANadoo gateway
- when monitoring traffic at Status -> Traffic graph -> Wanadoo I see ZERO traffic over this interface
- when I do a tracert www.myip.nl I see that hops go over WAN and not WANadoo
Can anyone spot an error I made in my setup?
p.s. I have read and studied all related posts on this forum, but have not looked back to threads that refer to releases older than 1.0
-
What's the status for wanadoo at status>interfaces?
Also can you ping the wanadoo gateway directly from the pfsense at diagnostics>ping?
One thing that makes me wonder is why you can still get internet access from LAN subnet. Your rules should send it out wanadoo and in case it is down you should not be able to get to the internet from there.
You did apply the rules right?
-
Hi Hoba,
Status -> interfaces -> WANadoo = up
Diagnostics -> ping ->
Host 192.168.1.1
Interface Wanadoo
count 3
Ping output:
PING 192.168.1.1 from 192.168.1.11: 56 databytes,
3 packets transmitted, 3 packets received,
Diagnostics -> ping ->
Host 192.168.1.1
Interface LAN
count 3
Ping output:
PING 192.168.1.1 from 192.168.2.1: 56 databytes,
3 packets transmitted, 3 packets received,
Yes, ping to the WANadoo gateway is not a problem, but if I do:
Diagnostics -> ping ->
Host 145.52.123.4 (some external ip)
Interface Wanadoo
count 3
Ping output:
PING 145.52.123.4 from 192.168.1.11: 56 databytes,
3 packets transmitted, 0 packets received, 100% packet loss.
Since this wanadoo connection works in routed mode, to make sure this modem is not being funny I also have a notebook connected as 192.168.1.33, that I am using now to type this reply. So the internet connection over this routed modem works for sure.
quote:
One thing that makes me wonder is why you can still get internet access from LAN subnet. Your rules should send it out wanadoo and in case it is down you should not be able to get to the internet from there.
/quote
That is exactly why I am posting here; in my previous post I quoted my rules exactly as they are.
My LAN connections have via DHCP a 192.168.2.x IP with gateway 192.168.2.1, so it is really firewall related.
I have some additional NAT entries but they all relate to the DMZ, for example:
Firewall -> NAT -> Port Forward

If   Proto  Ext. port range  NAT IP          Int port range  Description
WAN  TCP    22               192.168.10.111  22              SSH access

Corresponding rule:
Firewall -> Rules -> WAN

Proto  Source       Port  Destination     Port  Gateway  Description
*      Some ext IP  *     192.168.10.111  22    *        NAT SSH access

and some more for other ports.
I have NO Firewall -> Rules entry for Wanadoo, only a single entry in DMZ to block off LAN access:

Proto  Source   Port  Destination  Port  Gateway  Description
*      DMZ net  *     !LAN net     *     *        Permit DMZ to any BUT LAN

I hoped to post that I was stupid and made a small mistake and have it sorted, but not yet; I seem to be unable to spot the cause..
Hoping to have provided all needed information for hopefully a suggestion
regards,
rowdy
-
Something is wrong. Maybe just a typo somewhere… I suggest restarting the configuration from scratch ::)
-
Hi,
It works now !!!
I rechecked all rules, NAT entries etc. Did edit and save on each one.. it did not yet work.. but then I did a reboot and it started working.
So for some reason the firewall rules did not load correctly or, better said, did not change without a system reboot.
Anyway, I hope my config posted here might work as a reference for some of you out there..
cu
Sounds like a bug?
I got the same problems, see the catch-all forum and search for bug report.
-
I just installed a multiwan system at a location with port forwards at optwan and policy-based routing for outgoing traffic. Didn't run into this problem. Please try to reproduce step by step and post the steps how to reproduce this problem.
-
Hi Rob / Hoba
Hoba, it seems we were typing at the same moment.
If I change routing back to default gateway, after hitting apply and save, traffic keeps being routed over the wanadoo OPT1 interface.
Finding:
- After reboot policy based routing of LAN to OPT1 works. DMZ routed over WAN works. -> conclusion my rules and NAT entries are correct.
Reproduction:
1) Firewall -> Rules -> LAN -> edit -> change gateway to default ( from OPT1 to WAN in this case).
2) Hit SAVE
3) Apply changes
4) click Monitor -> Done. The filter rules have been reloaded.
5) open dosbox on LAN connected machine and do tracert www.nu.nl
6) result: hop goes over OPT1 and NOT over WAN.
Note: I can not reboot at this moment since remote clients are connected. Can only reboot over night.
Just in case: this is the current version I am running:
Version 1.0-RC3
built on Mon Oct 2 01:11:38 UTC 2006
So it seems that if you want to change policy-based routing, changes only get active after a reboot. So there might be a bug in this area..
Kind regards,
rowdy
-
No bug, connections are stateful. Reset states at diagnostics>states, reset states. Already open states will remain on the wan where the connection was initiated.
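A toy model of what Hoba describes, added here as an illustration and not pfSense's own code: the state table, not the rule set, decides which gateway an already-open flow uses, so a rule edit plus apply leaves established flows on the old WAN until the states are reset, while brand-new flows follow the new rule immediately. The Rule and Firewall classes, the flow tuples and the addresses are constructed for the example.

```python
"""Toy model of a stateful firewall with per-rule policy routing.
A rule may carry a gateway; the first packet of a flow creates a state
that records that gateway, and later packets of the same flow are
routed by the state, not by the (possibly changed) rule set."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    source: str    # CIDR the rule matches, e.g. "192.168.2.0/24"
    gateway: str   # "default" or a next-hop such as "192.168.1.1"

@dataclass
class Firewall:
    rules: list
    states: dict = field(default_factory=dict)  # flow 5-tuple -> gateway

    def route(self, flow):
        """Return the gateway this packet leaves through (None = no rule)."""
        if flow in self.states:                # an existing state wins
            return self.states[flow]
        src = ip_address(flow[0])
        for rule in self.rules:                # first match creates the state
            if src in ip_network(rule.source):
                self.states[flow] = rule.gateway
                return rule.gateway
        return None

    def reload_rules(self, rules):
        """'Apply changes': swap the rule set but keep the state table."""
        self.rules = rules

    def reset_states(self):
        """Diagnostics -> Reset States: flush every state."""
        self.states.clear()

def demo():
    """Constructed flows from a LAN host to an external address."""
    old = ("192.168.2.10", 1234, "145.52.123.4", 80, "tcp")
    new = ("192.168.2.10", 1235, "145.52.123.4", 80, "tcp")
    fw = Firewall([Rule("192.168.2.0/24", "192.168.1.1")])
    before = fw.route(old)       # state created on the OPT1 gateway
    fw.reload_rules([Rule("192.168.2.0/24", "default")])
    stuck = fw.route(old)        # still 192.168.1.1: the state persists
    fresh = fw.route(new)        # a new flow already follows the new rule
    fw.reset_states()
    after_reset = fw.route(old)  # the old flow now follows the new rule too
    return before, stuck, fresh, after_reset
```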
-
Hi Hoba,
I was not yet aware of this handle.
However I just did:
1) Firewall -> Rules -> LAN -> edit -> change gateway to default ( from OPT1 to WAN in this case).
2) Hit SAVE
3) Apply changes
4) click Monitor -> Done. The filter rules have been reloaded.
5) Diagnostics -> Reset States -> checkbox marked -> reset.
6) open dosbox on LAN connected machine and do tracert www.nu.nl
7) result: hop goes over OPT1 and NOT over WAN.
Anyway, I know I can solve the issue by means of a firewall reboot. But if you want me to test some steps or do some reporting on this just ask me..
-
I ran into the same problem running RC3
Played around with it for hours but was not able to get the firewall rules to work, until after a system reboot. I did the reset states thing too.
Zack
-
Reinstall.