Can'n not access to the Internet

johnnguyen

So, I must add static route as folow:
Interface    Network    Gateway   
LAN    192.168.10.0/24    10.10.10.1   
LAN    192.168.11.0/24    10.10.10.1
LAN    192.168.12.0/24    10.10.10.1

and Firewall rules as folow at LAN as folow:
Proto  Source  Port  Destination  Port  Gateway  Description

• 10.10.10.0/24 * *                       *       *
• 10.10.10.0/24 * 192.168.10.0/24 * *
• 10.10.10.0/24 * !192.168.10.0/24 * *
• 10.10.10.0/24 * 192.168.11.0/24 * *
• 10.10.10.0/24 * !192.168.11.0/24 * *
• LAN net * * * *

After config, from pfsense I can ping to Subnets but from subnets ping to Internet is can not> Something is wrong? pls help me

regards, JN

hoba

@johnnguyen:

Proto  Source  Port  Destination  Port  Gateway  Description

• 10.10.10.0/24 * *                       *       *
• 10.10.10.0/24 * 192.168.10.0/24 * *
• 10.10.10.0/24 * !192.168.10.0/24 * *
• 10.10.10.0/24 * 192.168.11.0/24 * *
• 10.10.10.0/24 * !192.168.11.0/24 * *
• LAN net * * * *

I don't know what you try to do with these rules but they appear totally wrong to me. None of the rules allow access from 192.168.something at LAN. Add a rule that allows anything at LAN first:

---

Also check the static routes option at system>advanced as I told you. It should work then. If you need to narrow down Access from special subnets or clients add rules if needed after this basic setup is working.

johnnguyen

Thanks Hoba,

I changed the rule at LAN to any and from Subnets I cant ping to 192.168.2.10, but I can't access to 192.168.2.1 and to the Internet.

I enable WAN rule any to any already but access can't perform, pls help me this problem.

Thanks, JN

johnnguyen

Hi Hoba, sorry because my network cable was unplug, now subnets can access to the Internet.

I want ask you some questions?

1./ With my system, Can I perform traffic shapper for Subnet?
2./ If I setup the Balancer, to Subnets can access to the Internet, can I perform Advanced NAT and Rules for Subnet transfer over Balancer? and Can I perform traffic shapper on it.

Thanks! JN

johnnguyen

I added new line for WAN 2 ip address: 192.168.2.10 GW: 192.168.2.1

I added 2 WAN to  Load Balancer and Load Balancer's status is Online.

I used this rules for WAN 1 and WAN 2:

Proto  Source  Port  Destination  Port  Gateway  Description

• • • • • • WAN - Any
            Proto  Source  Port  Destination  Port  Gateway  Description
• • • • • • WAN2 - Any

and enable Advanced Outbound NAT as follow:
  Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description 
WAN  any * * * * * NO

WAN2  any * * * * * NO

After config: I unpluged WAN 1 and ping to test, but from Subnets I ping to Gateway WAN 2 but to the internet can not.

Pls help me, what is mistake.

Thanks, JN

hoba

@johnnguyen:

Hi Hoba, sorry because my network cable was unplug, now subnets can access to the Internet.

I want ask you some questions?

1./ With my system, Can I perform traffic shapper for Subnet?
2./ If I setup the Balancer, to Subnets can access to the Internet, can I perform Advanced NAT and Rules for Subnet transfer over Balancer? and Can I perform traffic shapper on it.

Thanks! JN

You only can shape between 2 interfaces. Before you added your 2nd WAN this would have been possible but with 3 interfaces it becomes a bit harder as the shaperwizard won't help you here and you have to create custom rules. More than 3 Interface shaping is really tricky and we don't support this atm.

@johnnguyen:

I used this rules for WAN 1 and WAN 2:

Proto  Source  Port  Destination  Port  Gateway  Description

• • • • • • WAN - Any
            Proto  Source  Port  Destination  Port  Gateway  Description
• • • • • • WAN2 - Any

These rules are at LAN I guess, however you didn't set the gateway to use the balancer (it's still default). Change the gateway in the rule to use the balancer.

johnnguyen

Yes, I changed gateway for the rules as follow:

At LAN:
Proto  Source  Port  Destination  Port  Gateway  Description

• • • • • Balancer Any –> Any

At WAN1:
Proto  Source  Port  Destination  Port  Gateway  Description

• • • • • 192.168.1.1 WAN - Any

At WAN 2:
Proto  Source  Port  Destination  Port  Gateway  Description

• • • • • 192.168.2.1 WAn 2 -> Any

From subnets I can tracert to Internet over Balancer, however has one problem when I unplug a WAN line ==> system runing is OK, but I restarting Pfsense the system down, cannot access to the Internet???? after that I plug the WAN line to Pfsense the System running is OK, I don't why?

I know the shape can not perform with 3 Interface, but can I perform with balancer interface?

hoba

You have to use one DNS from each of your wans and add a static route through the appropriate WAN to this dns server. Otherwise you'll lose dns resolution if you unplug the first wan. This is covered somewhere at the forum already. If you need more details search for it  ;)

johnnguyen

Oh, so I must config static route for any to DNS Server?

ex: I have DNS server is 200.200.200.200 ==> config is:
static routes to 200.200.200.200/32 with gateway 10.10.10.2

is it right?

jeroen234

so that is one dns server for 1 gatway
where is the route to the other dns server on the gateway ?

johnnguyen

so, how many DNS servers will be static route to that servers? right?

hoba

@johnnguyen:

Oh, so I must config static route for any to DNS Server?

ex: I have DNS server is 200.200.200.200 ==> config is:
static routes to 200.200.200.200/32 with gateway 10.10.10.2

is it right?

Example:
DNS1 sits at WAN1
DNS2 sits at OPTWAN

You don't need a Route to DNS1 as this is handled by the default route

But you need a static route on Interface OPTWAN to DNS2/32 through upstream gateway on OPTWAN.

johnnguyen

Thanks Hoba

johnnguyen

Hi Hoba, I want ask you:

Example: I have 3 lines for WAN
WAN 1: 192.168.1.10/24 GW: 192.168.1.1
WAN 2: 192.168.2.10/24 GW: 192.168.2.1
WAN 3: 192.168.3.10/24 GW: 192.168.3.1

and subnets:
10.10.10.0/24
10.10.11.0/24
….
10.10.19.0/24

Can I create 3 Balancer as follow?
Balancer 1: WAN 1 and WAN 2
Balancer 2: WAN 2 and WAN 3

and I want setup 10.10.10.0/24 -> 10.10.15.0/24 traffic to balancer 1 and other subnets to Balancer 2, can I perform this task?

thanks, JN

hoba

Sure, just set up the two pools and use each one as gateway in the firewallrule at the desired interface.

johnnguyen

so, for each subnet I just map it's gateway to balancer I want it traffic over?

thanks hoba

johnnguyen

One again I want ask you, because in system advanced is enable "static route filter", I saw this warning "This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface",

I want ask, Can I make traffic shapping for subnets?

johnnguyen

Because when using balancer with many WANs, traffic shapping can not perform, so I have this diagram

subnets ==> router (L3) ==>pfsense (shapping) ==> pfsense (Load Balance) ==> Multiwan

ex: at pfsense (Load Balance) I make Balancer 1, Balancer 2
subnets are 10.10.10.0/24, …..10.10.19.0/24.

Can I make 10.10.10.0/24, ... 10.10.14.0/24 pass over Balancer 1 and other subnets pass over Balancer 2?

If can, pls help me howto make?

Thanks

hoba

@johnnguyen:

Because when using balancer with many WANs, traffic shapping can not perform, so I have this diagram

subnets ==> router (L3) ==>pfsense (shapping) ==> pfsense (Load Balance) ==> Multiwan

ex: at pfsense (Load Balance) I make Balancer 1, Balancer 2
subnets are 10.10.10.0/24, …..10.10.19.0/24.

Can I make 10.10.10.0/24, ... 10.10.14.0/24 pass over Balancer 1 and other subnets pass over Balancer 2?

If can, pls help me howto make?

Thanks

Please see http://forum.pfsense.org/index.php/topic,1656.0.html why that configuration (one shaper between lan and wan balancer) won't work like expected.

johnnguyen

Thanks Hoba, I will try to test.