Netgate Discussion Forum

    Help with Multiple WAN setup.

    Routing and Multi WAN
    64 Posts 8 Posters 36.5k Views
      hoba

      Only successful monitor pings determine if a link is up or down. This is pretty strange. Maybe try a reboot. You seem to have changed quite a bit back and forth. Btw, I recommend using other monitors than google or yahoo. You usually should use your gateways or something a few hops away from you.

        leimrod

        Just as a note. I've done a few factory resets so far so there are little or no settings changed.

        The problem I'm having is very weird though and I can't think of a possible solution.

        I have 2 connections ok:

        The first has IP: 192.168.1.222 GW: 192.168.1.254
        The second has IP: 190.165.0.10 GW: 190.165.0.254

        When I plug either connection into the "WAN" connection in pfSense and set the IP and GW I can get access to the Internet, but if I set up either connection on the Opt1 connection I can't. Is there some setting I need to enable to get access using only the Opt1 connection? I notice in the "status>interfaces" screen that there are no DNS servers listed for the Opt1 connection, is there any way of setting DNS servers for the Opt1 connection.

        Also is there anything else I need to configure for failover to work correctly? Or will it work just by setting up failover rules in the loadbalancing section?

          hoba

          @hoba:

          …

          http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing has quite some extensive information about multiwan setups.

          It really should work just like this. We are not hiding any options just to cause users headaches  ;)

            sai

            Post your current settings. I just got my dual WAN to work (DNS is a problem when I switch stuff on, but it starts up soon).

            What is your load balancer setting? What are the LAN firewall rules?
            Can the firewall ping the 2 gateways?
            Did you make any other changes?

              leimrod

              Ok so it appears to be working now, I did a few tracerts and it seems to hop between both gateways. I had neglected to put in any firewall rules. I wasn't aware that load balancing will only work if you put in firewall rules? Maybe there should be a link in the load balancing section linking to the firewall rules section.

              I followed the firewall rules implemented in the picture linked below:

              http://doc.pfsense.org/index.php/Image:FirewallRulesLan.jpg

              I have a query though, as I haven't set up a DHCP Hostname, what do I set as the Gateway for the 4th rule from the top in the picture linked above?

              Also, if these firewall rules are in place do I still need to implement the NAT rules found in this guide: http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing ? What difference do they make if I implement them?

                hoba

                You only need the portforwards if you provide services to the public (like hosting a webserver). It's optional.

                I don't understand the first part of your question though. Btw, I recommend using failover pools instead of single gateways. This way you will be able to switch traffic over to another connection if a link goes down (at least when using policy-based routing instead of load balancing).

                  leimrod

                  Ok I was getting too confused following the DHCP guide so I reset all my settings to factory defaults then followed this guide right to the end: http://pfsense.iserv.nl/tutorials/outgoing_loadbalancing/outgoing_loadbalancing.pdf

                  Now, load balancing appears to be working. I've tested a few tracerts and for different URLs it points to different gateways. Also testing at http://dynamic.zoneedit.com/checkip.html shows different IPs every few refreshes.

                  I have a few questions. In work I regularly access HTTPS sites. How do I set up pfSense to allow HTTPS access? When I did the tracerts I noticed that if, say, google.com used Opt1 as its gateway, any subsequent tracert for google.com would also use the same gateway. I had to change the URL to see it trace on the second gateway. Is there a reason why pfSense would allocate different gateways to different URLs?

                  Also hoba, could you elaborate what you meant by "I recommend using failoverpools instead of single gateways"? I don't quite understand how I would implement this.

                    hoba

                    Just create a pass firewall rule at LAN for protocol tcp, source any, destination any, port https, gateway <name of your failover pool>. This way all https will only go out one single gateway and stay there.

                    Failover pools are just like load-balancing pools but they won't do round-robin of every new connection to the next link in the pool. Instead they will always use only the top-most available link in the list and fail over to the next one in the list if one of the top links fails. You create the failover pools and use them exactly the same way as the load-balancing pools. It's just an option when you edit/create a pool.

                    Already established states will remain at the same gateway as long as they don't time out or are closed. This means tracerouting to a specific IP will keep at the same gateway till the state gets closed or times out.

                      leimrod

                      Ok I implemented what you said but it doesn't seem to be working for HTTPS. I can get access to HTTPS only when I bypass pfSense.

                      I've attached some screenshots below of my firewall rules, NAT setup and load balancer rules.

                      lan_fwrules.jpg
                      netopia_fwrules.jpg
                      draytek_fwrules.jpg
                      nat_rules.jpg
                      loadbalancer_rules.jpg

                        sai

                        to get https to work you need a LAN rule:

                        LAN
                        source ip: LAN net
                        source port: any
                        dest ip: any
                        dest port: HTTPS
                        gateway: netfailoverdray

                        This needs to be the first rule.

                        Your lan fw rules: only the first one will ever be used, as it is the first and will match anything coming out of the LAN net. The second rule will never be matched because of this.

                        You do not need the two failover pools - just one will do. netfailoverdray or drayfailovernet.

                        Check if your DNS works if one interface dies.

                          leimrod
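As an added example (not code from this thread or from pfSense itself), here is a small Python model of the behaviour hoba and sai describe above: first-match rule evaluation on the LAN interface, a failover pool that always uses the top-most link whose monitor ping succeeds versus a round-robin load-balancing pool, and established states that stay on the gateway they were created with. The pool and link names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
# Hypothetical model (not pfSense code) of the behaviour described in this thread:
# first-match rules, gateways that may be pools, states that keep their gateway.
@dataclass
class Rule:
    proto: str                  # "tcp", "udp" or "any"
    dst_port: int | None        # None matches any destination port
    gateway: str                # "default", a link name, or a pool name
@dataclass
class Pool:
    members: list[str]          # ordered: the top link is preferred
    mode: str = "failover"      # "failover" or "loadbalance" (round-robin)
    rr: int = 0                 # round-robin position for loadbalance pools

def pick_link(pool: Pool, link_up: dict[str, bool]) -> str | None:
    """Only links whose monitor ping succeeds are candidates."""
    live = [gw for gw in pool.members if link_up.get(gw, False)]
    if not live:
        return None
    if pool.mode == "failover":
        return live[0]          # always the top-most available link
    pool.rr += 1                # loadbalance: next new connection, next link
    return live[(pool.rr - 1) % len(live)]

def first_match(rules: list[Rule], proto: str, dst_port: int) -> Rule | None:
    for rule in rules:
        if rule.proto in ("any", proto) and rule.dst_port in (None, dst_port):
            return rule         # later rules are never consulted
    return None

def route(rules, pools, link_up, states, flow) -> str:
    """flow = (proto, src, dst, dst_port); returns the gateway or 'blocked'."""
    if flow in states:          # established state: stays on its gateway
        return states[flow]
    rule = first_match(rules, flow[0], flow[3])
    gw = rule.gateway if rule else None
    if gw in pools:
        gw = pick_link(pools[gw], link_up)
    if gw is None:
        return "blocked"
    states[flow] = gw
    return gw
# Constructed pools, named after the thread's links ("net" = Netopia, "dray" = DrayTek).
POOLS = {"NetDrayBalance": Pool(["net", "dray"], "loadbalance"),
         "NetFailoverDray": Pool(["net", "dray"], "failover")}
HTTPS = Rule("tcp", 443, "NetFailoverDray")
CATCH_ALL = Rule("any", None, "NetDrayBalance")
SHADOWED = [CATCH_ALL, HTTPS]   # the https rule can never match here
FIXED = [HTTPS, CATCH_ALL]      # sai's fix: https rule first
```

With SHADOWED, two new HTTPS connections land on different links because the catch-all load-balancing rule wins; with FIXED they both stick to the top link of the failover pool, and a rule for port 443 still does not match a destination on 8443.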

                          @sai:

                          to get https to work you need a LAN rule:

                          LAN
                          source ip: LAN net
                          source port: any
                          dest ip: any
                          dest port: HTTPS
                          gateway: netfailoverdray

                          This needs to be the first rule.

                          Your lan fw rules: only the first one will ever be used, as it is the first and will match anything coming out of the LAN net. The second rule will never be matched because of this.

                          You do not need the two failover pools - just one will do. netfailoverdray or drayfailovernet.

                          Check if your DNS works if one interface dies.

                          Ok I've attached a screenshot of it set as the first rule, it is set exactly as you outlined. One question: does this rule allow access for other HTTPS ports such as 22, 444, 3389 and 8443?

                          Also, should I delete the first rule in lan_fwrules? The one set as

                          Proto Source  Port Destination       Port             Gateway
                          TCP   LAN net  *        *          443 (HTTPS)  NetFailoverDray

                          I still can't get access to the HTTPS site though, it has a port extension of 8443. Also how would I go about testing the port is correctly allowing HTTPS connections?

                          EDIT: Just wondering, do I need to do any sort of port forwarding in my NAT setup to allow HTTPS connections?

                          https_fwrule.jpg
                          https_fwrule.jpg_thumb

                            jeroen234

                            If you need port 8443 then you need to make a rule for that port.
                            HTTPS is only port 443.
                            Port 22, btw, is SSH, not HTTPS.

                              leimrod

                              Just as a note, should I be opening all my ports on my router and setting its firewall to off and using only pfSense as the firewall and port forwarder?

                              When I set up any LAN rule for a port it doesn't seem to be working (i.e. I can't access HTTPS, FTP etc.). What would be causing these ports to be blocked?

                                leimrod

                                Are there any guides in pfSense on what the most common ports are and how I should go about opening them for external and internal access?

                                  hoba

                                  Leimrod, I think you have some basic misunderstanding atm how the firewall of pfSense works. I'll try to sum it up a bit:

                                  Firewall rules will always be applied to incoming traffic at an interface. This means if you allow access from LAN to any, connections that have been initiated from LAN will create a state that accepts traffic for the reverse connection of this traffic as well. No need to open something up at WAN for this. You only need to open up ports and forward ports at WAN if you offer services to the public, like hosting a webserver for example.

                                  Now to your https problem: the default port for https is 443 (as noted in the webgui as well when selecting https). As your https destination uses a different port (8443), just duplicate the rule that you already have for https and change the destination port to 8443 to take care of this "special setting" as well.

                                  It looks like you use some gateway routers in front of you. The easiest way to set them up and forget about them is to set the pfSense WAN IP and pfSense OPT-WAN IP as DMZ hosts in these routers (might also be called expedited host or similar). This way they will just forward any traffic to the pfSense and you don't have to touch them anymore if you need to create rules and forwards for incoming traffic.

                                    leimrod

                                    Would it accomplish the same thing if I set up an alias in firewall and set it to ports 22, 443, 444, 3389, 8443? That way as I want to add ports I could just add them to the alias instead of creating a separate rule for each port?

                                      hoba

                                      This will work fine. Just use a ports alias. That's the main reason behind the alias system: to reduce the amount of rules, make them more readable and allow easier editing.

                                        leimrod

                                        Would this work for getting access to external FTP servers also? If I just add port 21 into that alias should I get FTP access also?

                                          hoba

                                          FTP is different and special as this protocol simply sucks. It needs an FTP helper through NAT and is not multi-WAN capable. FTP connections will always run on the original WAN. On top you have to add a rule at firewall>rules, LAN tab, on top of all your rules: "pass protocol any, source any, destination 127.0.0.1, gateway default" to exclude the traffic through the proxy from balancing.

                                            leimrod

                                            This is really getting frustrating now. I can't see any reason why FTP isn't working. I set up the LAN rule as you said, and I've enabled the FTP helper under "interfaces>WAN>FTP helper".

                                            When you say set the destination to 127.0.0.1, should that be of type "network" and CIDR /24? Also you didn't mention, but where should I be opening the FTP port in this rule, at the source or the destination, or do I not need to?

                                            I also have rules set up in Firewall>NAT>Port forward and set it to autocreate rules in firewall>Rules>WAN; I've attached screenshots of these.

                                            EDIT: I did a quick check in my "diagnostics>show states" and when I try to make an FTP connection I'm getting these errors:

                                            tcp 127.0.0.1:8021 <- 80.79.129.2:21 <- 192.165.0.30:2077 CLOSED:SYN_SENT 
                                            tcp 127.0.0.1:8021 <- 80.79.129.2:21 <- 192.165.0.30:2078 CLOSED:SYN_SENT 
                                            tcp 127.0.0.1:8021 <- 80.79.129.8:21 <- 192.165.0.30:2079 CLOSED:SYN_SENT

                                            Do you have any idea what could be causing this?

                                            nat_rule_ftp.jpg
                                            firewall_rule_ftp.jpg
