Netgate Discussion Forum
    Unsolved problem - Pfsense gurus help needed

    Routing and Multi WAN
    • javerleo

      Hello pfsense fans!

      I need to use all these features at the same time:

      • Packet filtering and NAT at internet entry point
      • DNS forwarding
      • Multiwan links with load balancing and failover
      • Content filtering with squid
      • Bandwidth shaping and throttling (by ip)

      I am aware of these issues:

      • Squid package doesn't work with multiwan
      • Traffic shaper doesn't work with multiwan

      So I would like to use two pfsense machines to make the whole thing work as expected. This is my idea:

      ISP1 ---- WAN1 ----
                                 |
                                 |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
                                 |
                                 |
      ISP2 ---- WAN2 ----

      On PFSENSE 1:

      • NAT and port forwarding are enabled
      • DNS forwarding is enabled
      • Packet filtering is enabled
      • Load balancing and failover are enabled
      • Added a static route to private subnet 2

      On PFSENSE 2:

      • NAT is disabled because I don't want a double NAT (I selected the option "Advanced outbound NAT" and deleted all the rules)
      • DHCP server is enabled for Private subnet 2
      • Traffic shaper is enabled (via the wizard)
      • Squid package is installed and enabled in transparent mode
      • Traffic from subnet 2 to subnet 1 is allowed with the default rule, so I added a rule to allow the traffic in the opposite direction

      PROBLEM: Users can't access the internet.

      QUESTIONS:

      1. Does the traffic shaper work without NAT?

      2. Is there something I am missing?

      3. Comments and suggestions?

      Thanks in advance and excuse my English.

      UPDATE

      After some forum searching I understand the need to activate "Advanced outbound nat" on PFSENSE 1 and add a mapping for SUBNET 2. So I made the change and applied it. However, the users on subnet 2 still can't reach the Internet.

      UPDATE

      Based on this post  http://forum.pfsense.org/index.php?topic=10524.0
      I added the rules to allow traffic to pass from subnet 2 to pfsense 1 LAN interface, however users on private subnet 2 still cannot access the Internet (traffic between subnet 1 and subnet 2 is normal)

      Still stuck ....

      ------------
      God is my best friend

      • cmb

        On the inside one you'll want to disable NAT by enabling AON and deleting the auto created rules at the bottom of the screen.

        On the outside one, you need a static route pointing private subnet 2 to pfsense2's WAN IP.

        Private subnet1 and private subnet 2 must be completely different subnets.

        Traffic shaping does work with routing.

        Interesting setup to get around some of the limitations that exist in the software! Not a bad idea at all. It's less than ideal to have two firewalls, but it'll work.

        • ampwifi
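The chain the thread describes, as an added worked example that is not code from the thread, from the posters, or from pfSense: a small Python model of pfsense1 and pfsense2 that filters, routes and source-NATs a packet from a subnet 2 user out to a public host and then routes the reply back. The three pfsense1 settings the posts converge on (the static route to subnet 2 via pfsense2's WAN address, the Advanced Outbound NAT mapping for subnet 2, and the LAN rule passing subnet 2) are toggles, so each one's failure mode is visible on its own. Everything in it is an assumption chosen to mirror the posts: the addresses (192.168.1.0/24 for subnet 1, 192.168.2.0/24 for subnet 2, TEST-NET ranges for the WAN and the public host) are constructed, the rule semantics are a simplification of pf (stateful replies skip the filter, first-match source NAT on the outbound interface), and only one WAN is modelled because the gateway group does not change the routing problem under discussion.

```python
"""Miniature model of the two-pfSense chain from this thread (added example, not
pfSense code). Addresses are constructed; rule semantics are a simplification of pf."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed public host (TEST-NET-2) standing in for "the Internet".
INTERNET_HOST = ip_address("198.51.100.10")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


class Drop(Exception):
    """Raised with a human-readable reason when a hop discards the packet."""


class Firewall:
    def __init__(self, name, ifaces, routes, nat, passes):
        self.name = name
        self.ifaces = {n: ip_interface(a) for n, a in ifaces.items()}            # iface -> ip/prefix
        self.routes = [(ip_network(d), ip_address(g), i) for d, g, i in routes]  # (dest, gateway, iface)
        self.nat = [(ip_network(s), i) for s, i in nat]                          # source net -> iface address
        self.passes = [(i, ip_network(s)) for i, s in passes]                    # (in iface, allowed src net)

    def route(self, dst):
        """Directly connected networks win; otherwise longest-prefix match over the static routes."""
        for name, iface in self.ifaces.items():
            if dst in iface.network:
                return name, dst
        best = None
        for dest, gw, name in self.routes:
            if dst in dest and (best is None or dest.prefixlen > best[0].prefixlen):
                best = (dest, gw, name)
        if best is None:
            raise Drop(f"{self.name}: no route to {dst}")
        return best[2], best[1]

    def forward(self, in_iface, src, dst, reply=False):
        """Filter, route and source-NAT one packet. Returns (out iface, next hop, source as sent).
        A reply matches an existing state, so it skips both the filter rules and NAT."""
        if not reply and not any(i == in_iface and src in net for i, net in self.passes):
            raise Drop(f"{self.name}: firewall rules on {in_iface} do not pass traffic from {src}")
        out, next_hop = self.route(dst)
        if not reply:
            for net, name in self.nat:
                if src in net and name == out:
                    src = self.ifaces[out].ip   # translate to the outbound interface address
                    break
        return out, next_hop, src


def build(static_route=True, aon_mapping=True, lan_pass_rule=True):
    """Constructed topology; the three toggles are the pfsense1 settings the thread converges on."""
    pf1 = Firewall(
        "pfsense1",
        {"wan": "203.0.113.2/24", "lan": "192.168.1.1/24"},
        [("0.0.0.0/0", "203.0.113.1", "wan")]
        + ([("192.168.2.0/24", "192.168.1.2", "lan")] if static_route else []),
        [("192.168.1.0/24", "wan")] + ([("192.168.2.0/24", "wan")] if aon_mapping else []),
        [("lan", "192.168.1.0/24")] + ([("lan", "192.168.2.0/24")] if lan_pass_rule else []),
    )
    pf2 = Firewall(
        "pfsense2",
        {"wan": "192.168.1.2/24", "lan": "192.168.2.1/24"},
        [("0.0.0.0/0", "192.168.1.1", "wan")],
        [],                            # AON enabled with every mapping deleted: no NAT on pfsense2
        [("lan", "192.168.2.0/24")],   # the default "LAN net to any" rule
    )
    return pf1, pf2


def trace(pf1, pf2, user="192.168.2.10", dst=INTERNET_HOST):
    """Follow one user packet out and its reply back; return 'ok ...' or 'FAIL: reason'."""
    user = ip_address(user)
    try:
        _, next_hop, src = pf2.forward("lan", user, dst)
        if next_hop != pf1.ifaces["lan"].ip:
            raise Drop(f"pfsense2 handed the packet to {next_hop}, not to pfsense1")
        _, _, src = pf1.forward("lan", src, dst)
        if any(src in net for net in RFC1918):
            raise Drop(f"packet left pfsense1 with private source {src}: no outbound NAT mapping for subnet 2")
        # The reply's destination is the user again: pfsense1's state table undoes the translation.
        out, next_hop, _ = pf1.forward("wan", dst, user, reply=True)
        if next_hop != pf2.ifaces["wan"].ip:
            raise Drop(f"pfsense1 routed the reply for {user} out {out} towards {next_hop}: no static route for subnet 2")
        out, _, _ = pf2.forward("wan", dst, user, reply=True)
        return f"ok: Internet saw {src}; reply delivered via pfsense2 {out}"
    except Drop as e:
        return f"FAIL: {e}"


if __name__ == "__main__":
    print("complete config      ", trace(*build()))
    print("no static route      ", trace(*build(static_route=False)))
    print("no AON mapping       ", trace(*build(aon_mapping=False)))
    print("no LAN rule for sub 2", trace(*build(lan_pass_rule=False)))
```

Each toggle fails at a different hop, which is the point of running it: a missing LAN rule is blocked on the way out, a missing AON mapping leaves pfsense1 with a private source the Internet cannot answer, and a missing static route lets the packet out but sends the reply to the default gateway instead of back to pfsense2. On a real pfsense1 the same three things are what to check when subnet 1 works and subnet 2 does not: the 192.168.2.0/24 entry under Diagnostics > Routes, the subnet 2 mapping under Firewall > NAT > Outbound, and blocked entries with a 192.168.2.x source on the LAN interface in the firewall log.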

          In order to use traffic shaping you would have to place the proxy in between pf1 and pf2. I would use Ubuntu Server with the latest Squid.

          ISP1 ---- WAN1 ----
                                    |                Ubuntu Server
                                    |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
                                    |
                                    |
          ISP2 ---- WAN2 ----

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.