Dual pfsense setup NAT issue
Hello pfsense fans!
I need to use all these features at the same time:
- Packet filtering and NAT at internet entry point
- DNS forwarding
- Multiwan links with load balancing and failover
- Content filtering with squid
- Bandwidth shaping and throttling (by ip)
I am aware of these issues:
- Squid package doesn't work with multiwan
- Traffic shaper doesn't work with multiwan
So I would like to use two pfsense machines to make the whole thing work as expected. This is my idea:
ISP1 ---- WAN1 ----
                  |
                  |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
                  |
ISP2 ---- WAN2 ----

On PFSENSE 1:
- NAT and port forwarding are enabled
- DNS forwarding is enabled
- Packet filtering is enabled
- Load balancing and failover are enabled
- Added a static route to private subnet 2
On PFSENSE 2:
- NAT is disabled because I don't want a double NAT (I selected the option "Advanced outbound NAT" and deleted all the rules)
- DHCP server is enabled for Private subnet 2
- Traffic shaper is enabled (via the wizard)
- Squid package is installed and enabled in transparent mode
- Traffic from subnet 2 to subnet 1 is allowed with the default rule, so I added a rule to allow the traffic in the opposite direction
PROBLEM: Users can't access the internet.
QUESTIONS:
- Does the traffic shaper work without NAT?
- Is there something I am missing?
- Comments and suggestions?
Thanks in advance and excuse my English.
UPDATE
After some forum searching I understand the need to activate "Advanced outbound nat" on PFSENSE 1 and add a mapping for SUBNET 2. So I made the change and applied it. However, the users on subnet 2 still can't reach the Internet.
UPDATE
Based on this post http://forum.pfsense.org/index.php?topic=10524.0
I added the rules to allow traffic to pass from subnet 2 to the pfSense 1 LAN interface; however, users on private subnet 2 still cannot access the Internet (traffic between subnet 1 and subnet 2 is normal). Still stuck....
-
Sorry, I have no suggestions, but I hope you get it working and let us know what the issue was. I'm thinking of setting up such a config, or perhaps waiting until 1.3 final is out, which should be able to do everything you need from one pfsense box.
-
SOLVED! BUT....
I made a mistake in the firewall rules, allowing subnet 2 traffic on the wrong interface (I have a third OPT LAN interface on the border pfsense). The setup shown is OK, but I have found another problem (it seems to be a known issue): the traffic shaper doesn't work when Squid in transparent mode is enabled.
Searching the forum I cannot find a real solution. Any suggestion?
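The three things that had to be right on the border box in this thread (an outbound NAT mapping for subnet 2 on every WAN, a pass rule for subnet 2 on the LAN interface that actually faces pfSense 2 rather than the OPT interface, and a static route to subnet 2 via pfSense 2) can be checked mechanically. The script below is an added example, not from the original thread or from the pfSense project: it parses constructed sample output in the shape of `pfctl -s nat`, `pfctl -s rules` and `netstat -rn` as they would be run on PFSENSE 1, and the interface names, addresses and subnets are assumptions.

```python
import re

# Constructed sample output (not captured from a real box), shaped like
# `pfctl -s nat`, `pfctl -s rules` and `netstat -rn -f inet` on PFSENSE 1.
# Assumed layout: em0 = WAN1, em1 = WAN2, em2 = LAN (subnet 1), em3 = OPT1.
SUBNET2 = "192.168.2.0/24"
PFSENSE2_ADDR = "192.168.1.2"      # assumed address of pfSense 2 on subnet 1
WAN_IFS = ["em0", "em1"]
LAN_IF = "em2"

NAT_OUT = """\
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5
nat on em1 inet from 192.168.1.0/24 to any -> 198.51.100.9
nat on em0 inet from 192.168.2.0/24 to any -> 203.0.113.5
"""
RULES_OUT = """\
pass in quick on em2 inet from 192.168.1.0/24 to any flags S/SA keep state
pass in quick on em3 inet from 192.168.2.0/24 to any flags S/SA keep state
"""
ROUTE_OUT = """\
192.168.1.0/24     link#3             U           0     0    em2
192.168.2.0/24     192.168.1.2        UGS         0     0    em2
"""

def missing_nat(nat_out, subnet, wan_ifs):
    """WAN interfaces that have no outbound NAT mapping for `subnet`."""
    seen = set(re.findall(r"^nat on (\S+) inet from " + re.escape(subnet), nat_out, re.M))
    return [w for w in wan_ifs if w not in seen]

def pass_rule_ifaces(rules_out, subnet):
    """Interfaces on which inbound traffic sourced from `subnet` is passed."""
    return re.findall(r"^pass in quick on (\S+) inet from " + re.escape(subnet), rules_out, re.M)

def route_next_hop(route_out, subnet):
    """Gateway column of the routing-table entry for `subnet`, or None."""
    m = re.search(r"^" + re.escape(subnet) + r"\s+(\S+)", route_out, re.M)
    return m.group(1) if m else None

def check(nat_out, rules_out, route_out):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = [f"no outbound NAT for {SUBNET2} on {w}" for w in missing_nat(nat_out, SUBNET2, WAN_IFS)]
    ifaces = pass_rule_ifaces(rules_out, SUBNET2)
    if LAN_IF not in ifaces:   # the mistake from the "SOLVED" post: rule on OPT, not LAN
        findings.append(f"no pass rule for {SUBNET2} on {LAN_IF} (found on: {ifaces or 'none'})")
    if route_next_hop(route_out, SUBNET2) != PFSENSE2_ADDR:
        findings.append(f"route to {SUBNET2} does not point at {PFSENSE2_ADDR}")
    return findings

if __name__ == "__main__":
    for f in check(NAT_OUT, RULES_OUT, ROUTE_OUT):
        print("FINDING:", f)
```

With the sample data the script reports two findings: subnet 2 has no NAT mapping on WAN2, and its pass rule sits on em3 instead of the LAN interface.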