2WAN <-> 2LAN
-
I have two WAN and two LAN interfaces:
1. WAN / PPPoE
2. WAN2 / DHCP
3. LAN (192.168.0.254)
4. LAN2 (192.168.0.253)
The goal is for pfSense to act as a dual gateway for the same LAN subnet.
Example: if a client manually enters 192.168.0.254 as the gateway I want to redirect everything to WAN,
and if a client enters 192.168.0.253 I want to redirect everything to WAN2. Is there a step-by-step guide for what to do? I tried manual outbound rules and a firewall redirection for LAN2 to WAN2.
I managed to get internet on the **254 gateway but not on 253; also, ping on 253 does not work.
Reading posts I see that there can be problems with DNS, and that I must have a static route, etc. So... can someone point me to a simple step-by-step how-to?
Goran
-
Once you have your WAN connections set up with IP addresses and gateways, all you should have to do is modify the allow-all rule on the LAN interface and select WAN under the gateway section. Then just create an allow rule on the LAN2 interface and choose WAN2 under the gateway section.
-
I have that done, but the problem is that LAN2 does not reply to ping from the local subnet, and thus does not act as a gateway. Interestingly, I can access it from the internet because I have a port forward for RDP and it works for both WAN and WAN2.
Any suggestions?
-
You can't have two different LAN interfaces using the same address range 192.168.0.0/24 when using routing; either you change the address of the second LAN net to something else or you bridge the LANs together.
-
Ok, just to clarify that.
Is there no possibility to have ONE pfSense box that can act as two gateways for the same subnet?
If I bridge the two LANs, can I do something with virtual IPs?
-
Yes it can: you use firewall rules for policy routing (the gateway option in the rules).
In your case I would bridge the second LAN to the first so all hosts on both LANs can use 192.168.0.x addresses.
-
Ok kpa, but because I will do this from a remote location and there is a possibility of something going wrong, I must ask whether you understand my problem, briefly described in my first post.
One box which will act as two, simply routing traffic from LAN to WAN and from LAN2 to WAN2, having TWO local subnet addresses (e.g. 192.168.0.254 (LAN) and 193.168.0.253 (LAN2)) to respond.
If I bridge LAN and LAN2 I will have only one IP for the local subnet, so is there any point in having FOUR NICs in the box? I do this just because I think it is a simple routing task, but I am missssssing something. :) Maybe it's simpler to have only one LAN with two virtual IPs? Any suggestions?
Best Regards
-
Yes, one LAN with a virtual IP would be good. If you bridge the interfaces and they are both connected to the same switch, you will create a switching loop.
-
Thanks to BUL for bringing this thread to my attention.
I am trying to do the same thing. I have some questions about the set-up.
For the virtual IP, it seems like CARP is the best way to go. It is pingable and services can bind to it. Is that right?
What firewall/NAT rules are needed to allow traffic to flow from the VIP to WAN2? Presumably the firewall works on that connection, and NAT rules can be set up as normal. Presumably traffic shaping is only available on WAN.
Are there any other caveats or potential issues? The only one I can think of is that the FTP helper will only work on WAN.
Once it's up and running I intend to write it up. I can't find any examples of people doing this on Google.
-
Unfortunately, it looks like you would have to do firewall rules based on the source address to send the traffic out a certain interface. It doesn't look like there is an option in the GUI to specify in a firewall rule which IP the traffic came in on, just the physical interface.
You could create 2 aliases like WAN1 and WAN2 and then create a firewall rule for each one stating that traffic sourced from alias WAN1 goes out WAN1 and the same for WAN2.
Then add hosts to WAN1 to send them out that direction, and hosts to WAN2 to send them out that direction.
-
Thanks blak111, but reading your post I see that you missed one thing.
I intend to manually enter a specific gateway on the workstations, so if the gateway is ***253 traffic goes to WAN2, and if the gateway is ***254 it goes to WAN. No need for a workstation list.
Huh... does anyone have a working solution for my problem, briefly described in the first post?
It seems logical that with four NICs I can separate traffic easily, more easily than with three.
:((
-
Yeah, that's the problem. It can't be spread across 2 NICs because it's the same network and pfSense doesn't know which card to send traffic for 192.
If you really need to do it that exact way, you could put a little router with the 192.168.0.253 address on the network and have its WAN connected to the LAN2 of the pfSense on like a 192.168.1.0/24 network. That way pfSense wouldn't see the same network on both interfaces and it would be easy to create those rules based on the source interface.
-
Yeah, that's the problem. It can't be spread across 2 NICs because it's the same network and pfSense doesn't know which card to send traffic for 192.
But... maybe I do not understand something simple. Rules can direct traffic based on the origin NIC, so your statement above is not true. pfSense can send traffic from WAN2 to LAN2 and from LAN to WAN even if their subnet is the same (or am I wrong???)
The pfSense box works fine from outside; I have two no-ip's activated with two different WAN addresses, and can access RDP on the server from outside over both WANs.
(One no-ip is defined on pfSense, the other on the server, and traffic is routed to WAN2.) My problem is that I can't ping the ***253 NIC from the local subnet and (because of that?) it can't act as a gateway.
Has anyone solved this? Any suggestions? I can't go on site till Friday, and can't mess with the config from here...
Regards.
-
@BUL:
Yeah, that's the problem. It can't be spread across 2 NICs because it's the same network and pfSense doesn't know which card to send traffic for 192.
But... maybe I do not understand something simple. Rules can direct traffic based on the origin NIC, so your statement above is not true. pfSense can send traffic from WAN2 to LAN2 and from LAN to WAN even if their subnet is the same (or am I wrong???)
I think blak111 is saying that it's not possible, and he is probably right.
You can't make a rule that says LAN2->WAN2, only a rule that says client->WAN2. Client has to be the IP address of the machine you want to use WAN2.
I think what we are trying to do is currently impossible with pfSense. I don't think any open source router package supports it. My idea was to run two copies of pfSense on VMware, but it seems to be very complicated and difficult to set up in a reliable, secure way.
-
@BUL:
Yeah, that's the problem. It can't be spread across 2 NICs because it's the same network and pfSense doesn't know which card to send traffic for 192.
But... maybe I do not understand something simple. Rules can direct traffic based on the origin NIC, so your statement above is not true. pfSense can send traffic from WAN2 to LAN2 and from LAN to WAN even if their subnet is the same (or am I wrong???)
I think blak111 is saying that it's not possible, and he is probably right.
Aha, I see your point: you state that rules are matched by origin subnet, not by NIC.
But in the rule definition I see:
"Choose on which interface packets must come in to match this rule.", meaning that rules are based on the physical NIC... Sorry if I sound offensive, but I am still unsure why pfSense can't (can?) do this?
A packet comes in on LAN, a rule sends it to WAN, and vice versa.
A packet comes in on LAN2, a rule sends it to WAN2...
-
Rules are matched by interface, but not by IP on the interface. That's why the CARP method won't work.
The dual interface method is a problem because it would be the same network on both interfaces and pfSense wouldn't know which interface to send traffic out that is destined for the LAN network. This is a basic networking thing, not just pfSense. The computer needs different networks on different interfaces to determine what traffic goes out which interface based on the routing table.
-
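Plain pf syntax for the alias-based policy routing blak111 describes (rules matched by source address on a single LAN interface, one table per WAN). This is an added illustration, not the thread's or pfSense's own generated rules; interface names, gateway addresses and the host lists are assumed values.

```pf
# Assumed interface names and next hops (placeholders, not from the thread)
lan     = "em2"
wan1    = "em0"
wan2    = "em1"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"
lan_net = "192.168.0.0/24"

# pfSense aliases become pf tables: which LAN hosts leave via which WAN
table <via_wan1> { 192.168.0.10, 192.168.0.11 }
table <via_wan2> { 192.168.0.20 }

# Outbound NAT on each WAN (what pfSense "automatic outbound NAT" generates)
nat on $wan1 from $lan_net to any -> ($wan1)
nat on $wan2 from $lan_net to any -> ($wan2)

# Traffic staying on the LAN (including to the firewall itself) must not be
# policy-routed, so match it first; "quick" makes the first match win
pass in quick on $lan from $lan_net to $lan_net keep state

# Policy routing by source address: route-to forces the egress interface
# and next hop regardless of the system routing table
pass in quick on $lan from <via_wan2> to any route-to ($wan2 $wan2_gw) keep state
pass in quick on $lan from <via_wan1> to any route-to ($wan1 $wan1_gw) keep state

# Anything else follows the default route (WAN)
pass in on $lan from $lan_net to any keep state
```

Hosts not listed in either table fall through to the default gateway; only one LAN interface and one subnet are involved, which is why the routing table stays unambiguous.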
OK, of course I agree, and because of the problem with the routing table I added a fourth interface. Can we go a little further with the explanation, because there is still something fishy. During the weekend I will go on site where this specific box is installed and will play with it.
Meanwhile, can you tell me why I can't ping the ***253 (LAN2) interface from the local subnet? I have a feeling that the problem can be solved with some additional rule... maybe some rule between LAN and LAN2?
There is another solution with a list of hosts and rules to redirect traffic for those hosts to WAN2... I will fall back to this solution if the weekend's playing does not resolve it.
-
@BUL:
OK, of course I agree, and because of the problem with the routing table I added a fourth interface.
That's where you're wrong.
As far as the routing table is concerned you didn't add a 4th interface, because you have the same subnet on two interfaces. Why don't you just change the subnet of one of the interfaces?
If you want to let your users change the gateway, you could just as well let them change their subnet.
-
If you used two different subnets, would machines on either have access to each other? I'm guessing the two LAN interfaces would need to be bridged at least...
-
If you bridge them you effectively make a single broadcast domain with 2 subnets on it.
You still need a router to get from one subnet to the other.
-> A bridge is kind of useless.