Netgate Discussion Forum

    2WAN <-> 2LAN

Routing and Multi WAN
    31 Posts 6 Posters 12.7k Views
BUL

Thanks blak111.. but reading your post I see that you missed one thing.

I intend to manually enter a specific gateway on the workstations... so.. if the gateway is ***253, traffic goes to WAN2.. if the gateway is ***254, it goes to WAN. No need for a workstation list.

Huh.. does anyone have a working solution for my problem, briefly described in the first post?

It seems logical that with four NICs I can separate traffic easily.. more easily than with three.

:((

blak111

Yeah, that's the problem. It can't be spread across 2 NICs because it's the same network and pfSense doesn't know which card to send traffic for 192.

If you really need to do it that exact way, you could put a little router with the 192.168.0.253 address on the network and have its WAN connected to the LAN2 of the pfSense on something like a 192.168.1.0/24 network. That way pfSense wouldn't see the same network on both interfaces and it would be easy to create those rules based on the source interface.

BUL

@blak111:

Yeah, that's the problem. It can't be spread across 2 NICs because it's the same network and pfSense doesn't know which card to send traffic for 192.

But... maybe I don't understand something simple... Rules can direct traffic based on the originating NIC.. so your statement above is not true.. pfSense can send traffic from WAN2 to LAN2 and from LAN to WAN even if their subnets are the same... (or am I wrong???)

The pfSense box works fine from outside; I have two no-ip hostnames activated with two different WAN addresses, and can access RDP on the server from outside over both WANs.
(One no-ip hostname is defined on pfSense, the other on the server, and that traffic is routed to WAN2.)

My problem is that I can't ping the ***253 NIC from the local subnet and (because of that?) it can't act as a gateway.

Has anyone solved this? Any suggestions? I can't go on site till Friday, and can't mess with the config from here...

Regards.

mojo-chan

@BUL:

@blak111:

Yeah, that's the problem. It can't be spread across 2 NICs because it's the same network and pfSense doesn't know which card to send traffic for 192.

But... maybe I don't understand something simple... Rules can direct traffic based on the originating NIC.. so your statement above is not true.. pfSense can send traffic from WAN2 to LAN2 and from LAN to WAN even if their subnets are the same... (or am I wrong???)

I think blak111 is saying that it's not possible, and he is probably right.

You can't make a rule that says LAN2->WAN2, only a rule that says client->WAN2. Client has to be the IP address of the machine you want to use WAN2.

I think what we are trying to do is currently impossible with pfSense. I don't think any open source router package supports it. My idea was to run two copies of pfSense on VMware, but it seems to be very complicated and difficult to set up in a reliable, secure way.

BUL

@mojo-chan:

@BUL:

@blak111:

Yeah, that's the problem. It can't be spread across 2 NICs because it's the same network and pfSense doesn't know which card to send traffic for 192.

But... maybe I don't understand something simple... Rules can direct traffic based on the originating NIC.. so your statement above is not true.. pfSense can send traffic from WAN2 to LAN2 and from LAN to WAN even if their subnets are the same... (or am I wrong???)

I think blak111 is saying that it's not possible, and he is probably right.

Aha.. I see your point.. you state that rules are matched by origin subnet, not by NIC..
But... in the rule definition I see:
"Choose on which interface packets must come in to match this rule." .. meaning that rules are based on the physical NIC...

Sorry if I sound offensive, but I am still unsure why pfSense can't (can?) do this?

A packet comes in on LAN.. the rule sends it to WAN, and vice versa..
A packet comes in on LAN2.. the rule sends it to WAN2...

blak111

Rules are matched by interface, but not by IP on interface. That's why the CARP method won't work.

The dual interface method is a problem because it would be the same network on both interfaces and pfSense wouldn't know which interface to send out traffic that is destined for the LAN network. This is a basic networking thing, not just pfSense. The computer needs different networks on different interfaces to determine what traffic goes out which interface, based on the routing table.

BUL

OK, of course I agree, and because of the problem with the routing table I added a fourth interface. Can we go a little further with the explanation, because there is still something fishy? During the weekend I will go on site, where this specific box is installed, and will play with it.

Meanwhile... can you tell me why I can't ping the ***253 (LAN2) interface from the local subnet? I have a feeling that the problem can be solved with some additional rule... maybe some rule between LAN & LAN2?

There is another solution, with a list of hosts and rules to redirect traffic for those hosts to WAN2... I will fall back to this solution if the weekend's playing does not resolve it..

GruensFroeschli

@BUL:

OK, of course I agree, and because of the problem with the routing table I added a fourth interface.

That's where you're wrong.
As far as the routing table is concerned you didn't add a 4th interface, because you have the same subnet on two interfaces.

Why don't you just change the subnet of one of the interfaces?
If you want to let your users change the gateway, you could as well let them change their subnet.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

mojo-chan

If you used two different subnets, would machines on either have access to each other? I'm guessing the two LAN interfaces would need to be bridged at least...

GruensFroeschli

If you bridge them you effectively make a single broadcast domain with 2 subnets on it.
You still need a router to get from one subnet to the other.
--> A bridge is kind of useless.

blak111

I already answered this. It is based on interface, but you can't have two interfaces in the same network.

mojo-chan

It seems like there must be some way it can be set up, because obviously it works if you have two separate routers on the same subnet and simply use the client machine's default gateway to select which one to use (my current set up).

Combining two routers into one would save on hardware and electricity costs. Surely there must be some way to do this, even if it's not possible in the current pfSense GUI.

BUL

Ok.. I agree with all that was said..
It sounds very simple... just a few simple rules.. but <sigh> I will reply during the weekend with what I do... one old router with a different subnet on the pfSense side (connected to LAN2) will solve my problem.

I will rephrase the problem again, just in case there is some other solution.

"How to use one pfSense box with two (or more) WANs and allow users on the same subnet to choose the gateway on their own."

Best regards

@mojo-chan:

It seems like there must be some way it can be set up, because obviously it works if you have two separate routers on the same subnet and simply use the client machine's default gateway to select which one to use (my current set up).

I have three gateways here at my workplace.. two pfSense boxes (wireless and cable) and one "solo" :-) ADSL.

blak111

The problem is in a standard routing table. You have a network that is associated with one exit interface. It works with multiple routers because each one only has one entry. It works with the extra router in the middle because the routing table doesn't have entries for the same network, just one for the original network and another for the NAT network in between.

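As an added illustration of the routing-table argument blak111 makes in the posts above (one exit interface per network, and why an extra router with its own subnet behind LAN2 avoids the clash), here is a small Python model of longest-prefix routing. It is not pfSense or FreeBSD code and is not from the thread; the interface names em0 to em3, the documentation-range WAN addresses and the LAN2 renumbering to 192.168.1.0/24 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None   # None: directly connected network


class RoutingTable:
    """Longest-prefix-match table that keeps every equally specific entry,
    so an ambiguous lookup is visible instead of being silently resolved."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, prefix: str, interface: str, gateway: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, gateway))

    def lookup(self, dst: str) -> list[Route]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return []
        longest = max(r.prefix.prefixlen for r in matches)
        return [r for r in matches if r.prefix.prefixlen == longest]

    def egress(self, dst: str) -> str:
        """Interface a single-answer kernel would use: the first best match.
        With two identical connected routes that choice is effectively
        arbitrary; a real kernel may also refuse to install the second one."""
        best = self.lookup(dst)
        if not best:
            raise LookupError(f"no route to {dst}")
        return best[0].interface


def build_table(lan2_prefix: str) -> RoutingTable:
    """Four-NIC box: WAN em0, WAN2 em1, LAN em2, LAN2 em3. Interface names
    and the WAN-side addresses are assumed for the example."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "em0", "203.0.113.1")   # default route out WAN
    rt.add("203.0.113.0/24", "em0")             # WAN link network
    rt.add("198.51.100.0/24", "em1")            # WAN2 link network
    rt.add("192.168.0.0/24", "em2")             # LAN, pfSense is .254
    rt.add(lan2_prefix, "em3")                  # LAN2, pfSense is .253 (or renumbered)
    return rt


def candidate_interfaces(lan2_prefix: str, dst: str) -> list[str]:
    """All equally specific exit interfaces for dst; more than one is ambiguous."""
    return [r.interface for r in build_table(lan2_prefix).lookup(dst)]


def reply_interface(lan2_prefix: str, client: str) -> str:
    """Interface a reply to client leaves on. The request's ingress interface
    plays no part: the kernel routes by destination only."""
    return build_table(lan2_prefix).egress(client)


if __name__ == "__main__":
    # Same /24 on em2 and em3: every LAN destination has two connected routes.
    print(candidate_interfaces("192.168.0.0/24", "192.168.0.50"))   # ['em2', 'em3']
    # A ping to .253 that arrived on em3 is answered out of em2 in this model.
    print(reply_interface("192.168.0.0/24", "192.168.0.50"))        # em2
    # LAN2 renumbered to 192.168.1.0/24: each destination has exactly one exit.
    print(candidate_interfaces("192.168.1.0/24", "192.168.0.50"))   # ['em2']
    print(candidate_interfaces("192.168.1.0/24", "192.168.1.50"))   # ['em3']
    print(candidate_interfaces("192.168.1.0/24", "93.184.216.34"))  # ['em0']
```

Run it as a script to see the two tables side by side. The model deliberately keeps both duplicate connected routes so the ambiguity shows up in the output; an actual kernel either refuses the second one or keeps only one of them, which is consistent with the configuration being accepted yet the .253 address not behaving as a usable gateway. The second table is the layout the thread converges on: a distinct subnet behind LAN2, after which interface-based rules have an unambiguous interface to match on.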
Perry

I've been somewhat reading / following this thread.
So BUL, isn't the end goal really that a user can switch between going out of WAN or WAN2?
If not, I will go away :)
If yes, it can be done by giving each user 2 IP addresses that they can switch between.

/Perry
doc.pfsense.org

BUL

Yep Perry.. it seems that this can be done by an odd/even IP "rule" as you suggest :-) odd for WAN and even for WAN2, for example.. But that raises other possible problems.

Thanks to all. This really sounded simple at the start. I will drop it after another shot on site and probably try to find some old router for LAN2.

blak111

So if it just needs to be set up so the user is able to switch, you could set up the PPTP server so they can connect to that to use WAN2, and just have standard LAN traffic go out WAN. Just set the firewall rule on the PPTP server to use WAN2 as the gateway.
If they are using Windows, then it would be as simple as clicking a VPN shortcut for less technically inclined users.

I know this works because I've done this to allow users access into a network attached to a pfSense machine.

Sorry, I wasn't aware that you were trying to give users the option to switch connections themselves.

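The three rule-based ideas in the thread (blak111's "rules are matched by interface, but not by IP on interface", Perry's second-address suggestion, and the PPTP tunnel whose firewall rule carries WAN2 as its gateway) can all be checked against one toy first-match policy router, written in the spirit of pf's "pass in on IF from NET route-to GW". This is an added example for this page, not pfSense code; the interface names, the 10.0.8.0/24 tunnel network, the 192.168.0.128/25 split and the WAN2 gateway address are assumptions. One caveat a practitioner should attach to the PPTP advice: PPTP's MS-CHAPv2 authentication is broken and pfSense has since removed its PPTP server, but the mechanism that matters here, a VPN interface whose pass rule sets a gateway, works the same way for the VPN types pfSense still offers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN2_GW = "198.51.100.1"   # assumed WAN2 gateway address


@dataclass(frozen=True)
class Packet:
    in_iface: str     # interface the packet arrived on
    src: str
    dst: str
    chosen_gw: str    # router address the client points its default route at;
                      # on the wire that only selects the destination MAC


@dataclass(frozen=True)
class Rule:
    in_iface: str              # pf "pass in on <if>"
    src_net: str               # pf "from <net>"
    route_to: Optional[str]    # pf "route-to" gateway, None = default route


def decide(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins (pfSense GUI rules are 'quick'). Only the
    ingress interface and the source address are consulted; pkt.chosen_gw
    is never read, because pf has no way to match on it either."""
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if r.in_iface == pkt.in_iface and src in ipaddress.ip_network(r.src_net):
            return r.route_to or "default"
    return "drop"   # no pass rule matched: pfSense's implicit deny


# Assumed layout: LAN is em2 (192.168.0.0/24); the PPTP server hands out
# 10.0.8.0/24 on an interface called "pptp". Rule order matters.
RULES = [
    # VPN clients: everything they send is policy-routed to WAN2.
    Rule("pptp", "10.0.8.0/24", WAN2_GW),
    # Perry's two-address variant: a host that moves into the upper half of
    # the /24 gets WAN2. Odd/even cannot be written as a single CIDR match,
    # so a range (or a host alias) is the form pf can actually express.
    Rule("em2", "192.168.0.128/25", WAN2_GW),
    # Everything else on the LAN follows the default route (WAN).
    Rule("em2", "192.168.0.0/24", None),
]

REMOTE = "93.184.216.34"   # some Internet host the client is talking to


def gateway_for_lan_host(src: str, chosen_gw: str) -> str:
    return decide(RULES, Packet("em2", src, REMOTE, chosen_gw))


def gateway_for_vpn_host(src: str) -> str:
    return decide(RULES, Packet("pptp", src, REMOTE, "10.0.8.1"))


if __name__ == "__main__":
    # Two router addresses on one NIC (the CARP/VIP idea): whether the client
    # points at .253 or .254, pf sees the same (interface, source) pair and
    # applies the same rule, so both go out WAN.
    print(gateway_for_lan_host("192.168.0.50", "192.168.0.253"))   # default
    print(gateway_for_lan_host("192.168.0.50", "192.168.0.254"))   # default
    # The same workstation connected to the PPTP server: ingress is "pptp",
    # the route-to rule sends it out WAN2, and its LAN address is untouched.
    print(gateway_for_vpn_host("10.0.8.2"))                        # 198.51.100.1
    # A host that switched to an address in 192.168.0.128/25 also gets WAN2.
    print(gateway_for_lan_host("192.168.0.200", "192.168.0.254"))  # 198.51.100.1
```

The first two calls are the point blak111 makes about the CARP method: changing which of the firewall's own addresses a client uses as gateway changes nothing that a rule can see. The VPN case is the one that survives, because the tunnel is a separate interface with its own source network, so the per-interface rule has something to key on and the client keeps its LAN address for file shares and the like.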
BUL

Heh, this is nice. I will try it on site.

Thanks blak111 :-)

mojo-chan

The only problem with changing IP addresses on clients is that it tends to cause some temporary confusion on the network, particularly with Windows file shares.

blak111

That's what the PPTP connection would be for. You still wouldn't lose your local IP.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.