Dual WAN and Multi LAN setup
-
Hi Guys,
One of our clients is planning to avail of a new E1 connection. The network already has an existing E1 connection using pfSense as firewall and an Untangle behind it in bridge mode. The plan is that WAN1 is for LAN1 and LAN2 only while WAN2 is for LAN3 only, the reason being we want to segregate the bandwidth-hungry people in LAN3; there's no need to load balance because we want the setup to be simple. In case this pushes through it will be my first time setting one up, which is why I would like to ask for comments and suggestions.
First thing I would do is of course buy two new NICs for WAN2 and LAN3 respectively. Also, LAN3 needs to access the servers (mail and application server) on LAN1. What should be my next step/steps and what rules do I need to create?
TIA
Jan
-
This should be pretty easy to do. Set up all the interfaces as normal, then create pass rules in the firewall for each of the LAN interfaces and choose the gateway (WAN1 or WAN2) that's appropriate. The pass rule you create will override the default gateway and all traffic that matches will go out the specified interface. You can get fancier if you want, sending certain types of traffic out to certain gateways.
You could also set up failover so if one of the WANs were to go down, all the LANs would still be online. You'd set up two failover gateway pools in the loadbalancer, one with WAN1's monitor (I like to use a DNS server) first and one with WAN2's first.
-
My only apprehension is the servers that are publicly accessible; currently they are configured via 1:1 NAT. Will WAN2 affect this? With regards to failover, if WAN1 goes down, what will happen to the publicly accessible servers? Will they still be accessible via WAN2? If not, what should be done in order for them to be accessible via WAN2?
TIA
-
@jan:
My only apprehension is the servers that are publicly accessible; currently they are configured via 1:1 NAT. Will WAN2 affect this? With regards to failover, if WAN1 goes down, what will happen to the publicly accessible servers? Will they still be accessible via WAN2? If not, what should be done in order for them to be accessible via WAN2?
TIA
You could configure an additional 1:1 NAT on WAN2 for the servers, which would make them accessible from either WAN; however, the client needs to be 'smart' and figure out to switch to the other address. Doing failover for incoming WAN traffic is basically impossible with different ISPs on each WAN link unless you obtain an ASN and ARIN IP allocation, and obtain BGP-aware connections from your ISPs. This is a pretty high-end setup not available on most non-leased-line connections that requires quite a bit of expertise to do properly (and something more powerful than pfSense, e.g. Cisco or Vyatta). If you really need this, setting up a cluster at a reliable datacentre to act as a smart failover proxy for the traffic makes sense, but if you're going to that expense it often makes more sense to just run the services on the hosted machine.
WAN2 won't affect your existing 1:1 NAT configuration though, so if you're fine with the status quo w.r.t. reliability, you shouldn't have to make any changes. pfSense is state-aware, so only new outgoing connections will follow the policy routing rules; return traffic on incoming connections will go out the interface the connection came in on.
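As an added illustration of both replies above (the per-LAN pass rules with a gateway, and the extra 1:1 NAT on WAN2 with return traffic pinned to the interface it arrived on), here is a hand-written pf.conf fragment in the syntax pfSense generates underneath. It is not from the thread or from pfSense itself; every interface name, network, gateway and public address is an assumed placeholder. The one point a practitioner will want to check is rule order: the LAN3-to-LAN1 server rule carries no gateway and must sit above the LAN3 route-to rule, otherwise internal traffic is thrown out WAN2.

```pf
# Added example, not the thread's or pfSense's own ruleset. All names and addresses
# below are assumed placeholders.
wan1 = "em0"        # WAN1, existing E1
wan2 = "em1"        # WAN2, new E1
lan1 = "em2"        # LAN1, holds the mail and application servers
lan2 = "em3"
lan3 = "em4"        # LAN3, the bandwidth-hungry users
wan1_gw   = "203.0.113.1"
wan2_gw   = "198.51.100.1"
lan1_net  = "192.168.1.0/24"
lan3_net  = "192.168.3.0/24"
mail_srv  = "192.168.1.10"
mail_pub1 = "203.0.113.10"    # public address on WAN1 (existing 1:1 NAT)
mail_pub2 = "198.51.100.10"   # public address on WAN2 (additional 1:1 NAT)

# Default deny; pf is last-match unless "quick" is used, so every rule below is
# marked quick to get the first-match behaviour pfSense gives you in the GUI.
block all

# 1:1 NAT: the same internal host mapped on both WANs. Translation happens
# before filtering, so the filter rules below match on the internal address.
binat on $wan1 from $mail_srv to any -> $mail_pub1
binat on $wan2 from $mail_srv to any -> $mail_pub2

# Inbound mail on either WAN. reply-to pins the return traffic to the interface
# the connection came in on, so a session that arrived via WAN2 is never policy
# routed back out WAN1 (pfSense adds reply-to to WAN rules automatically).
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) proto tcp from any to $mail_srv port 25 keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto tcp from any to $mail_srv port 25 keep state

# LAN3 -> LAN1 servers. No gateway on this rule and it MUST precede the route-to
# rule, so internal traffic follows the routing table instead of leaving via WAN2.
pass in quick on $lan3 proto tcp from $lan3_net to $lan1_net port { 25, 143, 443 } keep state

# Policy routing: everything else from LAN3 leaves via WAN2.
pass in quick on $lan3 route-to ($wan2 $wan2_gw) from $lan3_net to any keep state

# LAN1 and LAN2 need no route-to: WAN1 is the system default gateway, so plain
# pass rules send them out WAN1 and still let them reach LAN3 normally.
pass in quick on $lan1 from $lan1_net to any keep state
pass in quick on $lan2 from $lan2:network to any keep state
```

In the pfSense GUI the same ordering applies: on the LAN3 tab, the rule to the LAN1 server subnet with Gateway left at "default" goes above the catch-all rule whose Gateway is WAN2. Return traffic for established sessions is handled by state, which is why the existing WAN1 1:1 NAT keeps working unchanged.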