Multi WAN - One for incoming and other for everything else
-
Hey all
It's been a long time since I needed to play with the firewall, and I have forgotten most of how to do things, so treat me as a newbie.
I have an application that I want to run on my iPhone that needs access to my server. My original WAN connection (satellite) does not support port forwarding so I have added a 3G modem into the mix as a second WAN connection so I can get access.
So my app needs to make a connection to a server in the local network (192.168.0.0/24) on port x & y (two ports).
              (WAN)
Internet --------Sat Modem----------------|
             (all other ports)            |
                                          |---- pfsense --------Server (on LAN)
              (OPT1)                      |
Internet --------3G Modem-----------------|
             (ports x & y to server)

(Server needs access to 3G modem on SNMP port and management port, and access to internet on ports x & y only. All other data to use Sat modem.)

Basic scenario
In-coming connection from internet on ports x & y, gets forwarded from the 3G modem\router to pfsense which is then routed to the server. Server then replies with data requested.
A specific IP address on the Lan is to be routed to the 3G connection instead of the WAN connection all the time (all ports).
What do I need to do to get the firewall to send all traffic that goes out on ports x & y to WAN2 (3G)?
I have read a lot on Multi WAN, but it's confusing me a little as it has not been exactly the same scenario as what I have. It seems that setting the gateway is the way to go, but I can't get it to work.
I also want to be able to manage (http) and monitor the unit (SNMP) from the local network so I need to add rules somewhere that allows this to happen.
Thanks heaps
Mick
-
Can I gather from the chirping crickets that this is not possible then, or no one knows how.
Is anyone willing to do this if I pay for the help? I would say it's relatively simple (based on the concept) for someone who knows the firewall.
Mick
-
A diagram or screen shots always speeds up replies.
It's correct that it is the gateway setting of a rule that controls which wan the traffic is going out on.
LAN IP -> pfSense -> 3G/router -> ISP
To test: traceroute to google.com or browse to http://jackson.io/ip/ from the LAN IP.
http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
As you write 3G modem/router, it's probably common problem nr 8 you're having.
-
Thanks
Can you re-phrase your last line
Diagram as requested added to original post.
"it's probably common problem nr 8 your having." I don't understand it.
I have confirmed it working through the 3G modem when bypassing pfsense and connected directly to the LAN.
How is a traceroute going to help? I can access the internet fine through the sat modem, I just need to push data on port x & y through the 3G modem (which worked when connected to LAN and server was using it as the gateway).
Nonetheless, ran tracert www.google.com and it timed out on all hops so no information given back
I could run traceroute to the firewall (single hop), but anything further timed out (ie to either of the modems). Is there a change to the firewall needed somewhere?
Here is the 3G interface setup. It is set to a static IP of 192.168.0.1 and the NIC in the firewall is 192.168.6.2. Have I got this part right?
Also, the simple rule for HTTP traffic - if I have this, all is good; if I add the gateway (192.168.6.1) it stops. This kinda makes me think there is something wrong in the way I specify the gateway.
Mick
-
Sounds like you're talking about a policy-based route. I have done something similar in order to route outbound mail through a specific ISP, rejecting that traffic if the route becomes unavailable:
ALLOW:  TCP  LAN net  *  *  25 (SMTP)  WAN2  Policy-based route for SMTP
REJECT: TCP  LAN net  *  *  25 (SMTP)  *     Bounce SMTP if WAN2 Down
You of course need matching PAT (aka 'NAT ⇒ Port Forward' in pfSense lingo) and firewall pinholes if you want this to be accessible from the outside. After that's done, I think it should work as you expect it to.
Another option would be to do the opposite, and 1:1 NAT the server in question directly to your 3G link. Then you'd add policy based routes for high-bandwidth traffic you'd prefer to be routed through your satellite link, e.g. HTTP, FTP, etc. Hope this makes sense…
EDIT: P.S. - If my experience with satellite is still relevant, you may also want to create policy-based routes to push latency-sensitive things like DNS, NTP and SSH/RSH through your 3G as well. Having snappy DNS can drastically speed up your surfing on a high-latency link.
-
Here is the 3G interface setup. It is set to a static IP of 192.168.0.1 and the NIC in the firewall is 192.168.6.2. Have I got this part right?
Also, the simple rule for HTTP traffic - If I have this, all is good, If I add the gateway (192.168.6.1) it stops. This kinda makes me think there is something wrong in the way I specify the gateway.
Unless your 3G provider is forcing you onto an RFC1918 network, it doesn't look like the IP / Gateway is correct. Was that provided by your ISP, or are those the settings you want for the inside of the network?
-
No ip provided by the provider, that's just me bumbling my way around. 192.168.6.1 is the internal address of the 3G modem/router.
(Dynamic IP)                   (192.168.6.0)            (192.168.0.0)
internet----------------3G------[WAN2]---------pfsense------[LAN]------
What address do I put in the gateway field?
Your example previously is what I thought was required, but it would appear that due to my mis-understanding in the gateway setup that it does not work because of that.
-
With traceroute you can determine if traffic is going out on the correct WAN connection, and as you write "server", it's unlikely you have a browser on it.
When you troubleshoot it's best to keep things simple, and by that I mean letting everything go out on 3G WAN from the server.
Sorry that it isn't plug n' pray, but did you read the portforward doc?
-
No ip provided by the provider, that's just me bumbling my way around. 192.168.6.1 is the internal address of the 3G modem/router.
OK, I'm getting a better picture of what's happening now. First things first, you've gotta get that 3G connection on your pfSense actually working, then work on the PAT and PBR issues. :) If I was in your situation, the first thing I'd do is find out whether or not your 3G router is capable of running as a bridge. Otherwise, you will be dealing with a double-NAT situation which may work, but is rarely optimal.
-
If you can bridge it, you'll be in a position to run your pfSense with a public IP address right on your 3G network and skip dealing with the 3G router's own NAT / Routing / PAT facilities. That'd be ideal. In that case you're putting your ISP's routing and IP information directly onto your opt1 interface, rather than the RFC1918 [private] network info on there now.
-
If you can't bridge it, you'll have to give your pfSense a static IP on your 3G router's private network, then create some PAT (or even better, 1:1 NAT) rules to make your pfSense accessible to the outside world.
-
In a situation where bridging your 3g modem isn't possible, the IP info you had in pfSense still doesn't look right. A 32-bit mask means a scope of a single IP address. That leaves pfSense in a catch-22 situation, since it'd need a route in order to talk to its default route. It's most likely to be a 24-bit netmask, but you'd have to check your 3g router's config to be certain.
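Two things in this thread lend themselves to a small model: the policy-based rule ordering from the SMTP example (an ALLOW with a gateway followed by a REJECT catch-all) and the /32 netmask catch-22 described just above. The following is an added example, not code from the forum posters or from pfSense; it is a first-match rule evaluator in Python that mimics how a rule with a gateway behaves when that gateway is down, plus a check that a gateway address actually falls inside the interface's subnet. The port numbers 5000/5001 stand in for the thread's "ports x & y", the host 192.168.0.77 is a hypothetical "always via 3G" LAN host, and the `skip_rules_when_gateway_down` switch models pfSense's advanced option of that name (by default pfSense keeps the rule but drops its gateway, so traffic takes the default route; with the option on, the whole rule is skipped and the next rule, e.g. the REJECT, matches).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed placeholders standing in for the thread's "ports x & y" and the
# LAN host that must always leave via the 3G link.
PORT_X, PORT_Y = 5000, 5001
LAN_NET = "192.168.0.0/24"
PINNED_HOST = "192.168.0.77/32"   # hypothetical


@dataclass
class Rule:
    action: str                 # "allow" or "reject"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # source network in CIDR notation
    dst_port: Optional[int]     # None = any destination port
    gateway: Optional[str]      # None = default route, else a gateway name
    note: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst_port: int


def gateway_in_interface_subnet(iface_cidr: str, gw_ip: str) -> bool:
    """A gateway is only reachable if it lies inside the interface's own
    subnet; with a /32 on the interface there is no subnet for it to be in."""
    iface = ipaddress.ip_interface(iface_cidr)
    return ipaddress.ip_address(gw_ip) in iface.network


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def route(rules: List[Rule], pkt: Packet, gateways_up: Set[str],
          skip_rules_when_gateway_down: bool = True) -> Tuple[str, Optional[str]]:
    """First-match evaluation. Returns (action, gateway-or-'default')."""
    for r in rules:
        gw = r.gateway
        if gw is not None and gw not in gateways_up:
            if skip_rules_when_gateway_down:
                continue            # rule is omitted entirely; fall through to the next one
            gw = None               # rule is kept but loses its gateway: default route
        if _matches(r, pkt):
            if r.action == "reject":
                return ("reject", None)
            return ("allow", gw or "default")
    return ("reject", None)         # implicit default deny at the end of the list


# Rule set modelling the thread's scenario (order matters: first match wins).
RULES = [
    Rule("allow", "tcp", LAN_NET, PORT_X, "WAN2", "app port x via 3G"),
    Rule("allow", "tcp", LAN_NET, PORT_Y, "WAN2", "app port y via 3G"),
    Rule("allow", "any", PINNED_HOST, None, "WAN2", "this host always via 3G"),
    Rule("reject", "any", PINNED_HOST, None, None, "bounce it if WAN2 is down"),
    Rule("allow", "any", LAN_NET, None, None, "everything else via default (Sat)"),
]

if __name__ == "__main__":
    print("/32 on OPT1 ->", gateway_in_interface_subnet("192.168.6.2/32", "192.168.6.1"))
    print("/24 on OPT1 ->", gateway_in_interface_subnet("192.168.6.2/24", "192.168.6.1"))
    for up in ({"WAN2"}, set()):
        print("WAN2 up" if up else "WAN2 down",
              route(RULES, Packet("tcp", "192.168.0.50", PORT_X), up),
              route(RULES, Packet("udp", "192.168.0.77", 53), up))
```

Running it shows why the REJECT line only does its job with the skip option on: without it, the pinned host silently falls back to the satellite link when WAN2 drops, which is exactly the behaviour the original SMTP example was trying to avoid.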
-
-
I have not read the port forward doc (not for a long time that I can remember anything much). I do have port forwarding working for just WAN stuff; it's just the addition of the extra WAN connection that is causing me grief.
So I have some success - I changed the interface from static to DHCP (after turning on the DHCP server on the 3G modem) and I can now direct http traffic out either modem. Why is it so, why did static fail me? (probably the 32 bit mask I missed)
What mode should Outbound NAT be in Automatic, or Manual (AoN)?
Mick
-
So I have some success - I changed the interface from static to DHCP (after turning on the DHCP server on the 3G modem) and I can now direct http traffic out either modem. Why is it so, why did static fail me?
32-bit netmask makes routing impossible – see my post above. :)
-C
-
It's hard to keep up while shaped - you are answering faster than I can upload the replies.
Now that I have some success, I will re-test each connection and look at the bridging option - I can't see anything available yet, so I think it will be a double NAT/port forwarding.
All help is really really appreciated
Mick