Multi-WAN on single network card
-
The port forwards may be a little harder to get right, since they really need a reply-to field set for the gateway of the static line. I don't recall if you can set that manually or not.
You use the gateway groups under firewall rules, just add rules for what you want and select the gateway. Check the multi-wan tutorials for more details.
-
You use the gateway groups under firewall rules, just add rules for what you want and select the gateway. Check the multi-wan tutorials for more details.
This is where I get stuck.
The tutorials (that I've found anyway) expect me to set up different rules for my two WAN interfaces, but I only have one physical WAN interface on my pfSense box. This probably just means I need to create my firewall rules slightly differently, but I can't quite work out what to do and all my experiments so far have been wrong!
-
The firewall rules to direct outgoing traffic out specific WANs would be on LAN - just the gateway choice would be relevant.
-
The firewall rules to direct outgoing traffic out specific WANs would be on LAN - just the gateway choice would be relevant.
I'm sorry, I'm sure I'm being thick, but I'm just not clear what you're saying.
I'm looking here:
http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing#Port_Forwarding_and_Applications, where the port forwarding rules are split between WAN and OPT1WAN2, which I can make sense of, but I don't have two WANs to work with.
-
Ah, well I was referring to outgoing traffic, not incoming.
What you might need to do is set up another virtual IP (CARP, Proxy ARP, or IP alias) on WAN to accept the incoming NAT requests from the second WAN, and have the second WAN router forward traffic to that VIP. Then you can use the VIP choices to distinguish between the WANs in the firewall rules, rather than by interface.
-
What you might need to do is set up another virtual IP (CARP, Proxy ARP, or IP alias) on WAN to accept the incoming NAT requests from the second WAN, and have the second WAN router forward traffic to that VIP. Then you can use the VIP choices to distinguish between the WANs in the firewall rules, rather than by interface.
Thanks, I thought that might be a way to go.
I've done this and have rules set up specifically for incoming connections from my static IP. However, they still only work if the static IP connection is my default gateway.
If I change the gateway in my firewall rule to anything other than "default" I lose my connection regardless of what my default gateway is.
-
Yeah I wondered if that might happen, what it really needs is a way to add a "reply-to" tag on the rules for that incoming traffic, but I don't think we have a manual way to do that.
-
Yeah I wondered if that might happen, what it really needs is a way to add a "reply-to" tag on the rules for that incoming traffic, but I don't think we have a manual way to do that.
Is this something that would be on the "to-do" list?
I can work around it for now - pfSense is doing great things for me and I'd like to stick with it, ready to beta test the "reply-to" feature if it's coming!
Otherwise I could look at sticking an extra NIC into the box and doing things the "normal" way.
-
Not sure if that is on the to-do list for 2.0 or not, it isn't a scenario many people have gotten into yet since the functionality is still pretty new.
-
OK, it looks like I need to go down the extra NIC route.
Would there be any problem if both my WAN cards connected to the same network? E.g. set WAN1 as 10.0.0.254 and WAN2 as 10.0.1.254, configure my ADSL routers accordingly, but connect WAN1, WAN2, and both routers to the same switch?
The pfSense box is in a different room from the routers so the cabling implications otherwise are a bit of a pain!
-
As long as you hardcode those IPs, it should be OK for them to be in the same subnet as long as their gateways are different.
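The two mechanisms the thread keeps coming back to, a gateway choice on the LAN rule for outbound traffic and a "reply-to" tag on the inbound port-forward rule so replies leave by the same WAN they arrived on, are both plain pf features underneath pfSense. The fragment below is an added illustration written for this thread, not pfSense-generated configuration and not anything the posters wrote; it uses the two-NIC layout from the last posts (WAN1 as 10.0.0.254, WAN2 as 10.0.1.254) and assumes the interface names em0/em1/em2, the router addresses 10.0.0.1 and 10.0.1.1, a LAN of 192.168.1.0/24 and a forwarded web server at 192.168.1.10.

```pf
# Added illustration (not pfSense-generated config): hand-written pf rules for
# the two-NIC layout discussed in the thread. Interface names, router
# addresses, the LAN range and the forwarded service are assumptions.
wan1_if = "em0"        # pfSense WAN1, 10.0.0.254, ADSL router assumed at 10.0.0.1
wan2_if = "em1"        # pfSense WAN2, 10.0.1.254, static-IP router assumed at 10.0.1.1
lan_if  = "em2"
wan1_gw = "10.0.0.1"
wan2_gw = "10.0.1.1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# Outbound: the gateway choice sits on the LAN rule, as the thread says.
# route-to sends matching LAN traffic via WAN1's router regardless of which
# WAN currently holds the default route.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) inet proto { tcp udp } \
    from $lan_net to any keep state

# Inbound port forward arriving on WAN2: rdr rewrites the destination to the
# server, then the pass rule carries reply-to so the state created for the
# connection sends replies back through WAN2's router. Without reply-to the
# replies follow the default route, which is exactly the breakage described
# above when the static line is not the default gateway.
rdr on $wan2_if inet proto tcp from any to ($wan2_if) port 80 -> $web_srv port 80
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp \
    from any to $web_srv port 80 flags S/SA keep state
```

For the single-NIC variant discussed earlier in the thread, both the route-to and reply-to targets would name the same interface with different gateway addresses, and the inbound rule would match on the virtual IP assigned to the second WAN rather than on the interface address. Check the rules that pfSense actually generates (in the rules file under /tmp on the box) against this fragment before relying on it, since the GUI of the version being discussed did not expose reply-to as a manual option.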