MUTLI WAN & NAT ??? [SOLVED - Reply#10]
-
OK! So I have " Fixed " it.. The issue was just as I figured in my last post.. on the Diagnostics: Routing tables page, The Default route was the " WAN PORT" IP.. I changed my default gateway to my OPT1 Interface and now the default route ip shows the OPT1 IP. Now I am able to reach any port I open from both WAN and OPT1 Ip's …. This is clearly a bug in PFSense, There should be a way to change the default route to a gateway group..this would solve the problem I think.. :) Well my issue is solved correct workaround or not... it's a fix for now..
-
When i change the default gateway to OPT1, then everything i opend on WAN1 dont work anymore…
-
Hey Marv, Here is my full config. I even have ICMP setup on this just so you can check from an external source if ur even able to ping the ip. It's all working very well for me now. nslookup on the domain resolves both ip's and load balancing is working great.
a link to the image for full size
http://m37offroading.ca/fullconfig.png -
Thanks for ur Time.
But i doesnt work for me ;/
I have no floating rules…The Rule is linked?? Yours not, what is this?
My Pfsense Version is 2.0.2-Release i386
I just want to have access to 8059 from the outside, over the FritzboxWAN ;(
Without Failover and only Fritzbox connectet it works fine ;( -
If i Set the Fritzbox Wan to default it works, but then every Portforwarding on the Unitymedia WAN is unable to reach :/
-
If I do this it works, with default on WAN…(pic)
I cant forward ports on WAN, i can do verthing, it never works...
Iam freaking out :D
-
Well I see a couple things wrong,
your Gateway group, Set both to Tier 1,
For the Firewall: NAT: Port Forward Page, On the configuration of the port 8059 go the the Filter rule association and make that None, Also NAT Refection , Enabled ( if you want to be able to access it from internal also)
Firewall: Rules, See mine above, See how I have rules in ever NIC and a Floating DNS failover rule, Include all these rules.
Leave your gateways leave as no default as it is in the screenshot.
This should work, I have successfully re-installed 2.0.1 -> upgraded to 2.0.2 and did my rules again and it all works perfect with no trouble. If you need more help PM me your email and we can get you up and working.
The Fix is above thou , that works and tested twice on 2 installs. :)
-
okay, thank you.
I will try this tommorow.
Ist just Failover not LoadBalancing, so Tier 1 and 2 is correct , or? -
No that is not correct, Please marv, follow my screenshots very carefully and match everything the same as your config. It will work ! :)
-
Ty for your Time, but I have to say that you are wrong ;/
Both on Tier1 is LoadBalancing, i got then two IP, when i checked my Ip in the internet.
I installed Pfsene again with CD now (therefore i did this over memstick.img).
Now it works, why ever oO ::)
The only things i did after the newinstall was. Setting the Gateways on Tier 1 &2, named it Failover, Add a (one) Nat-Rule- with assiocated Firewallrule. And add in the "lan to any" rule, the Failover Gateway.Works.
But thank you for help so far
-
OK! So I have " Fixed " it.. The issue was just as I figured in my last post.. on the Diagnostics: Routing tables page, The Default route was the " WAN PORT" IP.. I changed my default gateway to my OPT1 Interface and now the default route ip shows the OPT1 IP. Now I am able to reach any port I open from both WAN and OPT1 Ip's …. This is clearly a bug in PFSense, There should be a way to change the default route to a gateway group..this would solve the problem I think.. :) Well my issue is solved correct workaround or not... it's a fix for now..
Ok I figured out, what is different to my others installations, i swapped the WAN Interface in this Installation.
If the 2WAN is the one with the higher priority in the Gateway Group all is ok, is the first WAN-Interface with higher Prioty nothing works anymore.
Thats truly a bug. -
Marv! I am glad you figured it out… This is very much a bug and I have noticed the same thing... I was not 100% Sure that was what was fixing it the first time I got it working.. Doing that the second time It did not work..then I got my config that I have posted in reply 10 and it works great, with a re-install.. I just tried it AGAIN after you said this because I know for a FACT I had to do the same exact thing.
-
I don't have enough experience with multi-WAN to be able to just spot the issue, but I do know of one potential issue I had seen in the rules someone mentioned. As far as I know, "Pass" on port forwards bypasses the firewall rules, likely including the ones specifying which gateway to use. Firewall rules should be used instead of directly using "Pass" on port forwards if you have any special firewall rules with gateway settings. The same may apply to limiters or traffic shaping. Depending on how your rules are set up, you may need to duplicate some of the settings to the linked rules for your port forwards (I'm not certain of this, though).
-
Indeed, using "pass" on rdr will not give them the proper reply-to behavior to work with multi-wan.
Use a linked rule instead.
And if your WAN is a static IP type, make sure you have the gateway selected on the interface config so that the firewall will treat the interface as a WAN (this happens automatically for DHCP/PPPoE/etc) and put reply-to on the firewall rules.
-
Indeed, using "pass" on rdr will not give them the proper reply-to behavior to work with multi-wan.
Use a linked rule instead.
And if your WAN is a static IP type, make sure you have the gateway selected on the interface config so that the firewall will treat the interface as a WAN (this happens automatically for DHCP/PPPoE/etc) and put reply-to on the firewall rules.
Yeah, did that :)
Fact is, that i got problems with the WAN1 as Default.
Lets say WAN1 is UM(the internetprovider)
Lets say WAN2(opt1) is 1und1.
If UM is default on WAN1 it doesnt work.
If i swap the assignement and UM is on WAN2 everything works well, with exact the same rules. -
That still suggests your rules do not get reply-to for some reason. As above, the usual suspects are:
- Using "pass" on port forwards (rdr pass does not support reply-to, so that can't ever work, not something we can change)
- Not selecting a gateway on the Interface page for both WAN and WAN2 if using a static IP (this will make the firewall fail to fully treat the interface as a WAN, and skip reply-to)
- Checking the box in the advanced options to disable reply-to (Which, as the option implies, removes reply-to from rules)
Post the full contents of config.xml (you can remove keys/passwords) and a copy of /tmp/rules.debug.
If you choose to obscure IP addresses, leave enough to distinguish them (e.g. last octet), and do not remove them entirely.
-
That still suggests your rules do not get reply-to for some reason. As above, the usual suspects are:
- Using "pass" on port forwards (rdr pass does not support reply-to, so that can't ever work, not something we can change)
i used pass and no RDR ( The checkbox is unchecked) - Not selecting a gateway on the Interface page for both WAN and WAN2 if using a static IP (this will make the firewall fail to fully treat the interface as a WAN, and skip reply-to)
I have set a gateway for the static and none for the dhcp (will choose it on his own) - Checking the box in the advanced options to disable reply-to (Which, as the option implies, removes reply-to from rules)
No, xD. With Wan2 as default it works…
Post the full contents of config.xml (you can remove keys/passwords) and a copy of /tmp/rules.debug.
If you choose to obscure IP addresses, leave enough to distinguish them (e.g. last octet), and do not remove them entirely.
I will it post later, not at home right at the moment
- Using "pass" on port forwards (rdr pass does not support reply-to, so that can't ever work, not something we can change)
-
If you used "pass" on the port forward, it will not work with any non-default route WAN, and it can't work with "pass".
Change that to "add associated firewall rule" and then save/apply the port forward. Do that for every port forward you have that uses 'pass'
-
If you used "pass" on the port forward, it will not work with any non-default route WAN, and it can't work with "pass".
Change that to "add associated firewall rule" and then save/apply the port forward. Do that for every port forward you have that uses 'pass'
Sry I was not accurate enough. I used pass in the Firewall rule, not block and not reject.
BTW: add associated firewall rule is the default setting, when you create a NAT rule.
-
I'll still need to see the config.xml and /tmp/rules.debug. A screenshot of that doesn't tell me enough about what it's doing in the background.