Setup Questions
-
Hi everyone,
I have what I feel is a complicated setup, probably because I can't seem to get it to work! I'm trying to accomplish:
Multi-WAN (Three links total)
1:1 NAT on all WANs (Most servers with two 1:1 NAT, some with IPs on all three WANs)
Authoritative DNS on all WANs
Load Balancing
IPSEC and PPTP
This is made even more complicated because it is on a production system, so I can really only work on it weekends and late nights. Currently we have a Peplink Balance 380 that does all this admirably but I have been getting TONS of packet loss on two of the WAN connections - so I wanted to try and replace the whole router with pfSense. All of the things I am trying to accomplish are important but some are more important than others… like getting inbound connections on NAT to work, for instance.
So far I have accomplished getting traffic to route outbound through the interface IP assigned in Interfaces:WAN* (I renamed the OPT interfaces to WAN2 and WAN3).
I have tried every combination of Virtual IP (PARP, CARP, Other, and IP Alias) and the most I can do is browse the internet on an internal address assigned to 1:1 NAT - and even that will still use the interface IP assigned to pfSense. I've read through the Definitive Guide to pfSense, followed as many tutorials as I could find and even tried the pfSense Cookbook, but not too much of that applied to my setup IMO. I believe that pfSense can do what I want it to, I am just hitting the wall on how to get there.
Can anyone give me some advice? This is my first attempt at configuring pf, so there is a GOOD chance that I made a rookie mistake - or even a series of them trying to get it to work.
I'll attach screenshots of the pertinent settings, at least the ones that I think relate to this. Please tell me if I need different ones.
EDIT: Forgot to mention that I'm using a pass all to all firewall rule while trying to get the NAT portion working.
-
Maybe I should have broken this down into more specific questions:
Can I have multiple 1:1 NAT entries for a single internal client going to different WANs?
Would the setup above be configured the same as a normal 1:1 NAT?
-
I gave up on the 1:1 NAT for now and I am now trying Inbound NAT (Port Forwarding) to try and simplify or at least rule out my possible mistakes. I think that my issue lies with the Virtual IPs that I am trying to add. I can get port forwarding to work as long as it's from the interface IP of pfSense. Anytime I try to do it with a VIP I can't seem to find a combination that works.
-
I still can't find a setting for VIPs that will work for me. The first two WANs are Charter Cable in the US and the third is a telco T1. I can really only test one WAN at a time until I get at least the basic networking going and the internet can access websites, services, etc. Is there some special setting to get it to work with cable internet that has static IPs?
Maybe this should really be in the VirtualIP section instead of the MultiWAN section…
-
Progress! I finally got ProxyARP type VIP to work! The secret was to go eat lunch after applying the settings. After waiting 10+ minutes the continuous ping that I was running from another internet connection started getting responses from the interface IP on pfSense saying "Destination host unreachable." I almost spilled my food jumping for joy. Why does it take so long to start working though? Does the GW need to update its ARP table before the VIP can work? Seems that I was at the mercy of my ISP while trying thousands of combinations (possible overstatement ;) ) to get this to work and the only thing that it needed was time? Now that port forwards are working I'm going to configure some other PARP VIPs so they can properly "age" and then go back to getting 1:1 NAT in play.
Still kind of curious about the question in my second post:
Can I have multiple 1:1 NAT entries for a single internal client going to different WANs?
Would the setup above be configured the same as a normal 1:1 NAT?
Does anyone have this setup and can confirm? My head can't handle another brick wall today!
TIA
-
Can I have multiple 1:1 NAT entries for a single internal client going to different WANs?
Yes.
Would the setup above be configured the same as a normal 1:1 NAT?
Yes.
The VIP not working immediately sounds like an upstream ARP cache issue that sorted itself out given enough time for it to timeout upstream.
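As an added illustration (not from this thread and not pfSense's own generated ruleset), here is what those two answers look like as a hand-written pf ruleset: one internal host with a separate 1:1 mapping on two WANs, plus a port forward to a Proxy ARP VIP on the third, with multi-WAN return routing pinned by reply-to. All interface names, gateways and addresses are constructed assumptions.

```pf
# Constructed example: interface names, gateways and addresses are assumptions.
wan1 = "em1"         # first cable link, gateway 203.0.113.1
wan2 = "em2"         # second cable link, gateway 198.51.100.1
wan3 = "em3"         # telco T1, gateway 192.0.2.1
srv  = "10.0.0.10"   # one internal server

# binat (1:1 NAT) is evaluated per interface, so the same internal host can
# carry a different public address on each WAN. Traffic leaving a given WAN
# from $srv is rewritten to that WAN's public IP, and inbound traffic to that
# public IP is translated back to $srv. Two GUI 1:1 entries for the same host
# on two WANs correspond to two rules like these.
binat on $wan1 from $srv to any -> 203.0.113.10
binat on $wan2 from $srv to any -> 198.51.100.10

# Plain port forward (rdr) to a Proxy ARP VIP on the third WAN instead of 1:1.
rdr on $wan3 proto tcp from any to 192.0.2.10 port 443 -> $srv port 443

# Filter rules see the translated (internal) destination. reply-to sends the
# replies back out the WAN the connection arrived on; without it the default
# route would push replies for WAN2/WAN3 connections out WAN1.
pass in quick on $wan1 reply-to ($wan1 203.0.113.1) inet proto tcp \
    from any to $srv port { 80 443 }
pass in quick on $wan2 reply-to ($wan2 198.51.100.1) inet proto tcp \
    from any to $srv port { 80 443 }
pass in quick on $wan3 reply-to ($wan3 192.0.2.1) inet proto tcp \
    from any to $srv port 443
```

None of this changes the ARP point above: the firewall answers ARP for the Proxy ARP VIPs as soon as they are applied, but the upstream gateway keeps using whatever MAC its cache already holds for that address until the entry expires.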
-
Chris,
Thanks for the answers! I need to get this project completed in a hurry, I've been working with it for too long. I'm thinking of signing up for the premium support package. Do you think your team would be able to help me to accomplish this inside a 5 hour block? Also, I would need to have this support happen on a weekend or at night; is it possible to arrange for something like that without needing emergency support?
-
Definitely sounds doable within 5 hours. We do pre-arranged cases outside normal business hours all the time outside of emergency support. Just need a little advance notice, a few hours generally ok, a day or two ideally to minimize the chance of schedule conflicts.
-
Fantastic! I'll be paying up in a few minutes then.