MultiWan, multiLan problem

LonelyWolf

Hi all, i'm having problems reaching a single address from lan to lan2 after enabling multiwan for failover in pfsense 2.1

This is the case:

Interfaces all static ip
LAN = 10.71.9.x
LAN2 = 192.168.1.x
WAN = VLAn configured and working, with default gateway
ADSL = standard ADSL, i want use this only if WAN is not working

Gateways:
GW_WAN (default)
AdslGateway -> to the adsl router monitor ip is 8.8.8.8

Groups:
FailOver-> WAN Tier1,AdslGateway Tier 2, Trigger Level Member Down

System -> Advanced -> Miscellaneus: check on Allow default gateway switching

Firewall -> Rules
No floating rules, no WAN rules, no ADSL rules
LAN2: only a rule to pass to LAN

LAN:
Anti-Lockout Rule, as default
A rule to pass traffic to my isp smtp, default gateway
A rule to block everything on port 25, default gateway
"Default allow LAN to any rule", default gateway

If i change "Default allow LAN to any rule" gateway to use the group Failover i can't reach any address in LAN2

If I add a rule:
source LAN (address or subnet)
destination LAN2 (address or subnet)
gateway default

before "Default allow LAN to any rule" (gateway Failover group) i can't reach LAN2

Can anyone help me?
Thanks

johnpoz

And per the multiwan guide - which could prob use some update.. But

https://doc.pfsense.org/index.php/Multi-WAN_2.0
When a firewall rule directs traffic into the gateway, it bypasses the firewall's normal routing table. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the firewall's routing table. These rules should be at the top of the ruleset – or at least above any rules using gateways.

Can you post screenshots of your rules - screens make it so much easier to make sure everyone is on the same page of understanding what the rules are saying and what order they are in.

Unless you only have 1 lan, your going to need rules above your rule that points to your multiwan gateways - so that you can use your normal routing table to access other lan networks.

phil just put up this great post, that needs to get put into the docs
http://forum.pfsense.org/index.php/topic,69318.msg384723.html#msg384723

LonelyWolf

Thanks fo your answer, Here some screenshots. (I've already read that guide.)

Status.png: pfsense box connections
LAN.png: LAN firewall rules, i can't reach LAN2
LAN2rules.png:just a rule to pass traffic from LAN2 to LAN (but now its not working!)

LANWorking.png: with these rules i can reach LAN2

Edit:
If i change the LAN last rule ("Default allow LAN to any rule ") destination as not LAN2 address or not LAN2 subnet or not Single Host (static ip on LAN2) i can't reach LAn2 anyway.

LonelyWolf

Maybe i found the solution, i'll do more tests but i can ping a lan2 address with these!

Added 2 floating rules:

action pass, interface lan, source lan subnet, destination lan2 subnet, protocol any
action pass, interface lan2, source lan2 subnet, destination lan subnet, protocol any

johnpoz

You have NO rules in LAN that would allow traffic to LAN2

Your source is "LAN address" that is PFSENSE IP address, not clients on pfsense lan network.  Your last rule that has lan net which is correct sends everything to your gateway.

As already gone over put the correct rules on your interfaces before the GATEWAY rules for your multiwan and your good.  Which is what your doing with the floating rules.

Your LAN2 rules is wrong as well - you have spelled out pfsense LAN address as source, not the lan2 network.

tim.mcmanus

LAN net to LAN2 net
LAN2 net to LAN net

See screenshots of the setup I'm using.  Works like a charm.


LonelyWolf

Thanks to both of you, it was my fault.