2 wans - how to direct traffic to each ?
-
Yeah…on your OPT1.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
please can you tell me what to put and where.
-
Ok…back to your original posting.
You have a WAN, LAN and OPT1 interfaces. You said you have 2 WANs. You need to describe your network in detail for me to be able to give you any meaningful help. All your interfaces have private addresses, so I can't really tell, all I can do is guess, and, this morning, I am a crummy guesser.
You need to make sure that block private is turned off on your two WAN interfaces, on their respective interface tab.
You also need to READ. Read how pfSense rules work. Put forth a little effort troubleshooting this yourself. Take a look at the firewall logs. They'll tell you what's happening when your packets don't make it through. -
its pretty much all there in the screenshots.
LAN 192.168.0.x
WAN 10.0.0.x - WORKS
OPT1 192.168.1.x NOT WORKS
There is no option to 'block private network' in OPT1 see the screenshot I already posted.
At this point all I want to achieve is for OPT1 to ping the outside world. I do not see why it doesn't as its settings are no different from WAN and that works.
If you can point me to a doc that explains how to make 2 wans work WITHOUT multi balancing or failover I'll gladly follow it.
-
Set your LAN hosts up in CIDR blocks, say
192.168.0.0/25
and
192.168.0.128/25Write two firewall rules on the LAN interface. Put them at the top of the list.
Write a pass rule that passes any type of traffic from 192.168.0.0/25 to any destination and any port any protocol. Click the Advanced button by Gateway and choose WAN.
Write a second pass rule that passes any type of traffic from 192.168.0.128/25 to any destination and any port any protocol. Click the Advanced button by Gateway and choose OPT1.
Save and apply.
Now, any host with an IP in the range of 192.168.0.2 to 192.168.0.126 will have their traffic go out WAN.
Any host with an IP in the range of 192.168.0.129 to .253 will go out OPT1.If you can't get traffic out OPT1 to the Internet, then you have a problem upstream of pfSense. Maybe a DNS issue, maybe whatever device is your OPT1 gateway is blocking ICMP. I don't know.
-
thanks, thats what I did but it didn't work because of the OPT1 issue.
Issue is definitely with PFsense, I plug a laptop into opt1 router and I can ping internet hosts no problem.
pfsense cant and I don't know why or where to look to find out why as it makes no sense.
As you can see below OPT1 DNS works as its resolving the hostname but no traffic.
-
Can OPT1 ping its gateway? 192.168.1.1
-
yes
-
Do you have an upstream gateway defined for OPT1?
-
thanks I read the multi wan but it inst relevant as I don't want fail over or load-balancing.
…Actually, it IS still relevant. You need to make sure you follow the directions for multi wan, including setting gateways for each, dns for each, and so on.
The only step that isn't necessary since you do not want failover or load balancing is setting up "Gateway Groups".
That way traffic will always use your default gateway, UNLESS specified to use the other gateway in your firewall rules.
I hope this helps,
-Alan
-
@KOM:
Do you have an upstream gateway defined for OPT1?
yes, the router IP and it can be pinged per my earlier screen shot.
I still can't see why pfsense is stopping traffic on OPT1.
Very frustrating.
-
Can you post a screen shot of the fw rules for Lan & OPTx.
Have you tried creating rules for OPTx to block what you dont want OPTx devices to connect to, then as the last rule create a allow everything rule. By this I mean its any to any not an any to WAN net or any to WAN address.
If you want to stop your OPTx devices from connecting to the fw, if you use DHCP pf will create a rule for the DHCP server automatically, but you will need to create a rule to allow access to the DNS (53) but immediately below that you can do a block rule for everything to the OPTx interface ip address to stop devices from connecting to anything else in the fw.
That should get you out on the OPTx interface, even if you add block rules to WAN net and WAN address before the allow everything!
-
here are the rules,
-
I'm not seeing anything are the images hosted outside of pfsense.org?
-
imgur
-
Yeah I saw them from another machine. Anyway this works on pfsense 2.2.2 and I'm not running multiple wans just one connection through a modem in bridge mode so I'm handling the ppoe username & password connection settings in pfsense which is passed out of the wan to the modem router running in bridged mode.
I've done a screen shot of some OPTx rules which work for me see attached. I've drawn a box around the gateway of the first rule, if you want to force traffic through a particular gateway as you have two connections you could try the gateway option which is a button at the bottom of the edit rule page.
You might also note I have two rules to block WAN net and WAN address but these dont work so ignore them.
The rules work from the top to the bottom and everything is a default deny but I prefer having explicit blocks in place just to be sure, on other interfaces I even explicitly allow individual ports for individual machines to really lock everything down and then I can see if anything has found a new way of communicating like passing messages in say netbios or other tricks.
See if the screen shot gives you any ideas for your own set up.
-
thanks for that.
The issue I have is, OPT1 cannot ping any host on the internet. It DOES resolve the name and I can ping if I connect to the router.
Until I can fix this issue nothing else is going to work.
I can't see where pfsense is blocking OPT1 from pinging any internet host.
-
So… your ISP DNS on WAN is the gateway on OPT? I don't think this is particularly sane... How many levels of NAT are you behind?
Also, WTH is the pfSense version used here? Most of this configuration stuff does not exist on 2.1.x, nor on 2.2.x; plus copyright 2004 - 2009. :o ::)