Netgate Discussion Forum

    Two WANs with different subnets from 2 ISPS; no balancing/fail-over

    Routing and Multi WAN
    3 Posts 3 Posters 733 Views
    pfnoob

      Hello, just a simple question as I am unable to find an answer here or in the docs (maybe someone can offer some links to this?): how can I use the same pfSense (2.2) machine for two ISPs if I got two /29 subnets from each of them? Already set up for one ISP, pfSense being the gateway, no NAT, and it is working fine.

      Is this as easy as (I think it is):
      - adding a second card with 2 NICs;
      - plugging the second ISP in a port, the other to the switch (in a different VLAN) to get my 6 public IPs to a couple of servers;
      - configuring this second card with a WAN and a LAN just as in the first case, with different IPs, gateway and DNS;
      - configuring roughly the same firewall rules, accordingly, on this second WAN?

      I am asking because I never tried it and want to be sure before I sign up with the other ISP; but I don't need fail-over or balancing (I guess, because I don't think there is an easy way without BGP in my case; please correct me if I am wrong) for those servers (DNS, web, SFTP, email, etc.). Just need the public IPs from those subnets, separated.

      Also, will pfBlockerNG and Snort work OK with two WANs for both interfaces and no virtual-nothing?

      Thank you. I love pfSense!

      tim.mcmanus

        This isn't tough.

        You could do it ideally with three physical NICs on the pfSense box: WAN1, WAN2, and LAN. Both WANs will be gateways. You will need something to tell traffic to route to one or the other WAN from the LAN side; otherwise all traffic will only use one gateway, unless you only expect incoming traffic, in which case incoming from either WAN to a LAN address would mean that the traffic would route back out the incoming WAN.

        Derelict (LAYER 8, Netgate)

          I don't think you will have ANY joy if you tried to BGP advertise a /29 anyway.

          Sounds like you're talking about routed subnets. That would be four interfaces: the two ISP interfaces (/30s?) and the two /29s.

          As stated, you can do this with one pfSense. You would need to policy-route out the proper WAN port, or you could NAT out either.

          Note that there is nothing stopping you from using NAT for outbound traffic from one provider's IP addresses to the other's in a failover, emergency situation.  You could:

          - ISP 1 addresses out ISP 1's WAN: no NAT
          - ISP 1 addresses out ISP 2's WAN: NAT

          And vice versa. Nothing you can do about inbound connections other than change DNS.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

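A pf.conf sketch of the scheme described in this thread (each routed /29 policy-routed out its own WAN, NAT applied only when a block is pushed out the other ISP's link, and replies pinned to the WAN a connection arrived on). This is an added illustration, not from the thread or from pfSense's generated ruleset; the interface names, gateways and RFC 5737 documentation addresses are placeholders, and in pfSense the same effect comes from the Gateway field on LAN rules plus Hybrid/Manual Outbound NAT rather than from editing pf.conf by hand.

```pf
# Constructed example: interface names and addresses are placeholders,
# not values from the thread.
wan1 = "igb0"            # link to ISP 1 (their /30)
wan2 = "igb1"            # link to ISP 2 (their /30)
lan1 = "igb2"            # ISP 1's routed /29 lives here (one VLAN)
lan2 = "igb3"            # ISP 2's routed /29 lives here (another VLAN)
isp1_gw  = "203.0.113.1"
isp2_gw  = "198.51.100.1"
isp1_net = "192.0.2.0/29"
isp2_net = "192.0.2.8/29"
srv_ports = "{ 22, 25, 53, 80, 443 }"   # SFTP, mail, DNS, web

set skip on lo0
block log all

# Translation rules are matched before filter rules. Nothing matches
# isp1_net leaving on $wan1 or isp2_net leaving on $wan2, so those packets
# keep their own public source (routed, no NAT). A block sent out the
# *other* ISP's link in an emergency is masqueraded behind that WAN
# address; the far ISP would otherwise drop it as a spoofed source.
nat on $wan2 from $isp1_net to any -> ($wan2)
nat on $wan1 from $isp2_net to any -> ($wan1)

# Policy routing: each /29 egresses via its own ISP regardless of which
# gateway holds the system default route.
pass in quick on $lan1 route-to ($wan1 $isp1_gw) from $isp1_net to any keep state
pass in quick on $lan2 route-to ($wan2 $isp2_gw) from $isp2_net to any keep state

# Inbound to the servers. reply-to forces the return traffic out the WAN
# the connection entered on, so a session arriving on WAN2 is not answered
# via WAN1 (the asymmetric-path problem raised above). pfSense adds
# reply-to automatically on multi-WAN interface rules.
pass in on $wan1 reply-to ($wan1 $isp1_gw) proto { tcp, udp } \
    from any to $isp1_net port $srv_ports keep state
pass in on $wan2 reply-to ($wan2 $isp2_gw) proto { tcp, udp } \
    from any to $isp2_net port $srv_ports keep state

# Emergency only, disabled here: with ISP 1's link down, send ISP 1's block
# out ISP 2 and let the nat rule above rewrite the source. In pfSense this
# is a gateway group (WAN1 tier 1, WAN2 tier 2) on the lan1 rule instead.
# pass in quick on $lan1 route-to ($wan2 $isp2_gw) from $isp1_net to any keep state

pass out quick keep state
```

Inbound reachability still follows the address, so if ISP 1's link is down the only lever for ISP 1's servers is DNS, exactly as the thread says.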
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.