Balance Gateways when Gateway and WAN are on different subnets

basupriyapaul

Does your setup work in pFsense CE 2.3.2 release ? If not, just try out the latest 2.4 snapshot, running the latest FreeBSD version 11.
I am running the latest development release and everything is working awesome. I have a Quad-WAN setup, all set to 'Tier 1' priority level. And yes, load balancing works 'perfectly' unlike that in 2.3.2 release, which suffered many hiccups with the same setup.

Link for download : https://snapshots.pfsense.org/amd64/pfSense_master/installer/pfSense-CE-memstick-2.4.0-DEVELOPMENT-amd64-latest.img.gz

nodau

Balancing is working when gateway monitoring is disabled, assuming all gateways are always up and running.

what bothers me is the ping issue from within pfsense when chosing wan2 interface as source address.

maybe this is by design which i dont think and i hope that someone with a similar config as mine can test it.

basupriyapaul

It would be helpful if you could post screenshots of your config. Only then can I surely help you out.

nodau

so, i attached some configs. i want to clearify that when wan and gateway reside on the same subnet everything works fine.

basupriyapaul

Okay, that's alright.

Just make a few changes.

#1 Change monitor IP of :
A.1. WAN1_STATIC to 8.8.8.8
A.2. WAN2_STATIC to 8.8.4.4
Press, Save.

B. Set 'Alert Interval' value of both gateways as 500.

#2 Now, go to 'System' - 'General Setup'
Under 'DNS Server Settings', change 'DNS Server 1' to 8.8.8.8 and choose WAN1_STATIC from the drop down menu, given beside;
and 'DNS Server 2' to 8.8.4.4 and choose WAN2_STATIC from the given list.

Press, Save.

Now, tell me your current status, and yes, post screenshots of the same.

nodau

i already tried your config before. here are screen shots.

basupriyapaul

First, is your second WAN really online ? Have you checked that out, by connecting it to a basic router ?

Second, how is the second WAN been connected to your ISP ? Is it a normal setup such as ISP - Modem - pFsense, or something else ? And yes, is your second WAN on PPPoe or is it having a static IP ?

I am waiting for your reply.

nodau

first of all, all networks connected to the pfsense find their way out through wan2. so, yes, wan2 is online.

if wan2 gets an ip from the /29 subnet where the gateway resides, then ping from wan2 to internet and gateway monitoring is working.

my intention was not to waste 2 ip addresses for the pfsense boxes ha cluster from the /29 subnet.

basupriyapaul

Okay. That sounds great.
Could you provide me a graph on how all your WAN connections are been forwarded, because I am getting confused by this statement of yours, "first of all, all networks connected to the pfsense find their way out through wan2." ?

Uncheck 'Block Private Networks' in WAN2 interface and tell me the result.

I will be glad to help you.

And yes, don't forget to provide me a graph :)

nodau

1. why would i uncheck block private networks? doesnt make sense.

2. all networks just as lan, opt1, opt2, optx can ping the internet leaving on either gateway (wan1 and wan2). so routes must be correct. pfsense itself can ping the internet on all interfaces except wan2. when wan2 gets an ip from the gateways subnet, pfsense can ping the internet on wan2 again.

3. for balancing gateway monitoring must he working or disabled assuming gateways are allways up and running.

if you have a similar config as i do, maybe you could post some screenshots.

basupriyapaul

• Which gateway are you talking about in 'when wan2 gets an ip from the gateways subnet," ?

• I don't have an exact setup like yours, but I do have load balancing with four WANs, and yes, it works perfectly well. As of now, my pfSense server is disassembled and not in a working state. Hence, I cannot post any screenshots of the same. Sorry, man.

• By looking at the WAN IP of WAN2 interface, I felt that it was connected to some device which can provide DHCP (due to local IP, 192.168.100.10). So, I told you to uncheck 'Block private networks' in case that is the situation. Correct me if I'm wrong.

nodau

usually wan interface and gateway are on the same subnet. this is the default config if you run pfsense behind a router. the gateway would get the routers ip and the pfsense wan interface will get a static ip or by dhcp if configured on the router.

sometimes you have a direct internet connection where the gateway gets a public ip from a 29 subnet eg 224-231, where 224 is the network, 225 the gateway, 231 the broadcast. so you will have ip 226-230 for natting. normally you would assign the pfsense wan interface an ip between 226 and 230. which means you then have one ip less for natting. now assume you have a ha cluster. you will lose another ip for the second pfsense box. right now you have only 3 ips left for natting.

in order to get 5 ips again you would do the following. you assign the wan interface an ip from an unused local subnet. when your wan interface gets an ip from that unsused local subnet, routes must be rewritten so the wan interface knows the gateway. in pfsense versions prior to 2.3 this had to be done manually or by script. starting with version 2.3 the routes where correctly set automatically.

you could try the following. change one of your wan interfaces to an unsused local subnet. check the results in the routes table, gateway monitoring and do a diagnostic/ping from that interface from the web gui. if all is still working, i can assume that my config is corrupt. if you get the same results as i do, i assume there is a bug which needs to be further investigated.

basupriyapaul

First of all, I apologize for the delay caused due to some personal circumstances.

Now, regarding the public IPs, why do you even want to have so many public IPs ? Are you hosting some network, or just for a home environment or a casual office network ?
Have you specifically subscribed for the public IPs and are paying for every single IP ?

I do not have a public IP allotment from my ISP. So, trying out your instructions just won't work for me.

Still need anything ? Just give a knock :)

nodau

thats why i'm looking for someone with a similar config.

nodau

i found a weird issue on a fresh 2.3.2 install when configuring a gateway.

The following input errors were detected:

The gateway address x.x.x.225 does not lie within one of the chosen interface's subnets.

i thought that version 2.3 is able to handle different subnets for wan interface and gateway. :-\

heper

System/Routing/Gateways/Edit/Use non-local gateway

nodau

thx. at least settings could be saved now. routes seem to be correct, but no internet access.

Destination Gateway Flags Use Mtu Netif Expire
default         x.x.x.225 UGS 211 1500 vmx0
8.8.4.4         x.x.x.225 UGHS 91 1500 vmx0
8.8.8.8         x.x.x.225 UGHS 593 1500 vmx0
10.0.10.0/29 link#1 U 0 1500 vmx0
10.0.10.5         link#1 UHS 0 16384 lo0
x.x.x.225         00:50:56:b8:b2:c4 UHS 0 1500 vmx0
127.0.0.1         link#6 UH 582 16384 lo0
172.31.0.0/22 link#2 U 477 1500 vmx1
172.31.3.250 link#2 UHS 0 16384 lo0

heper

Please draw a schematic as this isn't making much sense to me

nodau

here you go

with the current config everything is working as expected. if i change wan 2 ip to an unused private ip. gateway monitoring and ping from wan 2 to internet stops working.