Two Pfsense each with Separate Internet routing each other
-
The transit is the network that is connecting your 2 pfsense together.. This is the network used to get to the other networks/router…
So in your case this is over your fiber connection - correct?
So on pfsense 1 on one of its opt interfaces give it IP address 192.168.1.1/30, on pfsense 2 connect the other end to one of its opt interfaces and give it IP address 192.168.1.2/30. There is no reason to use a /24 or any other larger mask since the only thing on this transit network would be the 2 pfsenses.. Are you planning on having other devices connected to this fiber network? If so then you could use a larger mask. But keep in mind devices on a transit would need host routing to know where to go to get to what network - really the only thing that should ever be on a transit network are routers.. You could have switches sure - but their management IPs should only be accessed from 1 side or the other. Or you're going to run into asymmetrical routing unless you create routes on them so they understand which direction to go when they get traffic from a specific network.
Do not put default gateways on these opt interfaces.
But create a gateway.. on each pfsense pointing to the other 192.168.1.x address. Under system routing..
Then under the same place create a static route using the gateway you created to point to the network on the other pfsense. Do the same thing on the other pfsense with a route to get to the first pfsense network. On the interface you created for the opt interfaces just create an any any rule on each. You can get fancier with blocking traffic after you're sure it's working.
Clients on each end should then be able to get to the other networks. Unless you have messed with the default lan rules and changed them from any any or put in blocks? etc..
Once you have that working you could create gateway group and then use this gateway group in your lan rules to tell the clients what gateway to use vs the wan which would be set to default. I would prob put a rule above this rule that sends traffic out your gateway group to allow traffic to the other network.
I can post up some screen shots of this setup - But prob be best to fire up a couple of vms to be able to get exact screenshots and show you how a traceroute would look, etc. If you really need that I could prob find some time ;) Are you using 2.3.4p1 or 2.4rc? So I fire up the correct vms if need be ;)
-
Thx again,
Yes I am using 2.3.4p1
-
-
Sorry did not see your response.. I will try and fire up 2.3.4p1 today and get your screenshots. But to be honest have already given you all the steps..
-
I appreciate your efforts and the help you extended. Since I am new, I somewhat like to see what and how.
I am again thankful for your efforts and for letting me learn.
-
If you're so new to this - why are you involved in routing traffic between 2 sites with a fiber connection and multiple internet connections? Makes zero sense to me.. What is the current configuration of these sites?
-
Actually I am new in pfsense and a couple of friends are working together to learn and use each other's internet from afar as I told you earlier.
My apartment is about 2000ft away from my other friend. We have learned how to splice OFC cable and it was fun.
Now as I was reading about pfsense multi wan and fail-over I need to create two way traffic between us.
My other neighbor is already sharing my internet.
I have earlier developed a VPN between me and another friend who lives in Chicago. I am learning a lot, but sometimes it's not as easy as it is for a tech like you.
When can I expect the screenshots?
Thank you again.
-
Sorry did not see your response.. I will try and fire up 2.3.4p1 today and get your screenshots. But to be honest have already given you all the steps..
johnpoz,
Any news?
-
Ah makes more sense now ;)
I am firing up the VMs now - I have pf1.site1.lan up and running on 2.3.4p1, installing pf2.site2.lan and then can start taking screenshots..
So this is how I have duplicated your setup

pf1.site1.lan
em2 wan: 192.168.9/24 (site 1 internet)
em0 lan: 192.168.0.1/24
em1 transit: 192.168.1.1/30

pf2.site2.lan
em2 wan: 192.168.2/24 (site 2 internet)
em0 lan: 192.168.10.1
em1 transit: 192.168.1.2/30

I want to get the 2 pfsense up and running and then take vm snapshots, etc. So I can roll them back real easy to new.. If you need me to walk through different steps, etc. Sorry it's taken a bit but got side tracked ;) pf2 is almost done, it's updating to 2.3.4p1 now.. But I have to go out for my morning walk, and then get ready for work here soon. But now that I have them up and running I can configure your setup from work and take screenshots, etc. So for sure later today I'll have a pretty walk through for you…
-
Ok created the firewall rule for transit and now pf1 and pf2 can ping each other over the transit. I would hope you have gotten this far?
-
screen shots.
-
That is as far as I got before I had to go to work.. At work now - need to finish up some morning stuff.. Then will finish it.. So do you have your transit up and working.. Can each pfsense ping the other pfsense via the transit network you set up?
-
Ok - so now I have created the gateways pointing to the other pfsense transit IP..
See attached. Notice I set ipv6 on each wan of pfsense to none. This is only ipv4 setup and figured just remove ipv6 to have it look cleaner.
-
So now I have created the routes on each pf pointing to the network on the other pfsense.
See attached.
So there is a machine on each network 192.168.0.100 (site1) and 192.168.10.100 (site2)
So you can see they can ping the other machine on the other network, and if you do a trace route they hit their pfsense, go across the transit and hit the other side 192.168.1.1 or .2 depending on the direction you're going.
I will now create the gateway group and create the rules to allow if your local internet is down to use the other sides internet..
-
Ok..
So I created gateway groups on each side.
I used packetloss or high latency.. as the failover method.
I then added rule on the lan to allow the other network using default routing.
Then on the default lan rule changed its gateway to use the failover group.
Now when I simulate a failure on the site2 wan it goes out the site1 connection - which you can see from the traceroutes.
Any questions just ask..
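As an added illustration (not part of the thread or pfSense itself), this Python model ties together the two posts above: the transit gateways and static routes from johnpoz's first post, and the failover gateway group standing in for the default route from this one. The WAN interface and ISP gateway addresses (192.168.9.10/.1 and 192.168.2.10/.1) are constructed since the thread only gives the /24s, and 203.0.113.10 is a TEST-NET-3 address standing in for an internet host.

```python
import ipaddress

class PfRouter:
    """One pfSense box: connected interfaces, static routes over the transit,
    and a failover gateway group used where the default route would be."""
    def __init__(self, name, connected, static, gw_group):
        self.name = name
        self.connected = {ipaddress.ip_network(n): ip for n, ip in connected.items()}
        self.static = {ipaddress.ip_network(n): gw for n, gw in static.items()}
        self.gw_group = gw_group  # tiers: own WAN gateway first, peer's transit IP second
        self.down = set()         # gateways the monitor currently marks as down

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        for n, own_ip in self.connected.items():   # directly attached wins
            if dst in n:
                return "connected", own_ip
        for n, gw in self.static.items():          # System > Routing > Static Routes
            if dst in n:
                return "static", gw
        for gw in self.gw_group:                   # first tier still up carries traffic
            if gw not in self.down:
                return "group", gw
        return "unreachable", None

def trace(routers, start, dst, max_hops=6):
    """Follow next-hop decisions until delivery, an unmodelled ISP hop or a dead end."""
    path, r = [], routers[start]
    for _ in range(max_hops):
        kind, hop = r.next_hop(dst)
        if kind in ("connected", "unreachable"):
            return path + [f"{r.name}:{'deliver' if kind == 'connected' else kind}"]
        path.append(f"{r.name}->{hop}")
        owner = next((x for x in routers.values() if hop in x.connected.values()), None)
        if owner is None:                          # hop is an ISP gateway: leaves the model
            return path + ["internet"]
        r = owner
    return path + ["loop"]

# Constructed addresses for WAN interfaces and ISP gateways (thread gives only the /24s).
pf1 = PfRouter("pf1", {"192.168.0.0/24": "192.168.0.1", "192.168.1.0/30": "192.168.1.1",
                       "192.168.9.0/24": "192.168.9.10"},
               {"192.168.10.0/24": "192.168.1.2"}, ["192.168.9.1", "192.168.1.2"])
pf2 = PfRouter("pf2", {"192.168.10.0/24": "192.168.10.1", "192.168.1.0/30": "192.168.1.2",
                       "192.168.2.0/24": "192.168.2.10"},
               {"192.168.0.0/24": "192.168.1.1"}, ["192.168.2.1", "192.168.1.1"])
ROUTERS = {"pf1": pf1, "pf2": pf2}

def site2_to_site1_lan():
    return trace(ROUTERS, "pf2", "192.168.0.100")   # static route across the transit

def site2_to_internet(site2_wan_down):
    pf2.down = {"192.168.2.1"} if site2_wan_down else set()
    return trace(ROUTERS, "pf2", "203.0.113.10")    # fails over via pf1 when WAN is down
```

Dropping the static route on either side sends the return traffic out that box's WAN instead of back over the transit, which is the asymmetric-routing trap the first post warns about.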
-
Sorry did not see your response.. I will try and fire up 2.3.4p1 today and get your screenshots. But to be honest have already given you all the steps..
-
huh?? Dude I have posted all kinds of screenshots showing all the different steps.
-
I am really thankful once again for the efforts you extended for me. I will use these instructions and post after successful implementation.
-
I followed all the instructions and images you have described but so far am unable to get the internet on pf2.
I can access both pfsense (pf1 & pf2) but no internet on 192.168.10.0/24 network (the wan is down on pf2 [192.168.10.0/24])
pf1 wan is up and working fine.