Netgate Discussion Forum

Dual wan - dual lan - no loadbalance

Routing and Multi WAN
    warpke
    last edited by Mar 20, 2008, 11:55 AM

    i have a dual wan and dual lan setup, i don't need loadbalancing.
    i use the 1.2-RELEASE

    WAN (pppoe) ----\              /--- LAN  (192.168.1.0/24)
                     \            /
                      -- pfsense --
                     /            \
    WAN2 (dhcp) ----/              |--- AIR1 (192.168.10.0/24)
                                   |--- AIR2 (192.168.10.0/24) (bridged)
                                   |--- AIR3 (192.168.10.0/24) (bridged)

    each AIR interface has an access point connected, there is a DHCP service running (on the pfsense only) in AIR1 subnet
    one server in the LAN subnet should use the WAN
    i want everything else (LAN and AIR subnets, and an IPSEC) on WAN2

    general settings:

    DNS servers:  193.109.184.75 (WAN primary DNS)
                        195.130.130.164 (WAN2 primary DNS)
    DNS serverlist overridden is checked off

    static route settings: (for ISP DNS servers)

    Interface    Network               Gateway         Description
    LAN          193.109.184.75/32     WAN gateway     primary dns dommel
    LAN          195.130.130.164/32    WAN2 gateway    primary dns telenet

    advanced outbound nat:

    Interface    Src                Port    Dest    Port    NATAddr    Port    StaticPort
    WAN          192.168.1.0/24     *       *       *       *          *       NO
    WAN          192.168.10.0/24    *       *       *       *          *       NO
    WAN2         192.168.1.0/24     *       *       *       *          *       NO
    WAN2         192.168.10.0/24    *       *       *       *          *       NO

    firewall rules:

    LAN
    Proto    Src          Port    Dest        Port    Gw      Schedule    Description
    *        LAN net      *       AIR1 net    *       *
    *        server ip    *       *           *       *
    *        LAN net      *       *           *       WAN2

    AIR1 (AIR2 & AIR3 has the same rules)
    Proto    Src         Port    Dest       Port    Gw      Schedule    Description
    *        AIR1 net    *       LAN net    *       *
    *        AIR1 net    *       *          *       WAN2

    i have 2 problems i can't get solved:

    -the AIR subnet can't resolve, it can ping server ip but it can't ping pfsense
    (if the AIR subnet has the default gateway everything works)
    all LAN ip's get routed properly to the WAN2 without problems
    the server gets routed to WAN without problems

    -IPSEC only works over WAN, but i would like it to work over WAN2

    i've been struggling with settings for over a month now, any help is greatly appreciated

      GruensFroeschli
      last edited by Mar 20, 2008, 12:33 PM

      I'm not really sure if you shouldn't set the "Interface" of your Static route to "WAN" or "WAN2".
      The description is a bit vague but from experience with other routers you usually define on which interface the route goes out.
      (Could someone that knows more shed some light on this?)

      Also i'm not really sure if that helps but you could try and set your AIR rules to:

      AIR1 (AIR2 & AIR3 has the same rules)
      Proto    Src         Port    Dest            Port    Gw      Schedule    Description
      *        AIR1 net    *       LAN net         *       *
      *        AIR1 net    *       AIR1 address    *       *
      *        AIR1 net    *       *               *       WAN2

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        warpke
        last edited by Mar 20, 2008, 12:56 PM

        yes, thanks!!  :D

        the AIR subnet gets routed to WAN2 now

        now i can focus on the IPSEC problem…

          Perry
          last edited by Mar 20, 2008, 1:37 PM

          I have to jump in here and give my thanks to GruensFroeschli too :)
          That Interface IP Address trick is just nice… though i don't fully understand why it's needed.

          /Perry
          doc.pfsense.org

            GruensFroeschli
            last edited by Mar 20, 2008, 2:35 PM Mar 20, 2008, 2:21 PM

            These rules:

            AIR1 (AIR2 & AIR3 has the same rules)
            Proto    Src         Port    Dest       Port    Gw      Schedule    Description
            *        AIR1 net    *       LAN net    *       *
            *        AIR1 net    *       *          *       WAN2

            Allow Access to the LAN net over the routing table
            Allow Access to everything else over WAN2.

            The DNS forwarder runs on the AIR-interface address.
            There is just no rule that allows access to the AIR-interface.
            The second rule allows traffic to everywhere over WAN2, but from WAN2 you cannot reach the AIR-interface :)

            AIR1 (AIR2 & AIR3 has the same rules)
            Proto    Src         Port    Dest            Port    Gw      Schedule    Description
            *        AIR1 net    *       LAN net         *       *
            *        AIR1 net    *       AIR1 address    *       *
            *        AIR1 net    *       *               *       WAN2

            Here we have a rule that allows access to the AIR1 interface explicit before allowing the rest to WAN2.

            @warpke:

            yes, thanks!! :D

            the AIR subnet gets routed to WAN2 now

            now i can focus on the IPSEC problem…

            Sorry totally forgot to answer to that.
            I don't use that but from what i read on this forum you need to create a static route that points to your remote WAN-IP on your OPTx (WAN2).
            Search the forum for that since there are a few threads on that :)

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
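
The rule-order effect explained in the post above, as an added example that is not part of the original thread or of pfSense itself: a simplified first-match evaluator run over the two AIR1 rule sets. The AIR1 interface address 192.168.10.1 and the client and destination addresses are assumptions constructed for illustration; the thread gives only the subnets.

```python
import ipaddress

# Subnets are from the thread; the interface address is an assumption.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
AIR1_NET = ipaddress.ip_network("192.168.10.0/24")
AIR1_ADDRESS = ipaddress.ip_network("192.168.10.1/32")  # assumed
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each rule is (source, destination, gateway). A gateway of None stands
# for "*" in the Gw column: the packet follows the normal routing table.
ORIGINAL_RULES = [
    (AIR1_NET, LAN_NET, None),
    (AIR1_NET, ANY, "WAN2"),
]
FIXED_RULES = [
    (AIR1_NET, LAN_NET, None),
    (AIR1_NET, AIR1_ADDRESS, None),  # reach the firewall itself first
    (AIR1_NET, ANY, "WAN2"),
]

def evaluate(rules, src, dst):
    """Return how a packet arriving on AIR1 is handled; first match wins."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule_src, rule_dst, gateway in rules:
        if src_ip in rule_src and dst_ip in rule_dst:
            if gateway is None:
                return "routing table"
            return f"forced to {gateway} gateway"
    return "blocked"  # no rule matched: default deny

def report(rules):
    """Evaluate three representative flows from one AIR1 client."""
    client = "192.168.10.50"  # constructed client address
    flows = {
        "dns forwarder": "192.168.10.1",  # service on the AIR1 address
        "lan server": "192.168.1.10",     # constructed LAN host
        "internet": "198.51.100.7",       # documentation-range address
    }
    return {name: evaluate(rules, client, dst) for name, dst in flows.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(label, report(rules))
```

With the original rules the DNS query to the interface address matches the catch-all rule and is handed to the WAN2 gateway, which is why the AIR clients could not resolve names or ping the firewall.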

              hoba
              last edited by Mar 20, 2008, 3:35 PM

              @GruensFroeschli:

              Sorry totally forgot to answer to that.
              I don't use that but from what i read on this forum you need to create a static route that points to your remote WAN-IP on your OPTx (WAN2).
              Search the forum for that since there are a few threads on that :)

              That's correct, you need a static route to the <remote-tunnel-endpoint-ip>/32 via <gateway-of-wan2>. All services running at the pfSense directly (like ipsec, a proxy, dnsforwarder,…) only follow the routingtable definitions.

                warpke
                last edited by Mar 21, 2008, 10:59 AM Mar 20, 2008, 5:49 PM

                when i set static route to the <remote-tunnel-endpoint-ip>/32 via <gateway-of-wan2>, and change the IPSEC settings on the other side towards my WAN2 ip

                i get
                No IPsec security policies.
                No IPsec security associations.

                on the other side of the tunnel IPsec security policies are created

                i'll switch it back to wan, i look into it further tomorrow because i need to go work now…

                thanks for the quick help  :D

                i resumed this IPSEC issue in the proper section:
                http://forum.pfsense.org/index.php/topic,8487.0.html

                  trc120
                  last edited by Mar 23, 2008, 3:19 PM

                  I have a similar problem using loadbalancing.

                  I added the rules as stated:
                  AIR1 (AIR2 & AIR3 has the same rules)
                  Proto    Src         Port    Dest            Port    Gw      Schedule    Description
                  *        AIR1 net    *       LAN net         *       *
                  *        AIR1 net    *       AIR1 address    *       *
                  *        AIR1 net    *       *               *       WAN2

                  Except for the last one I used my lanloadbalance GW.
                  I can now ping the lan and AIR1 as well as resolve the dns but AIR1 cannot access the internet.

                  The lan has always worked with balancing and failover.
