Unsolved problem - Pfsense gurus help needed
-
Hello pfsense fans!
I need to use all these features at the same time:
- Packet filtering and NAT at internet entry point
- DNS forwarding
- Multiwan links with load balancing and failover
- Content filtering with squid
- Bandwidth shaping and throttling (by ip)
I am aware of these issues:
- Squid package doesn't work with multiwan
- Traffic shaper doesn't work with multiwan
So I would like to use two pfsense machines to make the whole thing work as expected. This is my idea:
ISP1 ---- WAN1 ----
|
|---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
|
|
ISP2 ---- WAN2 ----
On PFSENSE 1:
- NAT and port forwarding are enabled
- DNS forwarding is enabled
- Packet filtering is enabled
- Load balancing and failover are enabled
- Added a static route to private subnet 2
On PFSENSE 2:
- NAT is disabled because I don't want a double NAT (I selected the option "Advanced outbound NAT" and deleted all the rules)
- DHCP server is enabled for Private subnet 2
- Traffic shaper is enabled (via the wizard)
- Squid package is installed and enabled in transparent mode
- Traffic from subnet 2 to subnet 1 is allowed with the default rule, so I added a rule to allow the traffic in the opposite direction
PROBLEM: Users can't access the internet.
QUESTIONS:
- Does the traffic shaper work without NAT?
- Is there something I am missing?
- Comments and suggestions?
Thanks in advance and excuse my English.
UPDATE
After some forum searching I understand the need to activate "Advanced outbound nat" on PFSENSE 1 and add a mapping for SUBNET 2. So I made the change and applied it. However, the users on subnet 2 still can't reach the Internet.
UPDATE
Based on this post http://forum.pfsense.org/index.php?topic=10524.0
I added the rules to allow traffic to pass from subnet 2 to the PFSENSE 1 LAN interface, however users on private subnet 2 still cannot access the Internet (traffic between subnet 1 and subnet 2 is normal). Still stuck...
-
On the inside one you'll want to disable NAT by enabling AON and deleting the auto created rules at the bottom of the screen.
On the outside one, you need a static route pointing private subnet 2 to pfsense2's WAN IP.
Private subnet1 and private subnet 2 must be completely different subnets.
Traffic shaping does work with routing.
Interesting setup to get around some of the limitations that exist in the software! Not a bad idea at all. It's less than ideal to have two firewalls, but it'll work.
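The checklist in the reply above (no double NAT on the inside box, a static route on the outside box to PF2's WAN IP, non-overlapping subnets, plus the outbound NAT mapping and LAN allow rule the original poster had to add) written up as a small configuration checker. This is an added example, not code from the thread or from pfSense itself; the config dicts, address ranges and key names are constructed for illustration.

```python
import ipaddress

def check_chain(pf1, pf2):
    """Return the list of problems found; an empty list means subnet 2 can reach the Internet."""
    problems = []
    lan1 = ipaddress.ip_network(pf1["lan_subnet"])
    lan2 = ipaddress.ip_network(pf2["lan_subnet"])
    pf2_wan = ipaddress.ip_address(pf2["wan_ip"])
    # Subnet 1 and subnet 2 must be different networks, or PF1 cannot route between them.
    if lan1.overlaps(lan2):
        problems.append("subnet 1 and subnet 2 overlap")
    # PF2's WAN address has to live on PF1's LAN so the static route has a reachable gateway.
    if pf2_wan not in lan1:
        problems.append("pf2 WAN IP is not inside subnet 1")
    # PF1 needs a static route for subnet 2 via PF2's WAN IP, otherwise replies go to the default gateway.
    if not any(ipaddress.ip_network(r["network"]) == lan2 and ipaddress.ip_address(r["gateway"]) == pf2_wan
               for r in pf1["static_routes"]):
        problems.append("pf1 has no static route to subnet 2 via pf2 WAN IP")
    # With AON on PF1 the outbound mappings must cover subnet 2, or packets leave WAN unmasqueraded.
    if not any(lan2.subnet_of(ipaddress.ip_network(m)) for m in pf1["outbound_nat"]):
        problems.append("pf1 outbound NAT has no mapping for subnet 2")
    # PF1's LAN rules only pass "LAN net" by default; subnet 2 sources need their own allow rule.
    if not any(lan2.subnet_of(ipaddress.ip_network(s)) for s in pf1["lan_allow_sources"]):
        problems.append("pf1 LAN rules do not allow traffic from subnet 2")
    # PF2 must not translate at all (AON enabled, auto rules deleted), otherwise it is a double NAT.
    if pf2["outbound_nat"]:
        problems.append("pf2 still has outbound NAT rules (double NAT)")
    return problems

# Constructed sample configs (hypothetical addresses, not taken from the thread).
PF2 = {"lan_subnet": "192.168.2.0/24", "wan_ip": "192.168.1.2", "outbound_nat": []}
PF1_INITIAL = {  # first attempt: default LAN rule only, no outbound mapping for subnet 2
    "lan_subnet": "192.168.1.0/24",
    "static_routes": [{"network": "192.168.2.0/24", "gateway": "192.168.1.2"}],
    "outbound_nat": ["192.168.1.0/24"],
    "lan_allow_sources": ["192.168.1.0/24"],
}
PF1_FIXED = dict(PF1_INITIAL, outbound_nat=["192.168.1.0/24", "192.168.2.0/24"],
                 lan_allow_sources=["192.168.1.0/24", "192.168.2.0/24"])

if __name__ == "__main__":
    for name, cfg in (("initial", PF1_INITIAL), ("fixed", PF1_FIXED)):
        print(name, check_chain(cfg, PF2) or "OK")
```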
-
In order to use traffic shaping you would have to place the proxy in between the pf1 and the pf2. I would use Ubuntu Server with the latest squid.
ISP1 ---- WAN1 ----
| Ubuntu Server
|---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
|
|
ISP2 ---- WAN2 ----