Unsolved problem - Pfsense gurus help needed

  • Hello pfsense fans!

    I need to use all these features at the same time:

    • Packet filtering and NAT at internet entry point
    • DNS forwarding
    • Multiwan links with load balancing and failover
    • Content filtering with squid
    • Bandwidth shaping and throttling (by ip)

    I am aware of these issues:

    • Squid package doesn't work with multiwan
    • Traffic shaper doesn't work with multiwan

    So I would like to use two pfsense machines to make the whole thing work as expected. This is my idea:

    ISP1 ---- WAN1 ----
                       |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
    ISP2 ---- WAN2 ----

    On PFSENSE 1:

    • NAT and port forwarding are enabled
    • DNS forwarding is enabled
    • Packet filtering is enabled
    • Load balancing and failover are enabled
    • Added a static route to private subnet 2

    On PFSENSE 2:

    • NAT is disabled because I don't want a double NAT (I selected the option "Advanced outbound NAT" and deleted all the rules)
    • DHCP server is enabled for Private subnet 2
    • Traffic shaper is enabled (via the wizard)
    • Squid package is installed and enabled in transparent mode
    • Traffic from subnet 2 to subnet 1 is allowed with the default rule, so I added a rule to allow the traffic in the opposite direction

    PROBLEM: Users can't access the internet.

    1. Does the traffic shaper work without NAT?

    2. Is there something I am missing?

    3. Comments and suggestions?

    Thanks in advance and excuse my English.


    After some forum searching I understand the need to activate "Advanced outbound NAT" on PFSENSE 1 and add a mapping for SUBNET 2. So I made the change and applied it. However, the users on subnet 2 still can't reach the Internet.


    Based on this post http://forum.pfsense.org/index.php?topic=10524.0 I added the rules to allow traffic to pass from subnet 2 to the PFSENSE 1 LAN interface; however, users on private subnet 2 still cannot access the Internet (traffic between subnet 1 and subnet 2 is normal).

    Still stuck ....

  • On the inside one you'll want to disable NAT by enabling AON and deleting the auto created rules at the bottom of the screen.

    On the outside one, you need a static route pointing private subnet 2 to pfsense2's WAN IP.

    Private subnet1 and private subnet 2 must be completely different subnets.

    Traffic shaping does work with routing.

    Interesting setup to get around some of the limitations that exist in the software! Not a bad idea at all. It's less than ideal to have two firewalls, but it'll work.
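    The following is an added model (not from the thread or from pfSense) of the chain described above: it encodes the three things the reply asks for on PFSENSE 1 (a LAN rule allowing subnet 2 as source, an outbound NAT mapping for subnet 2, a static route for subnet 2 via PFSENSE 2's WAN IP) plus no NAT on PFSENSE 2, and reports which of them is missing. All addresses and dict keys are constructed for illustration.

```python
"""Added model of the thread's two-pfSense chain: a host on PRIVATE SUBNET 2
sends to the Internet through PFSENSE 2 (no NAT) and PFSENSE 1 (filter + NAT).
Addresses are constructed; the dict keys are hypothetical, not pfSense config."""
import ipaddress as ip

SUBNET2 = ip.ip_network("192.168.2.0/24")      # users behind PFSENSE 2
PF1_LAN = ip.ip_address("192.168.1.1")         # PFSENSE 1 LAN side (subnet 1)
PF2_WAN = ip.ip_address("192.168.1.2")         # PFSENSE 2 WAN side (subnet 1)
ANY = ip.ip_network("0.0.0.0/0")

def next_hop(routes, dst):
    """Longest-prefix lookup: routes is a list of (network, gateway)."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def check_path(pf1, pf2, src, dst):
    """Return the problems that stop src (on subnet 2) reaching dst and back."""
    problems = []
    if next_hop(pf2["routes"], dst) != PF1_LAN:            # hop 1: PFSENSE 2
        problems.append("pf2: no route toward PFSENSE 1")
    if pf2["outbound_nat"]:
        problems.append("pf2: outbound NAT still active (double NAT)")
    if not any(src in n for n in pf1["lan_allow_src"]):    # hop 2: PFSENSE 1 LAN rule
        problems.append("pf1: LAN rule does not allow subnet 2 as source")
    if not any(src in n for n in pf1["nat_src"]):          # auto NAT only covers LAN net
        problems.append("pf1: outbound NAT has no mapping for subnet 2")
    if next_hop(pf1["routes"], src) != PF2_WAN:            # return path
        problems.append("pf1: no static route for subnet 2 via PFSENSE 2 WAN IP")
    return problems

# Constructed "as first posted" state: pf1 default LAN rule and automatic NAT only.
PF1_INITIAL = {"routes": [(SUBNET2, PF2_WAN)],
               "lan_allow_src": [ip.ip_network("192.168.1.0/24")],
               "nat_src": [ip.ip_network("192.168.1.0/24")]}
# Constructed state after the fixes the replies describe.
PF1_FIXED = {"routes": [(SUBNET2, PF2_WAN)],
             "lan_allow_src": [ip.ip_network("192.168.1.0/24"), SUBNET2],
             "nat_src": [ip.ip_network("192.168.1.0/24"), SUBNET2]}
PF2 = {"routes": [(ANY, PF1_LAN)], "outbound_nat": False}

def diagnose(pf1):
    """Problems for a user at 192.168.2.10 reaching a constructed public IP."""
    return check_path(pf1, PF2, ip.ip_address("192.168.2.10"), ip.ip_address("203.0.113.5"))

if __name__ == "__main__":
    print(diagnose(PF1_INITIAL))   # two problems
    print(diagnose(PF1_FIXED))     # []
```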

  • In order to use traffic shaping you would have to place the proxy between pf1 and pf2. I would use Ubuntu Server with the latest squid.

    ISP1 ---- WAN1 ----
                       |                Ubuntu Server
                       |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
    ISP2 ---- WAN2 ----