Dual pfsense setup NAT issue



  • Hello pfsense fans!

    I need to use all these features at the same time:

    • Packet filtering and NAT at internet entry point
    • DNS forwarding
    • Multiwan links with load balancing and failover
    • Content filtering with squid
    • Bandwidth shaping and throttling (by ip)

    I am aware of these issues:

    • Squid package doesn't work with multiwan
    • Traffic shaper doesn't work with multiwan

    So I would like to use two pfsense machines to make the whole thing work as expected. This is my idea:

    ISP1 ---- WAN1 ----
                              |
                              |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
                              |     
                              |
    ISP2 ---- WAN2 ----

    On PFSENSE 1:

    • NAT and port forwarding are enabled
    • DNS forwarding is enabled
    • Packet filtering is enabled
    • Load balancing and failover are enabled
    • Added a static route to private subnet 2

    On PFSENSE 2:

    • NAT is disabled because I don't want a double NAT (I selected the option "Advanced outbound NAT" and deleted all the rules)
    • DHCP server is enabled for Private subnet 2
    • Traffic shaper is enabled (via the wizard)
    • Squid package is installed and enabled in transparent mode
    • Traffic from subnet 2 to subnet 1 is allowed with the default rule, so I added a rule to allow the traffic in the opposite direction

    PROBLEM: Users can't access the internet.

    QUESTIONS:

    1. Does the traffic shaper work without NAT?

    2. Is there something I am missing?

    3. Comments and suggestions?

    Thanks in advance and excuse my English.

    UPDATE

    After some forum searching I understand the need to activate "Advanced outbound nat" on PFSENSE 1 and add a mapping for SUBNET 2. So I made the change and applied it. However, the users on subnet 2 still can't reach the Internet.

    UPDATE

    Based on this post http://forum.pfsense.org/index.php?topic=10524.0
    I added the rules to allow traffic to pass from subnet 2 to pfsense 1 LAN interface, however users on private subnet 2 still cannot access the Internet (traffic between subnet 1 and subnet 2 is normal)

    Still stuck....



  • Sorry, I have no suggestions, but I hope you get it working and let us know what the issue was. I'm thinking of setting up such a config, or perhaps waiting until 1.3 final is out, which should be able to do everything you need from one pfsense box.



  • SOLVED! BUT....

    I made a mistake on the firewall rules, allowing subnet 2 traffic on the wrong interface (I have a third OPT LAN interface on the border pfsense). The setup shown is OK, but I have found another problem (it seems to be a known issue): the traffic shaper doesn't work when Squid in transparent mode is enabled.
    Searching the forum I cannot find a real solution.

    Any suggestion?
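
As an added illustration (not the thread's own configuration, which pfSense generates from the GUI), here is the hand-written pf.conf equivalent of the border box (PFSENSE 1) the poster ended up with, including the wrong-interface rule from the SOLVED post; interface names, gateways and addresses are assumptions:

```pf
# Illustration only: pfSense builds its pf rules from the GUI; this is the hand-written
# pf.conf equivalent of PFSENSE 1. Interface names and addresses are assumed:
#   WAN1 = em0 (gateway 203.0.113.1), WAN2 = em1 (gateway 198.51.100.1)
#   LAN  = em2 = PRIVATE SUBNET 1 (192.168.1.0/24), OPT1 = em3 (the third interface)
#   PFSENSE 2's subnet-1 address = 192.168.1.2, PRIVATE SUBNET 2 = 192.168.2.0/24
wan1_if  = "em0"
wan1_gw  = "203.0.113.1"
wan2_if  = "em1"
wan2_gw  = "198.51.100.1"
lan_if   = "em2"
opt1_if  = "em3"
subnet1  = "192.168.1.0/24"
subnet2  = "192.168.2.0/24"
pfsense2 = "192.168.1.2"

# Prerequisite outside pf (System > Static Routes): replies to subnet 2 must go back
# through PFSENSE 2 instead of out the default gateway:
#   route add -net 192.168.2.0/24 192.168.1.2

# Translation: outbound NAT on BOTH WAN links for BOTH private subnets. This is the
# "Advanced outbound NAT" mapping from the first UPDATE; without the subnet 2 entry
# its packets leave with a private source address and never get a reply.
nat on $wan1_if from { $subnet1, $subnet2 } to any -> ($wan1_if)
nat on $wan2_if from { $subnet1, $subnet2 } to any -> ($wan2_if)

# Filtering: pfSense's implicit default deny, spelled out (outbound is not blocked).
block in log all

# Rules match on the interface a packet ENTERS. Subnet 2 traffic is routed by PFSENSE 2
# and enters the border box on $lan_if, so its allow rules belong on $lan_if.
# Traffic between the two private subnets must not be load-balanced out a WAN link.
pass in quick on $lan_if from $subnet2 to $subnet1 keep state
pass in quick on $lan_if from $subnet1 to $subnet2 keep state

# Internet-bound traffic from either subnet, load-balanced across both ISPs
# (failover, i.e. dropping a dead gateway, is done by pfSense's gateway monitor, not here).
pass in quick on $lan_if route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    from { $subnet1, $subnet2 } to any keep state

# The mistake from the SOLVED post: this rule reads correctly but is bound to OPT1, where
# subnet 2 packets never arrive, so it matches nothing and subnet 2 stays blocked.
# pass in quick on $opt1_if from $subnet2 to any keep state

# PFSENSE 2 has no nat rules at all (no double NAT); it only needs "pass in" on its LAN
# from $subnet2 and "pass in" on its WAN from $subnet1, the rule added in the first post.
```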

