I don't want to load balance or fail over, I need 2 independent WANs.
-
On the first WAN is my DSL connection. It is the one with the lowest latency but the least overall bandwidth; it is on a router that has VPN, and I want to keep it that way. The 2nd WAN is satellite internet and the latency is terrible (not good for online gaming), but it downloads stuff much faster than the DSL could hope to. I get tops 350 Kbps with DSL and 3.2 MBps with satellite. I was wanting to bond certain ports to each WAN, like have my satellite service handle my FTP (port 21) downloads while my DSL handles all browsing, HTTP and HTTPS (I forgot the ports).
I have a pfSense box that I made last year that has 3 NICs but cannot fit any more. Right now I have the WANs on 2 separate routers which, when I had a CAT6 going from 1 to the other on the LAN ports, were almost able to do what I need. I say almost because the 2nd router (satellite) would send the browsing request to my 1st router and put it in front of the VPN (encryption was bypassed). I want the DSL router to be in front of pfSense if it (pfSense) can handle the satellite internet on its own; I could then use the 2nd router after pfSense for distribution to my home. It has really good wireless coverage and it would be a shame to waste it on just being a dedicated WAN uplink with no wired or wireless clients.
Can pfSense do what I need it to do?
If so how would I go about it? I think that pfSense can do what I need it to do, I set up a VPN service on it a year ago and still remember a little about it. -
Just policy route the traffic you want to a specific WAN gateway instead of a failover/load balance gateway group.
-
Thank you for your reply. How would I go about it? The most I've done in pfSense was to follow a tutorial for setting up a VPN service.
-
Countless examples here for policy routing. Please search first.
https://doc.pfsense.org/index.php/What_is_policy_routing
-
If you have 3 NICs on your pfSense box then why do you need more?
- DSL
- SAT
- LAN
Set up DSL and SAT in Interfaces, then inside your firewall rulebase create rules for things like FTP; in one of the advanced dropdown boxes you can select the WAN interface the traffic needs to be routed out of.
As Derelict said, it's literally routing selection within the policy (same principle but different nomenclature to things like Cisco PBR).
-
On watching several videos and reading some more about it, I have decided to let pfSense handle both WANs. I was looking for the easy way out, keeping a router as my DSL hookup because it is very easy to set up the OpenVPN that way (I feel ashamed). I will take the time to learn and to use pfSense to handle both my VPN and my unencrypted satellite connections, then pass them into a wireless router configured as an access point to distribute to my house and all the APs in it. One thing I really want to learn about is how to set up a VPN kill switch in pfSense and have it NOT re-route my traffic to satellite if the VPN goes down. Instead have it wait until the VPN is restored.
I have books ordered and have been watching videos, but the most info I got was searching this forum, and I am still unsure how to go about it exactly. I have been reading in particular this post by Derelict:
https://forum.pfsense.org/index.php?topic=84463.msg463226#msg463226
What I am unsure of is how to keep the requests from seeing that the VPN is blocked and then just using my other unencrypted WAN instead.
Thanks -
Search NO_WAN_EGRESS in the search box above.
Actually, that appears to only search recent posts. Use search in the menu bar.
You basically tag traffic that should go out the VPN as such and block it if it is going out a WAN interface in the clear. Best way, IMHO.
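Editor's added example, not part of Derelict's post and not pfSense's generated ruleset: a hand-written pf.conf that does what the two replies above describe. The per-port policy routing (the "select the WAN interface" dropdown on a LAN rule) becomes a `route-to` on the LAN pass rule, and the kill switch becomes a `tag NO_WAN_EGRESS` on the VPN-bound rules plus a `block out quick ... tagged NO_WAN_EGRESS` on the two physical WANs. Interface names (`em0`..`em2`, `ovpnc1`) and gateway addresses (203.0.113.1 from the RFC 5737 documentation range, 10.8.0.1 for the tunnel) are assumptions; substitute your own. In the pfSense GUI the same thing is a LAN rule with Advanced > Gateway and Advanced > Tag set, and a floating rule on the WAN interfaces, direction out, action block, quick, with Tagged set to the same string.

```pf
# --- assumed interface and gateway names (not from the original thread) ---
dsl    = "em0"        # WAN1: DSL, carries the OpenVPN client tunnel
sat    = "em1"        # WAN2: satellite
lan    = "em2"
vpn    = "ovpnc1"     # OpenVPN client tunnel interface
gw_sat = "203.0.113.1"   # assumed satellite next hop (RFC 5737 range)
gw_vpn = "10.8.0.1"      # assumed VPN server-side tunnel address
lan_net = $lan:network

# Outbound NAT on both egress paths. NAT rules precede filter rules in pf.conf.
nat on $sat from $lan_net to any -> ($sat)
nat on $vpn from $lan_net to any -> ($vpn)

# Policy routing is decided where the traffic enters: on the LAN interface.
# Rules are 'quick', so the first match wins (pf otherwise takes the last match).

# Bulk FTP control connections go out the satellite link. Port 21 is only the
# control channel; passive-mode data connections use ephemeral ports and are
# caught by the catch-all rule at the end, which also goes to satellite.
pass in quick on $lan inet proto tcp from $lan_net to any port 21 \
    route-to ($sat $gw_sat) keep state

# Browsing goes out the VPN and is tagged so it can never leave in the clear.
pass in quick on $lan inet proto tcp from $lan_net to any port { 80 443 } \
    tag NO_WAN_EGRESS route-to ($vpn $gw_vpn) keep state

# Assumption: clients that browse via the VPN also resolve via the VPN, so
# their DNS is tagged the same way (otherwise queries leak out the other WAN).
pass in quick on $lan inet proto { tcp udp } from $lan_net to any port 53 \
    tag NO_WAN_EGRESS route-to ($vpn $gw_vpn) keep state

# Everything else from the LAN uses the satellite link unencrypted.
pass in quick on $lan inet from $lan_net to any \
    route-to ($sat $gw_sat) keep state

# Kill switch: anything tagged for the VPN that is about to leave on a physical
# WAN (i.e. not inside the tunnel) is dropped instead of rerouted. When the
# tunnel is down the tagged traffic simply waits; nothing falls back to DSL
# or satellite in the clear. Keep this ahead of any 'pass out' rule on $dsl/$sat.
block out quick on { $dsl $sat } tagged NO_WAN_EGRESS
```

Load it with `pfctl -nf /path/to/pf.conf` first to syntax-check, then test the kill switch deliberately: take the tunnel down, try to load an HTTPS page from a LAN client, and confirm with `pfctl -vvsr` that the `block out ... tagged NO_WAN_EGRESS` counters increase while the FTP and catch-all satellite traffic keeps flowing. Note that pfSense rewrites its own rules when it marks a gateway down, which is exactly why the block is keyed on the tag rather than on the route-to rule.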
-
Thanks Derelict, please continue to help me I am learning.
I need to know how to set up DNS for one WAN (DSL VPN) but not have it affect the other (satellite non-VPN, get the provider's DNS automatically). The videos I have been watching either assume that I have one WAN or am trying to load balance. I have searched this forum but do not seem able to find this information. -
No idea what you're talking about.
DNS queries are done by a client, not a firewall. You will have to be more clear about what you are looking to accomplish.
Are you trying to circumvent snooper's charter?
Trying to avoid DNS geolocation for video streaming?
??
It's a lot easier to give you advice if you are not being cagey about what it is you are trying to do.
-
Yes I stream. But I also don't want geolocation at all because the DSL is my family's connection.
In the videos to set up my VPN it says to enter the DNS on the System > General Setup page, but if I do that from there won't that be setting it for both WANs? -
Still not close to enough information.
DNS is generally done by the clients. If a client is configured to use internet DNS servers and all internet traffic is forced out the VPN then all queries will appear to be sourced from the VPN.
There are about 1000 different ways to configure a network. You are going to have to be more specific about what you want to do.
-
I think that you misunderstood. I am not trying to force ALL traffic to use the VPN, just browsing and basic services. I want both http and https especially routed to the VPN, and my daughters' games and Netflix.
Everything else must go out on the unencrypted satellite connection.