Dual WAN, Dual LAN, Discrete Fine Tuning
-
My setup is a single machine handling two separate, non-VLAN IP subnets fed into two discrete WAN connections. No connection between the two is desired, NAT is required for all LANx machines, and no LAN machines possess a public IP address. It is routing correctly, so this is not a 4-alarm fire situation. I was simply wondering if there was a more elegant way to accomplish what I'm trying to do. So…
LAN1------\ /-------WAN1
     [ PfSense ]
LAN2------/ \-------WAN2

Advanced Outbound NAT looks like this:
int   src         srcport   dest   dest port   NAT addr   NAT port   Static port
WAN1  LAN1subnet  *         *      *           *          *          *
WAN2  LAN2subnet  *         *      *           *          *          *

Firewall on LAN2 was tricky and these rules are what feel awkward about the setup. They mainly reflect what worked to progressively ping out from LAN2 -> The World:
LAN2 Firewall Rules
proto   src       port   dest       port   gateway
*       LAN2sub   *      LAN2 Int   *      *
*       LAN2sub   *      WAN2 Int   *      *
*       LAN2sub   *      *          *      WAN2 Gateway

The WAN2 Int rule really sticks in my craw. Without it, routing to the correct interface was not functional, which makes me believe I blew the interface setup somehow, though the LAN2 int lists the WAN2 int as its default gateway. Any comments or suggestions will be welcome; my firewall experience is restricted to iptables and scarce enough at that. Thank you.
-
A quick reply
http://forum.pfsense.org/index.php/topic,12464.msg67635.html#msg67635
And Advanced Outbound NAT ain't needed
-
Sorry for the delay. There were issues in my setup (on 1.2.1-RC2) that were leading to configuration snarls. Your recommendations didn't work; however, changes were not showing up correctly and NICs weren't pinging. I reset to factory defaults and am working from the bottom up with your recommendations in mind. I will report on success/failure when it occurs. Thank you for the help.
-
Okay, kind of yes-no on the above fix. AON is definitely required to prevent private LAN addresses from leaking out into the world. But the default gateway rule was spot on. Routing rules now look like:
proto   src       port   dest       port   gateway
*       LAN2sub   *      LAN2 Int   *      *
-------------specific rules below-------------------

Much nicer. I'm not sure why the previous config had such issues, though starting fresh seemed to make them go away. Next step is bridging and routing, but that will likely be a matter for another post. Thanks for the help.
-
Reporting back from the implementation front, there was a failure. The second network using OPTs for both the LAN and WAN failed to communicate with the outside world. During testing with Wireshark everything looked good, NAT was working on the WAN side of things, everything looked 5x5. When I implemented, the network pinged out correctly from LAN (private IP addr space) to WAN (external IP addr) and on to the provider's DSL router. And then it died outright. Nothing outside of the provider's router could be pinged at all. To recap, this network is set up as such:
- Interfaces: OPTLAN lists OPTWAN as next hop, OPTWAN lists provider's router as next hop.
- NAT: AON defines the OPTWAN as the NAT interface for OPTLAN
- Rules: Rule defines OPTLAN access to OPTLAN interface
  Rule defines ICMP to anywhere on OPTLAN
  Rule defines OPTWAN interface to anywhere on OPTWAN
- Pings correctly up to the provider's DSL router, but no further.
I have another two-interface pfSense box that I have been using as a firewall for the network in question. I put it back on and it routes correctly to the Internet and beyond. The rule sets are about identical. What in the pizzola did I mess up here?
-
Returned to this issue after other projects were addressed.
Based on some suggestions here, I dug a little deeper. DNS requests on the OPTLAN interface die in the ether. I set a static route from the OPTWAN interface to the default DNS server, à la Perry. I could then resolve a DNS address (yay!), HOWEVER, my browser's next step was to access a web page and it received no reply, just as was occurring with DNS before the static route.
Something is seriously screwy with my routing setup on the OPT-network as it does not seem to be able to route past the last interface defined gateway unless a static route is given. I would be glad to have some insight on this if anyone has any.
-
Did you add a DNS rule?
On any OPT LAN using an OPT WAN you have to have a rule on top that gives you access to the OPT LAN interface address using the default gateway.
http://pfsense.site88.net/multiwan.html
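To make the ordering point above concrete, here is an added example (not from the thread or from pfSense itself): a small first-match evaluator that models how a pfSense interface tab picks the gateway for a packet. The addresses, the gateway name and the rule objects are all constructed; the point it shows is that the "LAN to its own interface, default gateway" rule must sit above the policy-routing rule, otherwise DNS aimed at the firewall itself gets pushed out the WAN gateway.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One pass rule as shown on a pfSense interface tab (simplified)."""
    src: str                # source network in CIDR form, or "any"
    dst: str                # destination network in CIDR form, or "any"
    gateway: Optional[str]  # None means "*" in the GUI: use the system routing table


def _in_net(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def select_gateway(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Top-down, first match wins, as pfSense evaluates interface rules."""
    for rule in rules:
        if _in_net(rule.src, src_ip) and _in_net(rule.dst, dst_ip):
            return rule.gateway or "default-route"
    return "blocked"  # nothing matched: pfSense's implicit default deny


# Constructed addresses; the thread only uses interface names.
LAN2_SUBNET = "192.168.2.0/24"
LAN2_INT = "192.168.2.1/32"     # the firewall's own LAN2 address (DNS forwarder)
WAN2_GW = "WAN2_GATEWAY"        # hypothetical gateway name

# Ordering recommended in the thread: interface-access rule first, policy route last.
RULES_OK = [
    Rule(LAN2_SUBNET, LAN2_INT, None),
    Rule(LAN2_SUBNET, "any", WAN2_GW),
]
# The same two rules with the policy-routing rule on top.
RULES_SWAPPED = [
    Rule(LAN2_SUBNET, "any", WAN2_GW),
    Rule(LAN2_SUBNET, LAN2_INT, None),
]

if __name__ == "__main__":
    for name, rules in (("ok", RULES_OK), ("swapped", RULES_SWAPPED)):
        print(name, "DNS to firewall ->", select_gateway(rules, "192.168.2.10", "192.168.2.1"))
        print(name, "web to Internet ->", select_gateway(rules, "192.168.2.10", "203.0.113.5"))
```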
-
I did add the DNS rule as shown at site88. It did not allow for resolution of DNS until after the static route was established. I also have a rule at the top of the OPT LAN ruleset explicitly defining the LAN default gateway, but to no avail. What puzzles me is that I can bounce a ping out to the next hop up the line (the provider's router in our building, as defined in the OPT WAN interface), but no further without an explicitly defined static route. This goes for IP addresses or hostnames.