Firewall/MultiWAN with DSL and Cable failover/load balancing
-
Sorry to be tedious and repetitive, but I have exhausted my abilities to understand this setup from info gleaned online. I thank you in advance for any tips or advice.
I have been working primarily with a document on the pfsense wiki MultiWanVersion1.2. I have been using Smoothwall for a while and I've gone through about 3-4 installs and I more or less understand how it works, but I'm a bit confused about this multiWAN setup in pfSense. When this is all done, and if it works, I'll be glad to amend, or add another article for the less technical among us.
The goal: Use my standard DSL connection from Speakeasy/Covad (WAN1) and add Comcast (WAN2) as a failover/load balancing setup. I run a personal website (FTP, Internet Radio, RDC, etc) for me and friends and sometimes for work so I need to access from outside; obviously on my DSL. I am mainly doing this to minimize downtime and hopefully increase some bandwidth heavy operations.
I am still confused about bridged mode/router mode, but as I understand it, in bridged mode I'll use the fixed IP that my IP gave me, and in router mode I'll have an internal address on the inside of the modem (like 192.168.1.1). I think I'll be setting my DSL in Bridged mode (Static settings) and my Cable in Router mode (DHCP settings?). I would expect to see settings for Type = Static or Dynamic.
I would like to maintain the internal DHCP server from the LAN NIC to 192.168.0.1 so I won't have to change all my internal PCs from what I'm using with Smoothwall. I'm using 192.168.1.1 just to go along with the default documentation.
So some questions:
1. Is this right?
DSL = Fixed IP = Bridged mode = Static
Cable = Dynamic IP = Router mode = DHCP
2. The article implies that I need to change my modems (DSL - Broadxent 8012-V1, Motorola Surfboard SB5101) to work in router mode, but I'm not convinced I can, or should. What's best?
3. When running the setup wizard, the general parameters page asks for Primary and secondary DNS servers. It says I should get this from a DNS address list from WAN1 or WAN2 DNS list. Where do I get these lists? I see something in my WAN1 info from the Status > Interfaces list but I don't see that for my WAN2 status. (a bit awkward to have to know this in the initial "setup wizard"). I think that this is to indicate a DNS that is used by the load balancing mechanism to detect an outage.
Because I don't see a Comcast DNS server in anything I have, I found a reference online (68.87.66.196). What should I be using?
4. In the same section, there is also a reference to a checkbox 'Allow DNS server list to be overridden by DHCP/PPP on WAN' but I don't have this checkbox in version 1.2.
5. Typically, I think I only need DHCP on my LAN connection for my non-dedicated PCs (I have fixed IPs for my IIS server, etc.). Why DHCP on my WAN2? (perhaps this is answered above)
Here are the settings I think are critical:
WAN1
Static IP configuration:
IP address: 69.17.44.nnn
Gateway: 69.17.44.1
WAN2
DHCP IP configuration
Bridge with: none
IP address: ?
Gateway: ?
--
1.2-RELEASE
built on Sun Feb 24 17:04:58 EST 2008
Here's what I have from Status > Interfaces [my comments in square brackets]
WAN interface (fxp1) [Static - Broadxent 8012-V1 from Speakeasy]
Status up
MAC address 00:00:00:00:00:6c
IP address 69.17.44.nnn
Subnet mask 255.255.255.0
Gateway 69.17.44.1
ISP DNS servers
68.87.76.178 [detected by pfsense?]
68.87.78.130 [detected by pfsense?]
68.87.69.146 [detected by pfsense?]
64.81.79.2 [what I use on smoothwall; provided by speakeasy]
216.231.41.2 [what I use on smoothwall; provided by speakeasy]
Media 100baseTX <full-duplex>
In/out packets 7950/7017 (723 KB/1.39 MB)
In/out errors 0/0
Collisions 0
LAN interface (fxp0)
Status up
MAC address 00:00:00:00:00:aa
IP address 192.168.1.1 [currently using 1.1 just to go along with wiki doc, but want 0.1]
Subnet mask 255.255.255.0
Media 100baseTX <full-duplex>
In/out packets 9213/7867 (1.35 MB/3.62 MB)
In/out errors 0/0
Collisions 0
WAN2 interface (xl0) [Motorola Surfboard SB5101 from Comcast]
[if I set this up as DHCP]
Status up
DHCP up
MAC address 00:00:00:00:00:c9
IP address 67.160.227.1
Subnet mask 255.255.254.0
Gateway 67.160.226.1
Media 100baseTX <full-duplex>
In/out packets 655332/35434 (41.79 MB/3.32 MB)
In/out errors 0/0
Collisions 0
[if I set it up as static]
Status up
MAC address 00:10:5a:e4:9c:c9
IP address 192.168.1.1
Subnet mask 255.255.255.0
Gateway 24.130.240.1
Media 100baseTX <full-duplex>
In/out packets 198691/36068 (13.21 MB/6.78 MB)
In/out errors 0/0
Collisions 0
--
found this info on the Internet about DNS for Comcast:
68.87.66.196 Comcast (national) Primary DNS Server.
68.87.64.196 Comcast Secondary DNS Server.
-
found this info on the Internet about DNS for Comcast:
68.87.66.196 Comcast (national) Primary DNS Server.
68.87.64.196 Comcast Secondary DNS Server.
If they answer to ping you can use them.
-
Thanks Perry,
What I found is that these are indeed pingable from the command window, but when I ping from WAN2 from within the software (), nothing seems to work.
Still trying to understand what settings to use for my home version of Comcast. Right now I've got it running as Static with IP address defined in the OPT1/Wan2 setup as 192.168.2.1/24 and the Gateway as 24.130.243.53, or 68.87.64.204, or what shows up on the Status/Interfaces… Nothing seems to make it look like it's working.
Current big question: What is the preferred setup for Comcast (home service) Static or DHCP and what IP and Gateway should be used?
TIA,
Chris.
-
I don't have Comcast but what I do is.
On my wag200 modem I can set an IP to DMZ. In my case I use 192.168.101.100
On wan2 nic I then set it to static 192.168.101.100/24 gateway 192.168.101.1
As monitor ip's under load balancer I use my ISP DNS servers.
To test, use Diagnostics -> Traceroute and enter IP of the ISP DNS and you should see traffic being routed out the correct way.
OPT1/Wan2 setup as 192.168.2.1/24 and the Gateway as 24.130.243.53, or 68.87.64.204,
If I should guess 192.168.2.1 is your gateway. If a DHCP range is set on your modem, select an IP outside of it. Maybe 192.168.2.222
As an alternative testing of your comcast modem you could boot from a ubuntu livecd to see if it works.
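As an added example (not pfSense's own code and not from anyone in this thread), the following Python models the monitoring Perry describes: one monitor IP per WAN (his ISP DNS servers), a gateway marked down after repeated probe failures, and the group then picking a failover gateway or round-robining over the live ones. The reachability table, the probe callback, the `loadbalance` mode name and the uniqueness check on monitor IPs are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, List

@dataclass
class Wan:
    name: str
    gateway: str
    monitor_ip: str  # must be reachable only through this WAN's gateway
    failures: int = 0
    down: bool = False

class GatewayGroup:
    def __init__(self, wans: List[Wan], probe: Callable[[Wan], bool], threshold=3):
        # Assumption: a host route to each monitor IP is pinned to its gateway,
        # so two WANs sharing one monitor IP would be probed through one link.
        if len({w.monitor_ip for w in wans}) != len(wans):
            raise ValueError("monitor IPs must be unique per gateway")
        self.wans, self.probe, self.threshold = wans, probe, threshold
        self._rr = cycle(wans)

    def poll(self) -> None:
        # Down after `threshold` consecutive failed probes, up again on one success.
        for w in self.wans:
            if self.probe(w):
                w.failures, w.down = 0, False
            else:
                w.failures += 1
                w.down = w.failures >= self.threshold

    def choose(self, mode: str) -> Wan:
        # failover: first live WAN in configured order; loadbalance: round robin
        live = [w for w in self.wans if not w.down]
        if not live:
            raise RuntimeError("all gateways down")
        if mode == "failover":
            return live[0]
        return next(w for w in self._rr if not w.down)

# Constructed scenario with the thread's addresses: the Comcast monitor IP never
# answers (the poster's symptom) while the Speakeasy DNS server keeps replying.
REACHABLE = {"64.81.79.2": True, "68.87.66.196": False}

def simulate(rounds: int = 3, mode: str = "failover") -> List[str]:
    # Poll `rounds` times, then return the WAN chosen for `rounds` new flows.
    group = GatewayGroup([Wan("WAN1", "69.17.44.1", "64.81.79.2"),
                          Wan("WAN2", "24.130.240.1", "68.87.66.196")],
                         probe=lambda w: REACHABLE[w.monitor_ip])
    for _ in range(rounds):
        group.poll()
    return [group.choose(mode).name for _ in range(rounds)]
```

With the default threshold of 3, WAN2 is only declared down after three failed polls, so a single missed ping does not flip the group; replacing the lambda with a real probe (e.g. a ping sourced from the WAN's own address) turns the model into a usable check.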
-
Perry,
Based on your notes I tried the settings that the modem seems to have by default (I see no way to set the IP addresses): 192.168.100.1 (as the gateway) and a value, probably outside its assignment range, of 192.168.100.254/24 for the IP. Sadly it did not work.
For my Comcast modem SB5101 (home account):
I see that it can be accessed when connected to directly at: 192.168.100.1. I can see some stats in a web interface, but it has no options for changing anything AND I see no indication about what mode it is in.
Apparently it seems that the SB5101 is a DHCP server for a short time when it is booting and if it fails to connect. After that it retrieves what I think is a random IP address and it seems, so far, that the gateway value is consistently 24.130.240.1.
This is what I see in Status > Interfaces menu:
OPT1/WAN2 in DHCP Mode,
Status up
DHCP up
MAC address 00:10:5a:e4:9c:c9
IP address 24.130.243.108
Subnet mask 255.255.252.0
Gateway 24.130.240.1
[dns servers are unknown although I've found references online]
The next step is to find a way to enter the correct values for the Comcast modem so that it can ping an appropriate DNS server.
Questions for OPT1 setup:
1. Static or DHCP?
2. As there are no other meaningful settings for DHCP, if I select Static what should be the values for (options seem to be):
For IP address:
192.168.100.1/24
192.168.1.1/24
192.168.100.254/24
24.130.243.108/24
For Gateway:
24.130.240.1
192.168.100.1
For DNS Servers (to go into System > General Setup menu as DNS 2)
dns101.comcast.net
68.87.64.204
68.87.76.228
68.87.66.196
None of these so far pingable from OPT1/WAN2.
TIA,
Chris.
-
You should really try a livecd to make sure your connection works
1. Static or DHCP?
DHCP