Two Pfsense each with Seprate Internet routing each other
-
I have two isp's connected on two pfsense and need to do followings:
PFsense Firewall A
wan: static ip
LAN: 192.168.0.1 DHCP ON
opt1: 192.168.2.1 connected to Firewall BPFSens Firwall B
WAN: Stati ip
LAN: 192.168.10.1 DHCP ON
opt1: 192.168.2.2 Connected to Firewall AI need to talk each other network
and work as fail over and load balancerI have two more Ethernet ports on each firewalls
please guide me how to achieve
-
If you want failover and load balancing across your 2 isp, why are you using 2 different pfsense? Why not just connect the 2 different ISPs to 1 pfsense?
-
The reason behind using two PfSense Boxes are they are far from each other about 2000ft away and need to connect both office to each other.
The media between two office are fiber -
Your fiber could just be a switch.. No reason for it to be pfsense. But sure if you want it to be pfsense. Just connect your 2nd pfsense via transit network to your first one with the internet. This transit network just because 2nd wan for each pfsense. So you end up with something like this. See attached.
So on left create gateway to 192.168.1.2
On right create gateway to 192.168.1.1Do not nat these connections.
Create specific routes on each other to the others lan network.On the transit interfaces allow the others network. And allow it to be natted outbound if used on the other pfsense.
Do whatever you want to do with the failover of your now 2 wans on each pfsense. They can load balance or failover.. You would prob want to make each pfsense local wan a tier 1, and the the one via the transit a tier 2. That way the local networks each use their internet connection in their location, but as failover they could use the internet at the other location. But sure you could load balance if you wanted too.
-
Thx for reply and solution but can you elaborate how to make transit network?
-
what part are you not understanding.. How to create a gateway, how to create a route? How to setup failover, loadbalancing.. This is really basic stuff here.. Do you need a picture?
-
actually when you say transit this part can you show me if you have picture i really appreciate i know very little.
i learned earlier from you how to make vpn stuff.
Kindly show me how to do this too.
Thx
-
The transit is the network that is connecting your 2 pfsense together.. This is the network used to get to the other networks/router…
So in your case this is over your fiber connection - correct?
So on pfsense 1 on one of its opt interfaces give it IP address 192.168.1.1/30, on pfsense 2 connect the other end to one of its opt interface and give IP address 192.168.1.2/30 there is no reason to use a /24 or any other larger mask since the only thing on this transit network would be the 2 pfsenses.. Are you planning on having other devices connected to this fiber network? If so then you could use a larger mask. But keep in mind devices on a transit would need host routing to know where to go to get to what network - really the only thing that should ever be on a transit network are routers.. You could have switches sure - but their management IPs should only be accessed from 1 side or the other. Or your going to run into asymmetrical routing unless you create routes on them so they understand which direction to go when they get traffic from a specific network.
Do not put default gateways on these opt interfaces.
But create a gateway.. on each pfsense pointing to the other 192.168.1.x address. Under system routing..
Then under same place create a static route using the gateway you created to point to the network on the other pfsense. Do do the same thing on the other pfsense with route to get to the first pfsense network. On the interface you created for the opt interfaces just create a any any rule on each. You can get fancier with blocking traffic after your sure its working.
Clients on each end should then be able to get to the other networks. Unless you have messed with the default lan rules and changed them from any any or put in blocks? etc..
Once you have that working you could create gateway group and then use this gateway group in your lan rules to tell the clients what gateway to use vs the wan which would be set to default. I would prob put a rule above this rule that sends traffic out your gateway group to allow traffic to the other network.
I can post up some screen shots of this setup - But prob be best to fire up a couple of vms to be able to get exact screenshots and show you how a traceroute would look, etc. If you really need that I could prob find some time ;) Are you using 2.3.4p1 or 2.4rc? So I fire up the correct vms if need be ;)
-
Thx agin,
Yes I am using 2.3.4p1
-
-
Sorry did not see your response.. I will try and fire up 2.3.4p1 today and get your screenshots. But to be honest have already given you all the steps..
-
I appreciate your efforts and help you extended, I am since new i am somewhat like to see what and how.
I again thankful for your efforts and letting me to lurn.
-
If your so new to this - why are you involved in routing traffic between 2 sites with a fiber connection and multiple internet connections? Make zero sense to me.. What is the current configuration of these sites?
-
actually i am new in pfsense and the couple of friends are working together to learn and use each other internet from far as i told you earlier.
my apartment is about 2000ft away from my other friend. we have lurned how to splice OFC cable and it was fun.
now as i was reading about pfsense multi wan and fail-over i need to create two way traffic between us.
my other neighbor already sharing my internet.
I have earlier develop a VPN between me and my another fried who lives in Chicago. I am luring a lot but some time its not that easy as tech like you can do.
when can I expect the screen short?
Thank you again.
-
Sorry did not see your response.. I will try and fire up 2.3.4p1 today and get your screenshots. But to be honest have already given you all the steps..
johnpoz,
Any news?
-
Ah makes more sense now ;)
I am firing up the VMs now - I have pf1.site1.lan up and running on 2.3.4p1, installing pf2.site2.lan and then can start taking screenshots..
So this is how I have duplicated your setup
pf1.site1.lan
em2 wan: 192.168.9/24 (site 1 internet)
em0 lan: 192.168.0.1/24
em1 transit: 192.168.1.1/30pf2.site2.lan
em2 wan: 192.168.2/24 (site 2 internet)
em0 lan: 192.168.10.1
em1 transit: 192.168.1.2/30I want to get the the 2 pfsense up and running and then take vm snapshots, etc. So can roll them back real easy to new.. If you need me to walk through different steps, etc. Sorry taken a bit but got side tracked ;) pf2 is almost done its updating to 2.3.4p1 now.. But I have to go out for my morning walk, and then get ready for work here soon. But now that have them up and running configure your setup from work and take screenshots, etc. So for sure later today have pretty walk through for you…
-
Ok created the firewall rule for transit and now pf1 and pf2 can ping each other over the transit. I would hope you have gotten this far?
-
screen shots.
-
That is as far as I got before I had to go to work.. At work now - need to finish up some morning stuff.. Then will finish it.. So do you have your transit up and working.. Can each pfsense ping the other pfsense via the transit network you set up?
-
Ok - so now I have created the gateways pointing to the other pfsense transit IP..
See attached. Notice I set ipv6 on each wan of pfsense to none. This is only ipv4 setup and figured just remove ipv6 to have it look cleaner.
-
So now I have created the routes on each pf pointing to the network on the other pfsense.
See attached.
So there is a machine on each network 192.168.0.100 (site1) and 192.168.10.100 (site2)
So you can see they can ping the other machine on the other network, and if you do a trace route. They hit their pfsense, go across the transit and hit the other side 192.168.1.1 or .2 depending on the direction your going.
I will now create the gateway group and create the rules to allow if your local internet is down to use the other sides internet..
-
Ok..
So I created gateway groups on each side.
I used packetloss or high latency.. as the failover method.
I then added rule on the lan to allow the other network using default routing.
Then on the default lan rule changed its gateway to use the failover group.
Now when I simulate a failure on the site2 wan it goes out the site1 connection - which you can see from the traceroutes.
Any questions just ask..
-
Sorry did not see your response.. I will try and fire up 2.3.4p1 today and get your screenshots. But to be honest have already given you all the steps..
-
huh?? Dude I have posted all kinds of screenshots showing all the different steps.
-
I am really thankful once again for the efforts you extended for me I will use these instructions and post the after successful implementation.
-
I followed all the instructions and images you have described but sofar am unable to get the internet on pf2.
pfI can access both pfsense but no internet on 192.168.10.0/24 network (the wan is down on pf2 [192.168.10.0/24])
-
I followed all the instructions and images you have described but sofar am unable to get the internet on pf2.
I can access both pfsense (pf1 & pf2) but no internet on 192.168.10.0/24 network (the wan is down on pf2 [192.168.10.0/24])
pf1 wan is up and working fine.
 -
"(the wan is down on pf2 [192.168.10.0/24])"
well that would be a problem now wouldn't it.. How would it work if the wan is down?? That has nothing to do with the transit or connectivity between the pfsenses, etc.
Why do you have 2 transits?
What sort of wan do you have that it doesn't show an interface assigned to it for speed and duplex, etc.
-
The wan is down since morning on site 2 (pf2) but the site 1 has the internet (pf1) wan is working
-
"(the wan is down on pf2 [192.168.10.0/24])"
well that would be a problem now wouldn't it.. How would it work if the wan is down?? That has nothing to do with the transit or connectivity between the pfsenses, etc.
Why do you have 2 transits?
What sort of wan do you have that it doesn't show an interface assigned to it for speed and duplex, etc.
i made another Transit just to see if i have made something wrong.
-
if one wan on any pf goes down wouldn't it takes over to other pf wan which is up through transit?
-
what should I do?
-
Yeah if you set it up like that.. But yours doesn't seem down - it was pending, and looks like you removed the interface from it or something?
And why do you have 2 transits? How did you configure your failover? You should simulate it being down by blocking ping at pfsense gateway, that is how I did it. Or mark the gateway down. But you should validate that your can talk to each others networks and go out your local wan before trying to test the failover, etc.
-
i have changed the transit now only one transit
-
it is showing up online now
 -
pf1 internet is working fine, still can not figure out what mistake i made?
-
can you explain from where the gateway 192.168.9.253 and 192.168.2.253 comes from
you have used in your snapshot
System > Routing > GatewayThx
-
I tried again but same no luck, completely from scratch.
Both firewall communicate each other but can not access Internet.
I created transit on both firewall
Created LAN on each of them
Gateway, Static route and gateway group failover on each pfsense
Firewall LAN allowed
firewall Transit interface allowed
but unlucky to get the internet
please help me to find the problem?
Thx -
"can you explain from where the gateway 192.168.9.253 and 192.168.2.253 comes from"
As I told you already - those were my wan_dhcp gateways in the downstream pf1 and 2 I setup.. That is just my internet in my setup to mimic yours. Here is a drawing..
"Both firewall communicate each other but can not access Internet."
Who can not access internet, can your 2 networks talk to each other? 192.168.0 and 192.168.10? Did you mess with outbound nat? When you create your downstream route it should automatic create your outbound nat for you.
Your going to have to post your setup if you want me to spot what your doing wrong. How is it showing online when shows NO interface or connection just "NONE" How does your wan have a 0.0ms response time??
