Two WAN ISPs with single inside NAT (sorry if this doubled)



  • Greetings,

    I currently have a home brew Linux router that I have been using for some time now and would like to retire the "old way" of managing it with something a little new. One reason for this is that I now have two separate Internet connections, each with 6 public IPs; marking the packets and building the separate routing tables within Linux just made things way too complicated and I wasn't able to get it to work "the way I wanted ™". I also have it communicating with an internal VPN router via OSPF via zebra.

    After working on various configs over the last week, reading a dozen 'how-to's and perusing the message board, I think I've got so much going into this it's hard to find out where the problem is located. So, with that said, let's cut to the chase.

    The router has 5 network interfaces: WAN1, WAN2, LAN, DMZ, WIFI
    WAN1 has 3 addresses assigned on it (One to the interface, two virtual network)
    WAN2 has 3 addresses assigned on it (One to the interface, two virtual network)
    LAN has 2 addresses assigned on it (One to the interface, one virtual network) [the virtual is for the OSPF VPN, another challenge later]
    DMZ has 1 address assigned on it (One to the interface)
    WIFI has one address assigned on it (One to the interface)

    I separated all the interfaces out to segregate the kind of traffic that's in use in the network. On the Linux router, there are firewall rules that drive policy of who can see what and when. I saw that pfSense has this capability, which is why I'm using it, however I haven't gone as far as migrating that policy.

    As it is configured now, everyone can route to everyone internally just fine, and out to the Internet. However, Internet traffic does not make it to the inside DMZ network at all. If I sniff on the WAN1/WAN2 interfaces, I see the traffic coming in. Sniffing all the internal interfaces doesn't show it leaving, meaning the pfSense box is blocking it. With that said, I added a final firewall rule to allow all traffic and log it so that if there is an exception that is being missed, a rule could be created for it. The firewall logs do not increase with traffic at this point with outside traffic coming in.

    I've created the port-forwarding rules necessary based on the documentation, and confirmed that the appropriate firewall rules are being written as well. The NAT reflection box is unchecked, and Captive Portal is disabled. I'm sure it's something stupid, but I'm unable to figure this one out. Please help me retire my old Linux router :) hehe

    I've attached the config file; all the details are in it.

    Once I can get the Dual WAN to work, then services re-enabled, I can then focus on the quagga/ospf connection.

    Thanks
    config-core.txt



  • ASCII Art

    WAN1--\         /---DMZ
           \       /
            PFSENSE----LAN
           /       \
    WAN2--/         \---WIFI

