One real WAN on two WAN NICs with different subnets



  • Hi,
    This is my situation: we have a 10 Mbit fiber access, which goes to a switch that splits it into two copper ports, going as WAN 1 and WAN 2 into pfSense. Each WAN interface has a /29 public subnet.

    If I now start the "traffic_shaper_wizard_multi_all.xml", in step 1 I have to set the Setup connection speed and scheduler information for interface WAN#1 and WAN#2. So if I enter 10 Mbit for each, I think the scheduler thinks it has 2x 10 Mbit, a total of 20 Mbit to share, but this is not right. If I enter 5 Mbit for each, the sum would be right, but then would more than 5 Mbit be possible on each interface?

    What options do I have to set up the shaping correctly? Thanks for any useful hints.

    ATB, Frank


  • Rebel Alliance Developer Netgate

    The shaper wizard cannot handle this kind of scenario, for the same reason it can't properly handle shaping on VPNs which share bandwidth with the WAN circuit. There is no concept of links sharing the same bandwidth.

    Limiters and queues might work out better, since you could assign the same limiters with a shared 10Mbit/s limit to traffic on both WANs, but that would need some care as well; limiters and multi-WAN have a history of not getting along well either.

    Why do you need to present the circuit as two separate interfaces? You can have both of the /29 networks on a single WAN using VIPs if you need to. Or better yet, just use one /29 on WAN and have them route the second /29 to the firewall address in the first.
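
The difference between independent per-WAN limits and one shared limit described in the reply above, as an added example that is not part of the original thread and is not pfSense code: a simplified token-bucket model. The names `TokenBucket`, `simulate`, `wizard_style` and `shared_limiter`, the 1 ms tick and the 10 ms burst allowance are assumptions made for this illustration.

```python
CIRCUIT_MBIT = 10      # the one real fibre circuit from the thread
TICKS_PER_SEC = 1000   # simulation step of 1 ms (assumption)


class TokenBucket:
    """Rate limiter that earns rate_mbit * 1000 bits of credit per 1 ms tick."""

    def __init__(self, rate_mbit):
        self.per_tick = rate_mbit * 1000   # bits earned each tick
        self.burst = self.per_tick * 10    # assumed cap: 10 ms worth of credit
        self.tokens = 0

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.per_tick)

    def take(self, bits):
        granted = min(bits, self.tokens)
        self.tokens -= granted
        return granted


def simulate(offered_mbit, limiter_for, seconds=2):
    """Return admitted Mbit/s per WAN. Mapping two WANs to the same bucket
    object models one limiter shared by traffic on both interfaces."""
    wans = list(offered_mbit)
    sent = dict.fromkeys(wans, 0)
    for tick in range(seconds * TICKS_PER_SEC):
        for bucket in set(limiter_for.values()):   # a shared bucket refills once
            bucket.refill()
        # Alternate which WAN is served first so neither starves the other.
        for wan in (wans if tick % 2 == 0 else wans[::-1]):
            demand = offered_mbit[wan] * 1000      # bits offered in this tick
            sent[wan] += limiter_for[wan].take(demand)
    return {w: sent[w] / (seconds * 1_000_000) for w in wans}


def wizard_style(rate_each):
    """One independent limit per WAN, as entered per interface in the wizard."""
    return {"WAN1": TokenBucket(rate_each), "WAN2": TokenBucket(rate_each)}


def shared_limiter():
    """A single 10 Mbit/s limit applied to traffic on both WANs."""
    shared = TokenBucket(CIRCUIT_MBIT)
    return {"WAN1": shared, "WAN2": shared}


if __name__ == "__main__":
    both, one = {"WAN1": 10, "WAN2": 10}, {"WAN1": 10, "WAN2": 0}
    print("10+10, both busy :", simulate(both, wizard_style(10)))
    print("5+5, WAN2 idle   :", simulate(one, wizard_style(5)))
    print("shared, both busy:", simulate(both, shared_limiter()))
    print("shared, WAN2 idle:", simulate(one, shared_limiter()))
```

In this model, two independent 10 Mbit limits admit twice what the circuit carries, two 5 Mbit limits hold a busy WAN at 5 while the other sits idle, and the shared bucket keeps the total at 10 in both load patterns.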



  • Thanks for the background info on the shaper function.

    If I add VIPs from the 2nd interface to the 1st, I first of all have to disable the 2nd interface so that I will not have the same IPs on both interfaces after commit; then I have to check that my NAT and LAN rules have the correct destination addresses / gateway address in use. OK, should be possible to do.

    What do you mean by the 2nd hint:
    "Or better yet, just use one /29 on WAN and have them route the second /29 to the firewall address in the first."?
    Can you explain in a little more detail, please?

    Thanks for your help.
    Frank