Multi-WAN Address Overlapping, part 2


  • Continuing this locked thread:
    https://forum.netgate.com/topic/100231/ip-address-overlapping-error

    In that thread Netgate admins ask "for what valid reason could you possibly want to do this [apparently obviously bad thing to do]?"

    I shall explain why this might be a desirable and valid configuration. I have a free pfsense box that has been around for about a decade at a K-12 public school.

    About two years ago I configured it with two separate public WAN addresses in the same CIDR. It's been working fine up to this point with no problems.

    The reason for the two WAN addresses like this, is that the ISP has been providing cloud based web filtering through a Juniper SRX they own, but the cloud filter limits bandwidth.

    So I requested a second WAN port from the ISP that is unfiltered for things that no student ever uses, such as offsite server backups to AWS, or Polycoms that exclusively do video conferencing and nothing else.

    Juniper SRX:

    • 104.241.208.193/27 - Filtered gateway
    • 104.241.208.194/27 - Unfiltered gateway

    And so on pfSense I set up two independent WAN ports via the text console back in July 2018...

    • 104.241.208.195/27 - Filtered_GW
    • 104.241.208.196/27 - Unfiltered_GW

    It's been working fine for the last two years. The default route points to the filtered gateway.

    I set a custom gateway in the firewall rules for the few unfiltered devices that need to go as fast and low latency as possible.

    ,

    However we have decided to change to iBoss cloud web filtering, and local iBoss appliance web filtering, which I am working on setting up currently.

    Oddly it seems that changing the default gateway to point to the Unfiltered_GW on the System -> Routing page does not do anything.... sites still keep using the Filtered_GW WAN port.

    Rebooting doesn't do anything. Physically unplugging the cable to the filtered WAN port also does not do anything.

    Only after various poking around did I discover that I cannot disable either of the WAN interfaces in webconfigurator.

    Unchecking either of the WAN interfaces and clicking Save pops up a message about them "overlapping" and it won't accept the save to disable either one.

    The only way I could assert control is to set the Filtered_GW address to 127.0.1.1/32 and then it finally accepted the save and suddenly the default gateway changed to the Unfiltered_GW.

    And fortunately it seems I can still revert to a saved configuration with both WAN gateway interfaces enabled and "overlapping", until I am ready to decommission the ISP's filtered WAN gateway and switch fully to the iBoss..

    This appears to be a bug or defect in webconfigurator preventing accepting this valid dual-independent, dual-gateway WAN configuration.