I need some help with PFsesne and dual WAN set-up

  • Hi All.

    Really hope you can help as I am banging my head against a wall. I have two questions first one is an easy one I hope.

    First Question:

    I have a new PPOE type connection (Fiber to the Premises) so Pfsense connects directly to the ONT on the wall. why do I have two IP's? one under Interfaces which is my public IP and one under gateways and does that cause issues with things like dynamic DNS? (tested with duckdns and my public IP gets cached)

    Second Question:

    So I have two WAN connections going into my PFsense box one is setup as a DHCP connection (SKY) and one setup as a PPOE connection (BT). Currently I have the SKY connection set-up as the default gateway as this is the original connection that Pfsense was set-up with. BT was only installed today so apart from confirming its working (Which it is) I am not routing anything through it till I resolve my issues.

    So what I want to do is simple. I want to only have 5 devices using the new BT connection, I don't want to load balance or set-up a fall over as one of the devices is a server I use for media and goes via a VPN.

    So what I thought the simplest option was to do is set-up a firewall rule for each device I want to go through the BT connection and set BT as the default gateway.

    I tried this by setting up a rule for my main gaming PC which has a static IP, I then used 'whats my IP' to check my public IP and it is in fact pointing to BT which is great. I then did a speed test and am getting the speed supplied by BT. I then went on to try and download something on steam and was only getting 2mbs download so checked the PFSesne dashboard and noticed the traffic graph is showing the steam download going through the SKY connection and not BT. I also tested downloading a file in chrome and it is doing the same thing.

    So what could be wrong here?

    what is the correct way to route all traffic for one device to one WAN connection?

    any help is appreciated and please treat me like an idiot as I though this would be easy but its beating me to death.

  • Sorry to add the firewall rule I setup is as follows

    Action Pass
    Interface LAN
    Choose the interface from which packets must come to match this rule.
    Address Family IPv4
    Protocol Any

    Source | Single host or alias | <-- IP on my machine

    Destination ANY

    WAN_BT_PPPOE - XXX.XX.XX.XX - Interface WAN_BT_PPPOE Gateway <-- the IP its shows here is the gateway address not my public IP

  • The gateway ip is located at the other end of your link and is normal.
    So is the rule

    Clear states and retry

  • Ok I think I made some headway

    I randomly went into the routing page and noticed I had set both the defaults gateways from Automatic to the SKY gateway..

    I set that back to automatic and now steam and chrome download at full speed on the BT connection

  • @enigma27 No.
    When you create a rule, you are policy routing, and default gw is ignored.

  • Does the firewall rule I set out above look correct for what I wanted to achieve?

  • @enigma27 Yes. Its fine.
    You need to clear states after such changes to take effect.

  • OK all sorted now. thank you.

  • this is not sorted and I cant work out why this is happening.

    Loaded my Pc up this morning.. firewall rule still running so that this PC goes through the BT gateway.. run a speed test and says im on BT and am getting the full speed...

    But downloading from steam and chrome on this PC and I am still using the sky connection and it taps out and SKYs max speed.

    Any idea why this is??

    I just downloaded something on another machine with the same firewall rule just pointing to its IP address and it downloaded on the BT connection at full speed.

    So why is steam and chrome deciding to ignore my routers firewall policy? i have cleared states.

    was working fine last night

  • @enigma27 post a screenshot of your firewall rules.

  • This is the simple rule i set-up to send traffic of the BT WAN for my main PC that although on whats my ip and speedtest both show my BT connection Steam and chrome are using the SKY connection to download... last night it was working fine


  • See this is strange.. I just restarted my PC and now steam is using the BT connection to download again.

  • Ok this is happening again.

    Just tried to download a game from steam and its using the SKY WAN connection and ignoring the firewall rule above for my PC to use the BT WAN

    But if i check my IP and do a speed test on the same PC it says i'm on the BT connection.

    if i go into states and filter by my PC IP it shows no established connections through the SKY WAN

    so confused

    Restarting steam doesn't seem to make a difference.
    doing an IPCONFIG /Renew on this PC makes no difference.

    Here is a screenshot of my rules... are they in the right order?

    Screenshot 2020-09-15 123026.jpg
    Screenshot 2020-09-15 123108.jpg

  • @enigma27 How about ipv6? I see a lot of traffic going out.
    You can't policy route ipv6 the same way.
    Try disabling ipv6 from your pc interface and see if it works as expected

  • OK so started a download on steam this morning and again it was using the slower sky connection.

    So i paused steam and left it open... I then turned off IPV6 on both WAN connections and the DHCPv6 Server & RA to disabled and restarted the stem download and its back to using the BT connection.

    So if steam uses IPV6 and the firewall rule only works on IPV4 protocol could that be the issue?

    in the firewall rule says the following

    Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.
    Gateway selection is not valid for "IPV4+IPV6" address family.

    I did have IPV6 set-up for both WAN connections but the system default is the SKY connection. It seems you cant set-up a rule and designate a specific gateway that covers both IPV and IPV6 based on the note above.

  • @enigma27 You can't policy route ipv6 the same way it is done in v4
    Just because it can't be natted.

    Keep ipv6 disabled.

    p.s In theory you could have both ipv6 ranges assigned to your pc and then manipulate routing tables, but this has to be done at the workstation level

  • @netblues said in I need some help with PFsesne and dual WAN set-up:

    @enigma27 You can't policy route ipv6 the same way it is done in v4
    Just because it can't be natted.

    Keep ipv6 disabled.

    will this cause any issues in the future though? or are we still a long way off IPV6 becoming the norm?

    Also just to be clear when i disable IPV6 do I disable the DHCPv6 Server & RA option?

  • @enigma27 You can just disable it at your workstation.

    You won't have any issues until you are either behind cgn or not assigned an ipv4 address

Log in to reply