Adding secondary WAN to existing network without completely changing topology
I am extending my network with a second ISP, adding another WAN endpoint. The endpoint can't be physically connected to the same router as there are two houses connected wirelessly inside the same LAN and the new endpoint will go to the second house.
I don't want to split my existing network or change the topology already set up, and was thinking of adding static routes that would cover devices in the second house, making sure the connections exit through the new WAN connection.
Can I set a preferred route for each LAN IP address or a subnet so that all connections use one endpoint and switch to the other in case of failure? I am going through the documentation and it's possible to set weights where the traffic is split based on bandwidth, but I would prefer one being used exclusively unless a failure occurs.
Open to suggestions as I haven't done networking in a while.
Use VLAN to connect the second WAN to your pfSense.
What are you going to do in house 2 for a router? Some ISP device is unlikely to support any sort of routing or VLANs or other network that could be used as a transit.
Or multiple gateways etc.
If house 2 is also running pfSense then it's simple enough to connect them and use whatever gateway you want connected to either from either house with simple policy routing.
And sure each house could be used as failover for the other houses connection, etc.
@johnpoz House 2 has the original router and WAN gateway. I want to add an extra WAN gateway first to house 1 without changing any other devices, working with both gateways and then eventually decide if I will disconnect from the one in house 2.
So ideally looking for a configuration option I can set on my only pfsense router in house 2 so I can route all WAN traffic to house 1 through the connection available there.
An option where connections from house 1 should realize house 1 WAN is closer and use that, or even set all connections from 1 and 2 to use WAN 1 and only use WAN2 as failover.
But can't have both connected to the same router unfortunately.
What networks are in play in both houses? Do they both use 192.168.1/24 as their LAN?
@johnpoz Yes, both houses are in the same LAN, connected via a wireless bridge that is slower than the new WAN connection.
That is a problematic sort of setup. In that sort of scenario the best option is just to do it at the client level.
I would change one of the networks, say have 192.168.1/24 at one house and 192.168.2/24 at the other house. Then you can set up a gateway in pfSense using the other house's network and it could be set to just NAT to that, and the other ISP router would just see all traffic as any other client.
Do you do a lot of inter-house traffic? There are some really high speed wireless bridges these days where gig is not a problem.
There are some cheaper options as well. Just having a hard time remembering the product name.
Here are some more unifi options
Or the nanobeams
What are you currently using for your wifi connection? What is your internet speed? What speed would you like to see between the buildings?
@johnpoz The speed between the houses is 250 MBit, but the new connection will be 1 GBit.
Won't adding another gateway into pfSense solve this though? I read that I could add another one, attach it to the LAN interface and give it the IP address of the second gateway.
If I understand it correctly, a PC in house 1 would ask the router in house 2 for the best way out, and be told to send stuff to the house 1 WAN and would use that route as long as the route stays cached in PC 1.
Or would this setup not work?
You're going to run into all kinds of issues trying to put a WAN on your LAN network! You just turned it into a WAN... You need to use a different network, and then you can create a gateway on pfSense.
@johnpoz Can't I set a new default route on router 2 to send WAN traffic to router 1?
The route would send traffic there and would use the secondary route only if the new primary is down.
Router one would have a gateway set up on one of its interfaces where the other end would be WAN.
If you want to run only 1 network as your LAN, which gateway you use is going to have to be decided by the client, even if you set up an asymmetrical mess by setting a gateway in this network. The return traffic would not go back to the other router and you run into stateful problems.
The correct solution if you want pfSense to send traffic to another gateway is for this to be on a different network. Change your houses' networks to be different, and then sure, you can have pfSense NAT to the other house's network and you don't have asymmetrical issues.
Setting multiple gateways on a client can be problematic as well. While you can set metrics to try gateway 1 vs 2... good luck with that.
To do this correctly both routers would need to understand routing and allow for a transit network. ISP or SOHO routers are highly unlikely to support such a setup. If you ran pfSense in both houses and then set up a transit network over your wifi bridge, you could do really anything you wanted with policy routing or failover.
Clients in either house this way only need to know their own local gateway. And the routers would decide which WAN to use: either the one they are connected to directly, or the one via the transit network to the other router.
This would be the proper way to set it up.
You would want to use a /29 as the smallest because your wifi bridge devices would have IPs in the transit as well for management purposes.
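As an added illustration of the transit-network design described above (this is constructed example code, not anything from the thread), the model below builds two pfSense routers with separate LANs and a /29 transit, resolves egress paths through tier-ordered gateways with failover, and contrasts it with the flat-LAN variant to show why the return path there skips the stateful router. Router names, addresses and the monitor-IP behaviour are assumptions.

```python
import ipaddress
# Constructed topology (all addresses assumed): house 1 = R1, LAN 192.168.1.0/24, WAN1
# (new 1 Gbit ISP); house 2 = R2, LAN 192.168.2.0/24, WAN2 (old ISP); transit over the
# wireless bridge = 10.10.10.0/29 (R1 .1, R2 .2, bridge radios .3/.4 for management).
OWNER = {"10.10.10.1": "R1", "10.10.10.2": "R2"}  # transit next hop -> router
DIRECT_WAN = {"R1": "WAN1", "R2": "WAN2"}
ROUTES = {  # per router: (prefix, gateways in tier order), like a pfSense gateway group
    "R1": [("192.168.1.0/24", ["lan"]), ("10.10.10.0/29", ["transit"]),
           ("192.168.2.0/24", ["10.10.10.2"]), ("0.0.0.0/0", ["WAN1", "10.10.10.2"])],
    "R2": [("192.168.2.0/24", ["lan"]), ("10.10.10.0/29", ["transit"]),
           ("192.168.1.0/24", ["10.10.10.1"]), ("0.0.0.0/0", ["10.10.10.1", "WAN2"])],
}
# The rejected design: one flat LAN, R1 is a plain ISP router at 192.168.1.1 and
# R2 (the only pfSense) points its default route at it across the LAN.
FLAT_OWNER = {"192.168.1.1": "R1"}
FLAT = {
    "R1": [("192.168.1.0/24", ["lan"]), ("0.0.0.0/0", ["WAN1"])],
    "R2": [("192.168.1.0/24", ["lan"]), ("0.0.0.0/0", ["192.168.1.1", "WAN2"])],
}

def gateway_up(gw, owner, down):
    """A neighbour router counts as up only if a monitor IP is reachable via its own WAN."""
    return DIRECT_WAN[owner[gw]] not in down if gw in owner else gw not in down

def lookup(tables, owner, router, dst, down=frozenset()):
    """Longest-prefix match, then the first gateway in the tier list that is up."""
    d, best = ipaddress.ip_address(dst), None
    for prefix, gws in tables[router]:
        n = ipaddress.ip_network(prefix)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gws)
    return next((g for g in best[1] if gateway_up(g, owner, down)), None) if best else None

def path(tables, owner, router, dst, down=frozenset()):
    """Hops from `router` until the packet is delivered locally or leaves via a WAN."""
    hops = [router]
    while True:
        gw = lookup(tables, owner, router, dst, down)
        if gw is None:
            return hops + ["unreachable"]
        if gw not in owner:
            return hops + [gw]
        router = owner[gw]
        hops.append(router)

def symmetric(fwd, rev):
    """Stateful filtering only works if both directions cross the same routers."""
    return {h for h in fwd if h in DIRECT_WAN} == {h for h in rev if h in DIRECT_WAN}

def usable_hosts(prefix):
    """Addresses a transit offers: must cover two routers plus the bridge radios."""
    return len(list(ipaddress.ip_network(prefix).hosts()))
```

The failover only triggers because the transit gateway is judged by a monitor IP beyond the neighbour's WAN; in pfSense that means setting the gateway's monitor IP to an address on the internet rather than leaving it at the neighbour's transit address.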
@johnpoz Thanks, I see what you mean. My original idea was to get another APU unit and set up a second pfSense router, but those things are sold out for several months.
Think I might change the default gateway on router 2 to be the IP of router 1 while keeping 2 as a DHCP and DNS server.
Would change the topology like you recommended, but will possibly end up with removing the original WAN connection and only keeping the new one.
Having 1 as the gateway would speed up the network in the house behind the wireless bridge, as the bridge bandwidth is higher than the old WAN.
Would set up a proper gateway on router 1 where one port would have a WAN address.
And keeping pfSense as the DNS would at least keep ad filtering alive, though I will lose the firewall.
Wish we did not have chip shortages and I could get a second APU.
I believe the sg3100 are in stock ;)
@johnpoz I thought you might say something like that :P Was really planning to get another device like the one before, seems more cost efficient though it does lack any support.
And the offer in the Netgate store is tempting. Will those devices be using the forked pfsense with the new gui and how are they typically supported with updates?
Does seem a shame that they only have dual cores and 2GB of ram.
Why - do you need a Ferrari to drive to the corner store, or will that Sonata work?
Do you really need more horse power than needed to pull the plow, or do you need 8 Clydesdales?
This is an appliance that is going to really do 1 thing. Well, actually a few things, but it will do it well, it will do it for a long time, and it will use very little power doing it.
The appliance updates whenever a new version comes out. With the appliance you get pfSense+, which just used to be called FE vs CE.