Netgate Discussion Forum

Replacing old router with a new instance of pfsense + BGP protocol to configure a dual link to the ISP

General pfSense Questions
28 Posts, 4 Posters, 2.4k Views
mauro.tridici (last edited Nov 23, 2022, 8:41 PM)

@cool_corona ok, so let's see what @stephenw10 will say about that 😊
stephenw10, Netgate Administrator (last edited Nov 24, 2022, 1:54 AM)

No, the 'do-not-nat' rules should be on WAN1 and WAN2 for the PUBLIC subnet. You do not want to NAT traffic from PUBLIC as it leaves WAN1 or WAN2.

You can confirm that by running a pcap on WAN1 or WAN2, and you should see traffic from the PUBLIC subnet there.

I assume that you are using 192.168.99.0/24 just as an example here? The real subnet is actually public?

Steve
mauro.tridici @stephenw10 (last edited by mauro.tridici Nov 24, 2022, 9:23 AM)

@stephenw10 thank you Steve, you helped me again :)
Yes, 192.168.99.0/24 is just an example and the real subnet is a public subnet.

Setting outbound NAT as in the second screenshot, I was able to make it work.
Before, it didn't work because I forgot to route the traffic from the ISP router to the public customer subnet (192.168.99.0/24).

After adding the following routes on each ISP upstream gateway, everything started working as expected:

on primary ISP upstream gateway
ip route 192.168.99.0 255.255.255.0 192.168.1.2

on backup ISP upstream gateway
ip route 192.168.99.0 255.255.255.0 192.168.2.2

This is the final GNS3 schema:

(image: Screenshot 2022-11-24 at 10.21.41.png)
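Added example (not from any poster in this thread, and not pfSense code): Steve's check above is to capture on the WAN link and look for untranslated PUBLIC-subnet sources, and mauro's fix was a missing route on the ISP gateways. The script below reads lines as printed by `tcpdump -n` on the WAN interface (for example `tcpdump -ni em0` on the pfSense shell while a host on the PUBLIC subnet generates traffic) and sorts the packets into the cases that tell the two failure modes apart: PUBLIC traffic leaving with the WAN /30 address (outbound NAT still applied) versus PUBLIC traffic leaving untranslated but never answered (no upstream route for the PUBLIC subnet). The three sample captures, the addresses they use and the `classify_wan_capture`/`diagnose` function names are all constructed for this example; 192.168.99.0/24 and 192.168.1.2 follow the thread's addressing, and 203.0.113.10 is a documentation-range address standing in for an Internet host.

```python
import ipaddress
import re
from collections import Counter

# Endpoint tokens in "tcpdump -n" output look like "192.168.99.10.51234" (with port)
# or "192.168.99.10" (ICMP, no port); this matches the "<ts> IP <src> > <dst>:" prefix.
_LINE_RE = re.compile(r"^\S+\s+IP\s+(\S+)\s+>\s+(\S+):")


def _host(token):
    """Extract the IPv4 address from a tcpdump endpoint token, with or without a trailing .port."""
    for candidate in (token, token.rsplit(".", 1)[0]):
        try:
            return ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
    return None


def classify_wan_capture(lines, public_subnet, wan_addr):
    """Count how PUBLIC-subnet traffic shows up in a capture taken on one WAN link.

    out_public_untranslated: packets leaving with a PUBLIC source (what a do-not-NAT rule gives)
    out_from_wan_addr:       packets sourced from the WAN /30 address (NATed PUBLIC traffic, or
                             the router's own sessions such as BGP; a LAN-side capture tells them apart)
    in_to_public:            packets arriving for a PUBLIC destination (only possible once the
                             upstream gateway has a route for the PUBLIC subnet via this link)
    """
    public = ipaddress.IPv4Network(public_subnet)
    wan = ipaddress.IPv4Address(wan_addr)
    counts = Counter()
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 packet line (ARP, IP6, tcpdump banner, ...)
        src, dst = _host(m.group(1)), _host(m.group(2))
        if src is None or dst is None:
            continue
        if src in public:
            counts["out_public_untranslated"] += 1
        elif src == wan:
            counts["out_from_wan_addr"] += 1
        if dst in public:
            counts["in_to_public"] += 1
    return counts


def diagnose(counts):
    """Map the counts onto the two failure modes seen in the thread; returns (code, explanation)."""
    if counts["out_public_untranslated"] == 0 and counts["out_from_wan_addr"] > 0:
        return ("nat_active", "PUBLIC traffic is leaving with the WAN address: outbound NAT still "
                              "applies; add or verify the do-not-NAT rule for PUBLIC on this WAN.")
    if counts["out_public_untranslated"] > 0 and counts["in_to_public"] == 0:
        return ("no_return_path", "PUBLIC traffic leaves untranslated but nothing comes back: the "
                                  "upstream gateway most likely has no route for the PUBLIC subnet.")
    if counts["out_public_untranslated"] > 0:
        return ("ok", "PUBLIC traffic leaves untranslated and replies return.")
    return ("no_traffic", "No PUBLIC traffic seen on this WAN; generate some and capture again.")


# Constructed sample captures (not real output from the thread). 192.168.1.2 is the pfSense side
# of the primary PTP /30, 192.168.99.0/24 the customer PUBLIC subnet, 203.0.113.10 a stand-in
# Internet host, and 192.168.1.1 the ISP side of the /30 (the BGP neighbour).
CAPTURE_NAT_STILL_ON = [
    "10:21:40.000001 IP 192.168.1.2.51000 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0",
    "10:21:40.000200 IP 203.0.113.10.443 > 192.168.1.2.51000: Flags [S.], seq 1, ack 2, win 65535, length 0",
]
CAPTURE_NO_UPSTREAM_ROUTE = [
    "10:21:41.000001 IP 192.168.99.10.51001 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0",
    "10:21:42.000001 IP 192.168.99.10.51001 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0",
    "10:21:42.500000 IP 192.168.99.10 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64",
]
CAPTURE_WORKING = [
    "10:21:43.000001 IP 192.168.99.10.51002 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0",
    "10:21:43.000200 IP 203.0.113.10.443 > 192.168.99.10.51002: Flags [S.], seq 1, ack 2, win 65535, length 0",
    "10:21:43.100000 IP 192.168.1.2.179 > 192.168.1.1.40000: Flags [P.], seq 1:20, ack 1, win 65535, length 19",
]

if __name__ == "__main__":
    for name, cap in (("nat still on", CAPTURE_NAT_STILL_ON),
                      ("no upstream route", CAPTURE_NO_UPSTREAM_ROUTE),
                      ("working", CAPTURE_WORKING)):
        code, why = diagnose(classify_wan_capture(cap, "192.168.99.0/24", "192.168.1.2"))
        print(f"{name:18s} -> {code}: {why}")
```

Capture without a subnet filter: filtering the capture to the PUBLIC subnet would hide the translated packets (which carry the WAN address as source), which is exactly the evidence that the do-not-NAT rule is missing. The BGP line in the third sample shows why `out_from_wan_addr` alone is not proof of NAT: the router's own sessions legitimately use the /30 address, so the verdict is only drawn when no untranslated PUBLIC traffic is seen at all.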
Cool_Corona (last edited Nov 24, 2022, 9:50 AM)

Public is internet.... PC is on LAN.

The /25 IPs are on WAN and not LAN. Unless you run a hotspot or internet cafe.

Otherwise I don't get the setup...
mauro.tridici @Cool_Corona (last edited Nov 24, 2022, 11:07 AM)

In my particular case, pfSense is acting as a "customer border router".
It is connected to the WAN (ISP AS) using the em0 and em1 ports with two redundant PTP links.
Looking at the schema, 192.168.1.2/30 and 192.168.2.2/30 are the IPs for the PTP links.

The ISP is routing the public subnet (192.168.99.0/24) to the pfSense router.
For this reason I need to disable NAT on pfSense.

In the real scenario, the "PC on public subnet" will be replaced by a physical firewall. So, in the end, you will see something like this:

ISP RC1 + ISP RC2 <-> PFSENSE ROUTER <-> FIREWALL <-> LANs
Cool_Corona @mauro.tridici (last edited Nov 24, 2022, 11:36 AM)

@mauro-tridici Can't pfSense act as both router and firewall for the clients?
mauro.tridici @Cool_Corona (last edited Nov 24, 2022, 11:45 AM)

@cool_corona Sure, it can. But in our case, we prefer this kind of deployment.
stephenw10, Netgate Administrator (last edited Nov 25, 2022, 3:19 AM)

Yes, I would expect that to work.
Patch referenced this topic on Nov 26, 2022, 6:15 AM

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.