Multi-WAN with crossover
-
I have a new pfSense setup on an older (i5-6500) small form factor PC with 16 GB RAM and a four-port Ethernet adapter (bge driver).
What I want to do is have two WANs (two different ISPs), and have the LAN_1 port go to the WAN_1 port for internet. This is set up for the majority of my net, with DHCP (192.168.1.XXX), and pfSense on 192.168.1.1. I want LAN2 connecting to WAN_2 with (at the moment) DHCP set to 192.168.0.XXX.
WAN1 to LAN1 is working fine. I haven't gotten around to getting WAN2 connected to LAN2, since I thought that was the easier part, and LAN1 connected to WAN1 without my intervention, so I'm not sure how to go about it. The complication comes in that LAN_2 is basically a headless computer (running uTorrent) that I want to be able to connect to using UltraVNC, which works well when they are on the same network. I thought I could have the net addresses overlap, but that does not work, so I made them close, thinking perhaps 255.255.254.0 on my desktop would allow communication between the two, but I think I also need a Route, or Bridge, or something.
I've been reading pfSense docs for four days and haven't found what I want, and I'm quite confused about whether a Route is what I need or what. If possible I'd like to also have either WAN failover to the other, or at least have WAN1 failover to WAN2, but that is secondary, if it can also be done.
I'd appreciate a little guidance about where I should be looking in the manual, both to make one static IP on LAN2 visible to a computer on LAN1 and to get LAN2 to 'see' WAN2, or whether I need to do this all a different way. Any guidance would be a great help!
Thanks!
-
@coreycoop I’d suggest starting in steps. Add LAN2 and connect. Each interface needs a unique subnet. pfSense knows how to route to its own interfaces. You just need firewall rules. Only LAN(1) has allow rules by default; all others have only a default block rule.
LAN1 can therefore connect to the LAN2 server by default. If there’s a firewall on that server it must allow the LAN1 subnet. That server needs the LAN2 IP as its gateway.
Outbound is controlled by outbound NAT rules: https://docs.netgate.com/pfsense/en/latest/nat/outbound.html
Try hybrid, and add a rule for LAN2 using WAN2.
-
I’d suggest starting in steps. Add LAN2 and connect. Each interface needs a unique subnet. pfSense knows how to route to its own interfaces. You just need firewall rules. Only LAN(1) has allow rules by default; all others have only a default block rule.
I have now gotten LAN2 to connect to WAN2.
LAN1 can therefore connect to the LAN2 server by default. If there’s a firewall on that server it must allow the LAN1 subnet.
I have tried every type of firewall rule I can think of to get LAN1 to connect to LAN2, and of course make that bi-directional. I'm trying to get UltraVNC to connect from LAN1 to LAN2, it uses port 5900. I didn't mention before, that I also want to share folders on Windows 10 computer on LAN2 to my computer on LAN1.
That server needs the LAN2 IP as its gateway.
If the LAN2 interface is DHCP 192.168.0.0/23, then its gateway is 192.168.0.1, but trying to put that gateway in a rule for LAN1 with DHCP 192.168.1.0/23 comes back with an error message.
I thought I could figure it out, but I need a little more specifics on this one.
Thanks!
-
@coreycoop Re gateway: not a rule. Literally just the network configuration on the PC needs pfSense as its gateway, so packets go through pfSense.
Also the PCs will need to allow connections from the other subnet in their own (Windows) firewall.
So on interface LAN1, for UltraVNC, allow from LAN1 Net to that IP on LAN2 port 5900. By default LAN has an allow to any rule so it’s probably already allowed. Return traffic doesn’t need a rule once a state is open.
-
@coreycoop If you are policy routing LAN1 to WAN1 and LAN2 to WAN2 then you need to bypass policy routing for LAN1 to LAN2 and LAN2 to LAN1.
Put a rule on LAN1 above your policy routing rule that passes the desired traffic from LAN1 to LAN2 without a gateway set.
Same for LAN2 to LAN1 on the LAN2 interface.
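The whole arrangement the thread arrives at, written out as a pf(4)-style rule fragment. This is an added example, not any poster's configuration and not the rule set pfSense itself generates; in pfSense you build the equivalent in the GUI (Firewall > Rules for the interface rules, Firewall > NAT > Outbound in hybrid mode for the NAT rule). Interface names, ISP gateway addresses and the static IP of the headless LAN2 box are assumed placeholders. The two LANs are given non-overlapping /24 subnets, since each interface needs its own unique subnet; SMB on 445/tcp is included because the thread also asks for Windows folder sharing from LAN2 to LAN1.

```pf
# Added example (pf-style syntax), not the original posters' rules and not
# pfSense-generated config. All interface names, addresses and gateways are
# assumed placeholders; ISP gateways use documentation ranges.
lan1 = "bge0"              # LAN1: 192.168.1.0/24, pfSense is 192.168.1.1
lan2 = "bge1"              # LAN2: 192.168.0.0/24, pfSense is 192.168.0.1
wan1 = "bge2"              # ISP 1
wan2 = "bge3"              # ISP 2
wan1_gw  = "203.0.113.1"   # placeholder ISP1 gateway
wan2_gw  = "198.51.100.1"  # placeholder ISP2 gateway
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.0.0/24"
vnc_host = "192.168.0.10"  # assumed static IP of the headless uTorrent/UltraVNC box

# Outbound NAT (hybrid mode): LAN2 traffic that leaves via WAN2 is translated to
# WAN2's address. LAN1 keeps the equivalent automatic rule on WAN1.
nat on $wan1 inet from $lan1_net to any -> ($wan1)
nat on $wan2 inet from $lan2_net to any -> ($wan2)

# Interface rules are first-match ("quick"), so the LAN-to-LAN pass rules MUST
# sit above the policy-routing rules. With no gateway (no route-to) on them,
# pfSense uses its own interface routes instead of sending the traffic to an ISP.

# LAN1 -> LAN2: UltraVNC (5900/tcp) and Windows file sharing (445/tcp) to the
# headless box only, no gateway set.
pass in quick on $lan1 inet proto tcp from $lan1_net to $vnc_host port { 5900, 445 } keep state
# Everything else from LAN1 is policy-routed out WAN1.
pass in quick on $lan1 route-to ($wan1 $wan1_gw) inet from $lan1_net to any keep state

# LAN2 -> LAN1: replies to LAN1's connections need no rule (the open state
# handles them); this only matters if the LAN2 box must initiate to LAN1.
pass in quick on $lan2 inet from $lan2_net to $lan1_net keep state
# Everything else from LAN2 is policy-routed out WAN2 (LAN2 blocks by default
# without this rule).
pass in quick on $lan2 route-to ($wan2 $wan2_gw) inet from $lan2_net to any keep state
```

Two checks worth doing once the rules are in place: confirm each LAN host has the pfSense address on its own interface as its default gateway (192.168.1.1 on LAN1, 192.168.0.1 on LAN2), and confirm the Windows firewall on the LAN2 box allows 5900/tcp and 445/tcp from 192.168.1.0/24, since pfSense passing the packet does not help if the host itself drops it. If the policy-routing rule is accidentally placed above the LAN-to-LAN rule, VNC traffic for 192.168.0.10 is handed to the ISP gateway and silently goes nowhere, which matches the "no rule I try works" symptom described in the thread.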