Netgate Discussion Forum
    Pass rules for WAN2

    Routing and Multi WAN
    8 Posts 2 Posters 380 Views
    madbrain

      My pfSense box has 3 NICs, and I set up pfSense with two different ISPs. One is Comcast, the other Sail Internet. Failover seems to work fine for outgoing connections.

      However, incoming packets get blocked for the WAN2 interface.

      Here are the rules for the WAN interface :

      [screenshot: 5a4b50b5-0e58-4ef8-b765-c216765d19f7-image.png]

      And for the WAN2 interface :

      [screenshot: 8c6388c2-2f0d-477b-a5cd-5520c1acf0ef-image.png]

      As you can see, it says "all incoming connections on this interface will be blocked until pass rules are added."

      I was going to duplicate the pass rules for WAN into WAN2, but it turns out there aren't any pass rules for WAN. How am I supposed to set up the pass rule for WAN2?

      Edit: adding LAN rules too.

      [screenshot: 63f99a5e-d8f2-4c2d-a200-90146bf60709-image.png]

      viragomann @madbrain

        @madbrain
        Out of the box there isn't any pass rule on any interface, except LAN.

        The one you have on WAN was added by the OpenVPN setup wizard.
        If you want to have the same rule on WAN2 hit the copy button at the right and change the interface to WAN2 and the destination address to "WAN2 address".

        madbrain @viragomann

          @viragomann Thanks. That makes sense. I copied the OpenVPN rule and the message goes away. However, the VPN is still not working for WAN2, even after I disabled WAN. I made sure to edit the dynamic DNS config to use the failover group. It updated the DNS entry. But my mobile client cannot connect. I must be missing something.

          viragomann @madbrain

            @madbrain said in Pass rules for WAN2:

            However, the VPN is still not working for WAN2, even after I disabled WAN. I made sure to edit the dynamic DNS config to use the failover group

            This naturally requires a DNS update, so consider the DNS TTL. The client does not update its cache until the TTL has expired. That could be a few minutes.

            I think it would be more reliable for dual WAN to have the server listen on both and do dynDNS updates on both WANs independently.

            To do so, set the OpenVPN server to listen on localhost.
            Then add a port forwarding on both WANs to it:
            destination: WAN(2) address
            dest. port: 1194
            redirect target: 127.0.0.1
            redir. port: 1194

            The port forwarding should create new rules accordingly on both WANs. You can remove the ones to the WAN addresses.

            Edit:
            I have to add the instructions for the client config when using dual WAN with two different host names.
            In the clients config file you simply have to add an additional remote line for the second host name.
            When using the client export utility, you can enter this line in the "Additional configuration options". So client export adds it automatically.

              madbrain @viragomann
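            The setup above (server listening on localhost, a port forward on each WAN, one dynDNS name per WAN, and a second `remote` line on the client) can be written out as a complete OpenVPN client profile. This is an added example, not the thread's own configuration or a pfSense export: the two host names `vpn-wan1.example.com` and `vpn-wan2.example.com`, port 1194, UDP, and the certificate file names are all assumptions. With both names listed, the client falls through to the second WAN on its own, so it no longer depends on a single failover DNS name and its TTL, which is the problem raised earlier in the thread.

```conf
# OpenVPN client profile for a pfSense server reachable through two WANs.
# Added example; host names, port, protocol and file names are assumed.
client
dev tun
proto udp

# One entry per WAN, each pointing at that WAN's own dynDNS name.
# OpenVPN tries the entries in order and moves to the next one when the
# current server does not answer within connect-timeout seconds.
remote vpn-wan1.example.com 1194 udp
remote vpn-wan2.example.com 1194 udp

# Keep retrying name resolution instead of giving up (a dead WAN's name
# may still resolve; the stale answer is what the second remote handles).
resolv-retry infinite

# Wait this long for a server reply before trying the next "remote" line.
connect-timeout 10
# Pause between full passes over the remote list.
connect-retry 5

# Do not bind a fixed local port; let the OS pick one.
nobind
persist-key
persist-tun

# Only accept a server certificate that carries the server EKU, so a
# forwarded port on the "wrong" WAN cannot be swapped for another host.
remote-cert-tls server

# Credentials as exported from pfSense (file names assumed).
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key

verb 3
```

            When using the pfSense client export utility, only the extra `remote vpn-wan2.example.com 1194 udp` line (and, if wanted, `connect-timeout 10`) needs to go into "Additional configuration options"; the export fills in everything else.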

              @viragomann Thanks. You are right. DNS TTL is likely the issue!

              Unfortunately, there is no way to flush the DNS cache on Android, other than rebooting. sigh.

              I will play with this more tomorrow. Thanks again

                viragomann @madbrain

                @madbrain
                The TTL can be set in the DNS settings normally.
                Check if your DNS provider lets you do this. Two minutes is a good value for this.

                  madbrain @viragomann

                  @viragomann I'm trying to implement what you suggested. I'm not seeing how. The rules screen doesn't have "redirect target" and "redirect port". Am I on the wrong screen?

                  [screenshot: 299fee4f-7aad-45cb-bbaa-30d8ccfed1a6-image.png]

                    viragomann @madbrain

                    @madbrain
                    Firewall > NAT > port forwarding

                    You have to add these rules manually.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.