Traffic blocked on OPT1



  • I must state beforehand that I'm quite a newbie both to pfSense and networking…

    I'm trying to build a pfSense firewall with 3 NIC:
    2 WANs (fxp0, fxp1)
    1 LAN (rl0)
    I have 2 modem/routers one with static IP and the other with dynamic IP and I'd like to setup a Load Balancing configuration for the PCs in the LAN.

    I use pfSense 1.2.3-RELEASE and I've read the guide here.
    Before setting up Load Balance I checked both the connections and I'm facing the following problem: it seems that traffic on my OPT1 (WAN2) cannot access the web. I can ping the modem connected to OPT1 but I cannot ping or access anything further. It happens both with the "static" modem and the "dynamic" modem, so I guess it isn't a modem issue; and with any combination of the NICs.

    I just reverted to a "clean" build in order to be sure there isn't any package interfering with the routing.

    Where is my error?



  • How do you test if you cannot get to the outside?



  • @GruensFroeschli:

    How do you test if you cannot get to the outside?

    I used ping and/or traceroute, first from webGUI (I realized later that Multi-WAN is not supported from webGUI ping) and then from login shell:
    *(Using the GUI) I ping a numerical address (e.g. 8.8.8.8), first setting WAN as the used interface and then WAN2
    *(From the shell) I ping while WAN is connected and it responds, I disconnect the cable from WAN modem and try again and I get no response but if I ping the modem IP it responds.
    If I set WAN as OPT1 and vice-versa nothing changes: ping made with WAN connected works, ping while WAN is disconnected can reach only the modem.

    I also set static IP as WAN2 and tried to ping it from WAN (after setting a rule for OPT1 to respond ICMP) and it responded but still it cannot access the outside…



  • pfSense itself cannot make use of the loadbalancer.
    So every test you run from the pfSense itself is useless.

    To test the multiWAN: Set up a balancing pool.
    Create a firewall rule using this balancing pool.
    Test with a client from behind the pfSense.

    Another way would be to create a static route for a specific IP pointing to your secondary WAN, then ping this IP (from the pfSense itself).
    But this isn't multiWAN, just a way to force traffic locally to a different gateway.
    Actually this is what you should do for at least one DNS server, to make sure even if the primary WAN is down you don't lose the ability to resolve names.



  • Can you explain creating the static routes? The document just says to create them, but doesn't give an example.

    My issue is do I make it a route for the LAN or for each individual WAN/OPT1 connection?

    Thanks,
    Shredder



  • "System" –> "Static Routes"
    Click the +
    Select the interface on which traffic should go out for the route
    Enter in "Destination network" the IP you want to always send to WAN2. Select as subnet /32 if you want only a single IP.
    Enter in Gateway the IP of your WAN2 gateway.



  • @GruensFroeschli:

    pfSense itself cannot make use of the loadbalancer.
    So every test you run from the pfSense itself is useless.

    To test the multiWAN: Set up a balancing pool.
    Create a firewall rule using this balancing pool.
    Test with a client from behind the pfSense.

    Another way would be to create a static route for a specific IP pointing to your secondary WAN, then ping this IP (from the pfSense itself).
    But this isn't multiWAN, just a way to force traffic locally to a different gateway.
    Actually this is what you should do for at least one DNS server, to make sure even if the primary WAN is down you don't lose the ability to resolve names.

    Thanks for the answer :D

    As my final goal is to set up a balancing pool I set it up, created the LAN rules following the guide, and tested: it works! :D
    Now I need to set up an OpenVPN connection on the fixed IP, are there any known problems? I checked the forum and only found old threads…



  • There are no problems with OpenVPN that I am aware of.



  • Thanks! :D

    Everything worked fine! :D
    I think this topic can be marked as solved :)

    But before that I have just a somewhat related question: I tried to connect to my pfSense with a manual IP and DNS (the same set on pfSense) and I had many problems accessing the www (very slow page load, many time-outs, and so on..) while the connection through the same ADSL line (using a different firewall) is ok. If I enable DHCP on pfSense and let it assign IP and DNS to my PC the connection runs fine.
    Where could the problem lie?



  • @GruensFroeschli:

    "System" –> "Static Routes"
    Click the +
    Select the interface on which traffic should go out for the route
    Enter in "Destination network" the IP you want to always send to WAN2. Select as subnet /32 if you want only a single IP.
    Enter in Gateway the IP of your WAN2 gateway.

    So if I want to set the route so it goes out my WAN connection, I pick WAN from the drop down and then put in the WAN gateway? Doesn't that seem redundant? That is where I am getting confused.



  • The default route is to the WAN.
    You only need to add a static route if you want traffic to go somewhere else than the default WAN.

    So no, you don't need to add a static route for your WAN pointing to your default WAN.



  • OK. So for my case, I would select OPT1 for the gateway, put in the IP address of the DNS server/32, and then put in the gateway of the OPT1 connection.

    To test that this is working, my best bet would be to SSH into the firewall and do traceroutes to the IP of the DNS server. It should always go out my OPT1 interface, correct?

    Thanks,
    Shredder



  • Yes.


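The check agreed on at the end of the thread (traffic from the firewall to the DNS server must leave through OPT1) can also be done as a routing-table lookup with `route -n get` from the shell. The script below is an added example, not something posted in the thread; the sample output is constructed, and the addresses, gateways and the fxp0 = WAN / fxp1 = OPT1 mapping are assumptions.

```shell
#!/bin/sh
# Constructed samples of `route -n get <ip>` output (FreeBSD format).
# All addresses and the fxp0=WAN / fxp1=OPT1 mapping are assumptions.
SAMPLE_DNS='   route to: 203.0.113.53
destination: 203.0.113.53
    gateway: 192.168.2.1
  interface: fxp1
      flags: <UP,GATEWAY,HOST,DONE,STATIC>'

SAMPLE_OTHER='   route to: 198.51.100.7
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: fxp0
      flags: <UP,GATEWAY,DONE,STATIC>'

# route_field TEXT FIELD: print the value of the "FIELD:" line.
route_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        { key = $0; sub(/:.*/, "", key); gsub(/^[ \t]+/, "", key) }
        key == f { val = $0; sub(/^[^:]*:[ \t]*/, "", val); print val; exit }'
}

# check_egress TEXT IFACE GATEWAY: succeed only if the lookup matches both.
check_egress() {
    iface=$(route_field "$1" interface)
    gw=$(route_field "$1" gateway)
    if [ "$iface" = "$2" ] && [ "$gw" = "$3" ]; then
        echo "OK: via $gw on $iface"
        return 0
    fi
    echo "MISMATCH: via $gw on $iface (expected $3 on $2)"
    return 1
}

# is_host_route TEXT: succeed if the entry carries the HOST flag,
# i.e. it is a host entry and not the default route.
is_host_route() {
    case "$(route_field "$1" flags)" in
        *HOST*) return 0 ;;
        *) return 1 ;;
    esac
}

# On the firewall: check_egress "$(route -n get <dns-ip>)" <opt1-if> <opt1-gw>
check_egress "$SAMPLE_DNS" fxp1 192.168.2.1
check_egress "$SAMPLE_OTHER" fxp0 192.168.1.1
```

A destination without its own static route resolves to `destination: default` and the WAN gateway, which is why tests run from the firewall itself only ever exercised the primary WAN.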