Dual WAN using ISPs' static IPs



  • Hello,

    We are having a bit of an issue with the fail-over/load-balancing portion of pfSense. We can get our first WAN (WAN1) to work fine with the initial setup, but when we try adding in WAN2 and disconnecting WAN1, pfSense does not seem to allow traffic through to WAN2. We have pretty much gone over http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x step-by-step/word-for-word, but we still cannot get it working correctly. We have also searched the forums quite a bit, but to no avail, so if our question seems redundant, we apologize and hope you can direct us to the corresponding thread which explains the answer.

    Ideally, we would just like to use our static IPs from our ISPs instead of having to use a router from each modem into pfSense as the tutorial implies (although we are not sure how to set that up either). This would of course help reduce the chance of hardware failure on our side.

    - From ISP 1, we have the address 99.155.xxx.yyy, which is connected to a Netgear VPN router. The router is set up with the address 192.168.0.2, and pfSense has a static IP of 192.168.0.250 (which is our DMZ IP). The ISP DNS server is 68.94.156.1 and is pingable.

    - From ISP 2, we have the address 69.4.xxx.yyy, which is connected to a standard D-Link router. The router is set up with the address 192.168.1.1, and pfSense has a static IP of 192.168.1.250 (which is our DMZ IP). The ISP DNS server is 64.33.128.10 and is pingable.

    - For our LAN, we have pfSense running DHCP with an IP of 192.168.10.1 and a laptop pulling a dynamic IP from pfSense (currently 192.168.10.245).

    Our method of testing for failover is to disconnect our ISP 1 cable to imitate it being offline. We see the status go from green to yellow to red in the status section for the load balancer, but it shows red for both WANs. Our guess is that something is not configured correctly. We are a little unsure how to set up a static route so that the LAN can access the entire internet through WAN2 just as it would when WAN1 is working correctly.

    Once we get this working properly, we also need to set something up to be sure our email server can send/receive email fine through ISP 1 (assuming another static route with some rules?), as we don't think it would be capable of working through both ISPs (please let us know if this isn't true).

    We appreciate any help or ideas that people can provide for us to try. We want to get our proof-of-concept machine working so that we can use it as our production firewall/router, replacing our Cisco ASA.

    Thank you.



  • @quantum:

    Our method of testing for failover is to disconnect our ISP 1 cable to imitate it being offline. We see the status go from green to yellow to red in the status section for the load balancer, but it shows red for both WANs.

    If both WANs go red in the LB, the IPs you're using for monitoring are both reached through ISP 1.

    You need to have a static route to the monitor IP via its own WAN.



    Thanks for the info. We are not sure how to configure the static route(s). Would you, or anyone else, happen to have an example static route, or give an idea of what we need to enter based on our info above? Once we see how it looks/works we should be able to figure it out. It's just the whole getting-started issue here.

    In the topic http://forum.pfsense.org/index.php/topic,21329.msg109544.html#msg109544, GruensFroeschli posted some simple setup instructions for static routes, but unfortunately it is still confusing to us for some reason.

    @GruensFroeschli:

    "System" –> "Static Routes"
    Click the +
    Select the interface on which traffic should go out for the route
    Enter in "Destination network" the IP you want to always send to WAN2. Select as subnet /32 if you want only a single IP.
    Enter in Gateway the IP of your WAN2 gateway.

    Select the interface on which traffic should go out for the route

    We assume in our case it would be our WAN2?

    Enter in "Destination network" the IP you want to always send to WAN2

    Would this be our DNS server for WAN2?

    Select as subnet /32 if you want only a single IP.

    We assume /32 here since it is only one DNS server that it is going to?

    Enter in Gateway the IP of your WAN2 gateway.

    Would this be 192.168.1.1 or 192.168.1.250 or 69.4.xxx.yyy?

    We do appreciate any help on this.



  • Select the interface on which traffic should go out for the route

    We assume in our case it would be our WAN2?

    Yes

    Enter in "Destination network" the IP you want to always send to WAN2

    Would this be our DNS server for WAN2?

    Yes

    Select as subnet /32 if you want only a single IP.

    We assume /32 here since it is only one DNS server that it is going to?

    Not exactly. In CIDR notation you always express subnets. A subnet of a single IP is /32.
    If you had 4 DNS servers next to each other (x.5, x.6, x.7, x.8) you could express them as a single CIDR subnet x.5/30 –> x.5 to x.8.
    However, if these 4 DNS servers were spread out (x.5, x.10, x.15, x.20) you would need 4 separate expressions: x.5/32, x.10/32, x.15/32, x.20/32.

    Enter in Gateway the IP of your WAN2 gateway.

    Would this be 192.168.1.1 or 192.168.1.250 or 69.4.xxx.yyy?

    - From ISP 2, we have the address 69.4.xxx.yyy, which is connected to a standard D-Link router. The router is set up with the address 192.168.1.1, and pfSense has a static IP of 192.168.1.250 (which is our DMZ IP). The ISP DNS server is 64.33.128.10 and is pingable.

    Since the pfSense has the IP 192.168.1.250/24 (I assume it's /24), its immediate gateway is 192.168.1.1.
    –> The next router directly connected to the pfSense.
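The following is an added example that pulls together the two answers in this thread (the per-monitor static route from the first reply, and the CIDR and gateway points from the last one); it is not code from the thread, from the posters, or from pfSense. It models the two WANs as the original poster described them, with the /24 mask the last reply assumes, and shows three things a practitioner would want to confirm before clicking through System –> Static Routes: that a candidate gateway is actually on pfSense's directly connected subnet (which is why 192.168.1.1 is the right entry and the ISP-facing public address is not), that one /32 host route per monitor IP via its own WAN's gateway is what makes each monitor leave through its own link (without them every probe follows the default route, so unplugging WAN1 turns both monitors red), and how lists of IPs collapse into CIDR blocks. CIDR blocks are aligned on their own size, so a /30 starts at a multiple of 4; the collapse function shows which groups of four addresses fit a single /30 and which need separate entries. The 10.0.0.x and 203.0.113.1 addresses are constructed placeholders, and the route(8) strings are only an illustration of what pfSense installs from the GUI entries; everything uses Python's standard ipaddress module.

```python
import ipaddress

# Constructed lab model of the thread's setup (assumption: both WAN subnets are /24).
WANS = {
    "WAN1": {"local": "192.168.0.250/24", "gateway": "192.168.0.2", "monitor": "68.94.156.1"},
    "WAN2": {"local": "192.168.1.250/24", "gateway": "192.168.1.1", "monitor": "64.33.128.10"},
}


def gateway_on_link(local_cidr, gateway):
    """True if the gateway sits on pfSense's directly connected subnet.

    A static route's gateway must be a next hop pfSense can reach directly
    (here the ISP router's LAN-side address), not the ISP-side public address.
    """
    net = ipaddress.ip_network(local_cidr, strict=False)
    return ipaddress.ip_address(gateway) in net


def aligned(cidr):
    """True if the block is a valid CIDR prefix (no host bits set): x.4/30 is, x.5/30 is not."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def cidr_routes(hosts):
    """Collapse single IPs into the fewest valid CIDR blocks usable as route destinations."""
    nets = (ipaddress.ip_network(h + "/32") for h in hosts)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def monitor_routes(wans):
    """Build one /32 host route per monitor IP, pointed at that WAN's own gateway."""
    table = []
    for name, w in wans.items():
        if not gateway_on_link(w["local"], w["gateway"]):
            raise ValueError(f"{name}: gateway {w['gateway']} is not on {w['local']}")
        dest = ipaddress.ip_network(w["monitor"] + "/32")
        table.append((dest, name, ipaddress.ip_address(w["gateway"])))
    return table


def lookup(table, dst, default_wan):
    """Longest-prefix match over the static routes; fall back to the default WAN."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, name, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, gw)
    return best[1] if best else default_wan


def monitor_paths(wans, table, default_wan="WAN1"):
    """Which WAN each monitor probe actually leaves through, given the route table."""
    return {name: lookup(table, w["monitor"], default_wan) for name, w in wans.items()}


def route_commands(table):
    """FreeBSD route(8) equivalents of the GUI entries, for illustration only."""
    return [f"route add -host {net.network_address} {gw}" for net, _name, gw in table]


if __name__ == "__main__":
    # No host routes: every probe follows the default route out WAN1, so
    # unplugging WAN1 makes both monitors go red at once.
    print(monitor_paths(WANS, []))            # {'WAN1': 'WAN1', 'WAN2': 'WAN1'}
    table = monitor_routes(WANS)
    print(monitor_paths(WANS, table))         # {'WAN1': 'WAN1', 'WAN2': 'WAN2'}
    for cmd in route_commands(table):
        print(cmd)
    print(cidr_routes(["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"]))
```

Run it directly to see the two route tables side by side; the last line shows that four consecutive addresses starting at .5 do not fit one /30 and need three entries, while .4 through .7 collapse to a single 10.0.0.4/30.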

