Dual WAN/Dual LAN - Firewall rules ignored when one WAN drops.
I have a Dual WAN setup with two LANS connected. I do not care about load balancing and non is setup, I use one WAN specifically for VOIP and the second for everything else. I also really do not care if there is any auto failover, although this seems to happen anyway even though the firewall rules specifically do not allow traffic to go to the "other" WAN from a specfic LAN.
Some background setup info:
LAN - re0
LAN_VOIP - VLAN1 (on re0)
WAN - VLAN2 (on re0, DSL, PPPoe client running on the firewall)
WAN2 - VLAN3 (on re0, cable)
re0 is a gigabit interface
I use a Dell smart switch to handle the VLANs
LAN -> firewall rule -> LAN_VOIP
LAN -> firewall rule -> WAN
LAN_VOIP -> firewall rule -> LAN
LAN_VOIP -> firewall rule -> WAN2
LAN_VOIP should NEVER go out WAN2
LAN should NEVER go out WAN
- When booting pfsense, the WAN interface comes up a little slower then the second WAN, this sometimes, but not always, causes LAN_VOIP to get routed through WAN2 ignoring the firewall rules. When the WAN interface does come up the routing remains sticky to WAN2 and it is next to impossible to get it to go to WAN and to follow the firewall rules.
- If the DSL line drops, then the LAN_VOIP is routed to WAN2 and the firewall rules get ignored. When the DSL line comes back pfsense never re-routes the LAN_VOIP traffic back to the proper interface WAN, ignoring the rules.
The only way I have found to recover from this is to disable the WAN2 interface, reboot pfsense, let WAN come up alone, let the VOIP server connect through the WAN as it is supposed to, then bring up WAN2. I would think if the WAN recovers and if pfsense did any re-routing that when the WAN recovers it should go back to routing and following the firewall rules, correct?
I also did not specifically create rules to block one LAN going to the "other" WAN, did not seem necessary.
Any suggestions or help appreciated.
Can you post a screenshot of your firewall rules to show how you setup the policy based routing?
Perry last edited by
I've notice that you use the parent of the vlans as lan which isn't recommend, add another nic to the box for lan or let lan also be a vlan. vlan1 is often the fail back vlan on the switch and should be avoided.
A general setup with vlans
pfSense <–- tagget ---> Switch <---- untagget ---> Clients
| **parent nic ** | **vlan tag/id ** | **pfSense nic ** | **description name ** |
| re0 | 10 | vlan0 | LAN |
| re0 | 44 | vlan1 | WAN |
| re0 | 57 | vlan2 | WAN2 |
| re0 | 64 | vlan3 | LAN_VOIP |
Thanks for the replies.
Here are the LAN rules attached.
Yes I am using the default VLAN 1 ID for the LAN (re0). It simply made a little less work to set it up this way since I did not have to mess around more with the switch config. Also, my understanding was that it was only a problem to use VLAN ID 1 when specifically defined as a VLAN. As long as I left the default alone and simply used it "as is" there would not be an issue. Or is there some other issues with it? The other VLAN IDs are 10, 20, & 30.
BTW, the box is a little MSI Atom based unit, the only option for another nic is USB, tried it, and USB nics pretty much suck. Much better than the power hungry P4 heater I used once before. And since this is what VLANs were made to do, one gigabit nic should be all that is needed when the most you can push through it is the sun of the up/downb speeds of the 2 WANs.
Under the allow rule under LAN2 voip, the gateway for traffic that matches the bottom rule is using "*" as its gateway. That indicates that the traffic should follow whatever is in the pfSense routing table. That might explain why the order that the interfaces come up in affects the routing.
Try creating a failover group with just the WAN connection and use that as the gateway for that second rule on LAN2_VOIP.
Services > Load Balancer > Pools
Make sure you set the type to Gateway.
If that works, you could then go back and add the WAN2 connection so it will pick up the traffic when WAN fails.
Sorry for the delay in getting back to this and thanks for the response.
OK I setup a failover gateway with only the WAN gateway in the pool. Not having used this feature previously, I have a couple questions you might be kind enough to answer.
- The order of the gateways in the "pool" for the failover rule is the order of use, then failover? Correct?
- When I set the rules to allow traffic from LAN<->LAN_VOIP I would still use the "default" gateway? Correct? I have it setup this way now and only traffic destined for the interent uses the new failover gateway for LAN_VOIP.
Another note, since I got a replacement Motorola modem from ATT, my DSL line has been rock solid, no more drops.
Another, another, note, OK, while this new "gateway" seems to work with routing LAN_VOIP out the WAN interface all the time, I now have issues with either, a) voip calls dropping after ~75 seconds, or b) one way audio (no incoming audio).
I have two port forwards set in NAT for the WAN interface 1) to forward a range of UDP ports and 2) port 5060 to go to my voip server (IP) on LAN_VOIP, I also have rules set to allow them in on the WAN interface with the new "gateway", but the incoming audio packets are not making it.
To summarize: When using the default gateway and port forwards, no problem audio works, no dropped calls. When using the new "gateway" to force policy routing, dropped calls and one way audio.
Thanks again for the help.
You shouldn't use the failover pools for your rules on the WAN and WAN2 interface, just leave the gateway as default on those.
You are right for your 1 and 2 question.
OK, understood on the rules for WAN interfaces, use default.
Any explanation (or theory) then on why (at least it seems to me) the port forwards do not work then when using the failover pool gateway for LAN_VOIP->WAN and using the default gateway for WAN2->LAN_VOIP? When configured like that, VOIP calls are dropped after a minute.
I am a little stumped on why the calls are dropping.