Netgate Discussion Forum

Multi Wan question

Routing and Multi WAN
  • B
    bob76535
    last edited by Jan 25, 2010, 7:54 PM

    I have been reading posts here and reading the document here http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x and I would like to set up a pfsense box for my office. I have two 6M/1M DSL connections coming in here (both from the same ISP - they are the only one available here). They are both pppoe and both have a static IP. I no longer need the second static IP so I was looking at using the loadbalancing/failover capabilities of pfsense. In the document I referenced above it shows two DMZs set up between the modems and the pfsense box with servers placed in the DMZ. Do I have to place my servers in the DMZ or can I just have them on the LAN behind the NAT with ports forwarded? I have a server with websites, mysql, FTP, and a few other things that need to be forwarded plus another box with a DNS server and some other items that need the forwarding.

    I understand that I will have to use a router between the second modem and pfsense to handle pppoe. Am I going to have any issues with the failover since I am using the same ISP for both connections? Is there anything that needs to be set differently?

    If it makes any difference, here is the hardware I am using:

    Dell Precision 670 workstation (Dual 2.8G Xeons, 4G ram, 6G ide drive)
    The onboard gigabit NIC is the LAN
    I added a pair of 3com server class PCI NIC cards for the WAN connections.
    I have pfsense 1.2.3 installed and I have the machine on the bench with both WAN connections plugged into the local network.
    Seems like it works OK. I am still messing with the failover settings.

    Thanks

    Bob

    • B
      bob76535
      last edited by Jan 25, 2010, 9:55 PM

      Just some more to add.

      I think I got it all working on the test bench.

      I had to use the static IP address of each modem for the failover (instead of a dns server) since they are both from the same ISP. If I kill either modem causing the IP to go offline, the failover occurs and it goes to the other connection (according to the status page).

      I have NOT added the DMZ yet. I have added rules on each interface to represent the 2 servers behind the NAT. I made a rule for each port on my first server which uses the static IP of the WAN connection and made a rule for each port of the other server which uses the static of the second WAN (opt1). I realize the port forwarding will not failover if one of the connections goes down. I just need the servers to get the traffic sent to them behind the NAT via normal port forwarding from each interface.

      Am I doing this right? I hope someone can shed some light on this for me before I try it live later.

      Thanks

      Bob

      • B
        bob76535
        last edited by Jan 26, 2010, 2:46 PM

        Here are my rules if that makes any difference. The WAN connection is the one that ends in 114.157 and the OPT1 connection ends in 117.23.

        loadbalancepng.jpg
        lanrules.png
        Opt1rules.png
        wanrules.png

        • B
          bob76535
          last edited by Jan 26, 2010, 3:00 PM Jan 26, 2010, 2:57 PM

          Forgot to post the NAT. Also, I moved the second server to the wan connection to simplify things.

          NAT.png

          • L
            lotacus
            last edited by Jan 26, 2010, 6:25 PM

            http://openpdf.com/ebook/pfsense-rules-pdf.html

            should have some stuff of your interest. There is one PDF that talks about load balancing the WAN, but within that PDF it talks about setting that load balancing up as fail-over too.

            If properly done everything on your first modem should fail-over to the second, even your ports and rules. Perhaps, you may want to do CARP and have a second PFSense installation for it to work properly.

            • B
              bob76535
              last edited by Jan 26, 2010, 7:44 PM

              The PDF you referenced says exactly the same thing as the link in my first post.

              Unfortunately, I may have to scrap this project and just buy a Draytek box as it looks like pfsense just isn't going to work. I tried to hook the second wan to the bridged modem/router setup and as soon as the new connection with a different gateway was introduced, the internet stopped working on both connections. I tried adding the DMZs as the reference material says and that didn't work. I have less than 24 hours to get this up and running. Anyone out there care to tell me what I am doing wrong here?

              Thanks

              Bob

              • B
                bob76535
                last edited by Jan 26, 2010, 8:09 PM

                I have discovered that I can't ping anything from the webgui on the second wan interface. I connected a machine directly to the router on that interface and it works fine and will ping out. For some reason pfsense is not allowing any traffic to flow on the second wan.

                Any ideas?

                • B
                  bob76535
                  last edited by Jan 26, 2010, 8:27 PM

                  I changed my DNS servers to both use the public ones as suggested. I went back through the loadbalancing and failover services and changed out my static ips for the dns servers. Now everything seems to be working again. I will update this tomorrow after I connect the primary WAN directly to our modem (shouldn't make a difference).

                  Thanks

                  Bob
