Need help with simple dual WAN



  • Hi guys, I'm new to pfSense, so please be patient :D
    My network consists of an internal interface (LAN), an external ADSL interface (WAN1) and another WAN interface for another router (WAN2); let me explain better:

    • my internal network (ip 10.0.0.200/8) is my interface for my whole LAN; my DHCP will distribute 10.0.0.x IP addresses;
    • my main WAN (ip 192.168.10.200/24) is my default gateway for accessing all the internet services (websites, downloads, etc…) and it is plugged into an ADSL modem;
    • my 2nd WAN (ip 200.x.x.x/24) is an interface that connects to another gw that has a VPN; every time users need to reach a specific host (eg 200.x.x.10) they are routed to WAN2, and use WAN1 for all the other internet access.

    -- all internet traffic from lan ->wan1 (adsl)
    lan ---------
                      |--- specific host from lan -> wan2 (data line)

    The fact is that I'm new to pfSense; I downloaded and installed it, and configured the interfaces as shown:
    xl0 = LAN = 10.0.0.200
    ed0 = WAN1 = 192.168.10.200 gw 192.168.10.1
    xl1 = WAN2 = 200.X.X.X gw 200.x.wan1.gw

    Went into Firewall > Outbound:
    WAN1    10.0.0.0/8  *  *  *  *
    WAN1    192.168.10.0/24  *  *  *  *
    WAN2    10.0.0.0/8  *  *  *  *
    WAN2    192.168.10.0/24  *  *  *  *

    and then Firewall -> Rules:
    LAN
    green  *  LAN net  *  *  *  192.168.10.1
    WAN1
    green  TCP  *            *  *  *  192.168.10.1
    WAN2
    green  TCP  200.x.x.10  *  *  *  200.x.wan1.gw

    I need to use the default gw (wan1, adsl) for all internet traffic and the wan2 gw for some specific traffic; after that, I plugged in the LAN cables but couldn't make it work;

    actually I use a Linux box with kernel 2.2 and 3 NICs for this job; but I need a newer kernel and a faster PC, so this is why I'm trying pfSense; my pfSense box configuration is DURON 800, 256RAM, HD 80G, 3NICS (2 3com and 1 RTL8039); this is the route command that does the trick with the specific host in my Linux box:
    route add -host 200.x.specific.host gw 200.x.x.x

    so, my questions:
    a) is my configuration correct? what do I need to do to fix it??
    b) how can I install and configure the squid proxy server to be used on my LAN for internet traffic?? can I configure it graphically like the rest of pfSense?
    c) what is Bandwidth Management (Traffic Shaping) for each interface? how can it help me to save network bandwidth? when I configure my LAN interface with 10kilobits/s, does that mean that all my LAN clients will get downloads at 10kb/s?? even if one downloads 10 files at the same time, will he share the 10kb among the 10 files??
    d) my LAN and WAN1 interfaces use NAT, but can I use a DNS server that has a non-masqueraded address (such as 200.x.x.22)?? Or must it be a masqueraded address such as 192.168.10.1??
    e) does pfSense download and install automatically all the packages listed in the packages section??

    thanks a lot for the help and excuse me for the long text; congratulations for pfSense!



  • @srs:

    and then Firewall -> Rules:
    LAN
    green  *  LAN net  *  *  *  192.168.10.1
    WAN1
    green  TCP  *            *  *  *  192.168.10.1
    WAN2
    green  TCP  200.x.x.10  *  *  *  200.x.wan1.gw

    Your firewall rules order is wrong. First match wins, so if you send everything out wan1 already it won't get down to the rule for the single client to go out wan2. Move that rule up. Also the source IP of that rule looks wrong. Isn't that a LAN client too?

    You also should use the default gateway rather than specifying wan1 gateway (wan1 gateway is the default gateway).

    You can install packages at system>packages if you are running a full install. It will integrate into the gui.

    Traffic shaping introduces different service classes for different kinds of traffic. You set your overall up- and downstream and traffic will be prioritized. However it currently only works between 2 interfaces.

    Don't understand the NAT DNS question  ???



  • thanks a lot hoba!

    I will re-order the firewall rules, and I've been thinking about beginning my configuration with only two NICs: LAN and WAN; after that is working I can assign another NIC to WAN2 and configure the route the way I need; what do you think? it seems easier, isn't it?

    green  TCP      200.x.x.10      *      *      *      200.x.wan1.gw

    That firewall rule is wrong, it should be:
    green  TCP      200.x.x.10      *      *      *      200.x.wan2.gw

    This is the place where I think I should say that if someone wants to go to host 200.x.x.10 then they should use the wan2 gw, going through the VPN and not through the INTERNET. Is that right?

    Proxy should be installed after everything is configured??

    thanks again



  • No, you are using the destination IP as source IP in your example. Move it to destination and use source any or LAN subnet.

    And yes, start simple and add things step by step. Easy to find the point where something is wrong this way.



  • Ok, I fixed the order of source and destination in the rule, but I have an important question about this:

    do all my rules being applied on my LAN have to be in the LAN part of the firewall rules??

    if this is right, so, Firewall, Rules, LAN should be like this:
    LAN
    green  *  LAN net  *  200.x.x.10  *  200.x.wan2.gw
    green  *  LAN net  *        *      *  192.168.10.1

    Here I'm saying that any client trying to reach 200.x.x.10 will use the wan2 gw and that any client trying to reach the rest of the internet will use 192.168.10.1, or the wan1 gw, ok? do I need more rules in WAN1 and WAN2 or are these enough?

    do I need these firewall rules:
    WAN1
    green  TCP  *  *  *  *  192.168.10.1

    WAN2
    green TCP  0.0.0.0  *  200.x.x.10  *  200.x.wan2.gw

    and about the NAT rules, am I wrong or, from my actual rules shown below:

    Interface  Source           Dest  Dest Port  NAT Addr  NAT Port
    WAN1       10.0.0.0/8       *     *          *         *
    WAN1       192.168.10.0/24  *     *          *         *
    WAN2       10.0.0.0/8       *     *          *         *
    WAN2       192.168.10.0/24  *     *          *         *

    the only necessary rules are these:

    Interface  Source           Dest  Dest Port  NAT Addr  NAT Port
    WAN1       10.0.0.0/8       *     *          *         *
    WAN2       10.0.0.0/8       *     *          *         *

    Because only my internal network (LAN) needs NAT rules, isn't it; the other rules shown above don't make sense because they're applied to the WAN network (192.168.10.0), from within which I don't have clients, ok? is that thinking right? :D

    thanks again!

    thanks a lot, I think it will work really soon :D



  • All firewall rules are validating incoming traffic at an interface. As the traffic to the host at WAN2 is incoming from your LAN interface, the rule for that has to be at the LAN interface too.

    If you don't need NAT at WAN2 just delete the unneeded rules at your outbound NAT screen.

    It looks to me that your WAN2 is not really a WAN but a routed subnet to a special host as you want to shutdown NAT and also only need one host to be reachable through that interface. If that is right you should consider making your WAN2 just a normal OPT-Interface and add static routes at system>static routes for the destination-IP/32 through the gateway at that interface.

    As you mention "green" I guess you are a former IP-COP user. pfSense is much more flexible when it comes to NAT and firewall rules. Just because an interface is not a WAN (or red) doesn't mean you can't block traffic from there.

    Maybe you are making things a bit too complicated where everything could be easier  ;)
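    The two points hoba makes above (rules are matched where traffic enters, and first match wins, so a catch-all above the specific rule shadows it) plus the /32 static-route alternative, modelled as a small added example; this is not code from the thread or from pfSense, and all addresses and gateway names in it are constructed placeholders:

```python
"""Toy first-match policy-routing evaluator (added example, not pfSense code).

Two behaviours from the thread are modelled:
  * a rule only applies to traffic ENTERING the interface it is attached to,
    so LAN-originated traffic is matched by rules on LAN, not on WAN2;
  * rules are evaluated top to bottom and the first match wins, so a
    catch-all rule above a more specific one shadows it.
The /32 static-route alternative is modelled as longest-prefix match, which
does not depend on ordering at all.
All addresses and gateway names are constructed stand-ins for the thread's
200.x.x.x values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    iface: str     # interface the packet arrives on
    src: str       # "any" or a CIDR
    dst: str       # "any" or a CIDR
    gateway: str   # gateway to policy-route matching traffic to


def _match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def policy_route(rules, in_iface, src, dst):
    """Gateway of the first rule matching this packet on in_iface, or None."""
    for r in rules:
        if r.iface == in_iface and _match(r.src, src) and _match(r.dst, dst):
            return r.gateway
    return None


def static_route(routes, dst):
    """Longest-prefix match over (cidr, gateway) pairs: a /32 beats default."""
    best = None
    for cidr, gw in routes:
        net = ip_network(cidr, strict=False)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


LAN_NET = "10.0.0.0/8"
SPECIAL = "200.0.0.10/32"            # constructed stand-in for 200.x.x.10
WAN1_GW, WAN2_GW = "192.168.10.1", "wan2_gw"   # wan2_gw is a placeholder name

# Original layout from the first post: catch-all on LAN sends everything to
# wan1, and the special host sits in the SOURCE column of a rule on WAN2.
SHADOWED = [
    Rule("LAN", LAN_NET, "any", WAN1_GW),
    Rule("WAN2", SPECIAL, "any", WAN2_GW),
]

# Corrected layout: special DESTINATION first, attached to LAN, catch-all last.
CORRECTED = [
    Rule("LAN", LAN_NET, SPECIAL, WAN2_GW),
    Rule("LAN", LAN_NET, "any", WAN1_GW),
]

# Static-route alternative suggested by hoba: default via wan1, /32 via wan2.
ROUTES = [("0.0.0.0/0", WAN1_GW), (SPECIAL, WAN2_GW)]


if __name__ == "__main__":
    print(policy_route(SHADOWED, "LAN", "10.0.0.5", "200.0.0.10"))   # 192.168.10.1 (shadowed)
    print(policy_route(CORRECTED, "LAN", "10.0.0.5", "200.0.0.10"))  # wan2_gw
    print(policy_route(CORRECTED, "LAN", "10.0.0.5", "203.0.113.7"))  # 192.168.10.1
    print(static_route(ROUTES, "200.0.0.10"))                         # wan2_gw
```

    The shadowed table never reaches the wan2 rule for a LAN client, both because the catch-all sits above it and because the rule is attached to WAN2, where LAN traffic never enters; the static-route table picks wan2 for the special host regardless of ordering.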



  • @hoba:

    All firewall rules are validating incoming traffic at an interface. As the traffic to the host at WAN2 is incoming from your LAN interface, the rule for that has to be at the LAN interface too.

    If you don't need NAT at WAN2 just delete the unneeded rules at your outbound NAT screen.

    This is the confusing part to me; I'm not a network specialist, but I think I need that NAT rule.

    It looks to me that your WAN2 is not really a WAN but a routed subnet to a special host as you want to shutdown NAT and also only need one host to be reachable through that interface. If that is right you should consider making your WAN2 just a normal OPT-Interface and add static routes at system>static routes for the destination-IP/32 through the gateway at that interface.

    My wan2 is a frame-relay line slower than my adsl link, but it has a direct route to my destination point 200.x.x.10, so even though it is slower than my adsl, it is faster to reach that point from the frame-relay (wan2) than from adsl (wan1); this is why I use this route instead of using adsl to access that point; in truth I'm routing my wan2 traffic into another router; but I think a static route would work for me, because my current router uses a static route to do this job for me!

    As you mention "green" I guess you are a former IP-COP user. pfSense is much more flexible when it comes to NAT and firewall rules. Just because an interface is not a WAN (or red) doesn't mean you can't block traffic from there.

    Maybe you are making things a bit too complicated where everything could be easier  ;)

    I really came from ip-cop :D, but when I said green I meant the little green arrow at the beginning of the firewall rules; this was only an indication that the rule was enabled :D

    And you're right, unfortunately my poor knowledge of networking is making this install harder than it really is; I think this is what I'm gonna do now: install only two NICs, LAN and WAN, and when everything is working, then I can try to add the 3rd NIC and make a static route to it!

    but as I said before, this is really not difficult, what makes it harder is really ME  ;D

    thanks a lot for your patience and excuse me for the bad English :D



  • it seems it worked now!  ;D ;D

    the only question is that I'm trying to install the squid proxy server, and when I try I get this:

    Downloading package configuration file… done.
    Saving updated package information... done.
    Downloading squid and its dependencies... done.
    Checking for successful package installation... failed!

    Installation aborted.

    why??

    thanks a lot :D



  • Update to 1.0-RC3a



  • @sullrich:

    Update to 1.0-RC3a

    you mean 1.0-RC3 ?? I couldn't find 1.0-RC3a!
    I'll do the update! thanks a lot!!!

    srs


  • Updated and now installing squid! :D

    Congratulations again for the excellent firewall and for making a tool that is updatable without needing to reinstall!

    Is there any package like mrtg for pfSense so that I can have more detailed interface graphs?

    thanks!



  • Did you already have a look at status>rrd graphs? It's included in core, no package needed for that.



  • @hoba:

    Did you already have a look at status>rrd graphs? It's included in core, no package needed for that.

    I think I don't; if I remember, I've seen the Traffic Graphs, the ones that are updated live; I'll check this!

    Another simple question; I'm using squid and would like to know how I can use a word blacklist for URLs??

    Thanks again, and I must say that every new feature discovered shows me that I made the right choice for the firewall… congratulations for the tool.

    srs

