Need help with simple dual WAN
-
No, you are using the the destination IP as source IP in your example. move it to destination and use source any or lan subnet.
And yes, start simple and add things step by step. Easy to find the point where something is wrong this way.
-
Ok, I fixed the order of source and destination in the rule, but I have an important question about this:
all my rules being applyed on my lan has to be in the LAN part of firewall rules??
if this is right, so, Firewall, Rules, LAN should be like this:
LAN
green * LAN net * 200.x.x.10 * 200.x.wan2.gw
green * LAN net * * * 192.168.10.1Here I'm saying that any client trying to reach 200.x.x.10 will use wan2 gw and that any client trying to reach the rest of the internet will use 192.168.10.1, or wan1 gw ok? do I need more rules in WAN1 and WAN2 or does this are enought?
do I need this firewall rules:
WAN1
green TCP * * * * 192.168.10.1WAN2
green TCP 0.0.0.0 * 200.x.x.10 * 200.x.wan2.gwand about the nat rules, am I wrong or from my actual rules shown bellow:
Interface Source Dest Dest Port NAT Addr NAT Port
WAN1 10.0.0.0/8 * * * *
WAN1 192.168.10.0/24 * * * *
WAN2 10.0.0.0/8 * * * *
WAN2 192.168.10.0/24 * * * *the only necessary rules are this:
Interface Source Dest Dest Port NAT Addr NAT Port
WAN1 10.0.0.0/8 * * * *WAN2 10.0.0.0/8 * * * *
Because only my internal network (LAN) needs nat rules isn't; the other rules shown above doesnt make sense because they're applyed to the WAN network (192.168.10.0) from whithin I doesnt have clients ok? is that thinking right? :D
thanks again!
thanks a lot, I think it will work really soon :D
-
All firewall rules are validating incoming traffic at an interface. As the traffic to the Host at WAN2 isincoming from your LAN interface the rule for that has to be at the LAN interface too.
If you don't need NAT at WAN2 just delete the unneeded rules at your outbound NAT screen.
It looks to me that your WAN2 is not really a WAN but a routed subnet to a special host as you want to shutdown NAT and also only need one host to be reachable through that interface. If that is right you should consider making your WAN2 just a normal OPT-Interface and add static routes at system>static routes for the destination-IP/32 through the gateway at that interface.
As you mention "green" I guess you are a former IP-COP user. pfSense is much more flexible when it comes to NAT and firewallrules. Just because an interface is not a WAN (or red) doesn't mean you can't block traffic from there.
Maybe you are making things a bit too complicated where everything could be easier ;)
-
All firewall rules are validating incoming traffic at an interface. As the traffic to the Host at WAN2 isincoming from your LAN interface the rule for that has to be at the LAN interface too.
If you don't need NAT at WAN2 just delete the unneeded rules at your outbound NAT screen.
This is the confusing part to me; I'm not a network specialist, but I think I need that NAT rule.
It looks to me that your WAN2 is not really a WAN but a routed subnet to a special host as you want to shutdown NAT and also only need one host to be reachable through that interface. If that is right you should consider making your WAN2 just a normal OPT-Interface and add static routes at system>static routes for the destination-IP/32 through the gateway at that interface.
My wan2 is a frame-relay line slower than my adsl link, but has a direct route to my destiny point 200.x.x.10, so even slower than my adsl, is faster reach that point from that frame-relay (wan2) than from adsl (wan1); this is why I use this route instead of using adsl to access that point; In the truth I'm routing my wan2 traffic into another router; but I think a static route would work for me, because my actual router uses a static router to do this job for me!
As you mention "green" I guess you are a former IP-COP user. pfSense is much more flexible when it comes to NAT and firewallrules. Just because an interface is not a WAN (or red) doesn't mean you can't block traffic from there.
Maybe you are making things a bit too complicated where everything could be easier ;)
I really came from ip-cop :D, but when I told green I meant the little green arrow that stays in the beginning of the firewall rules; this was only an indicative that the rule was enabled :D
And you're right, unfortunatelly my poor knowledge in networking is making this install harder that it really is; I think this is what I'm gonna do now: install only two nics, LAN and WAN and when everything is working, then I can try to ad the 3rd nic and make a static route to it!
but as I said before, this is really not difficult, what makes it harder is really ME ;D
thanks a lot for your patience and excuse-me for the bad english :D
-
it seems it worked now! ;D ;D
the only question is that I'm trying to install squid proxy server, and when I try I get this:
Downloading package configuration file… done.
Saving updated package information... done.
Downloading squid and its dependencies... done.
Checking for successful package installation... failed!Installation aborted.
why??
thanks a lot :D
-
Update to 1.0-RC3a
-
Update to 1.0-RC3a
you mean 1.0-RC3 ?? I couldn't find 1.0-RC3a!
I'll do the update! thanks a lot!!!srs
-
fist update to rc3 http://pfsense.iserv.nl/updates/pfSense-Full-Update-1.0-RC3.tgz
then update to rc3a http://pfsense.iserv.nl/updates/pfSense-1.0-rc3a-Full-Embedded.tgz
then to rc3b http://pfsense.iserv.nl/updates/pfSense-1.0-RC3b-Full-Embedded.tgz -
Updated and now installing squid! :D
Congratulations again for the excellent firewall and for making a tool that is updatable, without needing to reinstall again!
Does it has any package like mrtg to pfsense in order that I have deeper interface graphics?
thanks!
-
Did you already have a look at status>rrd graphs? It's included in core, no package needed for that.
-
Did you already have a look at status>rrd graphs? It's included in core, no package needed for that.
I think I dont; If I remember I've seen the Traffic Graphics, that one that are updated live; I'll check this!
Another simple question; I'm using squid and would like to know how can I use word black list for urls??
Thanks again and I must say that every new feature discovered shows me that I make the right choice for the firewall… contratulations for the tool.
srs