Unable to get traffic over OPT1 in dual WAN setup



  • Hello,

    Like most people reporting here I am new to pfSense; I used to use Smoothwall. I have migrated to pfSense for dual WAN support.

    As stated in the subject I am unable to get traffic going via OPT1 (WAN2). My goal is policy-based routing, so no load balancing. I have followed the steps described in: setting up policy-based routing with multiple WAN links (PDF), but still no luck.

    Here is what my setup looks like now:

    pfSense release 1.0 RC3

    Interfaces:

    • WAN

    • LAN

    • Wanadoo (OPT1)

    • DMZ (OPT2)

    WAN is a bridged DHCP based ADSL connection (always the same external IP).
    LAN has IP range 192.168.2.x
    Wanadoo (OPT1) is a routed ADSL connection that has a fixed IP 192.168.1.11 and GW 192.168.1.1
    DMZ has IP range 192.168.10.x

    In Firewall -> NAT -> Outbound -> Enable advanced outbound NAT I have, like the PDF states, 4 entries:

    Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        192.168.2.0/24   *            *            *                 *            *         NO           LAN>WAN
    WAN        192.168.10.0/24  *            *            *                 *            *         NO           DMZ>WAN
    Wanadoo    192.168.2.0/24   *            *            *                 *            *         NO           LAN>WANadoo
    Wanadoo    192.168.10.0/24  *            *            *                 *            *         NO           DMZ>WANadoo

    I want DMZ routed over WAN, so I have the following rule set in Firewall -> Rules -> DMZ:

    Proto  Source   Port  Destination  Port  Gateway  Description
    *      DMZ net  *     !LAN net     *     *        Permit DMZ to any BUT LAN

    This rule works fine, since accessing the internet from DMZ is no problem.

    For LAN I want traffic of some IP addresses routed over Wanadoo (WAN2 / OPT1). Step one: keep it simple and build from there. So my first step was to try and route all LAN traffic over WANadoo (WAN2 / OPT1). So I figured I need the following rule:
    Firewall -> Rules -> LAN

    Proto  Source   Port  Destination  Port  Gateway      Description
    *      LAN net  *     *            *     192.168.1.1  LAN -> any over WANadoo gateway

    Findings:

    1. I can still reach the internet from DMZ and port forwards etc. all work correctly. Gateway used is WAN.
    2. I can reach the internet from LAN.
    3. All traffic from LAN is routed over WAN and NOT the WANadoo gateway.
    4. When monitoring traffic at Status -> Traffic graph -> Wanadoo I see ZERO traffic over this interface.
    5. When I do a tracert www.myip.nl I see that the hops go over WAN and not WANadoo.

    Can anyone spot an error I made in my setup?

    P.S. I have read and studied all related posts on this forum, but have not looked back at threads that refer to releases older than 1.0.
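    The four outbound NAT entries and the two firewall rules above, expressed as the logically equivalent pf ruleset. This is an added reference example, not the poster's config and not the rules pfSense generates from the GUI; the interface names and macro names are assumed.

```pf
# Added example: the poster's setup as a pf ruleset (pre-4.7 nat syntax,
# as used by the FreeBSD pf of that era). Interface names are assumed.
wan_if   = "fxp0"             # WAN: bridged DHCP ADSL
lan_if   = "fxp1"             # LAN: 192.168.2.0/24
opt1_if  = "fxp2"             # Wanadoo (OPT1): static 192.168.1.11
dmz_if   = "fxp3"             # DMZ: 192.168.10.0/24
lan_net  = "192.168.2.0/24"
dmz_net  = "192.168.10.0/24"
opt1_gw  = "192.168.1.1"      # OPT1 gateway from the post

# Advanced outbound NAT: the four entries from the post. Traffic that leaves
# via OPT1 must be translated to OPT1's own address or replies never return.
nat on $wan_if  from $lan_net to any -> ($wan_if)
nat on $wan_if  from $dmz_net to any -> ($wan_if)
nat on $opt1_if from $lan_net to any -> ($opt1_if)
nat on $opt1_if from $dmz_net to any -> ($opt1_if)

# Firewall -> Rules -> DMZ: permit DMZ to any BUT LAN, default route (WAN).
pass in quick on $dmz_if from $dmz_net to ! $lan_net keep state

# Firewall -> Rules -> LAN: policy-route all LAN traffic via the OPT1 gateway.
# route-to is stored in the state entry, so a connection that already has a
# state keeps the gateway it was created with until that state is gone.
pass in quick on $lan_if route-to ($opt1_if $opt1_gw) from $lan_net to any keep state
```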



  • What's the status for wanadoo at status>interfaces?

    Also can you ping the wanadoo gateway directly from the pfsense at diagnostics>ping?

    One thing that makes me wonder is why you can still get internet access from the LAN subnet. Your rules should send it out wanadoo, and in case it is down you should not be able to get to the internet from there.

    You did apply the rules right?



  • Hi Hoba,

    Status -> interfaces -> WANadoo = up

    Diagnostics -> ping ->

    Host          192.168.1.1
    Interface    Wanadoo
    count        3

    Ping output:

    PING 192.168.1.1 from 192.168.1.11: 56 databytes,

    3 packets transmitted, 3 packets received,

    Diagnostics -> ping ->

    Host          192.168.1.1
    Interface    LAN
    count        3

    Ping output:

    PING 192.168.1.1 from 192.168.2.1: 56 databytes,

    3 packets transmitted, 3 packets received,

    Yes, ping to the WANadoo gateway is not a problem, but if I do:

    Diagnostics -> ping ->

    Host          145.52.123.4 (some external ip)
    Interface    Wanadoo
    count        3

    Ping output:

    PING 145.52.123.4 from 192.168.1.11: 56 databytes,

    3 packets transmitted, 0 packets received, 100% packet loss.

    Since this wanadoo connection works in routed mode, to make sure this modem is not being funny I also have a notebook connected as 192.168.1.33, which I am using now to type this reply. So the internet connection over this routed modem works for sure.

    quote:
    One thing that makes me wonder is why you can still get internet access from the LAN subnet. Your rules should send it out wanadoo, and in case it is down you should not be able to get to the internet from there.

    That is exactly why I am posting here; in my previous post I quoted my rules exactly as they are.
    My LAN connections have via DHCP a 192.168.2.x IP with gateway 192.168.2.1, so it is really firewall related.

    I have some additional NAT entries but they all relate to the DMZ for example:

    Firewall -> NAT -> Port Forward

    If   Proto  Ext. port range  NAT IP          Int. port range  Description
    WAN  TCP    22               192.168.10.111  22               SSH access

    Corresponding rule:

    Firewall -> Rules -> WAN

    Proto  Source       Port  Destination     Port  Gateway  Description
    *      Some ext IP  *     192.168.10.111  22    *        NAT SSH access

    and some more for other ports.

    I have NO Firewall -> Rules entry for Wanadoo, only a single entry in DMZ to block off LAN access:

    Proto  Source   Port  Destination  Port  Gateway  Description
    *      DMZ net  *     !LAN net     *     *        Permit DMZ to any BUT LAN

    I hoped to post that I was stupid and made a small mistake and had it sorted, but not yet; I seem to be unable to spot the cause.

    Hoping to have provided all needed information for, hopefully, a suggestion.

    regards,

    rowdy



  • Something is wrong. Maybe just a typo somewhere... I suggest restarting the configuration from scratch. ::)



  • Hi,

    It works now !!!

    I rechecked all rules, NAT entries etc. Did edit and save on each one; it did not yet work, but then I did a reboot and it started working.

    So for some reason the firewall rules did not load correctly, or better said, did not change without a system reboot.

    Anyway, I hope my config posted here might work as a reference for some of you out there.

    cu



  • @rtuin:

    Hi,

    It works now !!!

    I rechecked all rules, NAT entries etc. Did edit and save on each one; it did not yet work, but then I did a reboot and it started working.

    So for some reason the firewall rules did not load correctly, or better said, did not change without a system reboot.

    Anyway, I hope my config posted here might work as a reference for some of you out there.

    cu

    Sounds like a bug?
    I got the same problems; see the catch-all forum and search for bug report.



  • I just installed a multi-WAN system at a location with port forwards at the OPT WAN and policy-based routing for outgoing traffic. Didn't run into this problem. Please try to reproduce step by step and post the steps how to reproduce this problem.



  • Hi Rob / Hoba

    Hoba, it seems we were typing at the same moment.

    If I change routing back to the default gateway, after hitting apply and save, traffic keeps being routed over the wanadoo OPT1 interface.

    Finding:

    • After reboot policy based routing of LAN to OPT1 works. DMZ routed over WAN works. -> conclusion my rules and NAT entries are correct.

    Reproduction:

    1)  Firewall -> Rules -> LAN -> edit -> change gateway to default (from OPT1 to WAN in this case).
    2)  Hit SAVE
    3)  Apply changes
    4)  click Monitor -> Done. The filter rules have been reloaded.
    5)  open a DOS box on a LAN connected machine and do tracert www.nu.nl
    6)  result: hop goes over OPT1 and NOT over WAN.

    Note: I cannot reboot at this moment since remote clients are connected. I can only reboot over night.

    Just in case: this is the current version I am running:

    Version 1.0-RC3
    built on Mon Oct 2 01:11:38 UTC 2006

    So it seems that if you want to change policy-based routing, changes only get active after a reboot. So there might be a bug in this area.

    Kind regards,
    rowdy



  • No bug, connections are stateful. Reset states at diagnostics>states, reset states. Already open states will remain on the wan where the connection was initiated.



  • Hi Hoba,

    I was not yet aware of this handle.

    However I just did:

    1)  Firewall -> Rules -> LAN -> edit -> change gateway to default (from OPT1 to WAN in this case).
    2)  Hit SAVE
    3)  Apply changes
    4)  click Monitor -> Done. The filter rules have been reloaded.
    5)  Diagnostics -> Reset States -> checkbox marked -> reset.
    6)  open a DOS box on a LAN connected machine and do tracert www.nu.nl
    7)  result: hop goes over OPT1 and NOT over WAN.

    Anyway, I know I can solve the issue by means of a firewall reboot. But if you want me to test some steps or do some reporting on this, just ask me.



  • I ran into the same problem running RC3

    Played around with it for hours but was not able to get the firewall rules to work, until after a system reboot. I did the reset states thing too.

    Zack



  • Reinstall.

