Multi WAN with gateways on separate subnets with VIP

  • I have a box with the WAN interface connected to a switch with 3 DSL modems.
    Those modems are in different subnets which I cannot change.

    This should work with adding a virtual IP alias for each subnet on the WAN interface and then under routing add the gateways to each modem.
    However the input validation of the gateway IP does not seem to take the VIP subnets into account, only the main IP/netmask of the WAN interface.

    I can work around it by changing the main WAN IP into each of the subnets, adding its gateway, and changing it back afterwards, but it seems to me the gateway validation should also take the VIP subnets on the interface into account?

  • I've never used VIPs, but my understanding is that their usefulness is less than that of an actual IP. What you're trying to do is probably better accomplished by separate physical interfaces for your 3 WAN, or 3 vlans and a switch with vlan support.

    If you don't have the equipment to accomplish either of the above, try using ifconfig to create aliases for your 2nd and 3rd WAN IP addresses (for this you will have to go to the shell).

  • In 2.0 you can add those aliases just fine via the web interface. And with the workaround I described above I am able to add all gateways and create a gateway group of them.
    Although it works this way, it would be nice if the add gateway page also took the IP alias subnets on the interface into account for validation.

  • @mark28:

    In 2.0 you can add those aliases just fine via the web interface.

    I don't know what you mean unless you're talking about firewall_aliases.php, which is something entirely different.

  • Firewall -> Virtual IP -> add IP Alias on WAN

    Results in:

    ifconfig rl0

    rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 00:02:44:b1:e6:67
            inet6 fe80::202:44ff:feb1:e667%rl0 prefixlen 64 scopeid 0x1
            inet netmask 0xffffff00 broadcast
            inet netmask 0xffffff00 broadcast
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active

    But gateways are only validated against the first/main IP on the iface, whereas they should be validated against either.

  • As far as I know, pfSense doesn't currently have anything in the web gui for supporting additional subnets that are assigned to an interface through the VIP configuration.  I suppose cases that only involve validation could be supported.  Anything else will probably not be supported in 2.0, though could possibly be supported in a later version.  Something related to this has been brought up in the issue tracker, though for multiple subnets on a LAN interface rather than on WAN and the other subnets being through routes to another gateway rather than directly assigned to the router.

  • Another area where it isn't supported is NAT. pf will always nat to 1 IP, by default the main IP of the interface. You can update the rule to the one in the added virtual subnet, but it does not happen automatically.
    So for failover purposes this is not useful at the moment, let alone load balancing.

    This requires quite a bit of work I guess, if it is possible at all; I'm not an expert on pf. It might work by tagging packets with pf and, based on the tag, choosing the route and NAT rules later on. No idea if this is possible in some round-robin way.

    For now I'll just go with VLANs. Thanks for the input.
