Multi Wan and Inbound/WAN firewall rules



  • Hi guys, hope someone knows a way around this.  I currently have 2 ISPs, and a /28 and a /24 assigned to me from each ISP.  Both ISPs will advertise the Class Cs on their BGP AS, so if one of my links fails the other ISP will be able to route incoming traffic to me.

    ISPA        ISPB                    ISPA        ISPB
      |           |                       |           |
      |           |                       |           |
        PFSENSE1 ----------CARP---------- PFSENSE2
      |           |                       |           |
      |           |                       |           |
    ISPA        ISPB                    ISPA        ISPB
    /24         /24                     /24         /24

    -2 pfSense FWs in HA/CARP for both WAN and LAN+OPTs.  Each FW has 2 WAN interfaces, WAN (ISPA) and WAN2 (ISPB)
    -No NAT
    -WAN side is the public /28s
    -LAN and OPTs (VLANned interfaces) are the public /24 (actually sliced down to smaller /27s and /28s)

    Multi-WAN load balancing setup with WAN and WAN2 in the Pool

    Here is my problem.  All inbound rules for the ISPA /24 are applied on the WAN interface, and all inbound rules for the ISPB /24 are applied on the WAN2 interface.
    If, let's say, ISPA fails, the routes will converge to ISPB and I will receive all incoming traffic on WAN2.  All my firewall rules for ISPA are still applied to the WAN interface and I assume will not work.  This is what is keeping me from bringing the ISPB advertising online right now, because I know I will have intermittent issues.

    What is the best way around this?  Can pfSense somehow group both WAN and WAN2 into one zone so I can just select the zone instead of WAN or WAN2?  I don't think bridging will accomplish this?  Or do I just need to double up on every single rule and have one applied to the WAN interface and the other to WAN2?

    Buying two routers and slapping them in front of the 2 pf FWs would fix this, as I would just use one WAN interface, but that would require a lot of restructuring and potential downtime.

    And as I'm writing this I guess I could disable the VIP on the WAN interface and have FW2 be active for ISPB and just sync the internal public subnets... Holy crap!!!  If someone could comment I would really appreciate it.

    I hope my diagram and comments make sense.

    Thank you
    Anthony



  • I've just had a quick think about this:

    I assume that you have two cables (one each from your two ISPs) plugged into your pf.  Each cable at any time could present either or both of your subnet allocations, but your subnets will only appear down one or the other cable and not both.

    Put two switch ports in front of each pf interface and connect your ISPs into each one.  E.g. for opt1:

    ISP1---+
           |----opt1----pf
    ISP2---+

    opt1 has a single /28 on it, and it will arrive from either ISP1 or ISP2 but not both, so no issue.

    Basically make your interfaces address specific and not ISP specific.

    Do the same for all the other interfaces.  802.1Q time, otherwise you'll need a lot of switches!

    Cheers
    Jon


  • Rebel Alliance Developer Netgate

    @anthony0975:

    What is the best way around this?  Can pfSense somehow group both WAN and WAN2 into one zone so I can just select the zone instead of WAN or WAN2?  I don't think bridging will accomplish this?  Or do I just need to double up on every single rule and have one applied to the WAN interface and the other to WAN2?

    On 1.2.3 you'd have to double up the rules.

    On 2.0 you can set up an interface group and manage them together.

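The three rule layouts discussed in this thread, as an added example that is not from the thread, from pfSense or from Netgate: the poster's current ISP-specific rules (ISPA's prefix on WAN only), the 1.2.3 workaround of doubling every rule onto both WAN interfaces, and the 2.0 approach of a pf interface group (on FreeBSD/pf a group is created with `ifconfig <if> group <name>` and then used in a rule's `on` clause exactly like an interface). The script writes out the pf rules for each layout and then checks, with a simplified model of pf's `on` matching, whether a packet for ISPA's /24 is still passed when it arrives on WAN2 after failover. Interface names (em0 = WAN/ISPA, em1 = WAN2/ISPB), the group name `wan_all`, the rule list and the RFC 5737 documentation prefixes standing in for the poster's real /24s are all assumptions made for illustration; a real pfSense box generates its own pf rules from the GUI, so this is a model of the rule sets, not something to load onto the firewall.

```shell
#!/bin/sh
# Added example (not code from the thread or from pfSense). Models the inbound
# rule sets for three multi-WAN layouts and tests which still match after a
# failover. All names and prefixes below are assumptions for illustration.

WAN_A=em0          # assumed: WAN  (ISPA)
WAN_B=em1          # assumed: WAN2 (ISPB)
WAN_GROUP=wan_all  # assumed pf interface group name

# Constructed inbound allow list, one "proto dst-prefix port" per line.
INBOUND_RULES='tcp 203.0.113.0/24 80
tcp 203.0.113.0/24 443
udp 198.51.100.0/24 53'

# Which interface each prefix normally arrives on (ISPA's /24 vs ISPB's /24).
home_iface() {
  case $1 in
    203.0.113.0/24)  echo "$WAN_A" ;;
    198.51.100.0/24) echo "$WAN_B" ;;
  esac
}

# $1 interface or group, $2 proto, $3 dst prefix, $4 port
emit_rule() {
  printf 'pass in quick on %s inet proto %s from any to %s port %s keep state\n' "$1" "$2" "$3" "$4"
}

# Run "$@" once per INBOUND_RULES line, appending proto dst port as arguments.
each_rule() {
  printf '%s\n' "$INBOUND_RULES" | while read -r proto dst port; do
    [ -n "$proto" ] && "$@" "$proto" "$dst" "$port"
  done
}

# Layout 1: the poster's current setup, each prefix only on its own ISP's interface.
_isp_specific() { emit_rule "$(home_iface "$2")" "$1" "$2" "$3"; }
gen_isp_specific() { each_rule _isp_specific; }

# Layout 2 (pfSense 1.2.3): every rule copied onto both WAN interfaces.
_doubled() { for ifc in "$WAN_A" "$WAN_B"; do emit_rule "$ifc" "$1" "$2" "$3"; done; }
gen_doubled() { each_rule _doubled; }

# Layout 3 (pfSense 2.0): both WANs in one pf interface group, each rule written once.
gen_group_setup() {
  for ifc in "$WAN_A" "$WAN_B"; do printf 'ifconfig %s group %s\n' "$ifc" "$WAN_GROUP"; done
}
_group() { emit_rule "$WAN_GROUP" "$1" "$2" "$3"; }
gen_group() { each_rule _group; }

# True if interface $1 is a member of group $2 (according to gen_group_setup).
in_group() { gen_group_setup | grep -qx "ifconfig $1 group $2"; }

# Does the rule set on stdin pass $2 traffic to $3 port $4 arriving on $1?
# Simplified pf "on" matching: the rule's interface must be the ingress
# interface itself or a group containing it. Parses only the fields emit_rule writes.
rules_allow() {
  while read -r _ _ _ _ rif _ _ rproto _ _ _ rdst _ rport _ _; do
    [ "$rproto" = "$2" ] && [ "$rdst" = "$3" ] && [ "$rport" = "$4" ] || continue
    if [ "$rif" = "$1" ] || in_group "$1" "$rif"; then return 0; fi
  done
  return 1
}

# Failover scenario from the thread: ISPA is down, so HTTPS for ISPA's /24
# now arrives on WAN2. Run with "demo" to print the outcome for each layout.
if [ "${1:-}" = "demo" ]; then
  for layout in gen_isp_specific gen_doubled gen_group; do
    if $layout | rules_allow "$WAN_B" tcp 203.0.113.0/24 443; then
      echo "$layout: HTTPS to 203.0.113.0/24 arriving on $WAN_B passes"
    else
      echo "$layout: HTTPS to 203.0.113.0/24 arriving on $WAN_B is dropped"
    fi
  done
fi
```

Running `sh multiwan_rules.sh demo` shows the ISP-specific layout dropping the failed-over traffic while both the doubled and the group layouts pass it; the difference between those two is only that the group layout carries one rule per service instead of one per service per WAN, which is what makes it manageable as the rule count grows.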
