General Question pfsense MULTI WAN Rules and ERROR in Routes ?!



  • Hello,

    i have a pfsense box 2.0 beta 5 with three ethernet ports.
    wan: 192.168.10.9 default gateway: 192.168.10.4
    lan: 192.168.10.10
    opt1: 192.168.10.8 gateway: 192.168.10.5

    i want that one client from local lan can access the optional interface gateway! only this client

    gernerally i think i need a firewall rule on top that client can access gateway or?

    and i important question i have:

    default 192.168.10.4 UGS 0 731 1500 bce0
    127.0.0.1        link#5 UH 0 494191 16384 lo0
    192.168.10.0/24 link#3 U 0 5856 1500 bce0
    192.168.10.8 link#2 UHS 0 0 16384 lo0
    192.168.10.9 link#3 UHS 0 0 16384 lo0
    192.168.10.10 link#4 UHS 0 0 16384 lo0

    link#3 is wan 😉

    why is my local net 192.168.10.0/24 under interface wan?
    this is lan!
    how can i edit this interface entry in routing table?
    i can only access my gui when i have connected wan and lan in the same switch to my pc?

    can someone help me?



  • when i only connect lan with me pc - i cant connect 😞
    firewall rules are ok!
    default gateway is on wan
    what have i to configure that i connect over wan ?
    and why i cant connect to gui (192.168.10.10) when wan is only connected to router and lan only to network switch?

    what this please



  • From WAN side ALL ports are blocked by default. You have to create a firewall rule on WAN side which allows to pass to WAN-Address with port 80 (http) or port 443 (https).

    The rule for the client to go over your OPT interface should look like this:

    pass
    source IP: IP of the client
    Port: any
    destination: any
    Port: any
    Gateway (OPT) (For this, you have to scroll down and click the “Gateway” button.

    This rule should be on the top of the rules.



  • yes this good! ONE STEP BACK!!!
    i make it simple….something missed by my configuration 😉

    clients are connected to lan interface
    on wan is connected the router

    FIREWALL RULES ARE OK!!!
    i have any any any rule for testing 😉
    (i want use the default gateway)

    and why cant clients access internet?


    have i to create the wan interface as a gateway to lan? (static routes) ???

    i dont know why i cant access internet, when a pc is allone connect to lan and the router on wan interface - there must something fail 😞
    i have only internet when wan is additionally connected to the lan switch :???
    help me please



  • For me its hard to understand what your configuration looks like.

    Can you make a picture with paint with your switches, routers and IP-addresses / subnets



  • ok one moment please….




  • http://img52.imageshack.us/i/daveh.jpg/

    default gateway and dns of network client is pfsense
    gw 192.168.10.10
    dns 192.168.10.10

    with this, i can not connect to my pfsense and have no internet.

    when i connect the wan interface ADDITIONALLY to the network side, i can connect to pfsense and internet!
    i have test it, i can disconnect the lan cable and have access and internet 😄 …when wan addiotionally connected to the switch 😉

    i want no bridging! i want to access wan / internet from network client

    the default gateway on wan is the router 192.168.10.4
    and the gateway is online!
    my firewall rules are allow all for testing
    i use pfsense 2.0 beta 5

    my routing table:
    default 192.168.10.4 UGS 0 8514 1500 bce0
    127.0.0.1        link#5 UH 0 21372 16384 lo0
    192.168.10.0/24 link#3 U 0 15067 1500 bce0
    192.168.10.9 link#3 UHS 0 1552 16384 lo0
    192.168.10.10 link#4 UHS 0 1214 16384 lo0

    my interfaces:
    WAN interface (bce0)
    Status up
    MAC address 00:26:b9:75:5c:bb
    IP address 192.168.10.9  
    Subnet mask 255.255.255.0
    Gateway COLT 192.168.10.4
    ISP DNS servers 192.168.10.4

    LAN interface (bce1)
    Status up
    MAC address 00:26:b9:75:5c:bc
    IP address 192.168.10.10  
    Subnet mask 255.255.255.0

    my prot forwarding for squid proxy
    If Proto Src. addr Src. ports Dest. addr Dest. ports    NAT IP NAT Ports Description

    LAN TCP             *     80 (HTTP)       *     3333 192.168.10.10 *

    THANKS FOR HELPING!



  • a traceroute output from netowrk client, with addiotional cable connection from wan to lan switch

    C:\Documents and Settings\OnkelDave>tracert www.google.de

    Tracing route to www.l.google.com [74.125.43.103]
    over a maximum of 30 hops:

    1    <1 ms    <1 ms    <1 ms  192.168.10.9
     2    <1 ms    <1 ms    <1 ms  192.168.10.4
     3     1 ms     1 ms     1 ms  …
     4     4 ms     3 ms     3 ms  …
     5    13 ms    12 ms    12 ms  …
     6    21 ms    20 ms    28 ms  …
     7    25 ms    25 ms    25 ms  …
     8    30 ms    29 ms    29 ms  …
     9    28 ms    28 ms    28 ms  …
    10    33 ms    35 ms    35 ms  …
    11    29 ms    29 ms    29 ms  bw-in-f103.1e100.net [74.125.43.103]

    he goes directly from wan to internet!

    i think by correct config he have from……to
    lan -> wan -> internet gateway

    f.e.
     1    <1 ms    <1 ms    <1 ms  192.168.10.10
     2    <1 ms    <1 ms    <1 ms  192.168.10.9
     3    <1 ms    <1 ms    <1 ms  192.168.10.4



  • Ähm,

    pfsense is a routing plattform. A router connects two or more DIFFERENT networks. Your network on WAN and LAN are both the same. They are both 192.168.10.0/24

    On the WAN side you could use 192.168.10.0/24 and on the LAN side use 192.168.20.0/24.
    On the WAN side NAT must be enabled or you have to enter a static route for 192.168.20.0/24 on the router which is DIRECTLY connected to the internet. I mean this router which has the IP 192.168.10.4.



  • hi  ;D

    take a look here on my network:

    maybe it helps  😉



  • yeah thanks!



  • this really good! its godlike 😉
    thanks for this example….
    my mistake was the same subnet for lan and wan…thats stupido

    i want to distance from bridging and ta-ta-ta its perfect -> THANKS phpzilla and THANKS Nachtfalke!!!

    to do list:
    other subnets for lan and wan
    one route: from lan to gateway router on wan
    firewall rules all access
    thats all!

    one question left:

    before i had bridged interfaces (wan / lan)
    and this was like a tranparent firewall i think…i had to only set rules on lan tab for access or denied things on wan and lan!
    yet? can you explain me how is it managed in routed pfsense modell

    f.e.
    have i to set wan rules only in wan and in lan i need only : source lan subet access to any ?

    thanks for help



  • its seems like that wan rules tab is ignort……?

    when i set in wan firewall rules block any any any any any
    and i set lan rules pass icmp for all

    i can ping www.google.de

    only when i block it in lan tab, i cant ping google.

    therefore i have to only set the lan rules tab ?

    is it right?

    thanks



  • You have to set the rule in the right direction:

    If the direction is from LAN to WAN, for example a Client should not connect to or ping google, then you must enter a LAN rule.

    If you want, that someone from the internet/WAN should be ablte to connect to your LAN (Webserver, E-Mail-Server) then you must enter a WAN rule.

    Remember: NO rules means everything is BLOCKED.
    In general you do not want that someone from the WAN/internet should be able to connect to you LAN, therefor there should be no rules on WAN tab.



  • at first thanks nachtfalke

    hmmm,

    have one more question.

    when i added a second gateway……

    can i set a second static route with same network but other gateway?
    this strange…one way, two gateways :??

    i have only one lan but two isp gateways…all user should use the first gateway and one user the second gateway.

    thanks for help



  • Yes, you can. For every rule you could specify a gateway.

    If you have more than one WAN, you should read more about “Load Balancing”, “Multi WAN” and “Failover”. I think this could be interesting for you.

    REMEMBER:
    The firewall rule take effect from top to down. The first rule which matches will be used.



  • @onkeldave83:

    at first thanks nachtfalke
    i have only one lan but two isp gateways……all user should use the first gateway and one user the second gateway.

    that’s policy based routing, you can make a firewall rule for this and select the appropriate gateway to use when a packet comes in from the one user.



  • f.e.

    routing

    192.168.10.0/24   192.168.20.4    WAN
    192.168.10.0/24   192.168.30.4    WAN2

    and then in firewall LAN tab (top entries are dominating) one entry for this one user, how should use gateway two (wan2), with gateway entry to wan2

    is it right?

    AND…

    load balancing…thats intressting yes right!
    is it for two internetconnections…like trunking?

    thanks a lot for your professional infos !!!



  • For example, if you would like, that Host A with 192.168.10.25/24 should be routet over WAN2 it could look like this:

    pass 192.168.10.25 * * * WAN2        This is for Host A over WAN2
    pass 192.168.10.0  * * * WAN1        This is for all Hosts from 192.168.10.0/24

    Load Balancing could be used for 2 or more interfaces. Its not really like trunking, its more like Bonding.
    Seach the forum for Failover, Load Balancing and Multi-WAN. Check the pfsense docs, too.



  • ok thanks nachtfalke!
    i will try this!

    i found good tutorials for load balancing and failover….

    but there is a difference in it!
    some make it with a bridge between the wan connections and some not.
    what is the better way ?

    thanks for help



  • Sorry. DOn’t know when to use this in bridge mode.
    I use it without bridge and I think this is the normal way to use Load Balancing. Perhaps there are special scenarios which need another configuration.



  • with bridge interfaces, we are on osi layer 2 or?



  • Yes, bridging is Layer 2


Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy