Netgate Discussion Forum

General Question pfsense MULTI WAN Rules and ERROR in Routes ?!

Routing and Multi WAN
23 Posts 4 Posters 8.0k Views
onkeldave83

Hello,

I have a pfSense box 2.0 beta 5 with three ethernet ports.
wan: 192.168.10.9, default gateway: 192.168.10.4
lan: 192.168.10.10
opt1: 192.168.10.8, gateway: 192.168.10.5

I want one client from the local LAN to be able to access the optional interface's gateway! Only this client.

Generally I think I need a firewall rule at the top so that this client can access the gateway, or?

And an important question I have:

default          192.168.10.4   UGS   0  731     1500   bce0
127.0.0.1        link#5         UH    0  494191  16384  lo0
192.168.10.0/24  link#3         U     0  5856    1500   bce0
192.168.10.8     link#2         UHS   0  0       16384  lo0
192.168.10.9     link#3         UHS   0  0       16384  lo0
192.168.10.10    link#4         UHS   0  0       16384  lo0

link#3 is WAN ;)

Why is my local net 192.168.10.0/24 under interface WAN?
This is LAN!
How can I edit this interface entry in the routing table?
I can only access my GUI when I have connected WAN and LAN to the same switch as my PC?

Can someone help me?

onkeldave83

When I only connect LAN to my PC - I can't connect :(
Firewall rules are OK!
Default gateway is on WAN.
What do I have to configure so that I connect over WAN?
And why can't I connect to the GUI (192.168.10.10) when WAN is only connected to the router and LAN only to the network switch?

What is this, please?

Nachtfalke

From the WAN side ALL ports are blocked by default. You have to create a firewall rule on the WAN side which allows traffic to pass to the WAN address on port 80 (http) or port 443 (https).

The rule for the client to go over your OPT interface should look like this:

pass
source IP: IP of the client
Port: any
destination: any
Port: any
Gateway: (OPT) (For this, you have to scroll down and click the "Gateway" button.)

This rule should be at the top of the rules.

onkeldave83

Yes, this is good! ONE STEP BACK!!!
I'll make it simple... something is missing in my configuration ;)

Clients are connected to the LAN interface.
On WAN the router is connected.

FIREWALL RULES ARE OK!!!!!!!
I have an any/any/any rule for testing ;)
(I want to use the default gateway.)

And why can't clients access the internet?

Do I have to create the WAN interface as a gateway to LAN? (static routes) ????

I don't know why I can't access the internet when a PC alone is connected to LAN and the router to the WAN interface - something must be failing :(
I only have internet when WAN is additionally connected to the LAN switch :???
Help me please

Nachtfalke

For me it's hard to understand what your configuration looks like.

Can you make a picture with Paint of your switches, routers and IP addresses / subnets?

onkeldave83

OK, one moment please....

onkeldave83


http://img52.imageshack.us/i/daveh.jpg/

Default gateway and DNS of the network client is pfSense:
gw 192.168.10.10
dns 192.168.10.10

With this, I cannot connect to my pfSense and have no internet.

When I connect the WAN interface ADDITIONALLY to the network side, I can connect to pfSense and the internet!
I have tested it; I can disconnect the LAN cable and have access and internet :D ...when WAN is additionally connected to the switch ;)

I want no bridging! I want to access WAN / the internet from the network client.

The default gateway on WAN is the router 192.168.10.4,
and the gateway is online!
My firewall rules are allow all for testing.
I use pfSense 2.0 beta 5.

My routing table:
default          192.168.10.4   UGS   0  8514   1500   bce0
127.0.0.1        link#5         UH    0  21372  16384  lo0
192.168.10.0/24  link#3         U     0  15067  1500   bce0
192.168.10.9     link#3         UHS   0  1552   16384  lo0
192.168.10.10    link#4         UHS   0  1214   16384  lo0

My interfaces:
WAN interface (bce0)
Status: up
MAC address: 00:26:b9:75:5c:bb
IP address: 192.168.10.9
Subnet mask: 255.255.255.0
Gateway: COLT 192.168.10.4
ISP DNS servers: 192.168.10.4

LAN interface (bce1)
Status: up
MAC address: 00:26:b9:75:5c:bc
IP address: 192.168.10.10
Subnet mask: 255.255.255.0

My port forwarding for the squid proxy:
If Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP NAT Ports Description
LAN TCP * 80 (HTTP) * 3333 192.168.10.10 *

THANKS FOR HELPING!

onkeldave83

A traceroute output from the network client, with the additional cable connection from WAN to the LAN switch:

C:\Documents and Settings\OnkelDave>tracert www.google.de

Tracing route to www.l.google.com [74.125.43.103]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.9
  2    <1 ms    <1 ms    <1 ms  192.168.10.4
  3     1 ms     1 ms     1 ms  ...
  4     4 ms     3 ms     3 ms  ...
  5    13 ms    12 ms    12 ms  ...
  6    21 ms    20 ms    28 ms  ...
  7    25 ms    25 ms    25 ms  ...
  8    30 ms    29 ms    29 ms  ...
  9    28 ms    28 ms    28 ms  ...
 10    33 ms    35 ms    35 ms  ...
 11    29 ms    29 ms    29 ms  bw-in-f103.1e100.net [74.125.43.103]

It goes directly from WAN to the internet!

I think with a correct config it should go from... to:
lan -> wan -> internet gateway

e.g.
  1    <1 ms    <1 ms    <1 ms  192.168.10.10
  2    <1 ms    <1 ms    <1 ms  192.168.10.9
  3    <1 ms    <1 ms    <1 ms  192.168.10.4
....

Nachtfalke

Ähm,

pfSense is a routing platform. A router connects two or more DIFFERENT networks. Your networks on WAN and LAN are both the same. They are both 192.168.10.0/24.

On the WAN side you could use 192.168.10.0/24 and on the LAN side use 192.168.20.0/24.
On the WAN side NAT must be enabled, or you have to enter a static route for 192.168.20.0/24 on the router which is DIRECTLY connected to the internet. I mean the router which has the IP 192.168.10.4.

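The "same subnet on WAN and LAN" problem in the posted routing table can be reproduced with a small longest-prefix-match model. This is an added example, not code from the thread or from pfSense/FreeBSD; it assumes a simplified rule (one connected route per prefix, the first interface configured keeps it) which is consistent with the posted table showing 192.168.10.0/24 only on link#3 (bce0, the WAN). The interface names and the 192.168.20.0/24 LAN in the "fixed" layout follow Nachtfalke's suggestion.

```python
"""Simplified model of the routing table behind the posted output (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected (flags U / UHS)
    iface: str


# Constructed interface layouts; names follow the poster's bce0 = WAN, bce1 = LAN.
BROKEN = [("bce0 (WAN)", "192.168.10.9/24"), ("bce1 (LAN)", "192.168.10.10/24")]
FIXED = [("bce0 (WAN)", "192.168.10.9/24"), ("bce1 (LAN)", "192.168.20.1/24")]
DEFAULT_GW = ("192.168.10.4", "bce0 (WAN)")   # the router at 192.168.10.4, reached via WAN


def build_table(interfaces, default_gw):
    """Derive connected routes from interface addresses plus a default route.

    Assumption of this model: a prefix can have only one connected route, so
    when two interfaces share a subnet the first one configured keeps it and
    the second interface gets none. That is what the posted table shows:
    192.168.10.0/24 points at link#3 (the WAN) and nothing points at the LAN.
    """
    table: List[Route] = []
    owner = {}
    conflicts = []
    for name, cidr in interfaces:
        net = ipaddress.ip_interface(cidr).network
        if net in owner:
            conflicts.append((name, owner[net], net))
            continue
        owner[net] = name
        table.append(Route(net, None, name))
    gw_ip, gw_iface = default_gw
    table.append(Route(ipaddress.ip_network("0.0.0.0/0"), gw_ip, gw_iface))
    return table, conflicts


def lookup(table, dst):
    """Longest-prefix match, the way a forwarding decision is made."""
    ip = ipaddress.ip_address(dst)
    best = None
    for route in table:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def egress(interfaces, dst):
    """Interface the firewall would send a packet for `dst` out of."""
    table, _ = build_table(interfaces, DEFAULT_GW)
    return lookup(table, dst).iface


def subnet_conflicts(interfaces):
    """Pre-flight check: interfaces whose subnet is already claimed by another one."""
    _, conflicts = build_table(interfaces, DEFAULT_GW)
    return conflicts


if __name__ == "__main__":
    for label, ifaces in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"[{label}] conflicts: {subnet_conflicts(ifaces)}")
        for dst in ("192.168.10.25", "192.168.20.25", "74.125.43.103"):
            print(f"  {dst:>15} -> {egress(ifaces, dst)}")
```

With the broken layout every reply to a LAN client such as 192.168.10.25 is sent out of the WAN interface, which is why the GUI only answered once the WAN cable was also plugged into the LAN switch; with distinct subnets the LAN prefix gets its own route and only internet traffic takes the default route via 192.168.10.4.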
phpzilla

hi ;D

take a look here at my network:

maybe it helps ;)

onkeldave83

Yeah, thanks!

onkeldave83

This is really good! It's godlike ;)
Thanks for this example....
My mistake was the same subnet for LAN and WAN.... that's stupido.

I want to get away from bridging and ta-ta-ta it's perfect -> THANKS phpzilla and THANKS Nachtfalke!!!

To-do list:
other subnets for LAN and WAN
one route: from LAN to the gateway router on WAN
firewall rules: all access
That's all!

One question left:

Before, I had bridged interfaces (WAN / LAN)
and this was like a transparent firewall, I think..... I only had to set rules on the LAN tab to allow or deny things on WAN and LAN!
And now? Can you explain to me how it is managed in the routed pfSense model?

e.g.
Do I have to set WAN rules only in WAN, and in LAN do I need only: source LAN subnet, access to any?

Thanks for help

onkeldave83

It seems like the WAN rules tab is ignored.....?

When I set in the WAN firewall rules: block any any any any any
and I set in the LAN rules: pass icmp for all,

I can ping www.google.de.

Only when I block it in the LAN tab can I not ping google.

Therefore I only have to set the LAN rules tab?

Is it right?

Thanks

Nachtfalke

You have to set the rule in the right direction:

If the direction is from LAN to WAN, for example a client should not connect to or ping google, then you must enter a LAN rule.

If you want someone from the internet/WAN to be able to connect to your LAN (webserver, e-mail server) then you must enter a WAN rule.

Remember: NO rules means everything is BLOCKED.
In general you do not want someone from the WAN/internet to be able to connect to your LAN, therefore there should be no rules on the WAN tab.

onkeldave83

At first, thanks Nachtfalke.

Hmmm,

I have one more question.

When I add a second gateway.....

can I set a second static route with the same network but another gateway?
This is strange.... one way, two gateways :??

I have only one LAN but two ISP gateways..... all users should use the first gateway and one user the second gateway.

Thanks for help

Nachtfalke

Yes, you can. For every rule you can specify a gateway.

If you have more than one WAN, you should read more about "Load Balancing", "Multi WAN" and "Failover". I think this could be interesting for you.

REMEMBER:
The firewall rules take effect from top to bottom. The first rule which matches will be used.

SeventhSon

@onkeldave83:

at first thanks nachtfalke
i have only one lan but two isp gateways..... all user should use the first gateway and one user the second gateway.

That's policy-based routing; you can make a firewall rule for this and select the appropriate gateway to use when a packet comes in from the one user.

onkeldave83

e.g.

routing

192.168.10.0/24   192.168.20.4    WAN
192.168.10.0/24   192.168.30.4    WAN2

and then in the firewall LAN tab (top entries are dominating) one entry for this one user, who should use gateway two (WAN2), with the gateway entry set to WAN2.

Is it right?

AND...

Load balancing... that's interesting, yes right!
Is it for two internet connections.... like trunking?

Thanks a lot for your professional infos !!!!

Nachtfalke

For example, if you would like Host A with 192.168.10.25/24 to be routed over WAN2, it could look like this:

pass 192.168.10.25 * * * WAN2        This is for Host A over WAN2
pass 192.168.10.0  * * * WAN1        This is for all hosts from 192.168.10.0/24

Load Balancing could be used for 2 or more interfaces. It's not really like trunking, it's more like bonding.
Search the forum for Failover, Load Balancing and Multi-WAN. Check the pfSense docs, too.

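The three points made in this part of the thread (rules live on the tab of the interface where the traffic enters, rules are evaluated top to bottom and the first match wins, and a pass rule can carry a gateway for policy routing) can be checked with a small evaluator. This is an added example, not code from the thread or from pfSense; the rule sets, the gateway names WAN1/WAN2, Host A at 192.168.10.25 and the constructed external address 203.0.113.7 are taken from or modelled on Nachtfalke's example, and the evaluator only models the source/destination/protocol/gateway fields discussed here.

```python
"""pfSense-style rule evaluation: one rule set per interface tab, consulted for
traffic entering that interface, first match wins, no match means block.
Added example, not code from the thread or from pfSense itself."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # "any", a single host, or a CIDR
    dst: str
    proto: str                      # "any", "tcp", "udp", "icmp"
    gateway: Optional[str] = None   # policy-routing gateway; None = system default route
    note: str = ""


@dataclass(frozen=True)
class Packet:
    ingress: str                    # interface the packet arrives on (= tab consulted)
    src: str
    dst: str
    proto: str


def _addr_in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_in(pkt.src, rule.src) and _addr_in(pkt.dst, rule.dst)
            and rule.proto in ("any", pkt.proto))


def evaluate(rulesets: Dict[str, List[Rule]], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, gateway). Only the ingress tab is consulted, rules are
    tried top to bottom, the first match ends evaluation, and an empty tab or
    no match gives the default deny."""
    for rule in rulesets.get(pkt.ingress, []):
        if matches(rule, pkt):
            return rule.action, (rule.gateway if rule.action == "pass" else None)
    return "block", None


# Constructed rule sets following Nachtfalke's example: Host A (192.168.10.25)
# is policy-routed via WAN2, everyone else in the /24 via WAN1, WAN tab empty.
HOST_A = "192.168.10.25"
LAN_RULES_CORRECT = [
    Rule("pass", HOST_A, "any", "any", gateway="WAN2", note="Host A over WAN2"),
    Rule("pass", "192.168.10.0/24", "any", "any", gateway="WAN1", note="all hosts over WAN1"),
]
LAN_RULES_REVERSED = list(reversed(LAN_RULES_CORRECT))   # the ordering mistake
RULESETS_CORRECT = {"LAN": LAN_RULES_CORRECT, "WAN": []}
RULESETS_REVERSED = {"LAN": LAN_RULES_REVERSED, "WAN": []}


def gateway_for(rulesets, src_host, dst="74.125.43.103"):
    """Gateway a LAN host's outbound traffic is policy-routed to (None if blocked)."""
    action, gw = evaluate(rulesets, Packet("LAN", src_host, dst, "tcp"))
    return gw if action == "pass" else None


def lan_block_on_wan_tab():
    """The 'WAN rules tab is ignored' observation from earlier in the thread:
    a block rule on the WAN tab does not touch LAN-originated pings, because
    that traffic enters on LAN; it does block unsolicited inbound traffic."""
    rulesets = {"LAN": [Rule("pass", "any", "any", "icmp")],
                "WAN": [Rule("block", "any", "any", "any")]}
    ping_out = evaluate(rulesets, Packet("LAN", "192.168.10.30", "74.125.43.103", "icmp"))
    inbound = evaluate(rulesets, Packet("WAN", "203.0.113.7", "192.168.10.9", "tcp"))   # constructed external host
    return ping_out[0], inbound[0]


if __name__ == "__main__":
    print("correct order :", gateway_for(RULESETS_CORRECT, HOST_A), gateway_for(RULESETS_CORRECT, "192.168.10.30"))
    print("reversed order:", gateway_for(RULESETS_REVERSED, HOST_A))
    print("WAN-tab block :", lan_block_on_wan_tab())
```

Swapping the two LAN rules sends Host A out via WAN1 like everyone else, because the /24 rule matches first and evaluation stops there; that is the "top to bottom, first match wins" point. The empty WAN tab in the correct rule set already blocks inbound connections, which is the "no rules means everything is blocked" point.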
onkeldave83

OK, thanks Nachtfalke!
I will try this!

I found good tutorials for load balancing and failover....

But there is a difference in them!
Some do it with a bridge between the WAN connections and some not.
What is the better way?

Thanks for help

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.