General Question pfsense MULTI WAN Rules and ERROR in Routes ?!

onkeldave83

Hello,

i have a pfsense box 2.0 beta 5 with three ethernet ports.
wan: 192.168.10.9 default gateway: 192.168.10.4
lan: 192.168.10.10
opt1: 192.168.10.8 gateway: 192.168.10.5

i want that one client from local lan can access the optional interface gateway! only this client

gernerally i think i need a firewall rule on top that client can access gateway or?

and i important question i have:

default 192.168.10.4 UGS 0 731 1500 bce0
127.0.0.1        link#5 UH 0 494191 16384 lo0
192.168.10.0/24 link#3 U 0 5856 1500 bce0
192.168.10.8 link#2 UHS 0 0 16384 lo0
192.168.10.9 link#3 UHS 0 0 16384 lo0
192.168.10.10 link#4 UHS 0 0 16384 lo0

link#3 is wan

why is my local net 192.168.10.0/24 under interface wan?
this is lan!
how can i edit this interface entry in routing table?
i can only access my gui when i have connected wan and lan in the same switch to my pc?

can someone help me?

onkeldave83

when i only connect lan with me pc - i cant connect
firewall rules are ok!
default gateway is on wan
what have i to configure that i connect over wan ?
and why i cant connect to gui (192.168.10.10) when wan is only connected to router and lan only to network switch?

what this please

Nachtfalke

From WAN side ALL ports are blocked by default. You have to create a firewall rule on WAN side which allows to pass to WAN-Address with port 80 (http) or port 443 (https).

The rule for the client to go over your OPT interface should look like this:

pass
source IP: IP of the client
Port: any
destination: any
Port: any
Gateway (OPT) (For this, you have to scroll down and click the “Gateway” button.

This rule should be on the top of the rules.

onkeldave83

yes this good! ONE STEP BACK!!!
i make it simple….something missed by my configuration

clients are connected to lan interface
on wan is connected the router

FIREWALL RULES ARE OK!!!
i have any any any rule for testing
(i want use the default gateway)

and why cant clients access internet?

---

have i to create the wan interface as a gateway to lan? (static routes) ???

i dont know why i cant access internet, when a pc is allone connect to lan and the router on wan interface - there must something fail
i have only internet when wan is additionally connected to the lan switch :???
help me please

Nachtfalke

For me its hard to understand what your configuration looks like.

Can you make a picture with paint with your switches, routers and IP-addresses / subnets

onkeldave83

ok one moment please….

onkeldave83

http://img52.imageshack.us/i/daveh.jpg/

default gateway and dns of network client is pfsense
gw 192.168.10.10
dns 192.168.10.10

with this, i can not connect to my pfsense and have no internet.

when i connect the wan interface ADDITIONALLY to the network side, i can connect to pfsense and internet!
i have test it, i can disconnect the lan cable and have access and internet …when wan addiotionally connected to the switch

i want no bridging! i want to access wan / internet from network client

the default gateway on wan is the router 192.168.10.4
and the gateway is online!
my firewall rules are allow all for testing
i use pfsense 2.0 beta 5

my routing table:
default 192.168.10.4 UGS 0 8514 1500 bce0
127.0.0.1        link#5 UH 0 21372 16384 lo0
192.168.10.0/24 link#3 U 0 15067 1500 bce0
192.168.10.9 link#3 UHS 0 1552 16384 lo0
192.168.10.10 link#4 UHS 0 1214 16384 lo0

my interfaces:
WAN interface (bce0)
Status up
MAC address 00:26:b9:75:5c:bb
IP address 192.168.10.9  
Subnet mask 255.255.255.0
Gateway COLT 192.168.10.4
ISP DNS servers 192.168.10.4

LAN interface (bce1)
Status up
MAC address 00:26:b9:75:5c:bc
IP address 192.168.10.10  
Subnet mask 255.255.255.0

my prot forwarding for squid proxy
If Proto Src. addr Src. ports Dest. addr Dest. ports    NAT IP NAT Ports Description

LAN TCP             *     80 (HTTP)       *     3333 192.168.10.10 *

THANKS FOR HELPING!

onkeldave83

a traceroute output from netowrk client, with addiotional cable connection from wan to lan switch

C:\Documents and Settings\OnkelDave>tracert www.google.de

Tracing route to www.l.google.com [74.125.43.103]
over a maximum of 30 hops:

1    <1 ms    <1 ms    <1 ms  192.168.10.9
 2    <1 ms    <1 ms    <1 ms  192.168.10.4
 3     1 ms     1 ms     1 ms  …
 4     4 ms     3 ms     3 ms  …
 5    13 ms    12 ms    12 ms  …
 6    21 ms    20 ms    28 ms  …
 7    25 ms    25 ms    25 ms  …
 8    30 ms    29 ms    29 ms  …
 9    28 ms    28 ms    28 ms  …
10    33 ms    35 ms    35 ms  …
11    29 ms    29 ms    29 ms  bw-in-f103.1e100.net [74.125.43.103]

he goes directly from wan to internet!

i think by correct config he have from……to
lan -> wan -> internet gateway

f.e.
 1    <1 ms    <1 ms    <1 ms  192.168.10.10
 2    <1 ms    <1 ms    <1 ms  192.168.10.9
 3    <1 ms    <1 ms    <1 ms  192.168.10.4
…

Nachtfalke

Ähm,

pfsense is a routing plattform. A router connects two or more DIFFERENT networks. Your network on WAN and LAN are both the same. They are both 192.168.10.0/24

On the WAN side you could use 192.168.10.0/24 and on the LAN side use 192.168.20.0/24.
On the WAN side NAT must be enabled or you have to enter a static route for 192.168.20.0/24 on the router which is DIRECTLY connected to the internet. I mean this router which has the IP 192.168.10.4.

phpzilla

hi  ;D

take a look here on my network:

maybe it helps  

onkeldave83

yeah thanks!

onkeldave83

this really good! its godlike
thanks for this example….
my mistake was the same subnet for lan and wan…thats stupido

i want to distance from bridging and ta-ta-ta its perfect -> THANKS phpzilla and THANKS Nachtfalke!!!

to do list:
other subnets for lan and wan
one route: from lan to gateway router on wan
firewall rules all access
thats all!

one question left:

before i had bridged interfaces (wan / lan)
and this was like a tranparent firewall i think…i had to only set rules on lan tab for access or denied things on wan and lan!
yet? can you explain me how is it managed in routed pfsense modell

f.e.
have i to set wan rules only in wan and in lan i need only : source lan subet access to any ?

thanks for help

onkeldave83

its seems like that wan rules tab is ignort……?

when i set in wan firewall rules block any any any any any
and i set lan rules pass icmp for all

i can ping www.google.de

only when i block it in lan tab, i cant ping google.

therefore i have to only set the lan rules tab ?

is it right?

thanks

Nachtfalke

You have to set the rule in the right direction:

If the direction is from LAN to WAN, for example a Client should not connect to or ping google, then you must enter a LAN rule.

If you want, that someone from the internet/WAN should be ablte to connect to your LAN (Webserver, E-Mail-Server) then you must enter a WAN rule.

Remember: NO rules means everything is BLOCKED.
In general you do not want that someone from the WAN/internet should be able to connect to you LAN, therefor there should be no rules on WAN tab.

onkeldave83

at first thanks nachtfalke

hmmm,

have one more question.

when i added a second gateway……

can i set a second static route with same network but other gateway?
this strange…one way, two gateways :??

i have only one lan but two isp gateways…all user should use the first gateway and one user the second gateway.

thanks for help

Nachtfalke

Yes, you can. For every rule you could specify a gateway.

If you have more than one WAN, you should read more about “Load Balancing”, “Multi WAN” and “Failover”. I think this could be interesting for you.

REMEMBER:
The firewall rule take effect from top to down. The first rule which matches will be used.

SeventhSon

@onkeldave83:

at first thanks nachtfalke
i have only one lan but two isp gateways……all user should use the first gateway and one user the second gateway.

that’s policy based routing, you can make a firewall rule for this and select the appropriate gateway to use when a packet comes in from the one user.

onkeldave83

f.e.

routing

192.168.10.0/24   192.168.20.4    WAN
192.168.10.0/24   192.168.30.4    WAN2

and then in firewall LAN tab (top entries are dominating) one entry for this one user, how should use gateway two (wan2), with gateway entry to wan2

is it right?

AND…

load balancing…thats intressting yes right!
is it for two internetconnections…like trunking?

thanks a lot for your professional infos !!!

Nachtfalke

For example, if you would like, that Host A with 192.168.10.25/24 should be routet over WAN2 it could look like this:

pass 192.168.10.25 * * * WAN2        This is for Host A over WAN2
pass 192.168.10.0  * * * WAN1        This is for all Hosts from 192.168.10.0/24

Load Balancing could be used for 2 or more interfaces. Its not really like trunking, its more like Bonding.
Seach the forum for Failover, Load Balancing and Multi-WAN. Check the pfsense docs, too.

onkeldave83

ok thanks nachtfalke!
i will try this!

i found good tutorials for load balancing and failover….

but there is a difference in it!
some make it with a bridge between the wan connections and some not.
what is the better way ?

thanks for help

Nachtfalke

Sorry. DOn’t know when to use this in bridge mode.
I use it without bridge and I think this is the normal way to use Load Balancing. Perhaps there are special scenarios which need another configuration.

onkeldave83

with bridge interfaces, we are on osi layer 2 or?

Nachtfalke

Yes, bridging is Layer 2