Would like to use Multi WAN failover but not Firewall



  • Hello everyone, this is my first post. I'm new to pfsense. We are in a professional environment here. We have problems with our ISPs going down several times a year. We want to get a 2nd ISP and do link failover. We thought about Barracuda's link balancer but then I came across this product, which seems like it should work for us.

    We want to keep our existing Cisco ASA firewall. We'd put pfsense in front of the firewall. Where I'm quite confused is the IP addressing configuration. Our Cisco ASA has a public IP defined on it. What I can't figure out is the addressing on pfsense. If the ASA has the public IP, what would the pfsense box use for its IP on the LAN and WAN side?

    Thanks for any help and advice.



  • You will have to configure the pfSense to use the public IP you currently have on the ASA.
    Use whatever private subnet you want to use between the pfSense and the Cisco.



  • Hello and thanks for helping me out. I understand what you're saying. So then between pfsense and the ASA, I would use something like a 192.168.x.x network.
    Correct?



  • Yes.
    The RFC1918 subnets are:
    192.168.x.x/16
    172.16.x.x/12
    10.x.x.x/8

    Make sure you don't have any overlapping ranges with your existing setup.



  • Hello and thanks again.

    Since I disabled packet filtering (firewall), it also, by design, disables NAT. I will assign our public IP on one side of pfsense and an RFC subnet on the other side, such as 192.168.x.x. Since NAT isn't available then, do I need to bridge between the WAN & LAN port?

    I just set this up in a test environment with a spare public IP we have. Assigned it to the WAN port. Gave the LAN port of pfsense a 192.168.1.10 address. Assigned the laptop a 192.168.1.15 address. Also put in the appropriate DNS of our ISP. I cannot browse the internet though from the laptop. From the pfsense console diagnostics, I can ping yahoo.com.

    Thanks.



  • I don't think what you want is possible by disabling firewall/NAT.
    With a bridge you would have on your LAN side the public subnet from the WAN.

    When you want failover you also need firewall rules, since the firewall rules determine to which gateway (or in your case failover-pool) the frames are sent.

    -> You need to enable the firewall/NAT part again.

    Follow the guides on loadbalancing/failover on the wiki.
    http://doc.pfsense.com/index.php/MultiWanVersion1.2
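As an added illustration (not code from this thread or from pfSense itself), a small Python model of the point made in the last reply: a firewall rule matching the LAN-side source selects the gateway group, the group answers with the lowest tier that still has a live member, and with packet filtering disabled no rule is evaluated at all, so traffic simply follows the default route with no failover. Gateway names, tiers, the 192.168.1.0/24 transit network and the fall-back-to-default behaviour are assumptions for the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional

@dataclass
class Gateway:
    name: str
    tier: int              # lower tier is preferred; equal tiers are balanced
    up: bool               # result of the gateway monitor (ping to monitor IP)
    loss_pct: float = 0.0  # packet loss measured by the monitor
    rtt_ms: float = 0.0    # round-trip time measured by the monitor
@dataclass
class Group:
    members: List[Gateway]
    max_loss_pct: float = 100.0       # 100 = trigger only on "member down"
    max_rtt_ms: float = float("inf")  # a finite value also triggers on latency
@dataclass
class Rule:
    src: IPv4Network       # LAN-side source network the rule matches
    group: Optional[str]   # gateway group to route via, or None = default route
def usable(gw: Gateway, grp: Group) -> bool:
    return gw.up and gw.loss_pct < grp.max_loss_pct and gw.rtt_ms < grp.max_rtt_ms

def failover_members(grp: Group) -> List[str]:
    """All usable members of the lowest tier that still has one."""
    for tier in sorted({g.tier for g in grp.members}):
        live = [g.name for g in grp.members if g.tier == tier and usable(g, grp)]
        if live:
            return live
    return []

def choose_gateway(src_ip: str, filtering_enabled: bool, rules: List[Rule],
                   groups: Dict[str, Group], default_gw: str) -> str:
    """Gateway a packet from src_ip leaves by; no filtering means no rule is evaluated."""
    if filtering_enabled:
        for r in rules:                      # first matching rule wins
            if ip_address(src_ip) in r.src:
                if r.group is None:
                    return default_gw
                live = failover_members(groups[r.group])
                # assumption: with every member down, fall back to the default route
                return live[0] if live else default_gw
    return default_gw

# constructed sample: ISP 1 (tier 1) is down, ISP 2 is the tier-2 backup
WAN1 = Gateway("WAN1_GW", tier=1, up=False, loss_pct=100.0)
WAN2 = Gateway("WAN2_GW", tier=2, up=True)
GROUPS = {"FailoverGroup": Group([WAN1, WAN2])}
RULES = [Rule(IPv4Network("192.168.1.0/24"), "FailoverGroup")]
```

Calling `choose_gateway("192.168.1.15", True, RULES, GROUPS, "WAN1_GW")` returns the backup gateway, while the same call with filtering disabled returns the default gateway, which is exactly why the laptop in the test setup never gets a second path.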

