Multi-Provider with T1 and Business Cable



  • Ok, so this is what I'm trying to accomplish.  I have a T1 and a Cable connection.  I want to configure a pfSense 2.0 box to route all traffic for our servers through the T1, but have the cable connection handle regular traffic for users, unless the cable connection goes down.  Then I want it to fail over to the T1.  The T1 has a special router that I can't replace that hands out 10.0.0.1 addresses over DHCP (This can't be changed.  I wish it could, but it can't) and the cable connection also is DHCP, but a static address that is dynamically assigned to anything plugged into the LAN interface on the modem.  Can pfSense 2.0-RC3 accomplish this?

    [EDIT]

    OK, so I've changed my topology plan.  I finally convinced my ISP to let me do public-facing IPs on the T1.  The Cable is still DHCP.  I've attached a new proposed network topology.  I need to know how to accomplish the server DMZ portion of it and allow for filtering through a transparent firewall mode without NAT'ing that part of the network.  Thanks.



  • yes.

    :)



  • lol, I probably should have asked how, so here I go... How?



  • I can't help with load balancing because I have no such environment, but usually you can define which gateway you use by using routes or manual outbound NAT.



  • In pfSense 2.0 you can create gateway groups (System -> Routing).
    A gateway group can be configured for failover by using different "Tiers", setting gw1 at tier1 and gw2 at tier2, for example.
    Then you can use the firewall rules to assign certain traffic to a gateway group.

    You could even send HTTP traffic over WAN1 while sending FTP out only by WAN2.



  • So, if you want information for the servers to pass over the T1s, how would I accomplish making sure all of their traffic moves over the T1s and everything else over the Charter Cable connection?  I think I've got everything else configured and ready to try.



  • Make a rule which makes sure that traffic from certain sources goes out via a certain gateway.
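
An added illustration, not part of the thread and not pfSense's own code: a small Python model of the approach the replies above describe, where firewall rules match on source and hand traffic to a gateway group, and the group uses its lowest-numbered tier that still has an online gateway. Gateway names, group names and subnets are constructed for the example.

```python
import ipaddress

# Constructed topology: names, subnets and tiers are assumptions for illustration.
GATEWAY_GROUPS = {
    "ServersViaT1": {"T1_GW": 1},                     # servers never use the cable link
    "UsersCableThenT1": {"CABLE_GW": 1, "T1_GW": 2},  # cable first, T1 as failover
}

# First-match rules, like firewall rules on an interface: (source network, gateway group).
RULES = [
    (ipaddress.ip_network("203.0.113.0/28"), "ServersViaT1"),      # DMZ servers
    (ipaddress.ip_network("192.168.1.0/24"), "UsersCableThenT1"),  # workstations
]


def pick_gateway(group, online):
    """Return the online gateways in the lowest-numbered tier that has any, else []."""
    tiers = GATEWAY_GROUPS[group]
    for tier in sorted(set(tiers.values())):
        up = sorted(gw for gw, t in tiers.items() if t == tier and gw in online)
        if up:
            return up
    return []  # every gateway in the group is down; what happens next is not modelled


def route(src_ip, online):
    """Return (group, gateways) for the first rule matching src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for network, group in RULES:
        if addr in network:
            return group, pick_gateway(group, online)
    return None  # no rule matched: traffic is not policy-routed in this model


if __name__ == "__main__":
    # Walk through: both links up, cable down, T1 down.
    for online in ({"T1_GW", "CABLE_GW"}, {"T1_GW"}, {"CABLE_GW"}):
        for src in ("203.0.113.5", "192.168.1.50"):
            print(sorted(online), src, "->", route(src, online))
```

The case worth checking on a real box is the last one: with the T1 down, the server group has no usable gateway, so confirm that server traffic is dropped rather than silently leaving via the cable link.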



  • [EDIT]
    Ok, so I changed the original post, because we made a few network changes and I need to do things slightly differently.  Basically, I need a DMZ that has port filtering, but doesn't have NAT'ing, so transparent filtering on the servers' NIC from the T1 and the Cable connection to the workstations with fail-over to the T1 if the cable connection goes down.  How would I accomplish this?



  • If you have another interface and subnet for the servers, then you can do it easily with manual outbound NAT. There you can control which IP address it uses to the outside world.



  • I want the ability to assign the IPs directly to the servers, but still have filtering.  I don't want to NAT the servers.  Just port filtering.



  • Manual outbound NAT has a check box, "Do Not NAT"; click on it.



  • Can this be done per interface?  Where is the checkbox for it?



  • Have you got pfSense up and running? The outbound NAT page lets you specify how all your internal hosts are presented to the public web. Typical NAT is the default, but you can change this to your heart's content.  Using multiple gateway groups as described above, with rules directing the traffic from/to specific servers via the specific gateway groups will accomplish everything you've described.



  • tacfit, thanks for your response.  Does this require that I have the servers NAT'ed in the first place, because I'm trying to pass through traffic directly with public addresses assigned to the interfaces on the servers.



  • You don't have to have NAT on the servers, but if you do it would be easier to access those servers in the same subnet. Create a virtual pfSense machine to see what it's capable of, or try to read the documentation. Then you'll see that this product can do almost everything except brew coffee or shave my beard.

