Hello, could this scenario be possible with NAT outbound translation?



  • Setup is:

    ISP1 ------ |
    ISP2 ------ | Pfsense Firewall 1 ----------> Pfsense Firewall 2 -----------> LAN
    ISP3 ------ |

    I want some of my LAN workstations to go to ISP1 as default gateway,
    and some of them to go to ISP2 and ISP3. Having this setup, is it possible? Actually Firewall 2 has a special purpose, so that's why I can't get it out of the diagram. I need ideas here, thanks.



  • If that is done by pfsense1, why not?
    But do you want to open up what you want to achieve?



  • @Metu69salemi:

    If that is done by pfsense1, why not?
    But do you want to open up what you want to achieve?

    Yeah, I want Pfsense firewall 1 to be able to see the addresses on the LAN side, because from that data I will be able to segregate such LAN IPs to ISP1 and some to ISP2 & ISP3.



  • If firewall #2 is not NATing, you can see the original IP addresses in pfsense#1, and so you can decide the ISPs.



  • @Metu69salemi:

    If firewall #2 is not NATing, you can see the original IP addresses in pfsense#1, and so you can decide the ISPs.

    And if firewall #2 is not using squid, so that pfsense#1 can see the clients' IP addresses and not only the proxy IP address.



  • @Nachtfalke:

    @Metu69salemi:

    If firewall #2 is not NATing, you can see the original IP addresses in pfsense#1, and so you can decide the ISPs.

    And if firewall #2 is not using squid, so that pfsense#1 can see the clients' IP addresses and not only the proxy IP address.

    Thanks for completing sentences ;)



  • Suppose it has squid, will that be a big problem? Is there a workaround if there is squid residing in firewall #2?



  • Yes, it would be a problem because all clients which are using the proxy always have the same IP as the proxy. So it wouldn't be possible for pfsense#1 to decide which client initiated the connection - it is always the proxy.



  • @Nachtfalke:

    Yes, it would be a problem because all clients which are using the proxy always have the same IP as the proxy. So it wouldn't be possible for pfsense#1 to decide which client initiated the connection - it is always the proxy.

    Is there no workaround for this? Even with outbound NAT and 1:1? Or if you have any ideas.



  • Just bypassing squid for source IP addresses.

    This is what I know about this. I do not know any way to see the real client IPs after they have passed a proxy.

    Perhaps it would be possible to explain to us in more detail what you want to realize with pfsense#1 and pfsense#2, and why there should be two pfsense boxes, or why squid should run on box #2 and not on box #1.
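    To make the point of the last few replies concrete, here is a small Python model (an added example, not code from the thread or from pfSense) of what pfsense#1 can see depending on how pfsense#2 forwards traffic. The policy table, subnets, ISP names, the address of pfsense#2 and the squid bypass list are all constructed for the example. In "routed" mode pfsense#1 sees the real client address and its per-subnet policy works; with outbound NAT or squid on pfsense#2 every connection arrives from pfsense#2's own address, so the policy collapses to the default ISP, except for clients that squid is configured to bypass.

```python
import ipaddress

# Constructed policy table for pfsense#1: LAN source subnet -> ISP to use.
# Subnets and ISP names are made up for this example.
POLICY = [
    (ipaddress.ip_network("192.168.10.0/24"), "ISP1"),
    (ipaddress.ip_network("192.168.20.0/24"), "ISP2"),
    (ipaddress.ip_network("192.168.30.0/24"), "ISP3"),
]
DEFAULT_ISP = "ISP1"

# Constructed: the address of pfsense#2 on the link towards pfsense#1.
FW2_WAN_ADDR = ipaddress.ip_address("10.0.0.2")

# Constructed: clients the squid proxy on pfsense#2 is told to bypass,
# so their traffic is plainly routed instead of proxied.
SQUID_BYPASS = {ipaddress.ip_address("192.168.30.5")}


def choose_isp(src):
    """Policy routing on pfsense#1: pick the ISP from the source address it sees."""
    for net, isp in POLICY:
        if src in net:
            return isp
    return DEFAULT_ISP


def source_seen_by_fw1(client, fw2_mode):
    """Source address pfsense#1 receives for a client's connection, by pfsense#2 mode.

    'routed': pfsense#2 forwards without outbound NAT, the source is preserved.
    'nat':    outbound NAT rewrites the source to pfsense#2's own address.
    'squid':  the proxy originates a new connection, so the source is the
              proxy's address, except for clients in the bypass list.
    """
    if fw2_mode == "routed":
        return client
    if fw2_mode == "nat":
        return FW2_WAN_ADDR
    if fw2_mode == "squid":
        return client if client in SQUID_BYPASS else FW2_WAN_ADDR
    raise ValueError(f"unknown mode: {fw2_mode}")


def isp_per_client(clients, fw2_mode):
    """Map each client to the ISP pfsense#1 actually selects for it."""
    result = {}
    for c in clients:
        addr = ipaddress.ip_address(c)
        result[c] = choose_isp(source_seen_by_fw1(addr, fw2_mode))
    return result


def distinguishable(clients, fw2_mode):
    """True if pfsense#1 still tells the clients apart (more than one ISP chosen)."""
    return len(set(isp_per_client(clients, fw2_mode).values())) > 1


if __name__ == "__main__":
    clients = ["192.168.10.5", "192.168.20.5", "192.168.30.5"]
    for mode in ("routed", "nat", "squid"):
        print(mode, isp_per_client(clients, mode),
              "distinguishable:", distinguishable(clients, mode))
```

    Running it shows three different ISPs in routed mode, only ISP1 (the default) in NAT mode, and in squid mode only the bypassed client keeps its own ISP; that is exactly why the replies above suggest not NATing on pfsense#2 and bypassing squid for the addresses that must be policy-routed.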



  • @Nachtfalke:

    Just bypassing squid for source IP addresses.

    This is what I know about this. I do not know any way to see the real client IPs after they have passed a proxy.

    Perhaps it would be possible to explain to us in more detail what you want to realize with pfsense#1 and pfsense#2, and why there should be two pfsense boxes, or why squid should run on box #2 and not on box #1.

    The reason for having 2 pfsense boxes and segregating them is because:
    a.) I am using the 1.2.3 snapshot.
    b.) When I try to load balance a Multi-WAN and run it together with the squid package on the same box, this gives me an issue on the load balancer side.
    That's the reason why I segregate the boxes, so that each box will be running its specific function, as load balancer and as squid proxy.



  • Then take a look at this thread/tutorial:

    http://forum.pfsense.org/index.php/topic,37083.0.html



  • Will this work for 3 ISPs to be load balanced? In his example he has only 2 ISP links.



  • Load balancing in general is working with more than two links. If I remember correctly, a user in this forum is load balancing up to 8 lines.

    Because I am not using load balancing and squid on one machine, I do not know if it will work with more than two lines, but I think it would be possible.

