Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [Solved] multiple wan and multiple lan, i want each lan to use different wan

    Scheduled Pinned Locked Moved Routing and Multi WAN
    16 Posts 4 Posters 7.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lolinternet
      last edited by

      See the solution here

      Hello Forum

      I browsed around for a couple of days trying to gather all the information, but I still can't get it to work, assistance is greatly appreciated.

      I am having trouble getting LAN2 to route through WAN2.
      LAN2 is able to ping the IPs on WAN2: 192.168.30.1 and 192.168.30.128, and that is as far as it goes. I know for sure that there is internet access to on the WAN2 subnet.

      Here is what I am trying to do, I want each LAN connection to use their own WAN. I am not doing failovers here. I just want each lan network interface to  have their own routes.

      And here are the live settings:






      Please let me know how I can get this to work or if you need more information.

      Thank you.

      1 Reply Last reply Reply Quote 0
      • P
        podilarius
        last edited by

        Well you are almost there.I would use advanced outbound NAT and have at least 2 entries.

        10.0.0.1/24 - WAN1
        10.0.1.1/24 - WAN2

        Then your firewall default allow rule for LAN uses gateway WAN and LAN2 default rule uses WAN2 as its gateway.

        1 Reply Last reply Reply Quote 0
        • L
          lolinternet
          last edited by

          Hi podilarius, I tried what you said….still not having much luck

          The routing table is hard to read with all those different link # aliases

          1 Reply Last reply Reply Quote 0
          • P
            podilarius
            last edited by

            don't forget to set the gateway option in each of your firewall rules (for LAN and LAN2).

            1 Reply Last reply Reply Quote 0
            • L
              lolinternet
              last edited by

              Hello podilarius, thanks for the input.

              I did as you said, created firewall rules with a gateway entry….still not much luck.

              This machine is connected to LAN2, even before adding those firewall rules, the results were the same. I can ping the gateway, I can get an external ip from local DNS, but I cannot reach out to the internet, its like the route never gets created

              lolinternet@ubuntu:~$ ifconfig
              eth0      Link encap:Ethernet  HWaddr 00:0c:29:d4:76:e6  
                       inet addr:10.0.1.3  Bcast:10.0.1.255  Mask:255.255.255.0
                       inet6 addr: fe80::20c:29ff:fed4:76e6/64 Scope:Link
                       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                       RX packets:67 errors:0 dropped:0 overruns:0 frame:0
                       TX packets:392 errors:0 dropped:0 overruns:0 carrier:0
                       collisions:0 txqueuelen:1000
                       RX bytes:7118 (7.1 KB)  TX bytes:39336 (39.3 KB)
                       Interrupt:19 Base address:0x2000

              lo        Link encap:Local Loopback  
                       inet addr:127.0.0.1  Mask:255.0.0.0
                       inet6 addr: ::1/128 Scope:Host
                       UP LOOPBACK RUNNING  MTU:16436  Metric:1
                       RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                       TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                       collisions:0 txqueuelen:0
                       RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

              lolinternet@ubuntu:~$ route
              Kernel IP routing table
              Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
              default         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
              10.0.1.0        *               255.255.255.0   U     1      0        0 eth0
              link-local      *               255.255.0.0     U     1000   0        0 eth0
              lolinternet@ubuntu:~$ ping 192.168.30.1
              PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
              64 bytes from 192.168.30.1: icmp_req=1 ttl=127 time=0.580 ms
              64 bytes from 192.168.30.1: icmp_req=2 ttl=127 time=0.452 ms
              64 bytes from 192.168.30.1: icmp_req=3 ttl=127 time=0.399 ms
              ^V64 bytes from 192.168.30.1: icmp_req=4 ttl=127 time=0.366 ms
              ^C^
              –- 192.168.30.1 ping statistics ---
              4 packets transmitted, 4 received, 0% packet loss, time 3000ms
              rtt min/avg/max/mdev = 0.366/0.449/0.580/0.082 ms
              lolinternet@ubuntu:~$ ping google.ca
              PING google.ca (74.125.226.19) 56(84) bytes of data.
              ^C
              --- google.ca ping statistics ---
              8 packets transmitted, 0 received, 100% packet loss, time 7000ms

              lolinternet@ubuntu:~$

              Here are the configs for WAN2 and LAN2

              WAN2:

              LAN2:

              Routing table:I read some freeBSD docs that basically said that the Link# refers to the ethernet port #, but I still can't figure out how to read the routing table to describe how to read a route. In the routing table the Netif always matches the Link #, sometimes the link # will have a localhost lo0 Netif…..........

              1 Reply Last reply Reply Quote 0
              • pttP
                ptt Rebel Alliance
                last edited by

                1º In "Gateways" remove LAN2GW

                2º In  Firewall Rules remove the WAN2 Rule

                3º Modify the LAN Rule "Default allow LAN to any rule" and set the GW that you want to use for LAN

                Now you must be able to browse the net

                1 Reply Last reply Reply Quote 0
                • L
                  lolinternet
                  last edited by

                  @ptt:

                  1º In "Gateways" remove LAN2GW

                  2º In  Firewall Rules remove the WAN2 Rule

                  3º Modify the LAN Rule "Default allow LAN to any rule" and set the GW that you want to use for LAN

                  Now you must be able to browse the net

                  1º

                  2º

                  3º

                  results are still not successful

                  lolinternet@ubuntu:~$ ifconfig
                  eth0      Link encap:Ethernet  HWaddr 00:0c:29:d4:76:e6  
                           inet addr:10.0.1.3  Bcast:10.0.1.255  Mask:255.255.255.0
                           inet6 addr: fe80::20c:29ff:fed4:76e6/64 Scope:Link
                           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                           RX packets:30 errors:0 dropped:0 overruns:0 frame:0
                           TX packets:524 errors:0 dropped:0 overruns:0 carrier:0
                           collisions:0 txqueuelen:1000
                           RX bytes:3349 (3.3 KB)  TX bytes:54628 (54.6 KB)
                           Interrupt:19 Base address:0x2000

                  lo        Link encap:Local Loopback  
                           inet addr:127.0.0.1  Mask:255.0.0.0
                           inet6 addr: ::1/128 Scope:Host
                           UP LOOPBACK RUNNING  MTU:16436  Metric:1
                           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                           collisions:0 txqueuelen:0
                           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

                  lolinternet@ubuntu:~$ route
                  Kernel IP routing table
                  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                  default         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
                  10.0.1.0        *               255.255.255.0   U     1      0        0 eth0
                  link-local      *               255.255.0.0     U     1000   0        0 eth0
                  lolinternet@ubuntu:~$ ping 192.168.30.1
                  PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
                  64 bytes from 192.168.30.1: icmp_req=1 ttl=127 time=0.629 ms
                  64 bytes from 192.168.30.1: icmp_req=2 ttl=127 time=0.447 ms
                  64 bytes from 192.168.30.1: icmp_req=3 ttl=127 time=0.386 ms
                  64 bytes from 192.168.30.1: icmp_req=4 ttl=127 time=0.482 ms
                  ^C
                  –- 192.168.30.1 ping statistics ---
                  4 packets transmitted, 4 received, 0% packet loss, time 3001ms
                  rtt min/avg/max/mdev = 0.386/0.486/0.629/0.089 ms
                  lolinternet@ubuntu:~$ ping google.ca
                  PING google.ca (74.125.226.18) 56(84) bytes of data.
                  ^C
                  --- google.ca ping statistics ---
                  6 packets transmitted, 0 received, 100% packet loss, time 5041ms

                  lolinternet@ubuntu:~$

                  1 Reply Last reply Reply Quote 0
                  • pttP
                    ptt Rebel Alliance
                    last edited by

                    Ping Form your pfSense WAN2  ( Diagnostics –> Ping )

                    Diag_Ping.PNG
                    Diag_Ping.PNG_thumb

                    1 Reply Last reply Reply Quote 0
                    • L
                      lolinternet
                      last edited by

                      I get no reply when pinging from the WAN2 interface.

                      I know for sure that the network WAN2 is connected to is fine because when i plug any computer to it, i get an address from dhcp and it can get on the net.

                      I've configured WAN2 to configure itself by DHCP

                      1 Reply Last reply Reply Quote 0
                      • P
                        podilarius
                        last edited by

                        Try hard setting all the WAN IP addresses.

                        1 Reply Last reply Reply Quote 0
                        • L
                          lolinternet
                          last edited by

                          BIG THANK YOU TO PODILARIUS & PTT.

                          I got it to work on real hardware as opposed to VMs and it works.

                          I am going to write a little how to  maybe this can help people.

                          1 Reply Last reply Reply Quote 0
                          • A
                            arstacey
                            last edited by

                            lolinternet - Have you written a how to on this yet?  I am doing a very similar thing.  I have ATT business DSL and Comcast internet.  I have 2 WAN  and 3 LAN's.  Lan 1 and 2 are running through WAN1 which is my ATT DSL service.  They are working fine.  I cannot get Lan 3 to route through Wan 2.  I can ping from Wan 2's interface fine.  I am obviously missing a step somewhere.  I have my outbound nat set up correctly, the gateway is added in my firewall rule for Lan 3, but i get no ping results if I ping from the Lan 3 address.

                            1 Reply Last reply Reply Quote 0
                            • L
                              lolinternet
                              last edited by

                              Working on it…

                              1 Reply Last reply Reply Quote 0
                              • L
                                lolinternet
                                last edited by

                                DOCUMENTATION

                                This is a simple howto. The firewall is not at all locked down, this is to get things up and running.

                                To give you an idea, here is the dashboard. All my WAN interface reside in private address space.

                                1) NIC CONFIGURATION

                                Assign your ports:

                                Go to Interfaces->WAN
                                Notice that I unchecked "Block private networks" as my wan is connected to a private address subnet. I set the ip to static. Also because I am using a static IP, I had to set the gateway manually

                                Let's configure the second WAN interface, in my case WAN_BCE0

                                The LAN interfaces , note that I renamed my interface through the Description which is under General configuration. Static IP has been set so that DHCP server may run on this interface

                                2) DHCP SERVER Go to Services->DHCP server. DHCP server should be disabled on all WAN interfaces but must be enabled on LAN interfaces




                                **3) VERIFY ROUTING

                                Go to System->Routing only WAN interfaces should be there, if you see anything other than WAN interfaces in there, remove them. Most of the time this fills in correctly, if anything is missing add it in**.

                                **4) FIREWALL: Rules

                                Go to Firewall->Rules

                                The WAN is the default gateway, this is the default setting, no modification made**

                                **By default LAN_IGB0_BDOMAIN4 will be using WAN as its gateway, I didnt do any firewall configuration there

                                I did not need to enter any firewall rules for WAN_BCE0

                                However, for LAN_IGB1_BDOMAIN3 to get internet access through WAN_BCE0, firewall rules needed to be added and the Gateway was set

                                And the final product in the firewall rules summary:

                                1. TESTING
                                  Plug a computer at each LAN nic port and do some traceroutes and pings, refer to beginning of thread to see troubleshooting tips.**

                                ![FireShot Screen Capture #001 - 'pfSense_sector001 - Status_ Dashboard' - 10_0_0_1.png](/public/imported_attachments/1/FireShot Screen Capture #001 - 'pfSense_sector001 - Status_ Dashboard' - 10_0_0_1.png)
                                ![FireShot Screen Capture #001 - 'pfSense_sector001 - Status_ Dashboard' - 10_0_0_1.png_thumb](/public/imported_attachments/1/FireShot Screen Capture #001 - 'pfSense_sector001 - Status_ Dashboard' - 10_0_0_1.png_thumb)

                                1 Reply Last reply Reply Quote 0
                                • P
                                  podilarius
                                  last edited by

                                  Nice,
                                  Can you also post your outbound NAT rules if they are advanced?

                                  1 Reply Last reply Reply Quote 0
                                  • L
                                    lolinternet
                                    last edited by

                                    No Firewall: NAT rules were created or generated

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.