[Solved] multiple wan and multiple lan, i want each lan to use different wan



  • See the solution here

    Hello Forum

    I browsed around for a couple of days trying to gather all the information, but I still can't get it to work, assistance is greatly appreciated.

    I am having trouble getting LAN2 to route through WAN2.
    LAN2 is able to ping the IPs on WAN2: 192.168.30.1 and 192.168.30.128, and that is as far as it goes. I know for sure that there is internet access to on the WAN2 subnet.

    Here is what I am trying to do, I want each LAN connection to use their own WAN. I am not doing failovers here. I just want each lan network interface to  have their own routes.

    And here are the live settings:






    Please let me know how I can get this to work or if you need more information.

    Thank you.



  • Well you are almost there.I would use advanced outbound NAT and have at least 2 entries.

    10.0.0.1/24 - WAN1
    10.0.1.1/24 - WAN2

    Then your firewall default allow rule for LAN uses gateway WAN and LAN2 default rule uses WAN2 as its gateway.



  • Hi podilarius, I tried what you said….still not having much luck

    The routing table is hard to read with all those different link # aliases



  • don't forget to set the gateway option in each of your firewall rules (for LAN and LAN2).



  • Hello podilarius, thanks for the input.

    I did as you said, created firewall rules with a gateway entry….still not much luck.

    This machine is connected to LAN2, even before adding those firewall rules, the results were the same. I can ping the gateway, I can get an external ip from local DNS, but I cannot reach out to the internet, its like the route never gets created

    lolinternet@ubuntu:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0c:29:d4:76:e6  
             inet addr:10.0.1.3  Bcast:10.0.1.255  Mask:255.255.255.0
             inet6 addr: fe80::20c:29ff:fed4:76e6/64 Scope:Link
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:67 errors:0 dropped:0 overruns:0 frame:0
             TX packets:392 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000
             RX bytes:7118 (7.1 KB)  TX bytes:39336 (39.3 KB)
             Interrupt:19 Base address:0x2000

    lo        Link encap:Local Loopback  
             inet addr:127.0.0.1  Mask:255.0.0.0
             inet6 addr: ::1/128 Scope:Host
             UP LOOPBACK RUNNING  MTU:16436  Metric:1
             RX packets:0 errors:0 dropped:0 overruns:0 frame:0
             TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:0
             RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    lolinternet@ubuntu:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
    10.0.1.0        *               255.255.255.0   U     1      0        0 eth0
    link-local      *               255.255.0.0     U     1000   0        0 eth0
    lolinternet@ubuntu:~$ ping 192.168.30.1
    PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
    64 bytes from 192.168.30.1: icmp_req=1 ttl=127 time=0.580 ms
    64 bytes from 192.168.30.1: icmp_req=2 ttl=127 time=0.452 ms
    64 bytes from 192.168.30.1: icmp_req=3 ttl=127 time=0.399 ms
    ^V64 bytes from 192.168.30.1: icmp_req=4 ttl=127 time=0.366 ms
    ^C^
    –- 192.168.30.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3000ms
    rtt min/avg/max/mdev = 0.366/0.449/0.580/0.082 ms
    lolinternet@ubuntu:~$ ping google.ca
    PING google.ca (74.125.226.19) 56(84) bytes of data.
    ^C
    --- google.ca ping statistics ---
    8 packets transmitted, 0 received, 100% packet loss, time 7000ms

    lolinternet@ubuntu:~$

    Here are the configs for WAN2 and LAN2

    WAN2:

    LAN2:

    Routing table:I read some freeBSD docs that basically said that the Link# refers to the ethernet port #, but I still can't figure out how to read the routing table to describe how to read a route. In the routing table the Netif always matches the Link #, sometimes the link # will have a localhost lo0 Netif…..........


  • Rebel Alliance

    1º In "Gateways" remove LAN2GW

    2º In  Firewall Rules remove the WAN2 Rule

    3º Modify the LAN Rule "Default allow LAN to any rule" and set the GW that you want to use for LAN

    Now you must be able to browse the net



  • @ptt:

    1º In "Gateways" remove LAN2GW

    2º In  Firewall Rules remove the WAN2 Rule

    3º Modify the LAN Rule "Default allow LAN to any rule" and set the GW that you want to use for LAN

    Now you must be able to browse the net




    results are still not successful

    lolinternet@ubuntu:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0c:29:d4:76:e6  
             inet addr:10.0.1.3  Bcast:10.0.1.255  Mask:255.255.255.0
             inet6 addr: fe80::20c:29ff:fed4:76e6/64 Scope:Link
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:30 errors:0 dropped:0 overruns:0 frame:0
             TX packets:524 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000
             RX bytes:3349 (3.3 KB)  TX bytes:54628 (54.6 KB)
             Interrupt:19 Base address:0x2000

    lo        Link encap:Local Loopback  
             inet addr:127.0.0.1  Mask:255.0.0.0
             inet6 addr: ::1/128 Scope:Host
             UP LOOPBACK RUNNING  MTU:16436  Metric:1
             RX packets:0 errors:0 dropped:0 overruns:0 frame:0
             TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:0
             RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    lolinternet@ubuntu:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
    10.0.1.0        *               255.255.255.0   U     1      0        0 eth0
    link-local      *               255.255.0.0     U     1000   0        0 eth0
    lolinternet@ubuntu:~$ ping 192.168.30.1
    PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
    64 bytes from 192.168.30.1: icmp_req=1 ttl=127 time=0.629 ms
    64 bytes from 192.168.30.1: icmp_req=2 ttl=127 time=0.447 ms
    64 bytes from 192.168.30.1: icmp_req=3 ttl=127 time=0.386 ms
    64 bytes from 192.168.30.1: icmp_req=4 ttl=127 time=0.482 ms
    ^C
    –- 192.168.30.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3001ms
    rtt min/avg/max/mdev = 0.386/0.486/0.629/0.089 ms
    lolinternet@ubuntu:~$ ping google.ca
    PING google.ca (74.125.226.18) 56(84) bytes of data.
    ^C
    --- google.ca ping statistics ---
    6 packets transmitted, 0 received, 100% packet loss, time 5041ms

    lolinternet@ubuntu:~$


  • Rebel Alliance

    Ping Form your pfSense WAN2  ( Diagnostics –> Ping )




  • I get no reply when pinging from the WAN2 interface.

    I know for sure that the network WAN2 is connected to is fine because when i plug any computer to it, i get an address from dhcp and it can get on the net.

    I've configured WAN2 to configure itself by DHCP



  • Try hard setting all the WAN IP addresses.



  • BIG THANK YOU TO PODILARIUS & PTT.

    I got it to work on real hardware as opposed to VMs and it works.

    I am going to write a little how to  maybe this can help people.



  • lolinternet - Have you written a how to on this yet?  I am doing a very similar thing.  I have ATT business DSL and Comcast internet.  I have 2 WAN  and 3 LAN's.  Lan 1 and 2 are running through WAN1 which is my ATT DSL service.  They are working fine.  I cannot get Lan 3 to route through Wan 2.  I can ping from Wan 2's interface fine.  I am obviously missing a step somewhere.  I have my outbound nat set up correctly, the gateway is added in my firewall rule for Lan 3, but i get no ping results if I ping from the Lan 3 address.



  • Working on it…



  • DOCUMENTATION

    This is a simple howto. The firewall is not at all locked down, this is to get things up and running.

    To give you an idea, here is the dashboard. All my WAN interface reside in private address space.

    1) NIC CONFIGURATION

    Assign your ports:

    Go to Interfaces->WAN
    Notice that I unchecked "Block private networks" as my wan is connected to a private address subnet. I set the ip to static. Also because I am using a static IP, I had to set the gateway manually

    Let's configure the second WAN interface, in my case WAN_BCE0

    The LAN interfaces , note that I renamed my interface through the Description which is under General configuration. Static IP has been set so that DHCP server may run on this interface

    2) DHCP SERVER Go to Services->DHCP server. DHCP server should be disabled on all WAN interfaces but must be enabled on LAN interfaces




    **3) VERIFY ROUTING

    Go to System->Routing only WAN interfaces should be there, if you see anything other than WAN interfaces in there, remove them. Most of the time this fills in correctly, if anything is missing add it in**.

    **4) FIREWALL: Rules

    Go to Firewall->Rules

    The WAN is the default gateway, this is the default setting, no modification made**

    **By default LAN_IGB0_BDOMAIN4 will be using WAN as its gateway, I didnt do any firewall configuration there

    I did not need to enter any firewall rules for WAN_BCE0

    However, for LAN_IGB1_BDOMAIN3 to get internet access through WAN_BCE0, firewall rules needed to be added and the Gateway was set

    And the final product in the firewall rules summary:

    1. TESTING
      Plug a computer at each LAN nic port and do some traceroutes and pings, refer to beginning of thread to see troubleshooting tips.**

    ![FireShot Screen Capture #001 - 'pfSense_sector001 - Status_ Dashboard' - 10_0_0_1.png](/public/imported_attachments/1/FireShot Screen Capture #001 - 'pfSense_sector001 - Status_ Dashboard' - 10_0_0_1.png)
    ![FireShot Screen Capture #001 - 'pfSense_sector001 - Status_ Dashboard' - 10_0_0_1.png_thumb](/public/imported_attachments/1/FireShot Screen Capture #001 - 'pfSense_sector001 - Status_ Dashboard' - 10_0_0_1.png_thumb)



  • Nice,
    Can you also post your outbound NAT rules if they are advanced?



  • No Firewall: NAT rules were created or generated


Log in to reply