Multi WAN & Multi VLAN

jgun98

Hi All,
Is there any possibility to set multi wan and multi vlan?
I have this scenario.
I have two internet connection for example 202.140.2.15 and 202.130.4.106
and two or more vlan, for example vlan11 and vlan12
vlan11 i want to connect via 202.140.2.15
and vlan12 connect via 202.130.4.106

Three ethernet adapter only can be set for example
xl0 for wan
xl1 for lan
xl2 for opt1 -> vlan11 and vlan12
Thanks,
Regards,
jgun

stephenw10

Do you have two WAN connections or just two public IP addresses on the same WAN connection?

Either way the answer is yes you can.

Steve

jgun98

I have two physical WAN with two modems from ISP.

jgun

stephenw10

In that case you can simply use policy based routing to route traffic from VLAN 11 to WAN1 and traffic VLAN12 to WAN2 or whatever you need.

I'm slightly confused because you only have one WAN shown in your first post.

Steve

jgun98

Sorry for the delay in responding

did you mean that we can add more lan card for opt wan?
currently i have
bge0 -> for OPT VLAN90 and OPT VLAN91
xl0 -> WAN
xl1 -> LAN

so i can add forth lan card for OPT WAN?
Regards,
jgun

stephenw10

Yes, if you have space in your box it will be easier to have two separate physical interfaces for your two WANs.

Steve

jgun98

Thanks, I've got the point.
I need tutorial or sample to implement this policy based routing
Do you have it?
Regards,
jgun

stephenw10

Strangly I can't find anything in the documentation other that that page I already linked to. Like it says policy based routing is using firewall rules to route traffic matching that rule.

Here's an example. I have two WAN connections I also have two WIFI networks. In my case they are two separate wifi access points, one is an Atheros card in my pfSense box the other is an 802.11N access point some distance away connected to a separate interface.
I use policy based routing to send traffic from WIFI1 out through WAN1 while traffic from WIFI2 is sent to WAN2. It's really very simple. Each of the interfaces has a firewall rule to allow traffic out, exactly as any other internal interface, the difference is I have specified the gateway. Usually it's set as default, it's in the 'advanced features' section below the normal rule options.

See attached image.

Additionally you can add other policy rules. For example I have a rule on my WIFI1 interface that routes traffic from my personal laptop to a loadbalancing gateway.

Steve

jgun98

Thanks Steve.
How you define !LOCAL (not Local) network?

stephenw10

I added it as an alias in Firewall: Aliases:
It includes all my local subnets. I want clients on WIFI2 to have internet access but not local server access. You have to allow access to the pfSense DNS forwarder though otherwise they get no DNS.

Steve

jgun98

Hi Steve,
If you don't mind can I see your WAN2 Gateway setup/routing? and Aliases setup?

another OOT question, how you display the image?
AFAIK you have to upload to```
http://img.uploadhouse.com

then```
[IMAGE]http://img.uploadhouse.com/image.jpg [/IMAGE ]

is that correct?
Regards,
jgun

stephenw10

I'm not sure what you mean by 'WAN2 Gateway setup/routing'. The firewall acts on traffic coming into the pfSense box via whatever interface you have applied the rule to. Therefore to do any policy routing on outgoing traffic you have to use the firewall rule on the interface that traffic enters the box, WIFI2 in the above example. There is nothing special about my WAN2 config, I'd be happy to take some screen shots though.

I've attached a shot of my aliases config. As you can see the LOCAL alias is really just to make the rules more readable, I could almost as easily type 192.168.0.0/16. I could have been less lazy and included only my own subnets rather than an entire /16. The Facebook alias though is far more convenient.

Posting images in-line with the text is almost as you suggested, img not image. It's Simple Machines Forum BB code.

I have been lazy, again, and just attached the image to the post.

Steve

jgun98

Hi Steve,
I have add another LAN Card, device id xl2 -> WAN2

bge0 -> for OPT VLAN90 and OPT VLAN91
xl0 -> WAN
xl1 -> LAN

Create as WAN2, IP 10.10.10.123, Gateway 10.10.10.1

Rule for Interface OPT VLAN91
Local, Gateway OPT VLAN91 GW
!Local, Gateway WAN2GW

I use 10.90.0.0 255.255.252.0 an 10.91.0.0 255.255.252.0
My ASA is 10.10.10.1 Connect via Switch.

but seem connection still through WAN, not WAN2

According to your screenshoot did you name WAN2 Gateway as WAN2 also?
Thanks.
jgun

stephenw10

I believe the gateway is automatically named after the interface it's associated with. I can't remember now I may have edited it but either way, yes the gateway on my WAN2 interface is also named WAN2.

I'm having trouble reading your firewall rules. Can you include a screen shot?

Steve

jgun98

Steve,
where you upload the image? so I can upload at the same place also.
Thanks.
jgun

stephenw10

My images are just attached to the post, they are stored on the forum.
Click the 'Additional Options' drop down when you are replying.

Steve

jgun98

Hi Steve,
Thank you for your concern.
Here is the screen capture and I am very sorry that I have to hide some information.
Thanks.
Regards,
jgun

jgun98

Hi Steve (part 2),
Thank you for your concern.
Here is the screen capture and I am very sorry that I have to hide some information.
Thanks.
Regards,
jgun

stephenw10

Hmm, OK.

You should not have a gateway on your 'Mobile1' interface. Gateways should only be on WAN interfaces (or VPN connections).

You should not need a static route to the ASA on WAN2. pfSense will already have a route to that box via the WAN2 interface.

What do you have for your LocalIP alias?

Steve

jgun98

Hi,
Gateway mobile1 is ip on layer 3 switch therefore vlan 190 can communicate with other vlan.

and here is the capture of aliases.
Thanks
jgun