Multi WAN & Multi VLAN
-
Hi All,
Is there any possibility to set multi wan and multi vlan?
I have this scenario.
I have two internet connection for example 202.140.2.15 and 202.130.4.106
and two or more vlan, for example vlan11 and vlan12
vlan11 i want to connect via 202.140.2.15
and vlan12 connect via 202.130.4.106Three ethernet adapter only can be set for example
xl0 for wan
xl1 for lan
xl2 for opt1 -> vlan11 and vlan12
Thanks,
Regards,
jgun
-
Do you have two WAN connections or just two public IP addresses on the same WAN connection?
Either way the answer is yes you can.
Steve
-
I have two physical WAN with two modems from ISP.
jgun
-
In that case you can simply use policy based routing to route traffic from VLAN 11 to WAN1 and traffic VLAN12 to WAN2 or whatever you need.
I'm slightly confused because you only have one WAN shown in your first post.
Steve
-
Sorry for the delay in responding
did you mean that we can add more lan card for opt wan?
currently i have
bge0 -> for OPT VLAN90 and OPT VLAN91
xl0 -> WAN
xl1 -> LANso i can add forth lan card for OPT WAN?
Regards,
jgun
-
Yes, if you have space in your box it will be easier to have two separate physical interfaces for your two WANs.
Steve
-
Thanks, I've got the point.
I need tutorial or sample to implement this policy based routing
Do you have it?
Regards,
jgun
-
Strangly I can't find anything in the documentation other that that page I already linked to. Like it says policy based routing is using firewall rules to route traffic matching that rule.
Here's an example. I have two WAN connections I also have two WIFI networks. In my case they are two separate wifi access points, one is an Atheros card in my pfSense box the other is an 802.11N access point some distance away connected to a separate interface.
I use policy based routing to send traffic from WIFI1 out through WAN1 while traffic from WIFI2 is sent to WAN2. It's really very simple. Each of the interfaces has a firewall rule to allow traffic out, exactly as any other internal interface, the difference is I have specified the gateway. Usually it's set as default, it's in the 'advanced features' section below the normal rule options.See attached image.
Additionally you can add other policy rules. For example I have a rule on my WIFI1 interface that routes traffic from my personal laptop to a loadbalancing gateway.
Steve
-
Thanks Steve.
How you define !LOCAL (not Local) network?
-
I added it as an alias in Firewall: Aliases:
It includes all my local subnets. I want clients on WIFI2 to have internet access but not local server access. You have to allow access to the pfSense DNS forwarder though otherwise they get no DNS.Steve
-
Hi Steve,
If you don't mind can I see your WAN2 Gateway setup/routing? and Aliases setup?another OOT question, how you display the image?
AFAIK you have to upload to```
http://img.uploadhouse.comthen``` [IMAGE]http://img.uploadhouse.com/image.jpg [/IMAGE ]is that correct?
Regards,
jgun
-
I'm not sure what you mean by 'WAN2 Gateway setup/routing'. The firewall acts on traffic coming into the pfSense box via whatever interface you have applied the rule to. Therefore to do any policy routing on outgoing traffic you have to use the firewall rule on the interface that traffic enters the box, WIFI2 in the above example. There is nothing special about my WAN2 config, I'd be happy to take some screen shots though.
I've attached a shot of my aliases config. As you can see the LOCAL alias is really just to make the rules more readable, I could almost as easily type 192.168.0.0/16. I could have been less lazy and included only my own subnets rather than an entire /16. The Facebook alias though is far more convenient.
Posting images in-line with the text is almost as you suggested, img not image. It's Simple Machines Forum BB code.
I have been lazy, again, and just attached the image to the post.
Steve
-
Hi Steve,
I have add another LAN Card, device id xl2 -> WAN2bge0 -> for OPT VLAN90 and OPT VLAN91
xl0 -> WAN
xl1 -> LANCreate as WAN2, IP 10.10.10.123, Gateway 10.10.10.1
Rule for Interface OPT VLAN91
Local, Gateway OPT VLAN91 GW
!Local, Gateway WAN2GWI use 10.90.0.0 255.255.252.0 an 10.91.0.0 255.255.252.0
My ASA is 10.10.10.1 Connect via Switch.but seem connection still through WAN, not WAN2
According to your screenshoot did you name WAN2 Gateway as WAN2 also?
Thanks.
jgun
-
I believe the gateway is automatically named after the interface it's associated with. I can't remember now I may have edited it but either way, yes the gateway on my WAN2 interface is also named WAN2.
I'm having trouble reading your firewall rules. Can you include a screen shot?
Steve
-
Steve,
where you upload the image? so I can upload at the same place also.
Thanks.
jgun
-
My images are just attached to the post, they are stored on the forum.
Click the 'Additional Options' drop down when you are replying.Steve
-
Hi Steve,
Thank you for your concern.
Here is the screen capture and I am very sorry that I have to hide some information.
Thanks.
Regards,
jgun
-
Hi Steve (part 2),
Thank you for your concern.
Here is the screen capture and I am very sorry that I have to hide some information.
Thanks.
Regards,
jgun
-
Hmm, OK.
You should not have a gateway on your 'Mobile1' interface. Gateways should only be on WAN interfaces (or VPN connections).
You should not need a static route to the ASA on WAN2. pfSense will already have a route to that box via the WAN2 interface.
What do you have for your LocalIP alias?
Steve
-
Hi,
Gateway mobile1 is ip on layer 3 switch therefore vlan 190 can communicate with other vlan.and here is the capture of aliases.
Thanks
jgun
-
Do you have VLANs on your network other than Mobile1, Hotspot and CO? You have different subnets on the other side of your switch?
Adding a gateway to Mobile1 causes pfSense to treat it differently. If you have not changed anything it will be NATing traffic on that interface for example which you almost certainly don't want.
Steve
-
Do you have VLANs on your network other than Mobile1, Hotspot? Yes
You have different subnets on the other side of your switch? Yes, we have many vlan, but only some vlan that we route to pfsense.
I want mobile can connect to others vlan and also have different route to internet
-
Ok, your network is more complex than I realised.
However you still don't want to have a gateway on Mobile1. Instead add static routes to your other subnets.
I'm not sure how that might work with clients on the mobile1 subnet though. Traffic would have to route in and out of the same pfSense interface and I'm not sure that's possible. :-\Steve
-
Still not working… I think I have to go to alternative, install another pfsense
-
When creating a static route the Network should not be in the same subnet as the Gateway, ie 10.10.10.0/24 and 10.10.10.1 in your case. In a static route the Gateway is an IP address that is directly reachable from a local network, while the Network is one that is not directly reachable, hence the use of a route and gateway.
What type of interface is WAN2 (dhcp, static, pppoe, et)? What is WAN2's IP address?
-
Hi,
IP Address WAN2 (Static) 10.10.10.123 /24
Gateway 10.10.10.1 /24I have tried to remove the static route as advice by Steve
Regards
Gunawan
-
I think a diagram of your network could help to clear things up here.
Steve
-
When I setup WAN2, should I set the load balancer?
I have read several
