PfSense 2.0.1 Dual WAN + DMZ (bridged) + LAN + WLAN



  • Hi everyone,

    I've been using pfSense for 6 years now and I'm moving to a new setup. For the moment I'm on dual WAN with a NATed LAN.

    I've read on the internet for a couple of days but can't find any examples of what I want to do: a new setup with an interface for servers that could use external internet addresses. Both WANs have multiple IPs. The WLAN interface is not in the current setup, but I think it will be an easy bridge to the LAN.

    
                  +--- ISP1 Modem --- ISP1 Router ---- WAN  (WAN_ISP1) --+
                  |                   (69.XX.XXX.97)                     |
    Internet -----|                                                      |-- pfSense >
                  |                                                      |
                  +--- ISP2 Modem --- ISP2 Router ---- OPT1 (WAN_ISP2) --+
                                      (66.XXX.XXX.56)
    
                  +--- LAN  (LAN)  ---- Switch --- Multiple computers behind NAT, DHCP
                  |    (192.168.0.1)
                  |
    > pfSense ----+--- OPT3 (WLAN) ---- Wireless Switch act like a bridge --- Multiple computers behind NAT, DHCP
                  |    (192.168.1.1)
                  |
                  +--- OPT2 (DMZ)  ---- Switch -+- Server 1 (69.XX.XXX.98, 66.XXX.XXX.57, 66.XXX.XXX.58,...)
                                                |
                                                +- Server 2 (69.XX.XXX.99,...)
    
    

    Hope someone could bring me an example!

    Thank you,

    Alexandre.



    I think the easiest way would be to assign VIPs (virtual IPs) for the public IPs that are assigned by your ISP,
    then either port forward or use 1:1 NAT to your DMZ internal LAN addresses.
    See the YouTube video posted in another related post: http://www.youtube.com/watch?v=zrBr0N0WrTY&feature=youtube_gdata_player

    The other option is creating a bridge, if you want your servers to actually have a public IP and not a LAN address.
    This is something I personally have no experience with, but check out this forum post: http://forum.pfsense.org/index.php/topic,41063.msg212423.html#msg212423

    I hope you have enough info to sort it out.
    Enjoy!



  • Hi,

    I've used the bridge solution described in the other post and it is working as expected! I've of course made some changes to keep NAT on the LAN and WLAN, but even my load balancer is working after these changes.

    Thank you very much!

    Alexandre.



    Well, looks like only the IP I tested was working. For the moment I have bridged WAN2 on the DMZ.

    WAN2 :

    GW : 66.158.XX.57

    66.158.XX.58/29

    DMZ :

    66.158.XX.58/29

    Firewall rule 66.158.XX.60:80 in and out: working. 66.158.XX.62 in and out: not working.

    Very strange!



  • @thevoice:

    Hi,

    I've used the bridge solution described in the other post and it is working as expected! I've of course made some changes to keep NAT on the LAN and WLAN, but even my load balancer is working after these changes.

    Thank you very much!

    Alexandre.

    Hi Alexandre! Sorry for stealing your thread here, but can you tell me what to change to have this setup?
    I'm new with pfSense and I would like exactly the same setup as you have.

    Two ISPs, a bridge with public IPs, two VLANs with DHCP NAT.



  • Hi, sorry for the late answer and I hope I'll not miss anything.

    In my current configuration I have these settings :

    Interfaces > Assign > Interfaces assignments

    • WAN1 (69.70.XX.XX) Type : static
    • LAN (192.168.1.1) Type : static
    • WAN2 (66.158.XX.XX) Type : static
    • DMZ (none) Type : none

    Interfaces > Assign > Bridges

    Note: In my case I'm only using 66.158.XX.XX IPs for my servers. I'll soon use both WANs, but that is not tested yet. I have removed WAN1 from the bridge for sure; it was causing strange behaviors on my DMZ server and also on the router (random reboots or crashes).

    • BRIDGE0 (WAN2, DMZ)

    System > Advanced > System tunables

    net.link.bridge.pfil_member : 1
    net.link.bridge.pfil_bridge : 1

    Firewall > NAT > Outbound

    Select : Manual Outbound NAT rule generation

    Rules

    WAN2

    TCP  *  *  66.158.XX.61  80  *  none  // Example to get http
    TCP  *  *  66.158.XX.62  80  *  none  // Example to get http
    TCP  *  *  66.158.XX.63  80  *  none  // Example to get http

    DMZ

    *      *    *  *                  *  *  none

    Local server on DMZ

    eth0 : 66.158.XX.61
    eth0:1 : 66.158.XX.62
    eth0:2 : 66.158.XX.63

    Important note: At the moment I'm not able to open http://66.158.XX.6X in a browser from a computer on the LAN. Since this is a BRIDGE and not NAT, there is no more NAT REFLECTION. I've not found a simple solution for the moment!

    Hope this helps!
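    To make the bridged-DMZ rule set above easier to check before typing it into the GUI, here is an added POSIX sh helper (not from the thread or from pfSense). It assumes a constructed, unmasked placeholder WAN2 block (198.51.100.56/29) and interface name (em1) in place of the thread's masked 66.158.XX.XX values, verifies that each DMZ host address really falls inside the WAN2 /29 (a host outside the block is silently unreachable on a bridge, as in the .62 case above), and prints the equivalent pf rules for the tcp/80 entries on WAN2 together with the two bridge filtering tunables.

```shell
#!/bin/sh
# Constructed placeholders; the thread masks its real prefix (66.158.XX.56/29).
WAN2_NET="198.51.100.56/29"          # WAN2 public block
WAN2_IF="em1"                        # assumed physical name of WAN2
DMZ_HOSTS="198.51.100.61 198.51.100.62 198.51.100.63"   # eth0, eth0:1, eth0:2

# ip2int: dotted quad -> unsigned 32-bit integer (pure POSIX arithmetic)
ip2int() {
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR: exit 0 when IP lies inside CIDR, 1 otherwise
in_net() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# tunables: the two sysctls the thread sets so pf filters on the bridge members
tunables() {
  echo "net.link.bridge.pfil_member=1"
  echo "net.link.bridge.pfil_bridge=1"
}

# gen_rules: one "pass in" rule on WAN2 per DMZ host for tcp/80, mirroring the
# thread's GUI rows (TCP * * host 80 * none). Fails if a host is outside WAN2_NET.
gen_rules() {
  for h in $DMZ_HOSTS; do
    in_net "$h" "$WAN2_NET" || { echo "ERROR: $h is outside $WAN2_NET" >&2; return 1; }
    echo "pass in quick on $WAN2_IF proto tcp from any to $h port 80 flags S/SA keep state"
  done
}

# stand-alone run: show the tunables, then the generated rules
tunables
gen_rules
```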



  • @thevoice:

    Hi, sorry for the late answer and I hope I'll not miss anything.

    In my current configuration I have these settings :

    Interfaces > Assign > Interfaces assignments

    • WAN1 (69.70.XX.XX) Type : static
    • LAN (192.168.1.1) Type : static
    • WAN2 (66.158.XX.XX) Type : static
    • DMZ (none) Type : none

    Interfaces > Assign > Bridges

    Note: In my case I'm only using 66.158.XX.XX IPs for my servers. I'll soon use both WANs, but that is not tested yet. I have removed WAN1 from the bridge for sure; it was causing strange behaviors on my DMZ server and also on the router (random reboots or crashes).

    • BRIDGE0 (WAN2, DMZ)

    System > Advanced > System tunables

    net.link.bridge.pfil_member : 1
    net.link.bridge.pfil_bridge : 1

    Firewall > NAT > Outbound

    Select : Manual Outbound NAT rule generation

    Rules

    WAN2

    TCP   *   *   66.158.XX.61  80  *  none  // Example to get http
    TCP   *   *   66.158.XX.62  80  *  none  // Example to get http
    TCP   *   *   66.158.XX.63  80  *  none  // Example to get http

    DMZ

    *      *    *   *                  *   *  none

    Local server on DMZ

    eth0 : 66.158.XX.61
    eth0:1 : 66.158.XX.62
    eth0:2 : 66.158.XX.63

    Important note: At the moment I'm not able to open http://66.158.XX.6X in a browser from a computer on the LAN. Since this is a BRIDGE and not NAT, there is no more NAT REFLECTION. I've not found a simple solution for the moment!

    Hope this helps!

    Thank you! :-) I guess I have the same problem as you. I guess it is a routing problem.
    I can route out from both WANs, but when I want to reach the WAN-bridge server from the same ISP the routing is f*** up. I can reach the WAN-bridge server from any external IP, but not from the same ISP.



  • Hi,

    See my other post, where I've already found half of the solution:

    http://forum.pfsense.org/index.php/topic,54763.0.html

    Now my LAN can access my DMZ by public IPs.

