• We have two WAN connections: fiber & DSL
    We have two LAN connections: corporate & guest

    I would like to have corporate HTTP, FTP outbound and all guest traffic use the DSL.
    I would like to have all inbound SMTP, FTP, HTTP traffic use the fiber WAN.

    Is this possible? If so, what do I need to do?



  • see

    It's pretty straightforward to set up the NAT/firewall rules.

    To have the incoming SMTP/WWW come in on the fibre, just use DNS that resolves to the fibre IP.
    You may want to set up secondary MX (DNS) records for the DSL WAN IP, in case your other link is down.

    You just need a box with 4 NICs, or 5 if you want CARP.
    You could also use VLANs if you want fewer NICs and have switches capable of VLANing.

  • I understand everything in that PDF document. In terms of utilizing the WAN links, it's all correct.

    However, why is it that the first hop on my second LAN (optional interface 1, "guest") is the gateway, not the firewall? This can't be right.

    I do a traceroute and the first hop is the DSL modem itself and not the pfSense box.

  • By "gateway" you mean the ISP's gateway correct?

    Are you tracerouting from pfSense or from behind it?

    Your ADSL modem has an IP address??

  • Gateway = modem / router

    Our WAN looks like: PC -- pfSense -- Modem/Router (edge device) -- ISP

    Traceroute is from behind pfSense.

    ADSL modem has a static IP address - it acts as the router to the ISP (we have multiple static IPs).

    The first hop should be the LAN/OPT interface of the pfSense box...

    Unless of course you've bridged the interfaces.

  • I thought it should be as well.

    My Rule:
    *  LAN_GUEST net  *  *  *  [GATEWAY IP]    Description

    They're not bridged.

    Sorry, I don't know why that's happening... I'm only a Jr Member :D

    Good Luck

    Thanks for the help, tedced.

    Anyone else understand what's going on here?

    That's "normal" with multi-WAN like you have. It's not a major issue, as everything will work as you desire, but I consider it a bug. I already have a ticket open on it.

    You can work around it by creating a rule permitting traffic to your OPT IP with no gateway selection, and move that rule to the top of your OPT ruleset.
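
The setup asked for in the first post, together with the workaround from the last reply, written out as hand-crafted pf rules. This is an added example, not from the thread and not the ruleset pfSense generates from its GUI; it is here only to show which rules are needed and in what order. Interface names, the address ranges, the ISP gateway addresses and the internal server address are all assumptions.

```pf
# Added example, not from the thread. Hand-written pf syntax for the
# dual-WAN / dual-LAN design above. All names and addresses are assumptions.
wan_fiber = "em0"
wan_dsl   = "em1"
lan_corp  = "em2"
lan_guest = "em3"

corp_net  = "192.168.10.0/24"      # assumed corporate LAN
guest_net = "192.168.20.0/24"      # assumed guest LAN (OPT1)
dsl_gw    = "203.0.113.1"          # assumed DSL modem/router address
fiber_gw  = "198.51.100.1"         # assumed fibre gateway (the default route)
srv       = "192.168.10.25"        # assumed internal SMTP/FTP/HTTP host

set skip on lo0
scrub in all

# Outbound NAT: whatever leaves a WAN is translated to that WAN's address,
# so replies come back on the link the packet left on.
nat on $wan_fiber from { $corp_net, $guest_net } to any -> ($wan_fiber)
nat on $wan_dsl   from { $corp_net, $guest_net } to any -> ($wan_dsl)

# Inbound SMTP/FTP/HTTP only on the fibre address. Public DNS (A and the
# primary MX) must point at the fibre IP for this to be used.
rdr on $wan_fiber proto tcp from any to ($wan_fiber) port { 25, 21, 80 } -> $srv
pass in quick on $wan_fiber proto tcp from any to $srv port { 25, 21, 80 } keep state

# The workaround from the last reply: traffic from the guest LAN to the
# OPT interface's own address is passed with NO route-to, and this rule sits
# above the policy-routing rule. Without it the catch-all rule below would
# also apply route-to to packets addressed to the firewall itself, which is
# what makes traceroute show the DSL modem as hop 1.
pass in quick on $lan_guest from $guest_net to ($lan_guest) keep state

# Assumed (not in the thread): guests should not reach the corporate LAN.
block in quick on $lan_guest from $guest_net to $corp_net

# Guest: all remaining traffic is policy-routed out the DSL link.
pass in quick on $lan_guest from $guest_net to any \
    route-to ($wan_dsl $dsl_gw) keep state

# Corporate: HTTP and FTP go out DSL; everything else follows the default
# route (the fibre). Order matters because every rule here is "quick".
pass in quick on $lan_corp proto tcp from $corp_net to any port { 80, 21 } \
    route-to ($wan_dsl $dsl_gw) keep state
pass in quick on $lan_corp from $corp_net to any keep state

# Let the firewall's own traffic out on either link.
pass out quick on { $wan_fiber, $wan_dsl } keep state
```

Two things to check after loading rules like these: `traceroute` from a guest host should now show the OPT interface address as hop 1 and the DSL modem as hop 2, and `pfctl -ss` on the firewall should show corporate port-80 states bound to the DSL interface while the same hosts' other states sit on the fibre. Active-mode FTP through a policy-routed link still needs an FTP helper or passive mode; that is outside what the thread covers.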
