PfSense 2.0 RC3 single WAN converted to multi WAN



  • Hi,

    I am trying to get a pfsense box set up to do multi-wan failover after it's been in service nearly a year as single wan.  I followed the guide at http://doc.pfsense.org/index.php/Multi-WAN_2.0#Failover as best as I could (it wasn't very specific on the particulars of the firewall rules, so I did my best), leaving my original WAN in place as "WAN", and adding the new connection to "OPT1" (which I want to be the primary point).  When I applied it, everyone's internet went down.  I checked the status -> gateways, and both show a green light, and I can even go into diagnostics -> ping, select OPT1 and ping anything I want just fine.  My best guess so far is that I'm missing a firewall rule somewhere, and it's just blocking everyone from using it.  Here's what I did:

    -created a new gateway for OPT1
    -enabled OPT1, and added the correct static IP address/subnet, specifically selected the new gateway, blocked private/bogon networks
    -created a gateway group called MultiWANFailover, added OPT1 as a tier 1, and WAN as a tier 2, & selected the option packet loss or high latency
    -went into the LAN firewall rules, and edited the default LAN rule to use the MultiWANFailover gateway group
    -added a firewall rule in the OPT1 section to allow ICMP packets (and it is indeed pingable)

    What am I missing?  Please help.  Thanks

    EDIT:  I want to clarify that everyone's internet went down when OPT1 was tier 1 and WAN was tier 2.  I've temporarily got everyone back up by moving OPT1 to tier3.  Then everyone goes through WAN, which is working.



  • do you run a proxy ? if yes, search the forum for squid & multi-wan.

    also as a side-note: update to the latest stable release (2.0.1) it incorporates an incredible ammount of fixes/features that are not in 2.0rc3



  • No proxy; only service i do run is PPTP VPN (which I am interested in leaving on WAN).

    I plan on upgrading to latest stable at some point, however I haven't because I am running it off of a flash drive, and I don't see a quick recovery plan to upgrading should it fail (this is our primary router/firewall at our office).



  • After sleeping on it, I've come up with a plan for upgrading to 2.0.1 that I am in the process of doing.  I will report the details of that when I've completed it.  In the meantime, I would greatly appreciate anyone else's input!



  • OK, I'm now upgraded to 2.0.1 (I installed 2.0.1 to a new USB stick, and reloaded the settings from a backup/restore, and swapped them so I had a fall back measure).  And the problem still exists.  I am now more convinced than ever that it is a firewall setting, perhaps one that I am missing (but I have been going over them over and over again).  PLEASE someone help me with the firewall rules??  I have already detailed what I have done with trying to get this up and going; if you need more details, let me know, and I'll be happy to give them, but I really need someone's help.  I'm bashing my head into the keyboard at this point.



  • SOLVED!!  :o ;D

    OK, it's totally my fault.  Here's what happened for anyone else who needs to see a resolution to this.  When I set this up a year ago, I had to set up some custom outgoing NAT rules that required me to set it to Manual Outbound NAT Rule Generation (Firewall -> NAT -> Outbound).  I completely forgot that this was done.  As a result, when I followed the directions in the link above, the required rules for me to go outbound on this interface were not automatically generated, and as a result, blocked me from leaving through that interface.  The solution was for me to take the automatically generated rules made for WAN originally, clone them, and modify them for OPT1.

    Well, at least I got an upgrade out of all of this…  ::)



  • Thank you for your update and solution !
    I'm setting the same architecture. On your last post, you are saying that you "take the automatically generated rules made for WAN originally and clone them".
    From what I understand, your Manual Outbound NAT Rule is still up and you just copied your WAN rule to your OPT1 rule ? Am I correct ?

    In that case, would you mind posting the Outbbound NAT Rules on both client and server side, I'm kind of stuck on these AON settings.

    Thank you !



  • Hi Joyfulway,

    You are correct.  In my particular case, I had to create a custom NAT rule set for a coworker who required a dedicated IP address, and so I had to set it to Manual Outbound NAT Rule Generation.  I'd forgotten about this, and the documentation I referenced to above just simply made the assumption that I was running in Auto mode, with no mention of what would need to happen should I be running in Manual. (If it weren't for the custom rule, I'd still be in auto mode, and I think the documentation would've worked for me just fine).

    When in Auto, pfSense creates the outbound NAT rules for you, but it doesn't if you're in manual.  In my setup, it created 3 rules for my WAN when I first set it up (back when it was still in Auto). So what I did, was I clicked on the + sign next to each of these rules (which creates a new rule based on the rules of the one you clicked the + next to), and changed the interface from WAN to OPT1, and adjusted the description accordingly, and hit save.

    I'm not sure what you mean by "both client & server side".  But below, I've copy-pasted the relevant rules from my WAN, and then also the cloned ones for OPT1.

    Port Forward1:1Outbound
    Mode:     Automatic outbound NAT rule generation
              (IPsec passthrough included)     Manual Outbound NAT rule generation
              (AON - Advanced Outbound NAT)

    Mappings:

    Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description

    WAN  10.0.0.0/23 * * 500 * * YES    Auto created rule for ISAKMP - LAN to WAN

    WAN  10.0.0.0/23 * * * * * NO      Auto created rule for LAN to WAN

    WAN  127.0.0.0/8 * * * * 1024:65535    NO      Auto created rule for localhost to WAN

    OPT1  10.0.0.0/23 * * 500 * * YES        Auto created rule for ISAKMP - LAN to OPT1

    OPT1  10.0.0.0/23 * * * * * NO        Auto created rule for LAN to OPT1

    OPT1  127.0.0.0/8 * * * * 1024:65535 NO        Auto created rule for localhost to OPT1



  • Thank you so much for your detailled answer.

    My understanding was you were running a site to site architecture with an OpenVPN server on one router and an OpenVPN client on the other side. This is what I meant by "both client & server side".

    I will give it a try first thing in the morning tomorrow, following the  http://doc.pfsense.org/index.php/Multi-WAN_2.0#Failover.

    Thanks again for your reply.
    Best



  • No site-to-site for me–I am simply running pfSense with PPTP VPN for remote access to the office on it, nothing special in that regard.  Good luck with the site-to-site setup.  I know some people who have it running, and they swear by it, but I've not played around with that feature yet.


Locked