Been stuck for a month, PLEASE HELP (Multi-wan)
-
That looks just like my second image except instead of using an IP address I use firewall aliases. Essentially the first rule says, "If it's not in the alias list, go here." The next rule says, "If it is in this alias list, go there."
I shouldn't need the first one because it's the default route but nothing seems to work.
-
If you only want a few "hand picked" machines to go out the other WAN, give them static IPs if they don't have them and create a firewall rule to go out the other gateway. Make those your first rules and the last rule should take the remaining LAN traffic out the other gateway. Real easy to put in place, don't overcomplicate it.
-
They have static IPs and they are placed in an alias, which is really nothing more than a list of machines. Your theory is that aliases are buggy? I guess I could try that.
-
Aliases are not buggy as far as I know.
I don't see an immediate issue with your firewall rules. (Did you reset states after you applied the rules?)
Could you post a screenshot of your alias? Perhaps the issue can be found there.
-
These are my aliases. They are pretty simple, each of the entries has a static IP and resolves just fine.
The routing just doesn't work and I can't explain why. If you look at the routing rules in the first post (2nd pic) it's dead simple. If you're not on the alias, go to ATT; if you are, go to Time Warner. Every machine seems to be using Time Warner and I can't explain why. I shouldn't even need the first rule (if not on the alias use ATT) because it's the default gateway.
Yes I've tried resetting the states. I don't know why it won't work. What could I be missing?
BTW, I tried Tim's idea of making rules with only static IPs because aliases were too complicated in his opinion. It didn't work.
-
I don't see how those aliases can work.
How would your pfSense know what hosts you specify in that alias? Windows SMB hostnames are not resolved by pfSense. You need IP addresses or an FQDN (something.something.org/com/net/…).
So as far as I can tell your alias is faulty, unless of course you are using nested aliases that do not show up in the screenshot.
-
When you assign a static IP you can give it the hostname. They all resolve.
The real question is why the routes aren't working at all? If it was hosts not resolving, everything would just hit the default route, but it does the opposite. Also, using static IPs instead of aliases didn't change the symptom either.
-
Try this:
Create two LAN rules and put them at the top of the LAN list just below the Lockout rule.
192.168.1.245 and 192.168.1.246. Set both Gateways to TIMEWARNER.
I have very simple outbound NAT rules, and yours are a bit confusing. If at all possible, I strongly suggest simplifying them to help with this process. I've enclosed a screenshot of mine. My LAN2 should never go out the WAN gateway but LAN can fail over to WAN2. That's the logic behind the rules I have. I also have a static route back to an IP, that's the last rule. But you'll see that there are no restrictions for either to go out of their respective WAN gateways.
See if any of that helps. Use something like checkip.dyndns.org to see if you're getting the right IP from the appropriate gateway.
![Screen Shot 2013-03-19 at 11.37.19 AM.png](/public/imported_attachments/1/Screen Shot 2013-03-19 at 11.37.19 AM.png)
-
> Try this:
> Create two LAN rules and put them at the top of the LAN list just below the Lockout rule.
> 192.168.1.245 and 192.168.1.246. Set both Gateways to TIMEWARNER.

I tried that, it didn't work. I'll look into the outbound NAT rules but I think you missed that the radio button on the left is checked so the rules below are ignored.
-
Yup, I missed that. The drop-down menu covered it, but I also didn't think to look at the other radio button.
The only thing left to look at are the WAN rules. The gateways seem to be fine.
Have you tried failing the ATT WAN connection and then verifying if you can get traffic out the TIMEWARNER interface? Are you running any packages?