Been stuck for a month, PLEASE HELP (Multi-wan)

  • I have two WANS feeding my pfsense router/firewall.  I want the default to serve everybody while the other serves just a few machines I hand pick.  I have a bunch of screenshots attached. I have no idea if I'm doing the NAT rules correctly but nothing I try seems to work consistently.

    I made a firewall alias called "TimeWarner_Alias" so the machines on it should use that WAN.  The two rules say, "If it's no on the list, go ATT. If it is on the list, go time warner."

    Does anybody see what I'm missing? Why do machines that are not on the time warner alias still route through the time warner connection?

    Anyone that solves this get +5 internet points. Guaranteed. :)

    ![firewall rules.PNG](/public/imported_attachments/1/firewall rules.PNG)
    ![firewall rules.PNG_thumb](/public/imported_attachments/1/firewall rules.PNG_thumb)

  • Based on your screen shots I have no idea what you're trying to do, but I have a better idea based on what you wrote.

    This might help.  See the enclosed screen shot.

    I have two WANs and LANs.  LAN goes out WAN in this firewall rule but one machine, a legacy server, goes out WAN2.  The "gateway" section of these two rules tells pfSense where to route traffic from those particular devices.  The legacy server rule MUST appear about the LAN rule because the LAN rule also applies to the legacy server.  Using a top-down rule execution pfSense would see the LAN rule first and never make it to the server exception rule, so it goes first so it gets executed.

    Not sure why you're using NAT, but all you really need to do is create firewall rules for those devices and assign the appropriate gateway to them.

    ![Screen Shot 2013-03-18 at 8.12.30 PM.png](/public/imported_attachments/1/Screen Shot 2013-03-18 at 8.12.30 PM.png)
    ![Screen Shot 2013-03-18 at 8.12.30 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2013-03-18 at 8.12.30 PM.png_thumb)

  • That looks just like my second image except instead of using an IP address I use firewall aliases.  Essentially the first rule says, "If it's not in the alias list, go here."  The next rule says, "If it is in this alias list, go there."

    I shouldn't need the first one because it's the default route but nothing seems to work.

  • If you only want a few "hand picked" machines to go out the other WAN, give them static IPs if they don't have them and create a firewall rule to go out the other gateway.  Make those your first rules and the last rule should take the remaining LAN traffic out the other gateway.  Real easy to put in place, don't overcomplicate it.

  • They have static IPs and they are placed in an alias, which is really nothing more than a list of machines.  Your theory is that aliases are buggy?  I guess I could try that.

  • aliases are not buggy as far as i know.

    i don't see an immediate issue with your firewall rules.  (did you reset states after you applied them rules? )

    could you post a screenshot of your alias ? perhaps the issue can be found there.

  • These are my aliases.  They are pretty simple, each of the entries has a static ip and resolve just fine.

    The routing just doesn't work and I can't explain why.  If you look at the routing rules in the first post (2nd pic) it's dead simple. If you not on the alias go to ATT, if you are, go to time warner.  Every machine seems to be using time warner and I can't explain why.  I shouldn't even need the first rule (if not on the alias use ATT) because it's the default gateway.

    Yes I've tried resetting the states.  I don't know why it won't work.  What could I be missing?

    BTW, I tried Tim's idea of making rules with only static IPs because aliases were too complicated in his opinion. It didn't work.

  • i don't see how them aliases can work.
    how would your pfsense know what hosts you specify in that alias ? windows smb hostnames are not resolved by pfsense.

    you need ip-address' or FQDN(…)

    So as far as i can tell your alias is faulty, unless ofcourse you are using nested aliases that do not show up in the screenshot

  • When you assign a static ip you can give it the hostname.  They all resolve.

    The real question is why the routes aren't working at all?  If it was hosts not resolving everything would just hit the default route but it does the opposite. Also, using static ip instead of aliases didn't change the symptom either.

  • Try this:

    Create two LAN rules and put them at the top of the LAN list just below the Lockout rule. and  Set both Gateways to TIMEWARNER.

    I have very simple outbound NAT rules, and yours are a but confusing.  If at all possibly I strongly suggest simplifying them to help with this process.  I've enclosed a screenshot of mine.  My LAN2 should never go out the WAN gateway but LAN can failover to WAN2.  That's the logic behind the rules I have.  I also have a static route back to an IP, that's the last rule.  But, you'll see that there are no restriction for either to go out of their respective WAN gateways.

    See if any of that helps.  Use something like to see if you're getting the right IP from the appropriate gateway.

    ![Screen Shot 2013-03-19 at 11.37.19 AM.png](/public/imported_attachments/1/Screen Shot 2013-03-19 at 11.37.19 AM.png)
    ![Screen Shot 2013-03-19 at 11.37.19 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2013-03-19 at 11.37.19 AM.png_thumb)

  • @tim.mcmanus:

    Try this:

    Create two LAN rules and put them at the top of the LAN list just below the Lockout rule. and  Set both Gateways to TIMEWARNER.

    I tried that, it didn't work.  I'll look into the outbound NAT rules but I think you missed that the radio button on the left is checked so the rules below are ignored.

  • Yup, I missed that.  The drop-down menu covered it, but I also didn't think to look at the other radio button.

    The only thing left to look at are the WAN rules.  The gateways seem to be fine.

    Have you tried failing the ATT WAN connection and then verifying if you can get traffic out the TIMEWARNER interface?  Are you running any packages?

Log in to reply