Using OPT1 as (second) WAN interface
I have a proof of concept setup to try pfSense and can't seem to get OPT1 (WAN2) to pass any data.
I've read many documents about dual WAN, Gateway Groups, load balancing, Auto vs Manual NAT etc. and none seem to have help.
I've also read many accounts of others running into the same problem all the way back from 2006, but I know others get it to work OK so I must be doing something wrong.
My ultimate goal is load balancing on the WAN ports, but I need to get past the point of getting both WANs to work first.
It appears to me I have some fundamental misunderstanding about how to configure OPT# interfaces to do anything. Can someone explain clearly what must be done in NAT or firewall rules, gateway settings, etc to get OPT to work?
My setup has the following:
de0 – LAN
de1 -- WAN1 (default pfSense WAN)
de2 -- WAN2 (OPT1 interface)
I don't have any problem getting WAN1 to work and accessing the internet from LAN interface. I've tried both DHCP and static config for WAN and they both work.
For WAN2 neither of these work.
WAN2 cannot get any address from the same DHCP server that WAN1 had not trouble getting one from
WAN2 set to static IP on the same subnet as the gateway does help either. I'm unable to ping the gateway from LAN (with WAN1 disabled)
I've made WAN2 gateway the default gateway and that didn't help.
It is clear that WAN2 is not passing any traffic and can't even reach the DHCP server, but what exactly do I have to configure to make it pass traffic?
Put another way, this is what I'm looking for help and direction on.
With WAN1 disabled and out of the picture, what do I have to do to OPT1 (WAN2) for it to be have like the default WAN want interface (i.e. access internet)
I've compared firewall rules between WAN1 and WAN2 and also the Outbound NAT rule and they are identical, but WAN1 works and WAN2 doesn't.
I've tried different gateways/DHCP servers (acting as ISP servers) to rule them out. I know the DHCP server will is not the problem. I even did a quick test with ZeroShell which had no problem getting two WAN interfaces working for both static and dynamic configuration using the same setup.
I'm currently on 2.1-BETA1 and previously tried 2.0.2 with the same results. I've been at this for several days now and I'm about to ditch pfsense and use ZeroShell, but I'm hoping someone can point out the obvious problem.
I have screenshots of my configuration. How do I upload pictures in this forum? The Insert image only gives me two tags for image. How do I reference images stored on my computer?
tim.mcmanus last edited by
Do WAN1 and WAN2 share the same gateway? Not in pfSense per se, but do WAN1 and WAN2 have the same gateway assigned to them from the ISP, or are you using two different ISPs?
When you go to Status->Gateways, what does it show?
There isn't a real second ISP for this setup so both WANs have the same gateway which is my local WAN router.
In Status->Gateways it currently shows WAN2 gateway of 192.168.1.1 which is my WAN router. The status shows "pending."
WAN1 interface is temporarily disabled so there is no Gateway information for WAN1. If I enable WAN1 it will have the same gateway as WAN2 and work fine.
I read there may be some problem in pfsense using the same gateway IP address for WAN1 and WAN2. Should this still be an issue with WAN1 interface disabled?
Anyone mind sharing your OPT1 configuration for WAN? I got this working briefly without changing anything and I know it wasn't good without knowing what changed.
I backed up the config, did an upgrade to p7 RC build and now WAN2 is broken again. I restored the old configuration, but that didn't help. I don't think it has anything to do with the firmware version as I've tried 2.0.2 and two RCs with the same results.
Wireshark captures shows only WAN1 requests address from DHCP server. WAN2 (OPT1) is not going out at all.
I also noticed in the Interface status that WAN2 has an IPv6 even though I've set IPv6 configuration in Interface WAN2 to NONE.
So WAN2 status shows Gateway 192.168.1.1 (the DCHP server) and IPv6 address, but no IPv4 address. As stated packet captures shows no DHCP activity from WAN2 MAC address.
WAN2 firewall pass rule has IPv4* for Protocol, "none" for Queue, blank for Schedule, and * for everything else. This is the same as WAN1 which works fine.
Any hints will be appreciated. I've tried ZeroShell, Zentyal with no problems at all for dual WAN on the same setup, but would really like to stay with pfSense.
tim.mcmanus last edited by
You can't have the same gateway for two WAN interfaces.
I'm also trying to understand why you are splitting your WAN connections across the same gateway. I don't completely understand what you're trying to do.
Thanks for the response. This didn't seem like the problem because when I disable WAN1 completely and try to get WAN2 to work by itself where there is no common gateway problem WAN2 still doesn't work. If having the same gateway for both WANs is the problem I can put a router or intermediate gateway with different IPs on both legs of the WANs and try. As I indicated this is a test setup, but there is no second ISP for this test bed. When I eventually deploy this in production there will be second ISP with different gateways.
Then, you need to emulate that as well. Setup a different subnet with a different GW for WAN2. Otherwise you are testing something that you will not use (1 ISP with multiple WAN links).
No problem emulating that, but would like to take one step at a time. Forget dual WAN for a moment - how can I configure OPT1 interface (with WAN interface disabled) as the only WAN port? If I can't get OPT1 to work as a single WAN link by itself due to misconfiguration then adding more to the setup for emulation wouldn't help much. Anyone knows why OPT1 can't work as the sole WAN interface by itself (with the default WAN interface disabled)?
OPT1 as the only WAN link isn't supported in pfSense. You can only use it in multiwan configuration
OPT1 as only WAN link should work; you have a configuration problem; check abc and xyz
Here is a typical config for OPT1 as only WAN interface
will be helpful. Thanks.
You can certainly use OPT1 as your internet facing interface. You are going to have to basically set it up just like the WAN.
First, setup a gateway on the opt interface and set it as default. You cannot have multiple default gateways, you will have to disable WAN interface and the associated gateway.
Then setup NAT. AON wants to use WAN, but if you switch to MON (manual outbound NAT) and change the interface from WAN to OPT1. Finally an allow all rule or at least tcp/udp port 53 and ports 80 and 443 for web based traffic. Generally, if you are going to do that, you are going to just use WAN as it is all setup for you. I understand that you are testing though. Let us know how that goes.
Thanks.This is exactly the kind of pointers I was hoping for. I'll give this a shot again, but when I tried it before my posting I followed an approach similar to what you described. The only difference is instead of creating new NAT mappings for WAN2 I accepted the default for MON – i.e when I switched from AON to MON and saved it automatically populated mapping for WAN2 (OPT1) as follow:
Interface Source Src Port Dest Dest Port NAT Addr NAT Port Static Port
WAN2 192.168.3.0/24 * * 500 WAN2 Address * YES
WAN2 192.168.3.0/24 * * * WAN2 Address * NO
WAN2 127.0.0.1/8 * * * WAN2 Address 1024:65535 NO
My firewall rules for WAN2 were
Proto Source Port Dest Port Gateway Queue Schedule
IPv4 * * * * WAN2_GW none
My WAN2_GW is 192.168.1.1 which is also the DHCP server. This still didn't work. WAN2 wasn't able to get IP address from DHCP server and using static address didn't help. WAN1 when enabled did just fine. Do I need the first NAT mapping? Am I missing any NAT mapping or firewall rules?
extide last edited by
Maybe the NIC is bad? I mean the configuration shouldn't matter for the most part, it should be able to DHCP an IP if the interface is set to DHCP.
I have to agree, if set to DHCP, it should be able to pull an IP address. I would think that perhaps the nic/cable/switch port might have something wrong with it.
Traffic is probably getting to WAN2, but because of its issue will not get any farther. If you can start with the easiest, change ports, then change cable, and then change the NIC out.