Is this scenario possible at all with pfSense?



  • Hi folks,

    I have been playing with pfSense a couple of weeks now. I just upgraded to 2.0.3 last night.

    What I want my pfSense to do is:

    -Connect via OpenVPN to a VPN provider and route all LAN traffic through this, and use WAN (no VPN) as failover, if the OpenVPN connection is down.
    -Use traffic shaping on the outgoing connection (via the VPN connection). No need for traffic shaping in case of failover (over WAN).
    -Squid + SquidGuard

    I have had each of the three options working, but none of them together. What are my options, is it doable?



  • Is the only solution to run two instances of pfSense on a VM host? The first instance doing squid+traffic shaping, and the other doing OpenVPN and failover. The first routes all traffic through the second VM.

    What would the performance drop look like, and what is the best VM host for this setup?


  • Netgate Administrator

    I've never had a need to try that but is there a reason you think they might not work together?

    Steve



  • @stephenw10:

    I've never had a need to try that but is there a reason you think they might not work together?

    Steve

    Hi Steve,

    Well, I'm not quite sure if the VM-path is needed. Hopefully it would work on a single instance of pfSense. However, when searching for the answer to my problems with setting it up, I always end up with a thread on this forum with only one post (no solutions or answers), with the same problems I'm having.

    That's why I created this thread, to see if anyone has achieved what I am trying to accomplish.



  • I have installed ESXi 5.1 on the router, and deployed two pfSense VM.
    One called "inner" (LAN: 10.0.0.1, WAN: 10.0.0.2).
    One called "outer" (LAN: 10.0.0.3, WAN: DHCP (ISP)).

    I can enable the DHCP server on "outer" and successfully use this as a firewall/router for all computers on LAN (10.0.0.0/24).
    However, if I disable DHCP server on "outer" and enable it on "inner", the computers on LAN cannot reach the internet. I have set default gateway on "inner" to 10.0.0.3 (which is the LAN address on "outer"). I have also deleted all NAT rules (manual first, then deleted all rules) on "inner".

    How can I make "inner" forward all communication through to "outer", as if "inner" is not there?

    Info: "inner" will be running squid+squid guard and traffic shaping. "outer" will only run OpenVPN client and WAN failover for all traffic sent from "inner".

    EDIT: the firewall rules on both VMs are the default LAN allow all rules and anti-lockout rules (these are the only ones).


  • Netgate Administrator

    You can't have the same subnet on both the WAN and LAN interfaces if you want the box to route. If you need to have the same subnet on both sides you would have to install it as a transparent firewall. In that case you have to bridge the two interfaces with one of them (at least) set to type 'none'.

    I take it that you couldn't get the three functions to work together on one pfSense instance?

    Steve

    Edit: typo



  • @stephenw10:

    You can't have the same subnet on both the WAN and LAN interfaces if you want the box to route. If you need to have the same subnet on both sides you would have to install it as a transparent firewall. In that case you have to bridge the two interfaces with one of them (at least) set to type 'none'.

    I take it that you could get the three functions to work together on one pfSense instance?

    Steve

    I have tried moving "outer" to 10.0.1.1, and assigning the WAN interface on "inner" to 10.0.1.2. This would separate the LAN and WAN on "inner". However, no traffic is routed from "inner" to "outer". I have updated the (default) gateway to 10.0.1.1 (on "inner").

    I have also tried the transparent firewall approach. This doesn't seem to work, because every time I change the LAN interface to type "none", I lose contact with the web GUI (I am connected through the WAN side, by making a firewall rule to allow this).

    Is there something essential and easy that I am missing here? How do you make pfSense route traffic from one subnet to another (10.0.0.0/24 -> 10.0.1.1 -> internet (WAN))?


  • Netgate Administrator

    Have you unchecked 'Block private networks' on the WAN interface of the 'inner' instance?

    As long as the WAN and LAN interfaces are in separate subnets, the WAN interface has a gateway defined and outbound NAT is set to automatic it should be routing. Can you not ping anything from a client on the inner LAN?

    Steve



  • @stephenw10:

    Have you unchecked 'Block private networks' on the WAN interface of the 'inner' instance?

    As long as the WAN and LAN interfaces are in separate subnets, the WAN interface has a gateway defined and outbound NAT is set to automatic it should be routing. Can you not ping anything from a client on the inner LAN?

    Steve

    Hi Steve,

    Thank you so much for that reply. I just rechecked everything, and when I enabled automatic NAT everything seems to work as intended!  :)

    Is there a way for "outer" to see what the source IP is (to block some traffic from entering "non-VPN gateway")? I figured that when I disabled NAT, this led to the IPs on "inner" being transparent towards "outer".


  • Netgate Administrator

    You can either set up one instance as a transparent firewall, in which case it will have the same subnet on both sides, removing the issue. Or have the inner box set up as a router only, which is what you were trying to do before. However, if you do that you will need to add a route or gateway to the outer instance so that it knows where to send traffic bound for the inner LAN.

    It really would be much better to have a single instance of pfSense here.  :)

    Steve
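    As an added illustration (not code from this thread or from pfSense), a small Python model of the two-box setup discussed above: it walks a client packet from the inner LAN out through "outer" and checks whether the reply can get back, with or without outbound NAT on "inner" and with or without a static route on "outer". The interface addresses follow the thread; the client address 10.0.0.50 and the public-side addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Router:
    name: str
    lan: str                       # e.g. "10.0.0.1/24"
    wan: str                       # e.g. "10.0.1.2/24"
    gateway: Optional[str] = None  # next hop on the WAN side
    nat: bool = False              # automatic outbound NAT enabled
    block_private: bool = True     # "Block private networks" ticked on WAN
    static_routes: dict = field(default_factory=dict)  # {"10.0.0.0/24": "10.0.1.2"}

    def lan_net(self):
        return ipaddress.ip_interface(self.lan).network

    def wan_if(self):
        return ipaddress.ip_interface(self.wan)

def check_path(inner: Router, outer: Router, client: str):
    """Walk a client packet LAN -> inner -> outer -> Internet and its reply back.
    Returns (problems, source address that outer sees for the client)."""
    problems = []
    wan = inner.wan_if()
    if inner.lan_net().overlaps(wan.network):
        problems.append("inner LAN and WAN share a subnet: it cannot route; "
                        "bridge the interfaces (transparent firewall) instead")
    if inner.gateway is None:
        problems.append("inner WAN has no gateway: Internet-bound traffic is dropped")
    elif ipaddress.ip_address(inner.gateway) not in wan.network:
        problems.append("inner gateway %s is not on the inner WAN subnet" % inner.gateway)
    if inner.block_private and wan.network.is_private:
        problems.append("'Block private networks' on inner WAN drops packets "
                        "sourced from outer's own private address")
    # With outbound NAT, outer only ever sees inner's WAN address as the source.
    seen = str(wan.ip) if inner.nat else client
    dst = ipaddress.ip_address(seen)
    # Return path on outer: directly connected LAN, or an explicit static route.
    if dst not in outer.lan_net():
        hops = [ipaddress.ip_address(h) for n, h in outer.static_routes.items()
                if dst in ipaddress.ip_network(n)]
        if not any(h in outer.lan_net() for h in hops):
            problems.append("outer has no route back to %s: enable outbound NAT on inner "
                            "or add a static route on outer for %s" % (seen, inner.lan_net()))
    return problems, seen

if __name__ == "__main__":
    # Constructed example: the addresses from the thread, NAT enabled on inner.
    inner = Router("inner", "10.0.0.1/24", "10.0.1.2/24", gateway="10.0.1.1",
                   nat=True, block_private=False)
    outer = Router("outer", "10.0.1.1/24", "203.0.113.10/24", gateway="203.0.113.1", nat=True)
    print(check_path(inner, outer, "10.0.0.50"))
```

Running it with NAT off on "inner" and no static route on "outer" reproduces the failure described above; adding `static_routes={"10.0.0.0/24": "10.0.1.2"}` on "outer" clears it while keeping the client address visible.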

