Netgate Discussion Forum

    Is this scenario possible at all with pfSense?

    General pfSense Questions
    10 Posts, 2 Posters, 3.2k Views
    • mosfet

      Hi folks,

      I have been playing with pfSense a couple of weeks now. I just upgraded to 2.0.3 last night.

      What I want my pfSense to do is:

      -Connect via OpenVPN to a VPN provider and route all LAN traffic through this, and use WAN (no VPN) as failover, if the OpenVPN connection is down.
      -Use traffic shaping on the outgoing connection (via the VPN connection). No need for traffic shaping in case of failover (over WAN).
      -Squid + SquidGuard

      I have had each of the three options working, but none of them together. What are my options, is it doable?

      • mosfet

        Is the only solution to run two instances of pfSense on a VM host? The first instance doing squid+traffic shaping, and the other doing OpenVPN and failover. The first routes all traffic through the second VM.

        What would the performance drop look like, and what is the best VM host for this setup?

        • stephenw10 (Netgate Administrator)

          I've never had a need to try that but is there a reason you think they might not work together?

          Steve

          • mosfet

            @stephenw10:

            I've never had a need to try that but is there a reason you think they might not work together?

            Steve

            Hi Steve,

            Well, I'm not quite sure if the VM-path is needed. Hopefully it would work on a single instance of pfSense. However, when searching for the answer to my problems with setting it up, I always end up with a thread on this forum with only one post (no solutions or answers), with the same problems I'm having.

            That's why I created this thread, to see if anyone has achieved what I am trying to accomplish.

            • mosfet

              I have installed ESXi 5.1 on the router, and deployed two pfSense VMs.
              One called "inner" (LAN: 10.0.0.1, WAN: 10.0.0.2).
              One called "outer" (LAN: 10.0.0.3, WAN: DHCP (ISP)).

              I can enable the DHCP server on "outer" and successfully use this as a firewall/router for all computers on LAN (10.0.0.0/24).
              However, if I disable DHCP server on "outer" and enable it on "inner", the computers on LAN cannot reach the internet. I have set default gateway on "inner" to 10.0.0.3 (which is the LAN address on "outer"). I have also deleted all NAT rules (manual first, then deleted all rules) on "inner".

              How can I make "inner" forward all communication through to "outer", as if "inner" is not there?

              Info: "inner" will be running squid+squid guard and traffic shaping. "outer" will only run OpenVPN client and WAN failover for all traffic sent from "inner".

              EDIT: the firewall rules on both VMs are the default LAN allow all rules and anti-lockout rules (these are the only ones).

              • stephenw10 (Netgate Administrator)

                You can't have the same subnet on both the WAN and LAN interfaces if you want the box to route. If you need to have the same subnet on both sides you would have to install it as a transparent firewall. In that case you have to bridge the two interfaces with one of them (at least) set to type 'none'.

                I take it that you couldn't get the three functions to work together on one pfSense instance?

                Steve

                Edit: typo

                • mosfet

                  @stephenw10:

                  You can't have the same subnet on both the WAN and LAN interfaces if you want the box to route. If you need to have the same subnet on both sides you would have to install it as a transparent firewall. In that case you have to bridge the two interfaces with one of them (at least) set to type 'none'.

                  I take it that you could get the three functions to work together on one pfSense instance?

                  Steve

                  I have tried moving "outer" to 10.0.1.1, and assigning the WAN interface on "inner" to 10.0.1.2. This would separate the LAN and WAN on "inner". However, no traffic is routed from "inner" to "outer". I have updated the (default) gateway to 10.0.1.1 (on "inner").

                  I have also tried the transparent firewall approach. This doesn't seem to work, because every time I change the LAN interface to type "none", I lose contact with the web GUI (I am connected through the WAN side, by making a firewall rule to allow this).

                  Is there something essential and easy that I am missing here? How do you make pfSense route traffic from one subnet to another (10.0.0.0/24 -> 10.0.1.1 -> internet (WAN))?

                  • stephenw10 (Netgate Administrator)

                    Have you unchecked 'Block private networks' on the WAN interface of the 'inner' instance?

                    As long as the WAN and LAN interfaces are in separate subnets, the WAN interface has a gateway defined and outbound NAT is set to automatic it should be routing. Can you not ping anything from a client on the inner LAN?

                    Steve

                    • mosfet

                      @stephenw10:

                      Have you unchecked 'Block private networks' on the WAN interface of the 'inner' instance?

                      As long as the WAN and LAN interfaces are in separate subnets, the WAN interface has a gateway defined and outbound NAT is set to automatic it should be routing. Can you not ping anything from a client on the inner LAN?

                      Steve

                      Hi Steve,

                      Thank you so much for that reply. I just rechecked everything, and when I enabled automatic NAT everything seems to work as intended!  :)

                      Is there a way for "outer" to see what the source IP is (to block some traffic from entering "non-VPN gateway")? I figured that when I disabled NAT, this led to the IPs on "inner" being transparent towards "outer".

                      • stephenw10 (Netgate Administrator)

                        You can either set up one instance as a transparent firewall, in which case it will have the same subnet on both sides, removing the issue. Or have the inner box set up as a router only, which is what you were trying to do before. However, if you do that you will need to add a route or gateway to the outer instance so that it knows where to send traffic bound for the inner LAN.

                        It really would be much better to have a single instance of pfSense here.  :)

                        Steve

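The checks Steve walks through in this thread (no shared subnet on the inner box's LAN and WAN, a WAN gateway that points at the outer box, 'Block private networks' off on a WAN that sits in RFC1918 space, and either outbound NAT on the inner box or a return route on the outer one) can be written down as a small configuration sanity check. The script below is an added example, not code from the thread or from pfSense/Netgate; the Box dataclass, the check_chain function and the ISP-side addresses (203.0.113.x, TEST-NET-3) are constructed for illustration, and the scenario functions reproduce the three stages of mosfet's setup as described in the posts.

```python
"""Sanity checks for a two-pfSense ("inner" -> "outer") routing chain.

Constructed example modelling the conditions discussed in the thread.
It is not pfSense code; Box and check_chain are hypothetical helpers.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Box:
    name: str
    lan: IPv4Interface                 # LAN address with prefix length
    wan: IPv4Interface                 # WAN address with prefix length
    wan_gateway: Optional[IPv4Address] = None
    block_private_on_wan: bool = True  # pfSense enables this on WAN by default
    outbound_nat_auto: bool = True     # automatic outbound NAT rule generation
    # static routes on this box: destination network -> next-hop address
    routes: Dict[IPv4Network, IPv4Address] = field(default_factory=dict)


def check_chain(inner: Box, outer: Box) -> List[str]:
    """Return the reasons why LAN clients behind `inner` would not reach the
    Internet through `outer`; an empty list means the chain looks sane."""
    problems: List[str] = []

    # A router needs distinct subnets on its two sides. The first attempt in
    # the thread put 10.0.0.1/24 and 10.0.0.2/24 on inner's LAN and WAN.
    if inner.lan.network.overlaps(inner.wan.network):
        problems.append(f"{inner.name}: LAN {inner.lan.network} and WAN "
                        f"{inner.wan.network} share a subnet; routing needs separate subnets")

    # The WAN interface must have a gateway, on the WAN subnet, and in this
    # topology that gateway is the outer box's LAN address.
    if inner.wan_gateway is None:
        problems.append(f"{inner.name}: no gateway defined on WAN")
    else:
        if inner.wan_gateway not in inner.wan.network:
            problems.append(f"{inner.name}: WAN gateway {inner.wan_gateway} is not "
                            f"inside WAN subnet {inner.wan.network}")
        if inner.wan_gateway != outer.lan.ip:
            problems.append(f"{inner.name}: WAN gateway {inner.wan_gateway} is not "
                            f"{outer.name}'s LAN address {outer.lan.ip}")

    # 'Block private networks' on a WAN that itself lives in RFC1918 space
    # drops traffic arriving from the outer box's private LAN.
    if inner.block_private_on_wan and inner.wan.network.is_private:
        problems.append(f"{inner.name}: 'Block private networks' is enabled on a "
                        f"WAN in private address space ({inner.wan.network})")

    # Without outbound NAT on inner, outer sees the real client addresses and
    # needs a route back to inner's LAN via inner's WAN address.
    if not inner.outbound_nat_auto:
        next_hop = outer.routes.get(inner.lan.network)
        if next_hop != inner.wan.ip:
            problems.append(f"{outer.name}: no route for {inner.lan.network} via "
                            f"{inner.wan.ip} (needed because {inner.name} does not NAT)")
    return problems


# Constructed scenarios following the thread. The outer WAN address is a
# placeholder from TEST-NET-3; the real box gets it from the ISP via DHCP.
OUTER_WAN = IPv4Interface("203.0.113.10/24")
OUTER_GW = IPv4Address("203.0.113.1")


def attempt_same_subnet() -> List[str]:
    """First attempt: inner LAN 10.0.0.1, inner WAN 10.0.0.2, outer LAN 10.0.0.3."""
    inner = Box("inner", IPv4Interface("10.0.0.1/24"), IPv4Interface("10.0.0.2/24"),
                IPv4Address("10.0.0.3"), outbound_nat_auto=False)
    outer = Box("outer", IPv4Interface("10.0.0.3/24"), OUTER_WAN, OUTER_GW)
    return check_chain(inner, outer)


def attempt_separate_subnets_no_nat() -> List[str]:
    """Second attempt: outer moved to 10.0.1.1, inner WAN 10.0.1.2, gateway set,
    but outbound NAT still disabled and 'Block private networks' still on."""
    inner = Box("inner", IPv4Interface("10.0.0.1/24"), IPv4Interface("10.0.1.2/24"),
                IPv4Address("10.0.1.1"), outbound_nat_auto=False)
    outer = Box("outer", IPv4Interface("10.0.1.1/24"), OUTER_WAN, OUTER_GW)
    return check_chain(inner, outer)


def working_nat_setup() -> List[str]:
    """What finally worked: automatic outbound NAT re-enabled on inner."""
    inner = Box("inner", IPv4Interface("10.0.0.1/24"), IPv4Interface("10.0.1.2/24"),
                IPv4Address("10.0.1.1"), block_private_on_wan=False, outbound_nat_auto=True)
    outer = Box("outer", IPv4Interface("10.0.1.1/24"), OUTER_WAN, OUTER_GW)
    return check_chain(inner, outer)


def working_routed_setup() -> List[str]:
    """Steve's alternative: inner as a plain router (no NAT, so outer sees the
    real source IPs) plus a return route on outer for inner's LAN."""
    inner = Box("inner", IPv4Interface("10.0.0.1/24"), IPv4Interface("10.0.1.2/24"),
                IPv4Address("10.0.1.1"), block_private_on_wan=False, outbound_nat_auto=False)
    outer = Box("outer", IPv4Interface("10.0.1.1/24"), OUTER_WAN, OUTER_GW,
                routes={IPv4Network("10.0.0.0/24"): IPv4Address("10.0.1.2")})
    return check_chain(inner, outer)


if __name__ == "__main__":
    for scenario in (attempt_same_subnet, attempt_separate_subnets_no_nat,
                     working_nat_setup, working_routed_setup):
        print(scenario.__name__, "->", scenario() or ["ok"])
```

The routed variant is the one that keeps the client addresses visible to "outer", which is what the follow-up question about filtering by source IP before the non-VPN gateway needs; the NAT variant hides them behind 10.0.1.2.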
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.