Netgate Discussion Forum
    4lan, 2wan = routing galore

    Routing and Multi WAN
    9 Posts 3 Posters 5.3k Views
    • df

      Hello, I'm currently building a pfSense setup on an old IBM x232 series, with 2 quad-port D-Link Ethernet cards.

      I'm not really concerned yet about splitting the load between WAN1/2, but rather about finding out how to set up the routing/interface assignment properly.

      For convenience, my LAN interfaces are called lan1-4, and are of the form: 192.168.0.0/16, 192.168.1.0/16, 192.168.2.0/16, 192.168.3.0/16.
      Each time, pfSense uses the .253 IP address.
      The WANs are wan1 (static IP) & wan2 (DHCP).

      The goal is for each LAN interface to be able to talk to the others, although being on different subnets.

      I managed to set up basic firewalling/NAT between lan1 & wan1; it wasn't very complicated.

      But it becomes much more fun when adding the other interfaces.

      1st) For LAN2 (192.168.1.0/16), from GUI Interfaces->LAN2(OPT1) I can set the IP, netmask, but also gateway; I was wondering if the gateway should be 192.168.0.1 (LAN1's).

      2nd) The above made machines on LAN2 able to ping those on LAN1, but that didn't provide any gateway to WAN1 or WAN2..
      --> that assessment is wrong, it's my netmask that lets LAN2 see LAN1; weirdly though, LAN1 still can't see LAN2.

      3rd) But LAN1 can't see anything on LAN2. I tested adding a static route from iface:LAN1 dest:192.168.1.0/16 gateway:192.168.1.253, but pfSense, when validating the form, always rewrites it to 192.168.0.0/16 dest 192.168.1.253 (which won't work)..

      1. Forgot to mention the firewall rules on LAN1/4 are set to let everything pass to any destination & any port (just for testing).

      2. Finally, I did not create any VLANs when installing pfSense; I wonder if that's the issue.. but I don't think so..

      I wasn't able to find any info relevant to my case, although I'm pretty sure that kind of setup is quite possible..

      If someone could point me to some relevant info, that would be much appreciated.

      Finally, virtual IPs are kind of confusing me.. but they might be part of the solution (?)

      Take care.

      PS: I'm running 1.0-BETA1-TESTING-SNAPSHOT-2-8-06

      • jeroen234

        But LAN1 can't see anything on LAN2. I tested adding a static route from iface:LAN1 dest:192.168.1.0/16 gateway:192.168.1.253, but pfSense, when validating the form, always rewrites it to 192.168.0.0/16 dest 192.168.1.253 (which won't work)..

        192.168.0.0/16 is 192.168.0.1 till 192.168.254.254

        so dest:192.168.1.0/16 gateway:192.168.1.253 and 192.168.0.0/16 dest 192.168.1.253 are the same

        better use /24
        then you have
        lan1 192.168.0.1 till 192.168.0.254 /24
        lan2 192.168.1.1 till 192.168.1.254 /24
        lan3 192.168.2.1 till 192.168.2.254 /24
        lan4 192.168.3.1 till 192.168.3.254 /24

        • df

          It really seems I'm quite wrong on the netmask indeed..

          @jeroen234:

          lan1 192.168.0.1 till 192.168.0.254 /24
          lan2 192.168.1.1 till 192.168.1.254 /24
          lan3 192.168.2.1 till 192.168.2.254 /24
          lan4 192.168.3.1 till 192.168.3.254 /24

          If I'm correct, that would make each host on the same subnet see each other; requests to another subnet would be handled by each subnet's gateway.

          Then, if I follow you, using a /24 netmask something like this should work:
          :LAN1 (iface_ip:192.168.0.254/24) dest:192.168.1.0/24 gateway:192.168.1.254
          :LAN2 (iface_ip:192.168.1.254/24) dest:192.168.0.0/24 gateway:192.168.0.254

          If the above is correct,
          I assume the default gateway that is set automagically still remains
          :LAN1 > WAN1's Default Gateway

          But how would I set the route for LAN2 > WAN1 ..?

          Thank you ;)

          • hoba

            It's magic, it just works  ;D

            Here is how it behaves by default:

            • all subnets that are directly connected to the pfSense itself will be routed without the need to add static routes
            • the default gateway is the WAN gateway by default, so everything that is not on one of the pfSense's subnets will be routed out to the internet unless there is a static route for it, no matter if it comes in from LAN, OPT1, OPT2, …
            • firewall rules are applied to incoming traffic at an interface. Rules are applied top down, first match wins.
            • df

              Many thanks :)

              I'll be checking this on Monday and report here.

              Have a nice weekend.

              • df

                Ok, here is the current setup:

                Lan1: 192.168.0.0/24 iface: 192.168.0.253
                Lan2: 192.168.1.0/24 iface: 192.168.1.253
                Lan3: 192.168.2.0/24 iface: 192.168.2.253
                Lan4: 192.168.3.0/24 iface: 192.168.3.253

                Wan1: static ip

                All subnets can indeed find their way to WAN1, they can ping outside hosts fine.

                But currently, no subnet can "see" each other.

                What I now need is for all subnets to be able to access "Lan3", where the servers will be.
                I therefore tried adding a Lan1 -> Lan3 route:
                Iface: Lan1 - Network: 192.168.3.0/24 - Gw: 192.168.3.253
                But that doesn't work..
                Machines on Lan1 still cannot access machines on Lan3 ..

                (Again, my rules are to allow all in/out on all Lan1/2/3/4 )

                What could I be missing ..?

                • jeroen234

                  Can you post your rules here?
                  Maybe the order of the rules is wrong.

                  • df

                    I finally got it working; here is what I did:

                    LAN1 192.168.0.0/24
                    LAN2 192.168.1.0/24
                    LAN3 192.168.2.0/24
                    LAN4 192.168.3.0/24

                    Each interface uses .253 as IP with a /24 netmask.

                    I wanted to have all subnet traffic go through the pfSense box, and the problem came indeed not from the routes, as I first thought, but from the firewall rules.

                    I managed to get it working with the following config:

                    (note: I'm assuming all interfaces are properly "enabled", and that each can properly reach an outside host -like google.com- via WAN1)

                    On LAN1:
                    allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
                    allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.2.0/24 (any port)
                    allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

                    On LAN2:
                    allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
                    allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.2.0/24 (any port)
                    allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

                    On LAN3:
                    allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
                    allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
                    allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

                    On LAN4:
                    allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
                    allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
                    allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.2.0/24 (any port)

                    The result:
                    Any LANx can access any other LANx, as well as access WAN1 via their respective gateways.

                    Now the epilogue:
                    How to deal with WAN2 ?
                    My goal would be for example to :
                    - redirect all outgoing email to WAN1 (static IP)
                    - redirect all outgoing web browsing to WAN2 (DHCP)
                    - if WAN2 fails, use WAN1 for web
                    - if WAN1 fails, use WAN2 for email

                    How could I achieve such a setup?
                    What part of pfSense would be needed ..?
                    Would that be comparable to what I've seen called outgoing load balancing?

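As an added example (not code from the thread, from pfSense, or from any poster), the following Python models the behaviour hoba describes and the rule set df ended up with: the GUI's normalisation of df's /16 entry, the subnet overlap it caused, the route lookup with directly connected subnets and the WAN1 default, and top-down first-match rule evaluation on the interface where traffic enters. Interface names, the gateway name and the trailing "to any" rule are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's box: four directly connected /24 LANs
# (jeroen234's suggestion) plus the WAN1 default gateway. Names are assumed.
INTERFACES = {
    "LAN1": ip_network("192.168.0.0/24"),
    "LAN2": ip_network("192.168.1.0/24"),
    "LAN3": ip_network("192.168.2.0/24"),
    "LAN4": ip_network("192.168.3.0/24"),
}
DEFAULT_GATEWAY = "WAN1"

def normalize(cidr):
    # What the GUI did to df's entry: host bits are cleared, so
    # 192.168.1.0/16 is stored as 192.168.0.0/16 (the same network).
    return str(ip_network(cidr, strict=False))

def overlapping(cidrs):
    # Pairs of interface subnets that overlap; non-empty for the /16 plan.
    nets = [ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

def route(dst):
    # Directly connected subnets need no static route; anything else goes
    # out the default gateway, whichever LAN/OPT interface it came in on.
    for name, net in INTERFACES.items():
        if ip_address(dst) in net:
            return name
    return DEFAULT_GATEWAY

# Rules are applied on the interface where the packet ENTERS pfSense, top
# down, first match wins; no match hits the implicit default deny. LAN1 has
# df's final working rules plus an assumed "to any" rule for WAN access.
RULES = {
    "LAN1": [
        ("pass", "192.168.0.0/24", "192.168.1.0/24"),
        ("pass", "192.168.0.0/24", "192.168.2.0/24"),
        ("pass", "192.168.0.0/24", "192.168.3.0/24"),
        ("pass", "192.168.0.0/24", "0.0.0.0/0"),  # assumed
    ],
    "LAN2": [],  # an interface with no rules blocks everything inbound
}

def filter_packet(in_iface, src, dst):
    for action, s, d in RULES.get(in_iface, []):
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action
    return "block"
```

With the /16 plan all four "subnets" normalise to the same network, which is why pfSense rewrote the route; with /24s the overlap list is empty and no static routes are needed at all.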
                    • hoba

                      Check out this article from the wiki: http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
                      You basically have to modify the rules and create rules for different traffic (like destination any IP, port 25) and select the appropriate gateway at the bottom of the rules page for each rule. The load balancing pool is optional; you can skip this part of the wiki for what you want to do.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.