4lan, 2wan = routing galore



  • Hello, I'm currently building a pfsense setup on an old ibm x232 series, with 2 quad port dlink ethernet cards.

    I'm not really yet concerned about splitting the load to both WAN1/2, but rather to find out how to set up the routing/iface assignment properly.

    For convenience, my lan ifaces are called lan1-4, and are of the form: 192.168.0.0/16 192.168.1.0/16 192.168.2.0/16 192.168.3.0/16.
    Each time, pfsense uses the .253 IP address.
    The wan's are wan1 (static ip) & wan2 (dhcp)

    The goal is for each LAN iface to be able to talk together, although being on different subnets

    I managed to set up basic firewalling/nat between lan1 & wan1, wasn't much complicated.

    But it becomes much more fun when adding the other ifaces

    1st) For LAN2 (192.168.1.0/16) from GUI Interface->LAN2(OPT1) I can set the ip, netmask, but also gateway; was wondering if the gateway should be 192.168.0.1 (LAN1's)

    2nd) The above made machines on LAN2 able to ping those on LAN1, but that didn't provide any gateway to WAN1 or WAN2..
    –> that assessment is wrong, it's my netmask that lets LAN2 see LAN1; weirdly though, LAN1 still can't see LAN2

    3rd) But, LAN1 can't see anything on LAN2. I tested adding a static route from iface:LAN1 dest:192.168.1.0/16 gateway:192.168.1.253, but pfsense when validating the form always rewrites it to 192.168.0.0/16 dest 192.168.1.253 (which won't work)..

    1. Forgot to mention firewall rules on LAN1/4 are to let everything pass to any dest & any port. (just for testing)

    2. Finally, I did not create any VLAN when installing pfsense, wonder if that's the issue.. but don't think so..

    I wasn't able to find some info relevant to my case, although I'm pretty sure that kind of setup is quite possible..

    If someone could point me to some relevant info, that would be much appreciated.

    Finally, virtual IP's are kinda confusing me.. but they might be part of the solution (?)

    Take care.

    ps: I'm running 1.0-BETA1-TESTING-SNAPSHOT-2-8-06



  • But, LAN1 can't see anything on LAN2. I tested adding a static route from iface:LAN1 dest:192.168.1.0/16 gateway:192.168.1.253, but pfsense when validating the form always rewrites it to 192.168.0.0/16 dest 192.168.1.253 (which won't work)..

    192.168.0.0/16 is 192.168.0.1 till 192.168.254.254

    so dest:192.168.1.0/16 gateway:192.168.1.253 and 192.168.0.0/16 dest 192.168.1.253 are the same

    better use /24
    then you have
    lan1 192.168.0.1 till 192.168.0.254 /24
    lan2 192.168.1.1 till 192.168.1.254 /24
    lan3 192.168.2.1 till 192.168.2.254 /24
    lan4 192.168.3.1 till 192.168.3.254 /24
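    An added worked example, not part of jeroen234's reply or of pfSense itself: Python's standard-library ipaddress module shows why the two routes above are the same network under a /16 mask and how the /24 plan turns the four LANs into distinct networks. The interface addresses are the .253 ones from the thread; the destination hosts in the checks are constructed for the example.

    ```python
    # Added example (not from the thread or from pfSense): why pfSense "rewrote"
    # the /16 route, and how a /24 plan splits the four LANs into distinct
    # on-link networks. Uses only the standard-library ipaddress module.
    import ipaddress

    # Interface addresses from the thread (pfSense uses .253 on each LAN).
    LAN_IFACES = {
        "lan1": "192.168.0.253",
        "lan2": "192.168.1.253",
        "lan3": "192.168.2.253",
        "lan4": "192.168.3.253",
    }


    def lan_networks(prefixlen: int) -> dict:
        """Return {iface: network} for each LAN address under the given prefix length."""
        return {
            name: ipaddress.ip_interface(f"{addr}/{prefixlen}").network
            for name, addr in LAN_IFACES.items()
        }


    def distinct_networks(prefixlen: int) -> int:
        """How many *different* networks the four LANs actually form."""
        return len(set(lan_networks(prefixlen).values()))


    def overlapping_pairs(prefixlen: int) -> list:
        """Pairs of LANs whose networks overlap: a route for one is a route for the other,
        which is exactly why the /16 static route collapsed to 192.168.0.0/16."""
        nets = lan_networks(prefixlen)
        names = list(nets)
        return [
            (a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])
        ]


    def next_hop(src_iface: str, dst: str, prefixlen: int) -> str:
        """How a host on src_iface reaches dst: 'on-link' (ARP for it directly) when dst
        falls inside the interface's own network, otherwise 'gateway' (send to pfSense)."""
        net = lan_networks(prefixlen)[src_iface]
        return "on-link" if ipaddress.ip_address(dst) in net else "gateway"


    if __name__ == "__main__":
        # 192.168.2.10 is a constructed host on the LAN3 range.
        for plen in (16, 24):
            nets = lan_networks(plen)
            print(f"/{plen}: " + ", ".join(f"{n}={v}" for n, v in nets.items()))
            print(f"  distinct networks: {distinct_networks(plen)}, overlaps: {overlapping_pairs(plen)}")
            print(f"  lan1 host -> 192.168.2.10: {next_hop('lan1', '192.168.2.10', plen)}")
    ```

    With /16 every LAN address lands in the single network 192.168.0.0/16, so a host on lan1 treats a lan3 address as on-link and never sends it to pfSense; with /24 the four networks are disjoint and cross-subnet traffic goes to the .253 gateway, where routing and firewall rules apply.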



  • It really seems I'm quite wrong on the netmask indeed..

    @jeroen234:

    lan1 192.168.0.1 till 192.168.0.254 /24
    lan2 192.168.1.1 till 192.168.1.254 /24
    lan3 192.168.2.1 till 192.168.2.254 /24
    lan4 192.168.3.1 till 192.168.3.254 /24

    If I'm correct, that would let each host on the same subnet see the others; requests to other subnets would be handled by each subnet's gateway

    Then if I follow you, using a /24 netmask, something like this should work
    :LAN1 (iface_ip:192.168.0.254/24) dest:192.168.1.0/24 gateway:192.168.1.254
    :LAN2 (iface_ip:192.168.1.254/24) dest:192.168.0.0/24 gateway:192.168.0.254

    If the above is correct,
    I assume the default gateway automagically set still remains
    :LAN1 > WAN1's Default Gateway

    But how would I set the route for LAN2 > WAN1 ..?

    Thank you ;)



  • It's magic, it just works  ;D

    Here is how it behaves by default:

    • all subnets that are directly connected to the pfsense itself will be routed without the need to add static routes
    • the default gateway is the WAN gateway by default, so everything that is not at one of the pfsense's subnets will be routed out to the internet unless there exists a static route for it, no matter if it comes in from lan, opt1, opt2, …
    • firewall rules are applied for incoming traffic at an interface. rules are applied top down, first match wins


  • many thanks :)

    I'll be checking this on monday and report here

    have a nice w-e



  • Ok, here is the current setup:

    Lan1: 192.168.0.0/24 iface: 192.168.0.253
    Lan2: 192.168.1.0/24 iface: 192.168.1.253
    Lan3: 192.168.2.0/24 iface: 192.168.2.253
    Lan4: 192.168.3.0/24 iface: 192.168.3.253

    Wan1: static ip

    All subnets can indeed find their way to WAN1, they can ping outside hosts fine.

    But currently, no subnet can "see" each other.

    What I now need is all subnets to be able to access "Lan3" where the servers will be.
    I therefore tried adding for Lan1 -> Lan3 route:
    Iface: Lan1 - Network: 192.168.3.0/24 - Gw: 192.168.3.253
    But that doesn't work..
    Machines on Lan1 still cannot access machines on Lan3 ..

    (Again, my rules are to allow all in/out on all Lan1/2/3/4 )

    What could I be missing ..?



  • can you post your rules here
    maybe the order of the rules is wrong



  • I finally got it working, here is what I did:

    LAN1 192.168.0.0/24
    LAN2 192.168.1.0/24
    LAN3 192.168.2.0/24
    LAN4 192.168.3.0/24

    Each interface uses .253 as IP with a /24 netmask.

    I wanted to have all subnet traffic go through the pfsense box, and the problem came indeed not from the routes, as I first thought, but from the firewall rules.

    I managed to get it working by doing the following config:

    (note, I'm assuming all interfaces are properly "enabled", and that each can properly reach an outside host -like google.com- via WAN1)

    On LAN1:
    allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
    allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.2.0/24 (any port)
    allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

    On LAN2:
    allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
    allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.2.0/24 (any port)
    allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

    On LAN3:
    allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
    allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
    allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

    On LAN4:
    allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
    allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
    allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.2.0/24 (any port)

    The result:
    Any LANx can access any other LANx as well as access WAN1 via their respective gateways.

    Now the epilogue:
    How to deal with WAN2 ?
    My goal would be for example to :
    -redirect all outgoing emails to WAN1 (static ip)
    -redirect all outgoing web browsing to WAN2 (dhcp).
    -if WAN2 fails, use WAN1 for web
    -if WAN1 fails, use WAN2 for emails

    How could i achieve such setup?
    What part of pfsense would be needed ..?
    Would that be comparable to what I've seen called outgoing load balancing ?



  • check out this article from the wiki: http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
    you basically have to modify the rules and create rules for different traffic (like destination any ip port 25) and select the appropriate gateway at the bottom of the rules page of each rule. the load balancing pool is optional. you can skip this part from the wiki for what you want to do.
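    An added example, not code from the thread, from pfSense or from the wiki article: a small model of the rule behaviour described across the thread (rules evaluated on the interface the traffic enters, top-down, first match wins, implicit deny when nothing matches) combined with the per-rule gateway selection the reply above describes. It covers both the working inter-LAN rule set from the previous post and the port-25-to-WAN1 / everything-else-to-WAN2 split asked about there. The /24 subnets are the ones from the thread; the WAN names as gateway labels and the outside host 203.0.113.9 are constructed assumptions.

    ```python
    # Added example; not from the thread or from pfSense. Models the firewall
    # behaviour described in the thread: rules are applied to traffic entering an
    # interface, top-down, first match wins, and a packet matching no rule is
    # dropped. The per-rule gateway models the policy-routing option from the
    # OutgoingLoadBalancing wiki article. WAN labels and the outside host used in
    # __main__ are constructed for the example.
    import ipaddress
    from dataclasses import dataclass
    from typing import Optional

    # The four /24 LANs from the working setup (pfSense holds .253 in each).
    LANS = {
        "LAN1": ipaddress.ip_network("192.168.0.0/24"),
        "LAN2": ipaddress.ip_network("192.168.1.0/24"),
        "LAN3": ipaddress.ip_network("192.168.2.0/24"),
        "LAN4": ipaddress.ip_network("192.168.3.0/24"),
    }
    ANY = ipaddress.ip_network("0.0.0.0/0")
    # A rule without a gateway uses the normal routing table: directly connected
    # LANs are reached directly, everything else follows the default route (WAN1).
    ROUTING_TABLE = "routing-table"


    @dataclass
    class Rule:
        action: str                    # "pass" or "block"
        src: ipaddress.IPv4Network     # source subnet
        dst: ipaddress.IPv4Network     # destination subnet (ANY = 0.0.0.0/0)
        dport: Optional[int] = None    # None = any destination port
        gateway: Optional[str] = None  # None = routing table, else a policy-routed WAN


    def ingress_iface(src: str) -> Optional[str]:
        """Which LAN a packet enters on, judged by its source address."""
        addr = ipaddress.ip_address(src)
        return next((name for name, net in LANS.items() if addr in net), None)


    def evaluate(rulesets: dict, src: str, dst: str, dport: int) -> tuple:
        """Return (decision, gateway). The first matching rule on the ingress
        interface wins; no match means the implicit default block."""
        iface = ingress_iface(src)
        if iface is None:
            return ("block", None)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in rulesets.get(iface, []):
            if s in r.src and d in r.dst and r.dport in (None, dport):
                if r.action == "pass":
                    return ("pass", r.gateway or ROUTING_TABLE)
                return ("block", None)
        return ("block", None)  # implicit default deny


    def inter_lan_rules(iface: str) -> list:
        """The rule set from the post: allow this LAN's subnet to every other LAN."""
        own = LANS[iface]
        return [Rule("pass", own, other) for name, other in LANS.items() if name != iface]


    def internet_rules(iface: str) -> list:
        """Policy routing as the wiki reply describes: mail (port 25) out WAN1 (static
        IP), everything else out WAN2. The specific rule must sit above the catch-all."""
        own = LANS[iface]
        return [Rule("pass", own, ANY, dport=25, gateway="WAN1"),
                Rule("pass", own, ANY, gateway="WAN2")]


    def no_rules() -> dict:
        """No pass rules on any LAN yet: routes alone do not let LAN1 reach LAN3."""
        return {name: [] for name in LANS}


    def working_rules() -> dict:
        """Inter-LAN rules first, then the policy-routed internet rules."""
        return {name: inter_lan_rules(name) + internet_rules(name) for name in LANS}


    def misordered_rules() -> dict:
        """Catch-all WAN2 rule placed first: it swallows inter-LAN and mail traffic."""
        return {name: list(reversed(internet_rules(name))) + inter_lan_rules(name)
                for name in LANS}


    if __name__ == "__main__":
        cases = [("192.168.0.5", "192.168.2.10", 80),   # LAN1 host to a LAN3 server
                 ("192.168.0.5", "203.0.113.9", 25),    # LAN1 host sending mail out
                 ("192.168.0.5", "203.0.113.9", 80)]    # LAN1 host browsing
        for label, rs in (("no rules", no_rules()), ("working", working_rules()),
                          ("misordered", misordered_rules())):
            for src, dst, port in cases:
                print(f"{label:10} {src} -> {dst}:{port} => {evaluate(rs, src, dst, port)}")
    ```

    The misordered set is the case worth checking on a real box: a catch-all rule with a gateway set matches traffic to the other LANs too and policy-routes it out WAN2, so the inter-LAN pass rules (no gateway) have to sit above any catch-all that carries a gateway, and the port-25 rule above the WAN2 catch-all.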

