4lan, 2wan = routing galore

df

Hello, i'm currently building a pfsense setup on an old ibm x232 series, with 2 quad port dlink ethernet cards.

I'm not really yet concerned about splitting the load to both WAN1/2, but rather to find out how to setup the routing/iface assignation properly.

For conveniance, my lan iface's are called lan1-4, and are of the form: 192.168.0.0/16 192.168.1.0/16 192.168.2.0/16 192.168.3.0/16.
Each time, pfsense uses the .253 IP address.
The wan's are wan1(static ip) & wan2(dhcp)

The goal is for each LAN Iface to be abble to talk together, altho being on different subnets

I managed to setup a basic firewalling/nat between lan1 & wan1, wasn't much complicated.

But it becomes much more fun when adding the other iface's

1st) For LAN2 (192.168.1.0/16) from GUI Interface->LAN2(OPT1) i can set the ip, netmask, but also gateway, was wondering if the gateway should be 192.168.0.1 (LAN1's)

2nd) The above made machines on LAN2 being abble to ping these on LAN1, but that didn't provide any gateway to WAN1 or WAN2..
–> that assesment is wrong, that's my netmask that let LAN2 see LAN1, weridly tho, LAN1 still can't see LAN2

3rd) But, LAN1 can't see anything on LAN2, i tested adding a static route from iface:LAN1 dest:192.168.1.0/16 gateway:192.168.1.253, but pfsense when validating the form always rewrites it to 192.168.0.0/16 dest 192.168.1.253 (which won't work)..

4. Forgot to mention firewall rules on LAN1/4 are to let everything pass to any dest & any port. (just for testing)

5. Finaly, i did not create any VLAN when installing pfsense, wonder if that's the issue.. but don't think so..

I wasn't abble to find some infos relevant to my case, altho i'm pretty sure that kind of setup is quite possible..

If someone could point me to some relavant infos, that would be much apreciated.

Finaly, virtual IP's are kinda confusing me.. but they might be part of the solution (?)

Take care.

ps: i'm running 1.0-BETA1-TESTING-SNAPSHOT-2-8-06

jeroen234

But, LAN1 can't see anything on LAN2, i tested adding a static route from iface:LAN1 dest:192.168.1.0/16 gateway:192.168.1.253, but pfsense when validating the form always rewrites it to 192.168.0.0/16 dest 192.168.1.253 (which won't work)..

192.168.0.0/16 is 192.168.0.1 till 192.168.254.254

so dest:192.168.1.0/16 gateway:192.168.1.253 and 192.168.0.0/16 dest 192.168.1.253 are the same

better use /24
then you have
lan1 192.168.0.1 till 192.168.0.254 /24
lan2 192.168.1.1 till 192.168.1.254 /24
lan3 192.168.2.1 till 192.168.2.254 /24
lan4 192.168.3.1 till 192.168.3.254 /24

df

It really seems I'm quite wrong on the netmask indeed..

@jeroen234:

lan1 192.168.0.1 till 192.168.0.254 /24
lan2 192.168.1.1 till 192.168.1.254 /24
lan3 192.168.2.1 till 192.168.2.254 /24
lan4 192.168.3.1 till 192.168.3.254 /24

If i'm correct that would make each host on the same subnet to see each other, requests to other subnet would be handeld by each subnet's gateway

Than if i follow you using a /24 netmask, something like this should work
:LAN1 (iface_ip:192.168.0.254/24) dest:192.168.1.0/24 gateway:192.168.1.254
:LAN2 (iface_ip:192.168.1.254/24) dest:192.168.0.0/24 gateway:192.168.0.254

If the above is correct,
I assume the default gateway automagicaly set still remains
:LAN1 > WAN1's Default Gateway

But how would i set the route for LAN2 > WAN1 ..?

Thank you ;)

hoba

It's magic, it just works  ;D

Here is how it behaves by degault:

• all subnets that are directly connected to the pfsense itself will be routed without the need to add static routes
• the default gateway is the WAN gateway by default, so everything that is not at one of the pfsenses subnets will be routed out the internet unless there exists a static route for it, no matter if it comes in from lan, opt1, opt2, …
• firewall rules are applied for incoming traffic at an interface. rules are applied top down, first match wins

df

many thanks :)

i'll be checking this on monday and report here

have a nice w-e

df

Ok, here is the current setup:

Lan1: 192.168.0.0/24 iface: 192.168.0.253
Lan2: 192.168.1.0/24 iface: 192.168.1.253
Lan3: 192.168.2.0/24 iface: 192.168.2.253
Lan3: 192.168.3.0/24 iface: 192.168.3.253

Wan1: static ip

All subnets can indeed find their way to WAN1, they can ping outside hosts fine.

But currently, no subnet can "see" each other.

What i know need is all subnets to be abble to access "Lan3" where the servers will be.
I therefore tried adding for Lan1 -> Lan3 route:
Iface: Lan1 - Network: 192.168.3.0/24 - Gw: 192.168.3.253
But that doesn't work..
Machines on Lan1 still cannot access machines on Lan3 ..

(Again, my rules are to allow all in/out on all Lan1/2/3/4 )

What could I be missing ..?

jeroen234

can you post youre rules here
mebe the order of the rules is wrong

df

I finaly got it working, here is what i do:

LAN1 192.168.0.0/24
LAN2 192.168.1.0/24
LAN3 192.168.2.0/24
LAN4 192.168.3.0/24

Each interface uses .253 as IP with a /24 netmask.

I wanted to have all subnet traffic go thru the pfsense box, and the problem came indeed not from the routes, as i first thought, but from the firewall rules.

I managed to get it working by doing the following config:

(note, i'm assuming all interfaces are properly "enabeld", and that each can properly reach an outside host -like google.com- via WAN1)

On LAN1:
allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.2.0/24 (any port)
allow from subnet 192.168.0.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

On LAN2:
allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.2.0/24 (any port)
allow from subnet 192.168.1.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

On LAN3:
allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
allow from subnet 192.168.2.0/24 (any ports) to subnet 192.168.3.0/24 (any port)

On LAN4:
allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.0.0/24 (any port)
allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.1.0/24 (any port)
allow from subnet 192.168.3.0/24 (any ports) to subnet 192.168.2.0/24 (any port)

The result:
Any LANx can access any other LANx aswell as access WAN1 via their respectiv gateways.

Now the epilogue:
How to deal with WAN2 ?
My goal would be for example to :
-redirect all outgoing emails to WAN1 (static ip)
-redirect all outgoing web browsing to WAN2 (dhcp).
-if WAN2 fails, use WAN1 for web
-if WAN1 fails, use WAN2 for emails

How could i achieve such setup?
What part of pfsense would be needed ..?
Would that be comparable to what i've seen called outgoing load balancing ?

hoba

check out this article from the wiki: http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
you basically have to modify the rules and create rules for different traffic (like destination any ip port 25) and select the appropriate gateway at the bottom of the rules page of each rule. the loadbalancing pool is optional. you can skip this part from the wiki for what you want to do.