Netgate Discussion Forum

Pfsense as a router and default gateway with multiwan

Routing and Multi WAN
35 Posts 7 Posters 34.7k Views
bravo_prochu
last edited by Dec 13, 2013, 11:21 PM

Did you ever try to set up static routes on pfsense?

johnpoz LAYER 8 Global Moderator
last edited by Dec 14, 2013, 11:18 AM

Have I? Yes, quite simple. You don't set gateways on LAN interfaces.

If you would use a non-192.168 range between pfsense and your first router, the pfsense route table would be quite simple, with one entry for 192.168.0.0/16.

It seems you have a cluster of a setup there that seems way more complicated than it needs to be.

"LAN rules look like this for every single IP of my whole networks, i.e. (I use aliases):

• | 192.168.32.115/24 | port: * | dest: * | gateway: DEFAULT [use in/out for that IP]
• | 192.168.40.235/24 | port: * | dest: * | gateway: DEFAULT [use in/out for that IP]
• | 192.168.50.25/24 | port: * | dest: * | gateway: DEFAULT [use in/out for that IP]
• | 192.168.10.95/24 | port: * | dest: * | gateway: DEFAULT [use in/out for that IP]"

What??? Every single IP has its own entry - WTF were you thinking?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07

bravo_prochu
last edited by Dec 15, 2013, 3:03 PM

Every single IP has its own rule entry, because I want to control the bandwidth of every single alias IP;
I use limiters - for every IP - as many limiters as aliases (IPs).

How can I set static routes to routers without setting up gateways?
(I need a remote connection to devices behind those routers.)

I'm a newbie, so if you can, please share an idea how to do it a different way..

johnpoz LAYER 8 Global Moderator
last edited by Dec 15, 2013, 3:22 PM

"How can I set static routes to routers without setting up gateways?
(I need a remote connection to devices behind those routers.)"

Yeah, you set the routes here - see attached. And yes, in the routes you pick a gateway.. But you do not apply that gateway to your LAN interface. If you apply the gateway to the interface directly then pfsense thinks that's a WAN interface.

(attachment: routespfsense.png)

bravo_prochu
last edited by Dec 15, 2013, 6:48 PM

I still don't understand: 'But you do not apply that gateway to your lan interface'?
First I needed to set up a LAN gateway (see attached - staticRoutes02) to pick it up to the destination network (see attached - staticRoutes01).

(attachments: staticRoutes01.jpg, staticRoutes02.jpg)

johnpoz LAYER 8 Global Moderator
last edited by Dec 15, 2013, 6:57 PM

But is that applied to your interface?

Look - here is a dummy gateway I created for network 10.0.0.0/24 – it uses my DMZ interface.. But notice on the actual DMZ interface there is NO gateway set!!

(attachments: routestatic.png, interfracedmz.png)

bravo_prochu
last edited by Dec 15, 2013, 8:18 PM

Gateway is on my LAN interface… so there is no 'gateway' for LAN int..

What does it change? Because I still don't get it..

I would like to use the multiwan tutorial, so when I specify the default gateway in rules ('multiWAN' = PPPoE1 [tier1] and PPPoE2 [tier1]) there is no traffic to routers..
(In the attachment I haven't created the multiWan gateway yet, but I already tried it.)

(attachment: staticRoutes03.jpg)

johnpoz LAYER 8 Global Moderator
last edited by Dec 15, 2013, 9:03 PM

"What does it change? Because I still don't get it.."

If there is a gateway on the interface - pfsense thinks it's a WAN, and will auto NAT it for starters.

bravo_prochu
last edited by Dec 15, 2013, 9:10 PM

There is no gateway on the LAN interface, but still when I change the default gateway on FIREWALL-RULES-LAN…alias..- gateway to multiWAN instead of default - there is no traffic.

(attachment: staticRoutes04.jpg)

phil.davis
last edited by Dec 16, 2013, 5:10 AM

Not sure where you are up to, but here are the general principles when you have some internal networks and multi-WAN with gateway groups…

1. Define a gateway for each other internal router (gateway) that leads to an internal network that is NOT directly connected to pfSense.
2. Define a static route to each of these internal networks pointing to the correct internal gateway.
3. Add gateway group(s) that group together your real public WANs in whatever tiers you wish.
4. First add rules on LAN to pass traffic to the internal networks - without specifying any gateway in the rules - the packets will be passed to the ordinary routing table and the static route/s you defined will get them to their destination.
5. If you have VPN site-to-site links to other offices, these also need to use the ordinary routing table - put pass rules for traffic to subnets that are across the VPN, and let the ordinary routing table and VPN software deal with it.
6. Further down in the LAN rule list, put rules that send traffic to particular gateway groups (e.g. near or at the end you might commonly have a rule that passes all protocols source LANnet destination any gateway LoadBalanceGWG - to load balance everything that did not match any previous special rule).

Some screen shots attached of one of my setups, with a test Firebox internally that goes to various test subnets in 10.99.0.0/16. The LAN rule passing INF_Subnets to INF_Subnets matches this Firebox traffic (among other stuff). INF_Subnets is an alias that contains all my internal subnets, local to pfSense, at the same office and across VPNs at other offices. This makes it easy to write 1 pass rule that lets all this internal private traffic pass through to the ordinary routing table, before any rules that pump traffic into a gateway or gateway group.

(attachments: Gateways.png, Static-Route.png, GWGroups.png, LAN-Rules.png)

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

johnpoz LAYER 8 Global Moderator
last edited by Dec 16, 2013, 5:54 AM

^exactly – needs to be turned into a doc.. If I find time tomorrow at work (it's been slow, normally, as we get closer to the holidays) I will do just that ;)

bravo_prochu
last edited by Dec 20, 2013, 8:59 PM Dec 20, 2013, 1:51 PM

Thanks for your answers, guys!

Still have some questions.
I use limiters for every alias (clients) (att. staticRoutes06) on my network; my LAN rules look like (att. staticRoutes05).
Instead of 'Private_devices' (block private devices to outside DNS server) can I use all local subnets??
Does 'Inf_Subnets' have the LAN subnet included? (pfsense box IP)?

Can you help me with this?

How to drop any other stations to the Internet (but aliases..) and still have local connections to the LAN routers/access points using multiWAN..

Can you point me to a basic firewall isolation for that kind of policy?

(attachments: staticRoutes05.jpg, staticRoutes06.jpg)

phil.davis
last edited by Dec 22, 2013, 5:51 PM

"Instead of 'Private_devices' (block private devices to outside DNS server) can I use all local subnets??
Does 'Inf_Subnets' have the LAN subnet included? (pfsense box IP)?"

I have lots of different LANs, so I made some aliases like:
'Private_Devices' = IP address ranges that I give out to private devices on the LAN (like people's smart phones…)
'Inf_Subnets' = all the private subnets in my private extended network (includes LAN subnet and others)
Then I can make easy rules to block or pass traffic to or from these groups of IP address subnets.
If you just have 1 LAN subnet, then it is easy to just make rules like:
Block UDP+TCP source LAN subnet, destination !LAN IP, port DNS (53)
That stops LAN clients getting DNS from anywhere else outside the pfSense LAN.

bravo_prochu
last edited by Dec 24, 2013, 12:40 PM

Thanks for the explanation;
So, I should use this rule at the top of my others?
Then the 'inf_subnets' and then my 'alias rules'?

As I wrote before, I use one rule per alias - to use the bandwidth-per-IP tutorials; right now my rule is - alias to 'any' [any port], but when first set to exclude port 53 to any devices on the LAN subnet, then should I use only the [alias to any - DNS port (with multiWAN gateway)] rule?

(attachment: staticRoutes07.jpg)

phil.davis
last edited by Dec 24, 2013, 1:02 PM

Yes, that rule (assuming it has "Block" selected at the top) goes up the top of your list. It will stop any port 53 (DNS) packets that are not going to the pfSense LAN address. So people won't be able to access other DNS servers out on the internet - they will have to use DNS provided by pfSense (or be extra tricky to find other ways around it).

bravo_prochu
last edited by Dec 30, 2013, 3:45 PM

Hi
Tried to do exactly as you wrote, but it doesn't work.
I have to add a rule any to any at the bottom of all my rules; can you help me understand why?
If I disable it - Win7 gives me an 'Internet' access message but there is no traffic to it.

(attachment: staticRoutes08.jpg)

phil.davis
last edited by Dec 30, 2013, 4:13 PM

You often want a quite permissive rule at the end that feeds "ordinary" traffic into the Multiwan GWG. That way most ordinary traffic ends up in the Multiwan GWG, which you want. That is like your 2nd last rule, but the 2nd last rule has something special as source (which I can't read/guess since it is partly rubbed out). You need to modify the 2nd last rule so it actually passes traffic from all the sources you wish (maybe all of LANnet?) into Multiwan. Then the last rule is not needed.

bravo_prochu
last edited by Dec 31, 2013, 12:58 AM

My goal is to pass traffic ONLY from devices included in aliases… (partly rubbed out)
I don't use a DHCP server on pfsense. I would like to block all traffic except aliases.. I guess there is something wrong in that policy, because when I set a static IP - there is Internet on it.. (even if the IP is not in the aliases list)
What rules should I use?

phil.davis
last edited by Dec 31, 2013, 3:22 AM

If you remove that last "pass all" rule, then (assuming there are no other rules like that) you will be just passing the things specified in the various aliases used in rules. If someone sets their IP address to one that is passed, they get internet. Set it to some other IP, then it will be blocked by the unseen default block rule (or whatever other block rule that might match before that). You really need to first know exactly what you want blocked and passed, then look through your rule list from top to bottom, think through what IP addresses are in which alias and make rules in order that will have the effect you want.

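To make the rule-ordering points of this thread concrete (the internal-subnet pass rule with no gateway placed ahead of the gateway-group rules, the DNS block rule, per-alias policy routing into MultiWAN, and the hidden default deny that catches a static IP outside every alias), here is an added Python model of top-down, first-match rule evaluation. It is not pfSense code and not from any poster; the alias and gateway names follow the thread, while every address, the internal router 192.168.1.254 and the rule details are constructed for the example.

```python
# Illustrative model (not pfSense code) of a pfSense LAN rule list: evaluated
# top-down, first match wins; a matching pass rule with a gateway policy-routes
# the packet, one without a gateway hands it to the ordinary routing table.
from ipaddress import ip_address, ip_network

# Constructed aliases: names follow the thread, ranges are made up.
ALIASES = {
    "LAN_address": ["192.168.1.1/32"],                     # pfSense LAN IP
    "INF_Subnets": ["192.168.1.0/24", "10.99.0.0/16"],     # all internal subnets
    "newCustomer": ["192.168.1.50/32", "192.168.1.51/32"],  # one customer's devices
}

# Ordinary routing table: connected LAN plus a static route to an internal router.
ROUTES = [
    (ip_network("192.168.1.0/24"), "directly connected (LAN)"),
    (ip_network("10.99.0.0/16"), "static route via 192.168.1.254"),
]
DEFAULT_ROUTE = "default route (WAN)"

# LAN rules in the order phil.davis recommends:
# (action, protocols, src_alias, dst_alias, negate_dst, dst_port, gateway)
LAN_RULES = [
    ("block", "tcp/udp", "any", "LAN_address", True, 53, None),        # DNS only via pfSense
    ("pass", "any", "INF_Subnets", "INF_Subnets", False, None, None),  # no gateway: routing table
    ("pass", "any", "newCustomer", "any", False, None, "MultiWAN"),    # policy-route this alias
]

def in_alias(addr, name):
    """True if addr falls inside any network of the alias ("any" matches all)."""
    return name == "any" or any(ip_address(addr) in ip_network(n) for n in ALIASES[name])

def route_lookup(dst):
    """Longest-prefix match over ROUTES, falling back to the default route."""
    best = max((r for r in ROUTES if ip_address(dst) in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else DEFAULT_ROUTE

def evaluate(src, dst, proto, dport, rules=LAN_RULES):
    """Return what happens to a LAN packet: the first matching rule decides."""
    for action, protos, rsrc, rdst, negate, rport, gw in rules:
        if protos != "any" and proto not in protos.split("/"):
            continue
        if not in_alias(src, rsrc):
            continue
        if in_alias(dst, rdst) == negate:   # negate=True models "!LAN address"
            continue
        if rport is not None and rport != dport:
            continue
        if action == "block":
            return "blocked"
        return f"policy-routed via {gw}" if gw else f"routing table: {route_lookup(dst)}"
    return "blocked by default deny"   # pfSense's unseen default block rule

# Wrong order for comparison: the MultiWAN rule above the internal-subnet rule.
WRONG_ORDER = [LAN_RULES[0], LAN_RULES[2], LAN_RULES[1]]

if __name__ == "__main__":   # constructed sample packet to an internal subnet
    print(evaluate("192.168.1.50", "10.99.5.7", "tcp", 443))
    print(evaluate("192.168.1.50", "10.99.5.7", "tcp", 443, WRONG_ORDER))
```

With the correct order the internal packet follows the static route; with the MultiWAN rule first it is policy-routed out a WAN instead, which is the "no traffic to routers" symptom described earlier in the thread.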
bravo_prochu
last edited by Dec 31, 2013, 2:36 PM

To easily modify network policy I would like to only add a new rule with an alias, for example 'newCustomer', like in my pictures above;
In that line I have the IP or IPs of newCustomer devices (included in alias newCustomer), set the default gateway 'MultiWAN' and set limiters newCustomerUP and newCustomerDown to specify bandwidth.
For every single customer I would like to create that kind of rule to define different UP/DOWN speeds (I add 2 limiters for every alias in my network).
Is there any other way to do that? Is it possible that the limiters are slowing down traffic between local routers?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.