1 WAN for General use, 1 WAN for paid use



  • I know how to set up basic load balancing and/or set up bandwidth limits, but that's not quite what I'm trying to do now.

    Set up:
    2 WAN
    1 LAN

    Everyone on the LAN uses 1 of the WAN ports like normal. We want to sale access to the second WAN port, which would be faster use and fewer users…

    How can I direct a user to use a specific WAN?

    Create a general rule for all LAN traffic to use WAN 1. Create a special rule that sets the specific LAN IP to use WAN 2?

    Is this possible?



  • Is there any way to set USERa uses WAN1 and USERb uses WAN2? Anything like that?


  • Rebel Alliance



  • Is there a way to automate that though?

    I see I could probably set up two subnets on the LAN interface, and then direct traffic that way… Where one goes to WAN1 and the other goes to WAN2.

    We don't want to have to manually set up each client each time to use the different subnet or WAN port... That's why I was wondering if we could maybe set the rules per user account or something where we don't have to create a rule each time someone logs on?

    So the end user could log in with one account, for a basic connection on WAN1, and then get the login information for a higher speed connection on WAN2 upon payment...

    Again, I'm sure we could something like everyone starts on a 192.168.1.0/24 network via the DHCP server, but then set them up statically using a 192.168.2.0/24 network on the same LAN interface, so we could create rules based on which network they were on... But we want to make this easy/automate it?



  • I'm having ZERO luck with firewall rules…. :(


  • Netgate

    There really isn't an easy way to automate what you're trying to do.

    You could always implement 802.1x in your switch and have the default VLAN (on auth failure) be the public VLAN and put them in the paid VLAN if they successfully login.  You might be able to set it up so you just keep a database of paid MAC addresses and do RADIUS MAC authentication to determine the VLAN.

    As soon as you get paid users on one VLAN and everyone else on another (or have the switch otherwise distinguishing the traffic types somehow), policy routing out the proper WAN interface is trivial.



  • I mean, if I can do this with a firewall rule for each IP/user that pays, I can automate that process. That's not a problem.

    I just can't figure out how to set this up properly…


  • Netgate

    Your problem is automating the switch config based on whether the person paid or not.  You need some way for the network to distinguish one from the other.

    Like I said, once the traffic is marked in some way it's easy.

    Set up both WAN gateways

    On the LAN interface pass traffic with one characteristic to the first gateway (the gateway selection is down in the advanced section)
    Pass traffic with the other characteristic to the other gateway.



  • This sounds mostly like a special implementation of Captive Portal usage ;)



  • OK, I'll stop speaking in general terms and get more specific.

    The first attachment is a crude network diagram.

    The second attachment is a screen shot of the firewall rules I'm trying out.

    I'm trying to push all traffic from 10.0.0.101 through WAN2 (as a demo "paid user") and then I leave the general rule to allow all other traffic through WAN1…

    To test it out, I have a simple PHP script on a local web server..

    Which simply prints what IP address each computer is using to get out the Gateway… They both seem to still be using the WAN1 IP address..?





  • Netgate

    And what about that isn't working?



  • Again, they both still seem to be using WAN1's IP address… If the one computer were using WAN2, shouldn't it show that IP address?


  • Netgate

    Are you sure the APs are APs and not Routing/NAT themselves?


  • Netgate

    How are you routing to the local web server running the PHP script?  If it's behind pfSense with the clients, that rule is never applied.

    Try www.wimi.com instead.

    You realize that your NAT AP 1 rule is never applied because the rule above it always matches right?



  • The local web server with the PHP script is not behind the pfSense router.

    I just removed the NAT rule all together if you think it was being a problem, but it's still not working.


  • Netgate

    Something is not as it is being presented then.

    Set the rule for packets with a 10.0.0.101 source address to log and check the firewall logs.

    If nothing shows up, do the same with the default any any rule.

    Check the state table and state summary to see what's being created.



  • Flush state table before testing!



  • @Derelict:

    Something is not as it is being presented then.

    Set the rule for packets with a 10.0.0.101 source address to log and check the firewall logs.

    If nothing shows up, do the same with the default any any rule.

    Check the state table and state summary to see what's being created.

    After logging it and checking the current traffic graphs, I have confirmed that it is working properly! Thanks!