    Netgate Discussion Forum
    1 WAN for General use, 1 WAN for paid use

    Routing and Multi WAN
css.josh:

I know how to set up basic load balancing and/or set up bandwidth limits, but that's not quite what I'm trying to do now.

Set up:
2 WAN
1 LAN

Everyone on the LAN uses 1 of the WAN ports like normal. We want to sell access to the second WAN port, which would be faster and have fewer users…

How can I direct a user to use a specific WAN?

Create a general rule for all LAN traffic to use WAN 1. Create a special rule that sets the specific LAN IP to use WAN 2?

Is this possible?
css.josh:

Is there any way to set it so USERa uses WAN1 and USERb uses WAN2? Anything like that?
ptt (Rebel Alliance):

Firewall Rule / Policy Routing

https://doc.pfsense.org/index.php/Multi-WAN_2.0#Firewall_Rules
css.josh:

Is there a way to automate that though?

I see I could probably set up two subnets on the LAN interface, and then direct traffic that way… Where one goes to WAN1 and the other goes to WAN2.

We don't want to have to manually set up each client each time to use the different subnet or WAN port... That's why I was wondering if we could maybe set the rules per user account or something, where we don't have to create a rule each time someone logs on?

So the end user could log in with one account, for a basic connection on WAN1, and then get the login information for a higher speed connection on WAN2 upon payment...

Again, I'm sure we could do something like everyone starts on a 192.168.1.0/24 network via the DHCP server, but then set them up statically using a 192.168.2.0/24 network on the same LAN interface, so we could create rules based on which network they were on... But we want to make this easy/automate it?
css.josh:

I'm having ZERO luck with firewall rules… :(
Derelict (LAYER 8, Netgate):

There really isn't an easy way to automate what you're trying to do.

You could always implement 802.1x in your switch and have the default VLAN (on auth failure) be the public VLAN and put them in the paid VLAN if they successfully log in. You might be able to set it up so you just keep a database of paid MAC addresses and do RADIUS MAC authentication to determine the VLAN.

As soon as you get paid users on one VLAN and everyone else on another (or have the switch otherwise distinguishing the traffic types somehow), policy routing out the proper WAN interface is trivial.
css.josh:

I mean, if I can do this with a firewall rule for each IP/user that pays, I can automate that process. That's not a problem.

I just can't figure out how to set this up properly…
Derelict (LAYER 8, Netgate):

Your problem is automating the switch config based on whether the person paid or not. You need some way for the network to distinguish one from the other.

Like I said, once the traffic is marked in some way it's easy.

Set up both WAN gateways.

On the LAN interface, pass traffic with one characteristic to the first gateway (the gateway selection is down in the advanced section).
Pass traffic with the other characteristic to the other gateway.
Reiner030:

This sounds mostly like a special implementation of Captive Portal usage ;)
css.josh:

OK, I'll stop speaking in general terms and get more specific.

The first attachment is a crude network diagram.

The second attachment is a screen shot of the firewall rules I'm trying out.

I'm trying to push all traffic from 10.0.0.101 through WAN2 (as a demo "paid user") and then I leave the general rule to allow all other traffic through WAN1…

To test it out, I have a simple PHP script on a local web server.

Which simply prints what IP address each computer is using to get out the gateway… They both seem to still be using the WAN1 IP address..?
Derelict (LAYER 8, Netgate):

And what about that isn't working?
css.josh:

Again, they both still seem to be using WAN1's IP address… If the one computer were using WAN2, shouldn't it show that IP address?
Derelict (LAYER 8, Netgate):

Are you sure the APs are APs and not Routing/NAT themselves?
Derelict (LAYER 8, Netgate):

How are you routing to the local web server running the PHP script? If it's behind pfSense with the clients, that rule is never applied.

Try www.wimi.com instead.

You realize that your NAT AP 1 rule is never applied because the rule above it always matches, right?
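To make the two points Derelict raises concrete (the per-gateway LAN rules, and a catch-all rule placed above a more specific one shadowing it), here is an added illustrative model of top-to-bottom first-match rule evaluation with a gateway per rule. It is not pfSense's own code; the 10.0.0.0/24 LAN, the host 10.0.0.101 and the gateway names WAN1_GW / WAN2_GW are constructed to mirror the thread, and the "LAN to LAN" rule without a gateway is the usual way to keep local destinations out of policy routing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of pfSense-style LAN rules: evaluated top to bottom, first match wins.
# Gateway names and addresses are assumptions that mirror the thread, not real config.

@dataclass
class Rule:
    description: str
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    gateway: Optional[str]    # None = follow the system routing table (no policy routing)
    log: bool = False         # "set the rule ... to log", as suggested in the thread

def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)

def _matches(spec, ip):
    net = _net(spec)
    return net is None or ipaddress.ip_address(ip) in net

def _covers(broad, narrow):
    """True when every address matched by `narrow` is also matched by `broad`."""
    b, n = _net(broad), _net(narrow)
    return b is None or (n is not None and n.subnet_of(b))

def route_for(rules, src, dst):
    """Gateway a flow src->dst gets under first-match evaluation ("DROP" = default deny)."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.gateway or "ROUTING_TABLE"
    return "DROP"

def shadowed(rules):
    """Descriptions of rules that can never match because an earlier rule always wins."""
    out = []
    for j, later in enumerate(rules):
        if any(_covers(e.src, later.src) and _covers(e.dst, later.dst) for e in rules[:j]):
            out.append(later.description)
    return out

LAN = "10.0.0.0/24"
PAID = Rule("paid 10.0.0.101 via WAN2", "10.0.0.101/32", "any", "WAN2_GW", log=True)
LOCAL = Rule("LAN to LAN, no policy routing", LAN, LAN, None)
DEFAULT = Rule("everyone else via WAN1", LAN, "any", "WAN1_GW")

GOOD_ORDER = [LOCAL, PAID, DEFAULT]   # specific rules above the catch-all
BAD_ORDER = [DEFAULT, PAID]           # catch-all first: the paid rule is never applied
```

Run `shadowed()` over a rule set before testing; a non-empty result means a rule is dead no matter what the firewall logs show.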
css.josh:

The local web server with the PHP script is not behind the pfSense router.

I just removed the NAT rule altogether if you think it was being a problem, but it's still not working.
Derelict (LAYER 8, Netgate):

Something is not as it is being presented then.

Set the rule for packets with a 10.0.0.101 source address to log and check the firewall logs.

If nothing shows up, do the same with the default any any rule.

Check the state table and state summary to see what's being created.
georgeman:

Flush state table before testing!
css.josh:

@Derelict:

> Something is not as it is being presented then.
>
> Set the rule for packets with a 10.0.0.101 source address to log and check the firewall logs.
>
> If nothing shows up, do the same with the default any any rule.
>
> Check the state table and state summary to see what's being created.

After logging it and checking the current traffic graphs, I have confirmed that it is working properly! Thanks!