Existing pfsense, convert to Dual WAN

  • hello,

    is it possible to convert an existing pfsense to Dual WAN?  ive seen many articles but not one that covers this type of scenario.

    in the past i have added an OPT1 interface, with its own gateway that points off to another network (a private point to point, actually), but im concerned about setting up another interface and it not getting "external" firewall rules automatically (like the WAN does on a new pfsense install).

    thanks for any advice!

  • You add another NIC, connect the modem to it, add the new interface, and you have dual WAN. But probably not, since otherwise you wouldn´t be asking this. What is going wrong°

  • The only "external" firewall rules I'm aware of are the ones that block Bogons and RFC addresses.  Those can be enabled on other interfaces by hitting the checkboxes at the bottom of the interface config pages.

  • i dunno… i just thought there was more to it, some magic or wizardry or something that make an interface an "outside" interface as opposed to an intside interface that allows all traffic bi-directionally.

    if its as simple as just adding another interface, ip and gateway, then i guess it is what it is.  thanks all!!

  • Well, it really is that simple  :P

    Next you might want to setup failover (if WAN1 down send all - or some - traffic to WAN2) or load balancing (distribute load over WAN1 and WAN2 equally). There are excellent instructions for that which you will find with a little googling/the wiki.

  • well, in this particular case, its not a redundant link, its a separate IP network on the same router from our ISP.  we got our original IP, and then a year or so later asked for a block of IPs.  they just provisioned a block of IPs thats not on the same network as the original IP.

    so i wont be bothering with any failover, i just want to have the rest of my left over IPs on my running pfsense.  :)

  • When you setup your new OPT1 interface, it will likely come with the standard Anti-Lockout rules (unless you have disabled these). Asides from that, all traffic will be blocked unless rules are explicity set to pass it (as is the default configuration of just about any firewall on the market – default block all).

    To allow traffic to host(s) behind the OPT1 interface, you will have to add rules manually. So say you setup a FTP server and you want it to be accessible, you will need to add a rule to allow this host. The parameters you'd use would be:

    • Interface: OPT1 (packets must come in on this interface to match this rule)
    • Source: Any
    • Destination: Single host or Alias <ip address="" of="" the="" ftp="" server="">- Source Port Range: FTP

    Save & Apply.

    So you won't have to worry about firewalling off the bat.</ip>

Log in to reply