Netgate Discussion Forum

    Existing pfsense, convert to Dual WAN

    General pfSense Questions
    7 Posts 4 Posters 1.2k Views
    • S
      Sharaz

      hello,

      is it possible to convert an existing pfsense to Dual WAN?  i've seen many articles but not one that covers this type of scenario.

      in the past i have added an OPT1 interface, with its own gateway that points off to another network (a private point to point, actually), but i'm concerned about setting up another interface and it not getting "external" firewall rules automatically (like the WAN does on a new pfsense install).

      thanks for any advice!

      Jonathan

      • M
        Mr. Jingles

        You add another NIC, connect the modem to it, add the new interface, and you have dual WAN. But probably not, since otherwise you wouldn't be asking this. What is going wrong?

        6 and a half billion people know that they are stupid, aggressive, lower life forms.

        • J
          jasonlitka

          The only "external" firewall rules I'm aware of are the ones that block Bogons and RFC addresses.  Those can be enabled on other interfaces by hitting the checkboxes at the bottom of the interface config pages.

          I can break anything.

          • S
            Sharaz

            i dunno… i just thought there was more to it, some magic or wizardry or something that makes an interface an "outside" interface as opposed to an inside interface that allows all traffic bi-directionally.

            if it's as simple as just adding another interface, ip and gateway, then i guess it is what it is.  thanks all!!

            Jonathan

            • M
              Mr. Jingles

              Well, it really is that simple  :P

              Next you might want to set up failover (if WAN1 down send all - or some - traffic to WAN2) or load balancing (distribute load over WAN1 and WAN2 equally). There are excellent instructions for that which you will find with a little googling/the wiki.

              6 and a half billion people know that they are stupid, aggressive, lower life forms.

              • S
                Sharaz

                well, in this particular case, it's not a redundant link, it's a separate IP network on the same router from our ISP.  we got our original IP, and then a year or so later asked for a block of IPs.  they just provisioned a block of IPs that's not on the same network as the original IP.

                so i won't be bothering with any failover, i just want to have the rest of my left over IPs on my running pfsense.  :)

                Jonathan

                • B
                  breakaway

                  When you set up your new OPT1 interface, it will likely come with the standard Anti-Lockout rules (unless you have disabled these). Aside from that, all traffic will be blocked unless rules are explicitly set to pass it (as is the default configuration of just about any firewall on the market – default block all).

                  To allow traffic to host(s) behind the OPT1 interface, you will have to add rules manually. So say you set up an FTP server and you want it to be accessible, you will need to add a rule to allow this host. The parameters you'd use would be:

                  • Interface: OPT1 (packets must come in on this interface to match this rule)
                  • Source: Any
                  • Destination: Single host or Alias <IP address of the FTP server>
                  • Source Port Range: FTP

                  Save & Apply.

                  So you won't have to worry about firewalling off the bat.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.