How can I do this with WAN ips on multiple adapters?



  • On the section of this picture I've attached I'm trying to attach our VoIP phone server to the pfSense rather than directly to the edge so I can monitor bandwidth and such. I also want to provide a method for failover options.

    I have 5 physical adapters in this pfsense box, 2 for incoming WAN and 3 for various LAN (Wifi/General LAN/Phone server)

    How can I go about getting this to work so that the phone server uses one of the available static IPs to go thru the fiber connection?

    Thanks.



  • I'm curious: is it as simple as adding one of the available static IPs on that "phone" interface in the pfSense and it will simply direct the routes to go out the proper places?

    i.e. WAN1 10.0.0.1 and WAN2 20.0.0.1, and we have 10 available IPs on both WAN connections, so on the phone interface I make the IP of that interface 10.0.0.3 or something and it will go out that particular WAN path?



  • One thing I've done is add WAN1's IP address+1 as the interface IP of the phone interface, then enabled the DHCP server on the phone interface and gave it the rest of the public pool of IPs. I connected a laptop to that interface and it grabbed the IP perfectly.

    Are there any negative side effects to doing it like this other than utilizing 1 of my public IPs just for that interface?

    Thanks.



  • Ok so the laptop connected to the phone interface cannot get online (I'm doing this all remotely btw).

    I've added a * firewall rule to the phone interface much like I did on my wifiguests interface and it's still not working. :/ Not sure what to do?


  • Netgate Administrator

    First off you seem to have a potential network loop in the diagram that could cause no end of headaches.

    How is your Fibre WAN IP assigned?
    If you have the phone server NIC assigned in pfSense as a separate interface it must be in a different subnet to all other interfaces, otherwise routing is broken.
    One way you could do this is to add a virtual IP to the fibre WAN and then port forward (or 1:1 NAT) that to the phone server.
    Another possibility is to bridge the phone server NIC to the fibre WAN. That will allow it to be in the same subnet and devices on that would then pull additional IPs via DHCP (if your ISP provides that) or you can statically assign them.



  • @stephenw10:

    First off you seem to have a potential network loop in the diagram that could cause no end of headaches.

    How is your Fibre WAN IP assigned?
    If you have the phone server NIC assigned in pfSense as a separate interface it must be in a different subnet to all other interfaces, otherwise routing is broken.
    One way you could do this is to add a virtual IP to the fibre WAN and then port forward (or 1:1 NAT) that to the phone server.
    Another possibility is to bridge the phone server NIC to the fibre WAN. That will allow it to be in the same subnet and devices on that would then pull additional IPs via DHCP (if your ISP provides that) or you can statically assign them.

    I think I like the bridging idea the best, as that sounds like no firewalling would be involved and the phone server can choose what to firewall (as it has one built into that device). I've never bridged anything before though. What all do I need to do to make that work? I just went into interfaces -> bridge and added a bridge with wan1 and phone interfaces and it is now bridge0.

    My fiber WAN IP is statically set thru the WAN interface.



  • Ok what I've done is set the PHONES interface to none for IP. Set the WAN IP to its public IP, then I added the bridge with WAN+PHONES interfaces and called it PHONEBRIDGE, and then added the PHONEBRIDGE interface and enabled it, with no IP set.

    I went into the system tunables and turned on that filtering option for bridging, then I went into the firewall rules and for both the PHONES and the PHONESBRIDGE interface I allowed ipv4* * * * gateway WAN on the firewall rules.

    I set one of the available public static IP addresses on my laptop and plugged it into the PHONE interface, and it works :) yay!

    This was helpful: http://people.pharmacy.purdue.edu/~tarrh/Transparent Firewall - Filtering Bridge - William Tarrh.pdf

    NOW question. I have two WANs. Is it possible to bridge both WANs with the PHONE interface?

    I currently have a round robin failover setup for the general LAN interface, maybe make that an option for the PHONE interface as well? Not sure how the phone server would handle the different IP addresses though unless DHCP could somehow be turned on in the bridging to assign that?

    Also when watching the bandwidth being used on the dashboard with the PHONES and PHONESBRIDGE interfaces expanded out updating every 1 second, I noticed the amount of bandwidth being used is not equal on the two interfaces. Any idea why that could be?



  • LAYER 8 Netgate

    That will work I think but I believe the proper way to do the bridge is to set the bridge member interfaces to no IP and set the WAN interface characteristics on the bridge interface itself.  You should simply be able to go to interfaces->assign and select the bridge interface for WAN.  Then you'll probably have to create an interface for the WANIF hardware with no IP set.  Both the WANIF and PHONE interfaces should have pass any any rules on them.  WAN (BRIDGE0) will have all your normal WAN rules.

    I believe this method will also let you mark traffic received from the phone member interface with a pf label for later QoS/shaping on WAN out if necessary.  I've never tried it with the packet filter on a bridge member.
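    The two design rules given in this thread (stephenw10: a separately assigned phone NIC must not share a subnet with any other interface; Derelict: bridge members carry no IP and the bridge interface itself gets the WAN address) can be checked mechanically before touching a remote box. The following is an added example, not anything from the pfSense project or the posters; the interface names and the 10.0.0.0/28 and 192.168.1.0/24 addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Iface:
    name: str
    cidr: Optional[str]             # "address/prefix", or None for "IP type: none"
    members: Tuple[str, ...] = ()   # non-empty only for a bridge interface


def check_plan(ifaces: List[Iface]) -> List[str]:
    """Return a list of layout problems in a planned pfSense interface set."""
    problems = []
    names = {i.name for i in ifaces}
    bridge_members = {m for i in ifaces for m in i.members}
    for i in ifaces:
        # Rule from Derelict's post: the members have no IP, the bridge has it.
        if i.name in bridge_members and i.cidr is not None:
            problems.append(f"{i.name}: bridge member should have no IP")
        if i.members and i.cidr is None:
            problems.append(f"{i.name}: bridge itself should carry the WAN IP")
        for m in i.members:
            if m not in names:
                problems.append(f"{i.name}: unknown bridge member {m}")
    # Rule from stephenw10's post: every routed interface needs its own subnet.
    routed = [(i.name, ipaddress.ip_interface(i.cidr).network) for i in ifaces if i.cidr]
    for idx, (a, net_a) in enumerate(routed):
        for b, net_b in routed[idx + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{a} and {b} overlap: {net_a} and {net_b}")
    return problems


# Constructed plans: the first mirrors the original "WAN IP + 1 on PHONES" attempt,
# the second the bridged layout with the public IP moved onto the bridge.
BROKEN_PLAN = [
    Iface("WAN1", "10.0.0.1/28"),
    Iface("PHONES", "10.0.0.2/28"),
    Iface("LAN", "192.168.1.1/24"),
]
BRIDGED_PLAN = [
    Iface("WAN1", None),
    Iface("PHONES", None),
    Iface("PHONEBRIDGE", "10.0.0.1/28", members=("WAN1", "PHONES")),
    Iface("LAN", "192.168.1.1/24"),
]

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN_PLAN), ("bridged", BRIDGED_PLAN)):
        print(label, check_plan(plan) or "ok")
```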



  • @Derelict:

    That will work I think but I believe the proper way to do the bridge is to set the bridge member interfaces to no IP and set the WAN interface characteristics on the bridge interface itself.  You should simply be able to go to interfaces->assign and select the bridge interface for WAN.  Then you'll probably have to create an interface for the WANIF hardware with no IP set.  Both the WANIF and PHONE interfaces should have pass any any rules on them.  WAN (BRIDGE0) will have all your normal WAN rules.

    I believe this method will also let you mark traffic received from the phone member interface with a pf label for later QoS/shaping on WAN out if necessary.  I've never tried it with the packet filter on a bridge member.

    Not quite sure I understand what you're saying with WANIF.

    So basically make my WAN1 and PHONES interfaces with no IP. Bridge them. Set the PHONESBRIDGE interface to have the WAN's static IP, correct?

    If I do it like that, then I'll have to set all my other general LAN interface traffic to go out that bridge adapter as well I believe instead of the WAN1 adapter.

    Not sure where you go to set traffic marked.


  • LAYER 8 Netgate

    By WANIF I mean the hardware bridge member plugged into your WAN device.

    No IPs will change, the pfSense WAN IP will just be assigned to the bridge interface itself instead of one of the bridge members.

    I don't mean to confuse the issue regarding QoS in the future.  It's just a consideration in my recommendation.  Forget I said anything.

    I would just take your WAN interface in interfaces->assignment and assign it to the bridge instead of the bridge member.  This is probably not a hitless event and should probably be done during an acceptable period of a few minutes downtime.  If you do this you don't have to rebuild all your WAN rules.



  • @Derelict:

    By WANIF I mean the hardware bridge member plugged into your WAN device.

    No IPs will change, the pfSense WAN IP will just be assigned to the bridge interface itself instead of one of the bridge members.

    I don't mean to confuse the issue regarding QoS in the future.  It's just a consideration in my recommendation.  Forget I said anything.

    I would just take your WAN interface in interfaces->assignment and assign it to the bridge instead of the bridge member.  This is probably not a hitless event and should probably be done during an acceptable period of a few minutes downtime.  If you do this you don't have to rebuild all your WAN rules.

    Ah yea good idea!


  • Netgate Administrator

    @elementalwindx:

    I noticed the amount of bandwidth being used is not equal on the two interfaces. Any idea why that could be?

    I suspect because you are seeing all the incoming WAN traffic, which gets put onto the bridge interface but not the phonebridge.

    My normal reaction to creating a bridge would be to assign the bridge interface to WAN as Derelict suggests, that's what I would do on an internal interface. However because it's WAN I'm tempted to say leave it as you have it. If you assign the bridge as WAN it will never go down which could cause problems with linkup events etc. I'm pretty sure Chris posted something about this recently but I can't find it now.

    Edit: Here you go. In fact this whole thread is relevant here:
    https://forum.pfsense.org/index.php?topic=84447.msg464102#msg464102

    Steve

