Dual WAN - dual LAN - no load balancing



  • I have a dual WAN and dual LAN setup; I don't need load balancing.
    I use 1.2-RELEASE.

    WAN (pppoe) ------\                  /--- LAN (192.168.1.0/24)
                       \                /
                        -- pfSense --
                       /                \
    WAN2 (dhcp) ------/                  \--- AIR1 (192.168.10.0/24) |
                                          \--- AIR2 (192.168.10.0/24) | (bridged)
                                           --- AIR3 (192.168.10.0/24) | (bridged)

    Each AIR interface has an access point connected; there is a DHCP service running (on the pfSense only) in the AIR1 subnet.
    One server in the LAN subnet should use WAN.
    I want everything else (LAN and AIR subnets, and IPsec) on WAN2.

    General settings:

    DNS servers:  193.109.184.75  (WAN primary DNS)
                  195.130.130.164 (WAN2 primary DNS)
    The "DNS server list overridden" option is checked off.

    Static route settings (for the ISP DNS servers):

    Interface  Network             Gateway       Description
    LAN        193.109.184.75/32   WAN gateway   primary DNS dommel
    LAN        195.130.130.164/32  WAN2 gateway  primary DNS telenet

    Advanced outbound NAT:

    Interface  Src             Port  Dest  Port  NATAddr  Port  StaticPort
    WAN        192.168.1.0/24  *     *     *     *        *     NO
    WAN        192.168.10.0/24 *     *     *     *        *     NO
    WAN2       192.168.1.0/24  *     *     *     *        *     NO
    WAN2       192.168.10.0/24 *     *     *     *        *     NO

    Firewall rules:

    LAN
    Proto  Src        Port  Dest      Port  Gw    Schedule  Description
    *      LAN net    *     AIR1 net  *     *
    *      server IP  *     *         *     *
    *      LAN net    *     *         *     WAN2

    AIR1 (AIR2 & AIR3 have the same rules)
    Proto  Src       Port  Dest     Port  Gw    Schedule  Description
    *      AIR1 net  *     LAN net  *     *
    *      AIR1 net  *     *        *     WAN2

    I have 2 problems I can't get solved:

    - The AIR subnet can't resolve; it can ping the server IP but it can't ping pfSense
    (if the AIR subnet has the default gateway, everything works).
    All LAN IPs get routed properly to WAN2 without problems.
    The server gets routed to WAN without problems.

    - IPsec only works over WAN, but I would like it to work over WAN2.

    I've been struggling with settings for over a month now; any help is greatly appreciated.



  • I'm not really sure if you shouldn't set the "Interface" of your static route to "WAN" or "WAN2".
    The description is a bit vague, but from experience with other routers you usually define on which interface the route goes out.
    (Could someone who knows more shed some light on this?)

    Also, I'm not really sure if that helps, but you could try and set your AIR rules to:

    AIR1 (AIR2 & AIR3 have the same rules)
    Proto  Src       Port  Dest          Port  Gw    Schedule  Description
    *      AIR1 net  *     LAN net       *     *
    *      AIR1 net  *     AIR1 address  *     *
    *      AIR1 net  *     *             *     WAN2



  • Yes, thanks!!  :D

    The AIR subnet gets routed to WAN2 now.

    Now I can focus on the IPsec problem…



  • I have to jump in here and give my thanks to GruensFroeschli too :)
    That interface IP address trick is just nice… though I don't fully understand why it's needed.



  • These rules:

    AIR1 (AIR2 & AIR3 have the same rules)
    Proto  Src       Port  Dest     Port  Gw    Schedule  Description
    *      AIR1 net  *     LAN net  *     *
    *      AIR1 net  *     *        *     WAN2

    allow access to the LAN net via the routing table, and
    allow access to everything else over WAN2.

    The DNS forwarder runs on the AIR interface address.
    There is just no rule that allows access to the AIR interface.
    The second rule allows traffic to everywhere over WAN2, but from WAN2 you cannot reach the AIR interface :)

    AIR1 (AIR2 & AIR3 have the same rules)
    Proto  Src       Port  Dest          Port  Gw    Schedule  Description
    *      AIR1 net  *     LAN net       *     *
    *      AIR1 net  *     AIR1 address  *     *
    *      AIR1 net  *     *             *     WAN2

    Here we have a rule that explicitly allows access to the AIR1 interface before allowing the rest over WAN2.

    Quoting the reply above:
    "Yes, thanks!! :D
    The AIR subnet gets routed to WAN2 now.
    Now I can focus on the IPsec problem…"

    Sorry, totally forgot to answer that.
    I don't use that, but from what I read on this forum you need to create a static route that points to your remote WAN IP on your OPTx (WAN2).
    Search the forum for that, since there are a few threads on it :)
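    The rule-ordering argument above, written out as an added example that is not part of the thread and is not pfSense's own generated ruleset: the three AIR1 GUI rules expressed as raw pf(4) rules, which is what pfSense loads underneath. The interface names, the macro names and the WAN2 gateway address are assumptions made for the illustration; the two subnets are the ones from the first post.

```pf
# Added illustration, not from the thread or from pfSense's generated rules.
# Interface names, macro names and the gateway address are assumptions.
air1     = "em2"            # assumed: AIR1 interface
wan2     = "em1"            # assumed: WAN2 interface
wan2_gw  = "203.0.113.1"    # assumed: WAN2 upstream gateway (documentation address)
air1_net = "192.168.10.0/24"
lan_net  = "192.168.1.0/24"

# pf evaluates "quick" rules top to bottom; the first match wins.

# Rule 1: AIR1 net -> LAN net, gateway "*". No route-to, so the packet follows
# the routing table and is delivered to the directly connected LAN subnet.
pass in quick on $air1 inet from $air1_net to $lan_net keep state

# Rule 2: AIR1 net -> AIR1 interface address (DNS forwarder, ICMP to pfSense).
# "($air1)" is pf's syntax for "whatever address is on that interface".
# Without this rule a DNS query to the AIR1 address falls through to rule 3.
pass in quick on $air1 inet from $air1_net to ($air1) keep state

# Rule 3: everything else is policy-routed. route-to hands the packet to the
# WAN2 gateway regardless of the routing table, so a query to the AIR1 address
# that matches here is pushed out WAN2 and never reaches the forwarder, which
# is the "can't resolve, can't ping pfSense" symptom from the first post.
pass in quick on $air1 inet from $air1_net to any route-to ($wan2 $wan2_gw) keep state
```

    The order is the whole point: rule 2 has to sit above rule 3, because route-to on rule 3 overrides the routing table for anything it matches. Traffic that pfSense itself originates (IPsec, the DNS forwarder) never passes through these "pass in" rules at all and only follows the routing table, which is why the later replies need a static route for the remote tunnel endpoint rather than another firewall rule.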



  • @GruensFroeschli:

    "Sorry, totally forgot to answer that.
    I don't use that, but from what I read on this forum you need to create a static route that points to your remote WAN IP on your OPTx (WAN2).
    Search the forum for that, since there are a few threads on it :)"

    That's correct, you need a static route to the <remote-tunnel-endpoint-ip>/32 via <gateway-of-wan2>. All services running on the pfSense directly (like IPsec, a proxy, the DNS forwarder, …) only follow the routing table definitions.



  • When I set a static route to the <remote-tunnel-endpoint-ip>/32 via <gateway-of-wan2>, and change the IPsec settings on the other side towards my WAN2 IP,

    I get
    No IPsec security policies.
    No IPsec security associations.

    On the other side of the tunnel IPsec security policies are created.

    I'll switch it back to WAN; I'll look into it further tomorrow because I need to go to work now…

    Thanks for the quick help  :D

    I resumed this IPsec issue in the proper section:
    http://forum.pfsense.org/index.php/topic,8487.0.html



  • I have a similar problem using load balancing.

    I added the rules as stated:
    AIR1 (AIR2 & AIR3 have the same rules)
    Proto  Src       Port  Dest          Port  Gw    Schedule  Description
    *      AIR1 net  *     LAN net       *     *
    *      AIR1 net  *     AIR1 address  *     *
    *      AIR1 net  *     *             *     WAN2

    Except for the last one, where I used my lanloadbalance GW.
    I can now ping the LAN and AIR1 as well as resolve DNS, but AIR1 cannot access the internet.

    The LAN has always worked with balancing and failover.

