2 wans - how to direct traffic to each ?
-
Have configured 2 WAN's and I works ok.
Now I want to force a LAN ip range to only use wan2, what rules do I need to make it happen ?
Also I want to force a range of ports to only use wan2 as well .
many thanks
-
-
Am new here, but current just set this up…
Use the "gateway" option in your firewall rules to direct the traffic to the desired WAN.
-ALan
-
Setting up your IP ranges within CIDR boundaries will make the rule writing easier, too. No messy aliases to contend with.
-
thanks I read the multi wan but it inst relevant as I don't want fail over or load-balancing.
I think I have larger problem. OPT1 is not pinging outside world.
I have it set for DHCP and it is pulling an IP from the router no problem, see the shot below:
When I use the ping from diags menu I get no reply, if I chose WAN I get a reply. I know the OPT1 router is good as I have a laptop plugged into it and its fine.
help!
-
Did you read the little note below the save button about firewall rules? Gotta have a PASS rule to pass traffic.
-
thanks for the reply, I do have the default pass all rule. Do I need another one ?
-
Yeah…on your OPT1.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
please can you tell me what to put and where.
-
Ok…back to your original posting.
You have a WAN, LAN and OPT1 interfaces. You said you have 2 WANs. You need to describe your network in detail for me to be able to give you any meaningful help. All your interfaces have private addresses, so I can't really tell, all I can do is guess, and, this morning, I am a crummy guesser.
You need to make sure that block private is turned off on your two WAN interfaces, on their respective interface tab.
You also need to READ. Read how pfSense rules work. Put forth a little effort troubleshooting this yourself. Take a look at the firewall logs. They'll tell you what's happening when your packets don't make it through. -
its pretty much all there in the screenshots.
LAN 192.168.0.x
WAN 10.0.0.x - WORKS
OPT1 192.168.1.x NOT WORKS
There is no option to 'block private network' in OPT1 see the screenshot I already posted.
At this point all I want to achieve is for OPT1 to ping the outside world. I do not see why it doesn't as its settings are no different from WAN and that works.
If you can point me to a doc that explains how to make 2 wans work WITHOUT multi balancing or failover I'll gladly follow it.
-
Set your LAN hosts up in CIDR blocks, say
192.168.0.0/25
and
192.168.0.128/25Write two firewall rules on the LAN interface. Put them at the top of the list.
Write a pass rule that passes any type of traffic from 192.168.0.0/25 to any destination and any port any protocol. Click the Advanced button by Gateway and choose WAN.
Write a second pass rule that passes any type of traffic from 192.168.0.128/25 to any destination and any port any protocol. Click the Advanced button by Gateway and choose OPT1.
Save and apply.
Now, any host with an IP in the range of 192.168.0.2 to 192.168.0.126 will have their traffic go out WAN.
Any host with an IP in the range of 192.168.0.129 to .253 will go out OPT1.If you can't get traffic out OPT1 to the Internet, then you have a problem upstream of pfSense. Maybe a DNS issue, maybe whatever device is your OPT1 gateway is blocking ICMP. I don't know.
-
thanks, thats what I did but it didn't work because of the OPT1 issue.
Issue is definitely with PFsense, I plug a laptop into opt1 router and I can ping internet hosts no problem.
pfsense cant and I don't know why or where to look to find out why as it makes no sense.
As you can see below OPT1 DNS works as its resolving the hostname but no traffic.
-
Can OPT1 ping its gateway? 192.168.1.1
-
yes
-
Do you have an upstream gateway defined for OPT1?
-
thanks I read the multi wan but it inst relevant as I don't want fail over or load-balancing.
…Actually, it IS still relevant. You need to make sure you follow the directions for multi wan, including setting gateways for each, dns for each, and so on.
The only step that isn't necessary since you do not want failover or load balancing is setting up "Gateway Groups".
That way traffic will always use your default gateway, UNLESS specified to use the other gateway in your firewall rules.
I hope this helps,
-Alan
-
@KOM:
Do you have an upstream gateway defined for OPT1?
yes, the router IP and it can be pinged per my earlier screen shot.
I still can't see why pfsense is stopping traffic on OPT1.
Very frustrating.
-
Can you post a screen shot of the fw rules for Lan & OPTx.
Have you tried creating rules for OPTx to block what you dont want OPTx devices to connect to, then as the last rule create a allow everything rule. By this I mean its any to any not an any to WAN net or any to WAN address.
If you want to stop your OPTx devices from connecting to the fw, if you use DHCP pf will create a rule for the DHCP server automatically, but you will need to create a rule to allow access to the DNS (53) but immediately below that you can do a block rule for everything to the OPTx interface ip address to stop devices from connecting to anything else in the fw.
That should get you out on the OPTx interface, even if you add block rules to WAN net and WAN address before the allow everything!
-
here are the rules,