Netgate Discussion Forum

    Multi-WAN failover with access restrictions

      jasonl999

      I have a situation where a customer has WAN connections to WiFi, Cell modem, and satellite phone, and I want to set up a failover system, but one that can filter clients' (based on MAC address) permissions to certain WANs. I don't need an Apple TV watching video over a sat connection  :o

      How would I go about this in pfSense?

        kapara

        I suggest getting a nice cup of coffee…

        Oh and RTFM! :-)

        Sorry but you opened yourself to that one!

        Check out the following article... It is best to read up on it, then ask questions after showing that you made some effort; otherwise you will get no response.

        https://doc.pfsense.org/index.php/Multi-WAN

        Skype ID:  Marinhd

          jasonl999

          You are right, I did open myself up to that  :D.

          I definitely should have been more clear about my questions. I did read through the multi-WAN setup, and for the most part understand what needs to be done to get it working, with the exception of blocking certain MAC addresses from certain WANs. Assuming I have 3 WAN gateways set up properly for failover, where all clients have access, what approach should I take to limiting certain MAC addresses? My first guess would be to create aliases that contain them, but I'm not sure aliases work with them (I don't currently have a pfSense installation to play around with, it's been a couple years since I was at a company where we used it). Maybe three groups – one for each WAN – called deny_access_cell, deny_access_sat, etc. Then a rule that blocks the alias. I started reading about floating rules, and got pretty confused about where the rules should go.

          Part of the challenge is I don't currently have any hardware with 4 ethernet ports to test this with, and I want to make sure it'll work before I buy the hardware.

            Guest

            It would be best to ask one thing and then the next one, so that everything can be as clear
            as possible to all users here in the forum. Asking all questions in one thread is nice in some situations,
            but often it makes things more complicated for everybody involved except yourself. Only my 2 cents.

            If you have three WAN interfaces and one LAN interface and you would not lead the LAN clients over specific
            WAN gateways, auth. by their MAC addresses, these are two different things in my eyes, but certainly possible
            to realize. What I did not understand is the following: why do you want to filter, at the WAN interface, the MAC
            addresses coming from outside? As I understood it, you will be identifying your LAN clients by
            their MAC addresses and then routing them over a specific WAN interface or gateway. Can you please tell
            us something more about that?

            Normally, in my eyes, you would set up pfSense as follows for this:

            • create three WAN interfaces and gateways
            • choose a proper load balancing method for that
              – policy based routing
              – service based routing
              – session based routing
            • install Squid with user auth., create an account for each user and set up the MAC address there.
              (alternatively you can work with internal static IP addresses, that is also possible)
            • set up the failover rules
              (please note, if both other WAN connections stop working, all your traffic will run over
              the last one, including the Apple TV over the SAT connection if that is the last working one)

            I would try out policy based routing in your case, and then MAC auth.; then, if one or more WAN
            connections fail, all the clients would be able to route over the last one, which is not possible
            if the MAC address is bound to one specific WAN interface, as far as I know.

            sample rules for load balancing and failover (via the forum search function)
            nice HowTo for a multi WAN setup (a little bit old but well explained with many pictures)
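
Added example, not part of any post in this thread: a small Python model of first-match LAN rules with tiered gateway groups, showing when a restricted client still ends up on the satellite link after the other WANs fail. It assumes clients are identified by static IP (the alternative the last reply mentions); the gateway names, IP addresses, tiers, rule sets and the modelling of pfSense's "Skip rules when gateway is down" option are constructed for illustration.

```python
# Added illustration (not from the thread): first-match LAN rules with
# pfSense-style gateway groups. Names, IPs and tiers are constructed.
GROUPS = {
    "ALL_WANS": {"WAN_WIFI": 1, "WAN_CELL": 2, "WAN_SAT": 3},
    "NO_SAT": {"WAN_WIFI": 1, "WAN_CELL": 2},
}
RESTRICTED = {"192.168.1.50"}  # e.g. the Apple TV, pinned by a static mapping

def live_gateway(group, up):
    """Lowest-tier member of the group that is currently up, else None."""
    members = [(tier, gw) for gw, tier in GROUPS[group].items() if gw in up]
    return min(members)[1] if members else None

def egress(src, up, rules, skip_rules_when_down, default_gw):
    """Return the WAN a packet from src leaves on, or None if it is dropped."""
    for match, action, group in rules:
        if not match(src):
            continue
        if action == "block":
            return None
        gw = live_gateway(group, up)
        if gw:
            return gw
        if skip_rules_when_down:
            continue          # whole rule omitted, evaluation falls through
        return default_gw     # rule kept without a gateway: default route
    return None               # nothing matched: implicit deny

def is_restricted(ip):
    return ip in RESTRICTED

def anyone(ip):
    return True

SINGLE_GROUP = [(anyone, "pass", "ALL_WANS")]
TWO_GROUPS = [(is_restricted, "pass", "NO_SAT"), (anyone, "pass", "ALL_WANS")]
HARDENED = [(is_restricted, "pass", "NO_SAT"),
            (is_restricted, "block", None),
            (anyone, "pass", "ALL_WANS")]

if __name__ == "__main__":
    only_sat = {"WAN_SAT"}  # WiFi and cell are both down
    for name, rules in [("single", SINGLE_GROUP), ("two", TWO_GROUPS),
                        ("hardened", HARDENED)]:
        for skip in (False, True):
            out = egress("192.168.1.50", only_sat, rules, skip, "WAN_SAT")
            print(f"{name:9} skip={skip!s:5} -> {out}")
```

In this model the restricted client stays off the satellite link only when the rule is skipped while its group is down and a block rule follows it; same-tier load balancing is not modelled.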
