Hi, I've got a pfSense router with a WAN connection that has 4 interfaces:
WAN - A 200 mbs connection. This is on a /20 subnet and the other side is the default route.
LAN - This is a static routed /24 network from the company providing the 200 mbs WAN connection
COMCAST - This is a static routed /28 network from Comcast.

I set the WAN interface with a route back to Provider A, and the COMCAST interface with a route back to the Comcast gateway address. I created two gateway groups, one that has the WAN network as Tier1 and COMCAST as Tier2, and another that has COMCAST as Tier2 and the WAN network as Tier2. The instructions on the wiki say firewall rules must be added or changed to use these groups rather than the system routing. I tried changing the allow all route to use the gateway group (rather than the default of *), but this didn't seem to route packets out the COMCAST link when the WAN link was down.

I did a little bit of testing: I used the ping test and was able to ping the outside world when using WAN as the interface, but when I changed the interface to COMCAST, I could only ping the Comcast gateway (as if the packets would not route). From an external host, I was able to do an ICMP ping to the COMCAST interface, but was not able to do a UDP ping or make a TCP connection.

Questions:

I think I missed a step in the whole "add a firewall rule for the gateway group" process, which seems more like a "solution left as exercise for the reader". What do I need to do to get gateway groups working on the firewall?

When using ping, when I pick the interface, does it work like a Cisco, where the source IP is the interface address and the next hop router would be the interface's router, in this case the Comcast gateway?

When I have squid running and bound to the LAN interface, I'd like the system to use whichever WAN/COMCAST interface is currently up and working. I want that to be the WAN interface unless it is down.

When the WAN interface is down, I'd like to be able to ssh/https to the COMCAST interface address to see what is going wrong.
Can I set up the system to work like this?

Thank you for any ideas as to what I might have done wrong,

Walter

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis