Walter did you get all your questions answered?
I just set this up (Charter ethernet handoff/ATT PPPoE) and there are
some nuances in the fw rules and routing that were not so intuitive. Let me
know if you need a hand. I'd be happy to webex and show you what I have.
Hit me off list ([email protected]).
-W
On Wed, Dec 4, 2013 at 2:57 PM, Walter Parker <[email protected]> wrote:
> Hi,
>
> I've got a pfSense router with a WAN connection that has 4 interfaces:
>
> WAN - A 200 mbs connection. This is on a /20 subnet and the other side is
> the default route.
> LAN - This is a static routed /24 network from the company providing the
> 200 mbs WAN connection
> COMCAST - This is a static routed /28 network from Comcast.
>
> I set the WAN interface with a route back to Provider A, and the COMCAST
> interface with a route back to the Comcast gateway address. I created two
> gateway groups, one that has the WAN network as Tier1 and COMCAST as Tier2, and
> another that has COMCAST as Tier2 and the WAN network as Tier2. The
> instructions on the wiki say firewall rules must be added or changed to use
> these groups rather than the system routing. I tried changing the allow all
> route to use the gateway group (rather than the default of *), but this
> didn't seem to route packets out the COMCAST link when the WAN link was
> down.
>
> I did a little bit of testing: I used the ping test and was able to ping
> the outside world when using WAN as the interface, but when I changed the
> interface to COMCAST, I could only ping the Comcast gateway (as if the
> packets would not route). From an external host, I was able to do an ICMP
> ping to the COMCAST interface, but was not able to do a UDP ping or make a
> TCP connection.
>
> Questions:
>
> I think I missed a step in the whole "add a firewall rule for the gateway
> group" process, which seems more like a "solution left as exercise for the
> reader", what do I need to do to get gateway groups working on the firewall?
>
> When using ping, when I pick the interface, does it work like a Cisco,
> where the source IP is the interface address and the next hop router would
> be the interface's router, in this case the Comcast gateway?
>
> When I have squid running and bound to the LAN interface, I'd like the
> system to use whichever WAN/COMCAST interface is currently up and working. I
> want that to be the WAN interface unless it is down.
>
> When the WAN interface is down, I'd like to be able to ssh/https to the
> COMCAST interface address to see what is going wrong. Can I set up the
> system to work like this?
>
>
> Thank you for any ideas as to what I might have done wrong,
>
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
>
>
--
Wade Blackwell
Solutions Architect
(D) 805.457.8825 X998
(C) 805.400.8485
(S) coc.wadeblackwell
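Editor's note, added to the archived thread and not part of either message or of pfSense's generated ruleset: the pf.conf shape that the GUI steps in the question map to. pfSense writes these rules itself from Firewall > Rules; the point is what "set the rule's Gateway to a gateway group" actually does, and why a rule that accepts connections on the Comcast interface needs reply-to. Interface names, addresses, gateway IPs and the admin host table are assumptions (TEST-NET ranges), not values from the thread.

```pf
# Added example, hand-written in pf.conf syntax; pfSense generates its own
# equivalent. All names and addresses below are assumed for illustration.
wan_if     = "igb0"          # Provider A handoff, /20, carries the default route
comcast_if = "igb1"          # Comcast, static-routed /28
lan_if     = "igb2"          # static-routed /24 from Provider A
wan_gw     = "203.0.113.1"   # assumed Provider A gateway (TEST-NET-3)
comcast_gw = "198.51.100.1"  # assumed Comcast gateway (TEST-NET-2)

# Hosts allowed to reach the firewall's management ports from outside.
# Keep this a short list rather than "any": ssh/https on a public address
# should be least-privilege even when it is only a fallback path.
table <mgmt_hosts> { 192.0.2.10 }    # assumed admin source

# LAN pass rule with policy routing. Choosing a gateway (or gateway group)
# in the GUI turns into route-to here. With the default "*" gateway the rule
# has no route-to, so LAN traffic follows the system routing table and only
# ever leaves via Provider A, which matches the symptom in the question.
# pf itself knows nothing about tiers: pfSense's gateway monitor marks the
# Tier1 gateway down and regenerates this rule pointing at the Tier2 gateway.
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet \
    from $lan_if:network to any keep state

# Traffic that originates on the firewall (the GUI ping tool, squid) is not
# matched by rules on $lan_if, so a LAN route-to rule does not steer it; the
# ping tool's "source interface" only picks the source address.

# Management on the Comcast address while WAN is down. reply-to pins the
# replies of a state created on $comcast_if to the Comcast gateway instead of
# the default route via Provider A; asymmetric replies (Comcast source address
# leaving through Provider A) are commonly dropped upstream. ICMP gets the
# same treatment so the echo test and the TCP test behave alike.
pass in quick on $comcast_if reply-to ($comcast_if $comcast_gw) inet proto tcp \
    from <mgmt_hosts> to ($comcast_if) port { 22 443 } keep state
pass in quick on $comcast_if reply-to ($comcast_if $comcast_gw) inet proto icmp \
    from any to ($comcast_if) icmp-type echoreq keep state
```

To check what pfSense actually generated, `pfctl -sr | grep -E 'route-to|reply-to'` on the box shows whether the LAN rule carries a route-to at all and which gateway it currently points at; if the COMCAST interface rules show no reply-to, the "Disable reply-to" option is the first thing to look at.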