Re: [pfSense] Multi-WAN network access
Make sure you have outbound NAT rules for both WAN and COMCAST.

----- Original Message -----
From: Walter Parker walt...@gmail.com
To: pfSense support and discussion list@lists.pfsense.org
Sent: Wednesday, December 4, 2013 5:57:41 PM
Subject: [pfSense] Multi-WAN network access

> [quoted copy of Walter's original message; the full post appears at the end of this thread under "[pfSense] Multi-WAN network access"]

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
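The reply above boils down to a checklist: every WAN-side interface needs an outbound NAT rule for the LAN subnet, the LAN pass rule must carry a route-to for the gateway group, and pass rules on the secondary WAN need reply-to so that answers to inbound connections leave through that WAN's own gateway. The script below is an added example, not something posted in the thread or shipped by pfSense: it reads the text of `pfctl -s nat` and `pfctl -s rules` (constructed sample output here, with assumed interface names em0 = WAN, em1 = LAN, em2 = COMCAST and RFC 5737 addresses) and reports which of those three conditions is missing.

```shell
#!/bin/sh
# Added audit script (not from the thread or from the pfSense project).
# Feed it the output of `pfctl -s nat` and `pfctl -s rules` from a pfSense box
# and it reports WAN interfaces that lack outbound NAT for the LAN subnet,
# WAN gateways no rule policy-routes to, and secondary-WAN pass rules without
# reply-to. All names and addresses below are constructed sample values.

LAN_NET="192.168.1.0/24"
WAN_IFACES="em0 em2"          # assumed: em0 = WAN (Provider A), em2 = COMCAST

# Constructed sample of `pfctl -s nat`: em0 is NATed, em2 has been forgotten.
SAMPLE_NAT='nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535'

# Constructed sample of `pfctl -s rules`: the LAN pass rule policy-routes to
# both gateways, and the COMCAST ssh rule carries reply-to.
SAMPLE_RULES='pass in quick on em1 route-to { (em0 203.0.113.1), (em2 198.51.100.1) } inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on em2 reply-to (em2 198.51.100.1) inet proto tcp from any to 198.51.100.2 port = 22 flags S/SA keep state'

# has_outbound_nat NAT_TEXT IFACE NET -> true if a "nat on IFACE ... from NET" rule exists
# (NET is used as a regex; the dots match any character, which is fine for a check)
has_outbound_nat() {
    printf '%s\n' "$1" | grep -q "^nat on $2 .*from $3 "
}

# has_route_to RULES_TEXT IFACE -> true if some rule's route-to list names IFACE
# (matches both "route-to (em0 gw)" and "route-to { (em0 gw), (em2 gw) }")
has_route_to() {
    printf '%s\n' "$1" | grep -q "route-to .*($2 "
}

# has_reply_to RULES_TEXT IFACE -> true if a pass rule on IFACE sends replies back via IFACE
has_reply_to() {
    printf '%s\n' "$1" | grep -q "^pass in .* on $2 reply-to ($2 "
}

# missing_outbound_nat NAT_TEXT -> prints WAN interfaces lacking a NAT rule for LAN_NET
missing_outbound_nat() {
    _missing=""
    for _if in $WAN_IFACES; do
        has_outbound_nat "$1" "$_if" "$LAN_NET" || _missing="$_missing $_if"
    done
    printf '%s\n' "${_missing# }"
}

# missing_route_to RULES_TEXT -> prints WAN interfaces that no rule policy-routes to
missing_route_to() {
    _missing=""
    for _if in $WAN_IFACES; do
        has_route_to "$1" "$_if" || _missing="$_missing $_if"
    done
    printf '%s\n' "${_missing# }"
}

# audit NAT_TEXT RULES_TEXT -> prints findings; returns 1 if anything is missing
audit() {
    _rc=0
    _n=$(missing_outbound_nat "$1")
    if [ -n "$_n" ]; then echo "MISSING outbound NAT for $LAN_NET on: $_n"; _rc=1; fi
    _r=$(missing_route_to "$2")
    if [ -n "$_r" ]; then echo "MISSING route-to for gateway on: $_r"; _rc=1; fi
    for _if in $WAN_IFACES; do
        has_reply_to "$2" "$_if" || echo "NOTE: no reply-to pass rule on $_if (inbound admin access via $_if will not answer)"
    done
    [ $_rc -eq 0 ] && echo "outbound NAT and policy routing present for all WAN interfaces"
    return $_rc
}

# Run against the constructed samples; on a real box use:
#   audit "$(pfctl -s nat)" "$(pfctl -s rules)"
audit "$SAMPLE_NAT" "$SAMPLE_RULES"
```

With the sample data the script reports that em2 (COMCAST) has no outbound NAT rule, which matches the symptom of being able to reach only the Comcast gateway from that interface: packets leave with a LAN source address that the upstream will not route back. Adding the em2 NAT line clears the finding.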
Re: [pfSense] Multi-WAN network access
Walter, did you get all your questions answered? I just set this up (Charter ethernet handoff/ATT PPPoE) and there are some nuances in the fw rules and routing that were not so intuitive. Let me know if you need a hand. I'd be happy to webex and show you what I have. Hit me off list (wade.blackw...@bablam.com).

-W

On Wed, Dec 4, 2013 at 2:57 PM, Walter Parker walt...@gmail.com wrote:

> [quoted copy of Walter's original message; the full post appears at the end of this thread under "[pfSense] Multi-WAN network access"]

--
Wade Blackwell
Solutions Architect
(D) 805.457.8825 X998
(C) 805.400.8485
(S) coc.wadeblackwell
[pfSense] Multi-WAN network access
Hi,

I've got a pfSense router with a WAN connection that has 4 interfaces:

WAN - A 200 mbs connection. This is on a /20 subnet and the other side is the default route.
LAN - This is a static routed /24 network from the company providing the 200 mbs WAN connection.
COMCAST - This is a static routed /28 network from Comcast.

I set the WAN interface with a route back to Provider A, and the COMCAST interface with a route back to the Comcast gateway address. I created two gateway groups, one that has the WAN network as Tier1 and COMCAST as Tier2, and another that has COMCAST as Tier2 and the WAN network as Tier2.

The instructions on the wiki say firewall rules must be added or changed to use these groups rather than the system routing. I tried changing the allow all route to use the gateway group (rather than the default of *), but this didn't seem to route packets out the COMCAST link when the WAN link was down.

I did a little bit of testing: I used the ping test and was able to ping the outside world when using WAN as the interface, but when I changed the interface to COMCAST, I could only ping the Comcast gateway (as if the packets would not route). From an external host, I was able to do an ICMP ping to the COMCAST interface, but was not able to do a UDP ping or make a TCP connection.

Questions:

I think I missed a step in the whole "add a firewall rule for the gateway group" process, which seems more like a solution left as an exercise for the reader. What do I need to do to get gateway groups working on the firewall?

When using ping, when I pick the interface, does it work like a Cisco, where the source IP is the interface address and the next hop router would be the interface's router, in this case the Comcast gateway?

When I have squid running bound to the LAN interface, I'd like the system to use whichever WAN/COMCAST interface is currently up and working. I want that to be the WAN interface unless it is down. When the WAN interface is down, I'd like to be able to ssh/https to the COMCAST interface address to see what is going wrong. Can I set up the system to work like this?

Thank you for any ideas as to what I might have done wrong,

Walter

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis