I have a customer with a setup that sounds very similar to what you are
describing. They have 2 WAN type connections. The first is an SDSL
line that is used for IPSEC and other general WAN stuff. The second is
an ADSL line that they use to feed their proxy server/content filter.
They don't have any load balancing or failover setup. They do, however,
have a single rule in their firewall config that directs all traffic
from the content filter to use the ADSL connection.
In order to set this up correctly for them, I first read the information
available here:
http://www.pfsense.com/mirror.php?section=tutorials/policybased_multiwan/policybased_multiwan.pdf
Then, I set up the following rule on the LAN interface protocol page:
Proto -- *
Source -- Lan IP of Proxy/content filter
Destination -- *
Port -- *
Gateway -- The Default Gateway of the ADSL connection -- Note: This is
the actual ADSL interface's gateway, not the IP of the ADSL interface
itself.
All the proxy server's Internet traffic now goes out through the ADSL
interface. Even cooler than that, when the remote VPN'd sites request
stuff from the proxy, the firewall is smart enough to allow the proxy
server to answer back to the remote sites via the VPN interface (which
is WAN, not ADSL). Hope this helps.
Vaughn Reid III
Robert Goley wrote:
Just leave off the steps for creating the pools and skip straight to setting
your LAN rules. All you should have to do to send the traffic for the one
application is define a couple of rules based on either source IP on the LAN,
Destination IP, or destination ports that application uses. You will set
these rules to the gateway of your OPT1 connection. This rule will need to
be higher in the list than the default traffic rule. Leave the default
traffic rule set to the gateway of your WAN connection.
Robert
On Thursday 05 April 2007 18:06, Jaye Mathisen wrote:
Yeah, I read that. But I don't want load balancing or failover.
Logging in via shell shows the routing is set right, in that the
default route is still WAN.
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 70.58.179.174 UGS 0 837 sis0
I created an OPT1 interface, set it to DHCP. Went to firewall rules
and added a rule that sent proto:any, source:*, Port *, dest 4.2.2.2,
port *, Gateway OPT1.
# User-defined rules follow
pass in quick on $lan from 192.168.0.0/24 to any keep state label "USER_RULE: Default LAN -> any"
pass in log quick on $lan route-to ( sis2 192.168.100.1 ) from any to { 4.2.2.2 } keep state label "USER_RULE"
But all traffic is now going out the OPT1 interface, instead of just
traffic to 4.2.2.2
Tracing route to pfsense.org [69.64.6.13]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 * * * Request timed out.
3 38 ms 38 ms 39 ms 67.42.192.195
4 36 ms 36 ms 35 ms 67.42.192.125
5 35 ms 36 ms 35 ms 205.171.150.33
What's weirder is that the ISP on OPT1 is allowing the
traffic packets with my WAN interface IP to pass through
it. It doesn't appear to be nat'd to the OPT1 interface
IP either...
On Thu, Apr 05, 2007 at 11:38:27PM +0200, Holger Bauer wrote:
http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing
Holger
-----Original Message-----
From: Fuchs, Martin [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 05, 2007 11:13 PM
To: [email protected]
Subject: AW: [pfSense Support] OK, I think this is simple...
I don't have this config, but I could imagine it works with the gateway
option (select a gateway different than default). Perhaps it might be
necessary to define a pool or else for that...
Just try a bit :-)
Regards, Martin
-----Original Message-----
From: Jaye Mathisen [mailto:[EMAIL PROTECTED]
Sent: Thursday, 5 April 2007 22:53
To: [email protected]
Subject: [pfSense Support] OK, I think this is simple...
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
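As an added example (not code from the thread or from pfSense), a small model of how pf chooses between the two quoted LAN rules under its first-match-on-quick semantics, which is the ordering point Robert makes; the regex parser and the packet addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    quick: bool
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    gateway: Optional[str]                # route-to next hop; None = default route
    label: str

# Matches the shape of the pfSense-generated LAN rules quoted in the thread.
RULE_RE = re.compile(
    r"pass in (?P<opts>(?:log |quick )*)on \S+ "
    r"(?:route-to \( (?P<iface>\S+) (?P<gw>\S+) \) )?"
    r"from (?P<src>\S+) to \{?\s*(?P<dst>[\w./]+)\s*\}? .*label \"(?P<label>[^\"]*)\""
)

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised rule: {line}")
    net = lambda s: None if s == "any" else ipaddress.ip_network(s, strict=False)
    return Rule(quick="quick" in m.group("opts").split(), src=net(m.group("src")),
                dst=net(m.group("dst")), gateway=m.group("gw"), label=m.group("label"))

def select_gateway(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """pf semantics: a matching 'quick' rule ends evaluation immediately;
    without 'quick' the last matching rule wins. Returns the route-to gateway
    the winning rule forces, or None when the system default route applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for r in rules:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            winner = r
            if r.quick:
                break
    return winner.gateway if winner else None

# Constructed copies of the two user rules quoted in the thread.
DEFAULT_RULE = ('pass in quick on $lan from 192.168.0.0/24 to any keep state '
                'label "USER_RULE: Default LAN -> any"')
POLICY_RULE = ('pass in log quick on $lan route-to ( sis2 192.168.100.1 ) '
               'from any to { 4.2.2.2 } keep state label "USER_RULE"')

def as_posted() -> List[Rule]:      # order as quoted: default rule first
    return [parse_rule(DEFAULT_RULE), parse_rule(POLICY_RULE)]

def policy_first() -> List[Rule]:   # order Robert recommends: policy rule on top
    return [parse_rule(POLICY_RULE), parse_rule(DEFAULT_RULE)]
```

It models only the two user rules and ignores pfSense's generated rules, NAT and the reply-to handling Vaughn describes, so it shows the ordering effect rather than the poster's observed behaviour.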