Hi!
I have read a lot of posts (not all) to try to figure out what I'm doing wrong. I probably missed the posts with the answer!
My specific scenario is maybe a bit odd.
I'm running pfSense 2.0.1
I have a PC with 5 NICs.
1 is for LAN and 4 are for WAN.
My ISP gives me up to 5 DHCP addresses, and each IP address is limited to 20 Mbit. They do sell it as a 100 Mbit Internet connection, which is right if you combine all 5 addresses.
That's why I'm trying to load balance over the 4 NICs (if I get this to work I will get one more interface).
All WAN NICs use the same Default GW.
I would also like to be able to set up Dynamic DNS on each WAN interface.
Before I tried to set up this pfSense firewall I used 5 TP-Link TL-R460 routers (http://www.tp-link.com/en/products/details/?model=TL-R460) connected to the same 192.168.0.0 network, mostly to be able to use 5 IP addresses with Dynamic DNS; then I used port forwarding to different computers and ports on the 192.168.0.0 network.
So this is what I have done in pfSense.
First I assigned and enabled all interfaces, and changed the names from OPTx to WAN2 to WAN4, and I renamed WAN to WAN5.
All WAN interfaces are configured as Type DHCP and to block Private Networks. Everything else is blank.
Under System -> Routing I have 4 Gateways named WAN2GW, WAN3GW, WAN4GW and WAN5GW, one for each interface with the same Gateway IP, but separate Monitor IPs that are pointing to public sites.
WAN5GW is my Default GW
In Groups I have one group called Out where all WANxGW are marked as Tier 1 and Trigger Level is set to "Member Down".
In System -> General Setup I have a Hostname and a domain. No DNS servers specified, but I "Allow DNS server list to be overridden by DHCP".
Going to System -> Advanced and the tab Firewall/NAT, I have "Bypass firewall rules for traffic on the same interface" under Firewall Advanced, and I have "Disable NAT Reflection for port forwards" and "Disable NAT Reflection for 1:1 NAT" marked under Network Address Translation.
In the tab for Networking I have checked "Disable hardware TCP segmentation offload" and "Disable hardware large receive offload".
In the tab Miscellaneous I have checked "Allow default gateway switching".
And no changes under the tab for System Tunables.
Then off to Firewall and NAT, where I have nothing under Port Forward yet, and nothing under 1:1.
Under the tab for Outbound I have changed mode from Automatic to Manual and pfSense has created manual mappings for me. Three for each WAN interface:
Auto created rule for ISAKMP - LAN to WAN5
Auto created rule for LAN to WAN5
Auto created rule for localhost to WAN5
And so on for each interface. The reason I did this was a post about problems with Automatic rules in pfSense 1.2.3.
If we switch over to Firewall and Rules, I have no Floating rules. For each WAN interface I have the rules to "Block private networks" and "Block bogon networks".
In the tab for LAN I have the standard "Anti-Lockout Rule" and the "Default allow LAN to any rule".
I also added a rule for ICMP to 172.194.32.5 (google.com) which is set to use WAN4GW; this is only for testing if ping goes through WAN4GW instead of WAN5GW, which is the Default GW.
In my Dashboard I see all 5 Interfaces with a Green up arrow and a DHCP Address for each WAN interface.
Under Status -> Interfaces all WAN interfaces look the same except for WAN5, which has an extra row with ISP DNS servers. This makes me wonder what happens if WAN5 goes down. In my case that's not likely to happen because all WAN NICs are connected to the same switch. But the monitor IP for WAN5 may go down while my ISP actually is up?
Over to System -> Gateways, there is only WAN5GW (Default GW) Online with RTT 45.191ms and Loss 0,0%, while WAN4GW, WAN3GW and WAN2GW are Offline and all have RTT 0.000ms and Loss 100.0%.
If I check under Services -> DNS Forwarder I only have "Enable DNS forwarder".
And at Services -> Dynamic DNS only WAN5 is green and has the correct IP, while WAN4, WAN3 and WAN2 are red with IP 0.0.0.0.
If I try to ping google.com from my computer on the LAN network it works fine if I don't enable the rule for ICMP to google.com through WAN4GW; when I enable the rule it stops working.
I guess I have missed some major settings, or is it not possible to have Multi-WAN through the same Gateway?
Please help before I lose all my hair!
A long post, but I guess you need more information. Let me know and I will get it.
///Peter!