Comments on Martin's Random Notes: Multi-WAN + Multi-LAN + No-NAT routing with pfSense 2.0.1
(22 comments, newest first; comment feed last updated 2023-11-15)

Martin (2013-09-13 12:55):

I don't know for sure, but I would think the practical limit would be the number of physical NICs (or VLANs) in your system. If in doubt, ask on the pfSense forums.

Thiago Beier (2013-09-09 03:39):

Hi guys, is there a limit for the maximum number of NICs (or ISPs) supported to set up with multi-WAN?
Regards,
Thiago

Martin (2013-07-12 13:05):

Hi,

VLANs are no problem. I seem to recall once running pfSense with just one physical NIC by using VLANs.

There's a good chance it will do what you want. I know you can set the NAT mappings up manually (though I don't use NAT myself).

The software is free so just give it a go. Almost any old PC is good enough for testing.

The pfSense message boards are good for support if you get stuck.

- Martin

Anonymous (2013-07-11 15:21):

Hi Martin,

Firstly, thanks for the great tutorial.

I am trying to set up a kind of hosting environment. What I want to do is: I have several class C IP addresses, each with its own gateway, and I have several virtual servers. I have a connection to the provider via an Ethernet connection.

I want to use static NAT for each virtual server, and I want to use VLANs on both the WAN and LAN ports on pfSense. With policy-based routing, each virtual server will use its separate gateway.

I am not even sure if pfSense supports this kind of setup, but as far as I know pfSense is the only option for advanced stuff.

Martin (2013-02-27 18:03):

Hi, yes that's easy. Define your two WAN gateways in pfSense, then define two Gateway Groups giving the gateways the right way round for each traffic group.

Then in your LAN egress firewall rules, above the default allow rule, stick in some TCP-port-number-specific egress rules that specify the correct Gateway Group for that class of traffic.

I may have got the terminology a bit wrong but that's the gist of it. Pretty easy really.

John (2013-02-27 10:56):

Hey, I'm using two WAN connections. My question is: I want to use these two WAN connections separately. One is for email and the other connection is for surfing the Internet. When one connection goes down, the other should automatically be shared for both services. Can pfSense help with this network?

sreerajuv (2012-10-02 08:21):

http://linuxhotcoffee.blogspot.in/2012/09/pfsense-201-dual-wan-configuration.html

Martin (2012-08-17 01:21):

For financial reasons, I have terminated the second ADSL line now :-(

Looking back at the experience, the limitations were...

1. Two uplinks to the same ISP. Buggy (not fully supported) in pfSense 2.0.1 if both uplinks have the same next-hop IP.

2. Two uplinks to different ISPs. Supported in pfSense. However, for a hosting setup this is useless unless you have a public /24 IP block. Because you need to run BGP if you want to make your hosting IP block accessible via two different ISPs.

But, if you simply want to provide a resilient form of Internet access, then pfSense multi-WAN is just great - and using two different ISPs is the way to go.

Regards

- Martin

Anonymous (2012-08-16 14:42):

Awesome dude... Martin you just ROCK man......!

Great Stuff,

Regards,
India

Hosting Chile (2012-08-14 22:00):

Excellent tutorial.
Thanks.

Anonymous (2012-08-13 22:44):

Great project you had.

Martin (2012-06-01 13:05):

You need a bigger IP block allocation, in order to lose the NAT.
 115.193.XXX.193 - router WAN IP?
 115.193.XXX.194 - pfSense gateway WAN IP? (You should NOT be able to browse the pfSense GUI from the Internet!)
 115.193.XXX.195 - usable IP
 115.193.XXX.196 - usable IP
 115.193.XXX.197 - usable IP
 115.193.XXX.198 - usable IP

In No-NAT mode, your pfSense would have a WAN subnet (outside) and a LAN subnet (inside), and you would configure a static route on the router so that it knew the public LAN IP range was reached through the pfSense WAN IP.

But your existing IP block is too small to split into LAN and WAN subnets.

With only your existing IP block, you could try using pfSense as a Layer 2 Transparent Bridge:
 http://pfsense.trendchiller.com/transparent_firewall.pdf

But if you want BGP (for full resilience), then you need an extra /24 IP block anyway (in addition to your router and firewall WAN IPs).

BGP is difficult to secure (attackers can send fake BGP adverts claiming your IP block), so if it was me, I'd be tempted to have two lines to the same ISP (and just accept that ISP as a single point of failure). Perhaps the ISP can offer private BGP or some other private routing protocol to manage the dual feed. Then you could use a smaller IP block, perhaps a /27 or a /28 to begin with.

You could do all your BGP on one box. But in your place, I would use several cheap old boxes (ideally booting from Compact Flash cards) to give a redundant failover setup, where the network continues working even if some boxes break down. You should read up about CARP and VRRP. I believe CARP is well supported on pfSense these days, but I haven't used it myself.

You need to do some serious reading to grow your technical knowledge. Maybe set up a test network with some cheap old boxes from eBay. pfSense and Quagga will run on really old hardware, if you are just testing.

Sorry, I don't have time to help you any further.

vishu (2012-06-01 11:04):

Dear Martin,

Thanks for your reply. This paves the way for my future research.
I will try to turn off the NAT, but does this affect the accessibility of my servers? Right now, for particular ports, I have defined NAT, for example 115.193.XXX.197:80 >> 192.168.1.7:80 (web server). So should I assume these will continue to work properly?

Another query: I just quickly did some Google searching. Could I use pfSense for BGP (http://doc.pfsense.org/index.php/OpenBGPD_package), and is it necessary to have three different machines running to get BGP done for two ISPs?

I don't want to use Cisco, as right now I am a start-up and can't afford such costly affairs.

Martin (2012-05-31 17:46):

Taking the easy one first...

a) How to turn off NAT...

From the pfSense docs: To completely disable NAT to have a routing-only firewall, do the following.

 * Go to the Firewall -> NAT page, and click the Outbound tab.
 * Select the option "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save.
 * Remove all automatically generated NAT rules at the bottom of the screen.
 * Apply changes.

It could make the routing easier to configure in pfSense if you ask the ISP to give you a subnet of public IPs that are separate from the WAN IP of the router itself. That way, your pfSense has a single IP on the WAN interface, and a block of public IPs on the LAN interface.

But, turning off NAT is the easy thing!

b) How to keep your servers accessible from the web, even when one ISP link goes down.

pfSense Multi-WAN is not enough in your situation. By default, the public IP block for your web servers only has one upstream route for incoming connections. pfSense Multi-WAN can give you resilient *outbound* internet access, but not resilient *inbound* internet access (unless both uplinks use the same ISP, and the ISP does failover routing).

For true resilient routing (inbound and outbound) with two ISPs, you need to use BGP. I've never done it myself, but you need to get your router (Cisco or pfSense or whatever) to send BGP route announcements down both your links. Then ISP routers all over the internet learn the best upstream router IPs to use to reach your public IP block at any time. If one leg fails, the BGP announcements stop going down that leg, and the ISP routers stop using the dead leg.

You would need a block of 256 IPs (i.e. a /24 block) as that's the smallest block that will get BGP announced round the Internet. I think you also need to get an AS (autonomous system) number. And you must make sure that both ISPs allow you to send BGP announcements (as some ISPs filter them for security).

I think there is a way to publish a list of valid upstream AS numbers (that is, to say what your normal upstream ISPs are), to prevent a third party attacker from sending fake BGP announcements and thereby stealing your traffic and your /24 IP block!

c) Any other suggestions...

If you want to provide real resilient commercial hosting, you need to buy a good book about routing protocols.

You might be better off using two routers for your BGP (one router for each ISP). Those routers could be Ciscos, or for development & testing they could be old PCs running the free routing package Quagga.

You could host Quagga on pfSense, but to begin with it is probably a lot easier to do a minimal install of FreeBSD or Linux, and use that. So, for example you could have two PCs doing the BGP routing in Quagga on FreeBSD. Then you would have an Ethernet switch. Then your pfSense firewall, running some kind of routing protocol (OSPF perhaps?) to control which of your Quagga routers it should use for outbound connections. Or you could use three Quagga routers and just forget about pfSense (or just use it in Layer 2 mode as a transparent packet filter in front of your actual Web servers).

This is all quite complicated, and certainly beyond my practical experience. It would be great fun to try though, if you can get a /24 IP block allocated to you! You just need to learn about routing protocols first. You can do that in a cheap test lab (just some old PCs, Ethernet switches, etc.) before you commit yourself to spending the money to do it for real.

For starting out on a small scale, I would suggest testing with Quagga (open-source) routers for all the routing protocols. Unless you have lots of money, Cisco routers often work out too expensive, because Cisco charges lots of money for firmware upgrades and access to the more useful parts of the Cisco website. Old PCs are cheap - you just need reliable kit, and good network cards like Intel.

Hope this helps - and good luck!

- Martin

vishu (2012-05-31 08:24):

Hi Martin,

Just thought to take your valuable advice, as your blog is somewhere near to what I am looking for. Please have patience, as I am trying my best to explain the whole situation.

First, my present condition:
ISP (Internet Service Provider):
I have two ISPs which are totally different from each other.
a) Tikona Digital Network: giving me 2Mbps dedicated 1:1 connectivity with
115.193.XXX.193 - where this is the WAN IP
115.193.XXX.194 - used as the pfSense gateway; using this I am able to browse my pfSense on the Internet.
115.193.XXX.195 - usable IP
115.193.XXX.196 - usable IP
115.193.XXX.197 - usable IP
115.193.XXX.198 - usable IP

b) Tata Communication Ltd.: This I have recently purchased, as I need more bandwidth and an alternative if one ISP goes down due to local disturbance such as wire cuts etc.
2Mbps dedicated 1:1 connectivity with A - where this is the WAN IP
Another difference is they have a different gateway for the usable IPs & of course the series of IPs is also different. That I didn't understand.
B - Is this also going to point to the same pfSense machine, or can I use this on some server?
C - usable IP
D - usable IP
E - usable IP
F - usable IP

Purpose of having all this:
I want to create & run a small data center where I will provide servers, cloud hosting, website hosting etc., using physical / virtual boxes. Or, to put it in a more professional manner, I want to become an IaaS provider.

To start with, I host my own company website & its needed infrastructure within my premises, most essentially 2 name servers (2 Windows DNS 2008 R2 in a virtual environment).
a) For this I have my own domain (.com) registered with GoDaddy, where I registered my two nameserver hosts as {115.193.XXX.195 - (NS1.abc.com)} and {115.193.XXX.196 - (NS2.abc.com)}. In the local network these servers have the following IPs: 192.168.1.5 & 192.168.1.6.
b) I also have one web server (1 Windows Web Edition 2008 R2 in a virtual environment) bound to the IP {115.193.XXX.197 - usable IP - (Web1)}, which locally has IP 192.168.1.7.
c) I am still left with one more IP, where I put another Linux VM for trials for my customers. It runs on 115.193.XXX.198 & locally 192.168.1.8.

In pfSense I created virtual IPs so that it starts acknowledging the IPs provided by the first ISP. So, by looking at the above setup you can guess that I use NAT-based routing to allow traffic coming from the outside world to my servers.

I started with the first ISP 4-5 months back & using various Google links etc., somehow I set up my NAT-based routing. NAT-based routing was not my obvious choice, as at that point in time I didn't know where to start, or even whether any other way existed.

From the above setup you can also guess that I have three interfaces configured in pfSense:
a) WAN-1 interface (onboard Ethernet adapter) - incoming <-- first ISP connection
b) WAN-2 interface (PCI card based D-Link Ethernet adapter) <-- second ISP connection
c) LAN-0 interface (PCI card based Realtek Ethernet adapter) --> connected to local D-Link switch

From the switch I have connected all my machines, for example the servers discussed above.

Last thing: taking ideas from a few Google links, I implemented my multi-WAN setup, and the result is that if I lose my first connection then traffic from my internal network to the outside world switches over to the other ISP automatically, or vice versa.

Now, what I actually want is: if one ISP goes down, let's suppose the first ISP, then my most important servers, like the 2 name servers & one web server, should remain accessible from the outside world. Or more precisely, the IPs given by the first ISP should remain accessible even if their own WAN goes down.

My pinpoint questions are:
a) What can I correct in order to first escape from NAT-based routing to public IPs?
b) How can I achieve always-on access to my servers even when one of my ISPs goes down?
c) Any other suggestions which I should take care of, in terms of pfSense, as I am going to grow further as an IaaS provider?

html5 video player (2012-04-14 08:16):

Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write-ups. Thanks once again.

portable wireless router (2012-03-11 13:29):

Great tutorial on multi-WAN pfSense. Thank you for your great input!

Martin (2012-02-02 21:59):

Hi, there's a good chance your Orange card will just work, especially if it's something common like a Huawei device. Definitely worth a go!

Anonymous (2012-02-02 18:02):

I'm trying to remotely set up an Orange 3G+ USB modem and am wondering if we can directly plug it into a pfSense box's USB port (Supermicro Atom) and start configuring it? Good article and thanks.

Daniel (2012-01-23 19:24):

Thanks Martin,

Your setup is very advanced... :) I was looking for something easy to implement and maintain, and I wasn't sure how to add a second subnet to my network...

I've decided to have 2 separate networks that join in pfSense.
What I did was to add a total of 3 NICs to my server, 1 for the WAN and 2 for LANs. One of the LANs was renamed to VOICE. The LAN was set as 192.168.10.1 and the VOICE as 192.168.11.1. The Trixbox is 192.168.11.2. Now I have separate traffic on the LANs sharing a single access point feeding on fibre.

Regards,
Daniel

Martin (2012-01-16 22:39):

Hi, not entirely sure I understand what you wish to know, but I'll explain a bit more about the implementation of my network.

The Voice server and the Hosting web/mail server are set up on different subnets, so that I could add VOIP handsets and more servers (and maybe HTTPS instances) at a later date, while keeping Voice and Hosting apart for security reasons - so that if someone ever compromises one machine, that doesn't give them a platform from which to attack the others - in other words, defence in depth. You could do this more simply if you didn't have plenty of IP address blocks to play with, or if you weren't as paranoid as me.

You could implement this using normal LANs if your firewall had enough Ethernet ports. But I thought it would be neat to create a VLAN trunk from pfSense, containing all the subnets I needed. So the two ADSL PPP modems use normal Ethernet ports on the pfSense firewall, but all the other subnets (LAN, Voice, Hosting, Pentest) exist as VLANs via the trunk port. I have a Cisco Small Business SG200-26 managed switch in the rack. This is a small, cheap, fanless alternative to the classic Cisco Catalyst switch that you see in datacentres. It seems entirely adequate for small-scale use.

So, the first Ethernet port on the pfSense firewall is a VLAN trunk to the Cisco switch. Frames to and from the various subnets are tagged with the relevant VLAN number and sent down the trunk. The switch then uses the VLAN tag number to forward the packet to the correct switch port(s) for the VLAN in question. The VLAN tag is stripped off before the packet is retransmitted onto the relevant switch ports. You just use the switch management GUI to define which switch ports you want to be in which VLAN. For debugging or intrusion detection, there's also a SPAN (Mirror) port: this is a read-only port that sends out a copy of all packets for audit purposes. Annoyingly the packets that are output seem to be lacking the VLAN tags though, and I'm not certain that I have the option of enabling tags on that port.

All nice and simple, but of course it does create a SPOF (Single Point Of Failure), i.e. I'd be a bit screwed if the switch died. There are ways to create a redundant switching infrastructure of course, but you have to stop somewhere for domestic installations!

BTW there appears to be an issue with the 3G backup link dropping its PPP session and then not coming back up unless you log into pfSense and press 'Connect' (under Status / Interfaces). I'll report that on the pfSense forum.

Daniel (2012-01-12 21:20):

Great tutorial on multi-WAN pfSense. Thank you for this!
I am working on a project where I want to have 1 Voice and 1 Data subnet with a fat fibre connection. Could you please detail the way you set up the voice and LAN as VLANs in your example? Why is DMZ chosen for the voice?
Kind regards
Daniel
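Martin's reply of 2012-05-31 (above) mentions, without naming it, a way to publish which AS is allowed to announce your block so that a third party cannot claim it with a fake announcement. The mechanism networks use for this today is RPKI: the holder of the prefix signs a Route Origin Authorization (ROA) naming the authorized origin AS and a maximum prefix length, and upstream routers that validate ROAs classify every announcement as Valid, Invalid or NotFound (RFC 6811) and normally drop the Invalid ones. The Python below is an added example, not code from the blog post, from pfSense or from any ISP's router. The ROAs and announcements are constructed from documentation prefixes and AS numbers, and the optional "drop NotFound" policy is an assumption included only to show the stricter choice. It shows all three outcomes and why the maximum length matters: a more-specific /25 with a forged origin AS is still Invalid.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example, not code from the blog or from pfSense. Prefixes are from
RFC 5737 / RFC 3849 documentation ranges and AS numbers from the RFC 5398
documentation range, so nothing here describes a real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class ROA:
    """origin_asn may announce prefix, or any more-specific of it whose
    length does not exceed max_length."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as seen by a validating router: prefix + origin AS
    (the last AS in the AS_PATH)."""
    prefix: str
    origin_asn: int


def _covers(roa: ROA, announced) -> bool:
    """True when the announced prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix, strict=True)
    # subnet_of() raises on mixed address families, so check the version first
    return roa_net.version == announced.version and announced.subnet_of(roa_net)


def validate(ann: Announcement, roas: Sequence[ROA]) -> str:
    """RFC 6811 result for one announcement against the ROA set."""
    announced = ipaddress.ip_network(ann.prefix, strict=True)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return NOT_FOUND  # nobody has registered this address space
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and announced.prefixlen <= roa.max_length:
            return VALID  # authorized origin and not more specific than allowed
    return INVALID  # covered by a ROA, but wrong origin or too specific


def accepted(announcements: Sequence[Announcement], roas: Sequence[ROA],
             drop_not_found: bool = False) -> List[Announcement]:
    """Routes a router keeps under a 'reject Invalid' policy.

    drop_not_found=True is an assumed, stricter policy; most networks do
    not run it because much address space still has no ROA.
    """
    keep = []
    for ann in announcements:
        state = validate(ann, roas)
        if state == INVALID or (drop_not_found and state == NOT_FOUND):
            continue
        keep.append(ann)
    return keep


# Constructed ROAs: the hosting /24 belongs to AS64496 and authorizes no
# more-specifics; the IPv6 /32 allows announcements down to /48.
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed Adj-RIB-In: legitimate route, hijack with a different origin,
# more-specific hijack with a forged origin, and an unregistered prefix.
RIB_IN = [
    Announcement("203.0.113.0/24", 64496),   # Valid
    Announcement("203.0.113.0/24", 64511),   # Invalid: wrong origin AS
    Announcement("203.0.113.0/25", 64496),   # Invalid: longer than max_length
    Announcement("198.51.100.0/24", 64500),  # NotFound: no covering ROA
    Announcement("2001:db8:1::/48", 64496),  # Valid: within max_length 48
    Announcement("2001:db8:1::/56", 64496),  # Invalid: /56 exceeds max_length
]

if __name__ == "__main__":
    for ann in RIB_IN:
        print(f"{ann.prefix:20} AS{ann.origin_asn}: {validate(ann, ROAS)}")
    print("kept:", [f"{a.prefix} AS{a.origin_asn}" for a in accepted(RIB_IN, ROAS)])
```

Two caveats a practitioner should keep in mind. A ROA binds a prefix to an origin AS only; it does not authenticate the rest of the AS path, so an attacker who forges your AS as the origin and announces the same /24 passes origin validation (that gap is what BGPsec and ASPA are meant to close). And a ROA does not change the upstream filtering Martin mentions: a /24 remains the smallest IPv4 block most networks accept, so a ROA with a longer maximum length does not make a /25 routable.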