Re: [pfSense] MultiWAN with SSH
On 12/13/2013 8:20 AM, Chris Bagnall wrote:
> On 13/12/13 1:12 pm, Jim Pingle wrote:
>> * Don't use interface groups or multi-interface floating rules for WAN
>> rule
>
> I stand corrected. You learn something new every day :-)
>
> As an aside, is there any way to 'fix' this? On a system with 4 or 5
> WANs, the ability to define inbound rules that apply to every WAN
> interface would be extremely useful and save a great deal of duplication.

Not easily. We would have to internally separate that out into one rule for each interface individually, using the expected gateway for each one in reply-to rather than using the group shortcuts that work fine for other rules. That may happen eventually, but we'd also need some sort of indication on the group or the rule that it should happen, because it would not be good to do that for every rule unnecessarily.

Jim

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] MultiWAN with SSH
On 13/12/13 1:12 pm, Jim Pingle wrote:
> * Don't use interface groups or multi-interface floating rules for WAN
> rule

I stand corrected. You learn something new every day :-)

As an aside, is there any way to 'fix' this? On a system with 4 or 5 WANs, the ability to define inbound rules that apply to every WAN interface would be extremely useful and save a great deal of duplication.

Kind regards,

Chris
--
This email is made from 100% recycled electrons
Re: [pfSense] MultiWAN with SSH
On 12/13/2013 5:10 AM, Chris Bagnall wrote:
> On 13/12/13 5:48 am, Walter Parker wrote:
>> What do I need to do to get the firewall to use the COMCASTGW for
>> responses
>> to packets sent to the COMCAST interface?
>
> Unless you're using advanced outbound NAT, this should happen
> automatically.

Actually that won't have anything to do with outbound NAT, but it will have to do with gateways and other rules. Make sure that your Interfaces > [WAN Name] pages have a gateway set/selected if they are a static IP. If they are DHCP this should happen automatically.

> You said:
>> I have a rule on the Comcast interface that allows all traffic, with the
>> destination of Comcast net and the Gateway set to COMCASTGW.

Never set a gateway on WAN rules, it does not do what you're expecting it to do.

> As an aside, if you want to easily create incoming rules in a multi-WAN
> scenario, it's often worth creating an interface group called 'WANs' or
> similar, then creating your incoming rules in there - saves duplicating
> them across multiple interfaces, especially if you have 3 or more
> interfaces.

Actually using an Interface Group or Floating rules will break it worse.

The reasoning behind all of this is the logic in how the firewall formulates the rules for WANs in this scenario. If an interface has a gateway selected, its rules will automatically gain a "reply-to" keyword which tells the traffic to exit back the interface from which it entered the firewall. Using floating rules for multiple interfaces or an interface group will cause reply-to not to be set, because it can't be set for rules affecting multiple interfaces.

So, in summary:

* WANs need to have gateways set
* Don't put gateways on WAN rules
* Don't use interface groups or multi-interface floating rules for WAN rules
* Make sure the global reply-to disable option is not set on System > Advanced, Firewall tab
* Make sure the WAN rule passing the traffic does not have the advanced option checkbox set to disable reply-to

Jim
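As an added illustration (not code from pfSense or from anyone in this thread) of two points raised here: the five-item checklist above, and the per-interface expansion Jim describes in his later reply about interface groups. The script below models when a WAN rule does or does not pick up pf's reply-to, audits a constructed configuration against the checklist, and expands a group rule into one rule per interface so each copy can carry its own gateway. Interface names (em0/em1), the addresses (RFC 5737 documentation ranges) and the rendered rule syntax are constructed approximations, not pfSense's actual generated ruleset.

```python
"""Model of when a pfSense WAN rule gets pf's reply-to, plus a checklist audit.
Constructed example: names, addresses and the rendered syntax are assumptions,
not pfSense's real rule generator."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Wan:
    name: str                # pfSense interface name, e.g. "COMCAST"
    ifname: str              # underlying NIC, e.g. "em1" (assumed)
    address: str             # WAN address (constructed, RFC 5737 range)
    gateway: Optional[str]   # gateway selected on Interfaces > [WAN]; None if unset


@dataclass
class Rule:
    interfaces: List[str]            # one name, or several for a group/floating rule
    proto: str
    dst_port: int
    gateway: Optional[str] = None    # policy-routing gateway set on the rule itself
    disable_reply_to: bool = False   # the rule's advanced "disable reply-to" box


@dataclass
class Config:
    wans: Dict[str, Wan]
    rules: List[Rule]
    global_disable_reply_to: bool = False   # System > Advanced, Firewall tab


def reply_to_clause(cfg: Config, rule: Rule, wan: Wan) -> str:
    """reply-to is only emitted for a single-interface rule whose WAN has a
    gateway, and only when neither the rule nor the global option disables it."""
    if len(rule.interfaces) != 1 or wan.gateway is None:
        return ""
    if cfg.global_disable_reply_to or rule.disable_reply_to:
        return ""
    return f" reply-to ({wan.ifname} {wan.gateway})"


def render_rule(cfg: Config, rule: Rule) -> str:
    """Render a pass rule in approximate pf syntax. A rule spanning several
    interfaces is rendered once, with no reply-to (it cannot carry one).
    Policy-routing gateways on the rule are not modelled; audit() flags them."""
    wans = [cfg.wans[n] for n in rule.interfaces]
    if len(wans) == 1:
        on, dst = wans[0].ifname, wans[0].address
        rt = reply_to_clause(cfg, rule, wans[0])
    else:
        on = "{ " + ", ".join(w.ifname for w in wans) + " }"
        dst = "{ " + ", ".join(w.address for w in wans) + " }"
        rt = ""
    return (f"pass in quick on {on}{rt} inet proto {rule.proto} "
            f"from any to {dst} port {rule.dst_port}")


def expand_group_rule(rule: Rule) -> List[Rule]:
    """The fix Jim sketches: split a group/floating rule into one rule per
    interface so each copy can carry its own interface's gateway in reply-to."""
    return [Rule([n], rule.proto, rule.dst_port, rule.gateway, rule.disable_reply_to)
            for n in rule.interfaces]


def audit(cfg: Config) -> List[str]:
    """Check a config against the checklist; an empty list means clean."""
    findings = []
    for w in cfg.wans.values():
        if w.gateway is None:
            findings.append(f"{w.name}: no gateway selected, so its rules get no reply-to")
    if cfg.global_disable_reply_to:
        findings.append("global 'disable reply-to' is set (System > Advanced, Firewall)")
    for r in cfg.rules:
        label = "/".join(r.interfaces)
        if r.gateway is not None:
            findings.append(f"rule on {label}: gateway {r.gateway} set on a WAN rule")
        if len(r.interfaces) > 1:
            findings.append(f"rule on {label}: multi-interface rule, pf gets no reply-to")
        if r.disable_reply_to:
            findings.append(f"rule on {label}: per-rule 'disable reply-to' is set")
    return findings


def sample_config() -> Config:
    """Constructed config mirroring the thread: a good TW rule, a Comcast rule
    with a gateway wrongly set, and a 'WANs' group rule for SSH."""
    wans = {"TW": Wan("TW", "em0", "198.51.100.10", "198.51.100.1"),
            "COMCAST": Wan("COMCAST", "em1", "203.0.113.10", "203.0.113.1")}
    rules = [Rule(["TW"], "tcp", 22),
             Rule(["COMCAST"], "tcp", 22, gateway="COMCASTGW"),
             Rule(["TW", "COMCAST"], "tcp", 22)]
    return Config(wans, rules)


def fixed_config(cfg: Config) -> Config:
    """Apply the rule-side checklist items: drop rule gateways, clear the
    reply-to disables, and expand group rules. A missing WAN gateway must be
    set by hand on the interface page and is left as a finding."""
    fixed = []
    for r in cfg.rules:
        r = Rule(r.interfaces, r.proto, r.dst_port, None, False)
        fixed.extend(expand_group_rule(r) if len(r.interfaces) > 1 else [r])
    return Config(cfg.wans, fixed, False)


if __name__ == "__main__":
    cfg = sample_config()
    for f in audit(cfg):
        print("FINDING:", f)
    for r in fixed_config(cfg).rules:
        print(render_rule(cfg, r))
```

Running it prints the two findings for the constructed config (the gateway on the Comcast rule and the group rule), then the four per-interface rules after the fix, each single-interface rule now carrying its own interface's gateway in reply-to.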
Re: [pfSense] MultiWAN with SSH
On 13/12/13 5:48 am, Walter Parker wrote:
> What do I need to do to get the firewall to use the COMCASTGW for responses
> to packets sent to the COMCAST interface?

Unless you're using advanced outbound NAT, this should happen automatically.

You said:
> I have a rule on the Comcast interface that allows all traffic, with the
> destination of Comcast net and the Gateway set to COMCASTGW.

That's probably your problem. I am assuming your comcast net is configured as a WAN. Here's an example from my WAN2 rules at home:

Proto     Source  Port  Destination   Port  Gateway  Queue  Description
IPv4 TCP  *       *     WAN2 address  222   *        none   SSH -> pfSense

(this is my rule to allow SSH on WAN2 to pfSense's IP)

You'll note 'gateway' is * - not WAN2GW.

As an aside, if you want to easily create incoming rules in a multi-WAN scenario, it's often worth creating an interface group called 'WANs' or similar, then creating your incoming rules in there - saves duplicating them across multiple interfaces, especially if you have 3 or more interfaces.

Kind regards,

Chris
--
This email is made from 100% recycled electrons
[pfSense] MultiWAN with SSH
Hi,

I have a pfSense box with multiple WAN connections (one on TW and one on Comcast). I appear to have got MultiWAN working for outbound traffic, in that I can ping/traceroute from either interface and the traffic routes out and comes back.

But inbound traffic only appears to work if it comes into the TW interface and not the Comcast interface.

I have a rule on the TW interface that allows all traffic.
I have a rule on the Comcast interface that allows all traffic, with the destination of Comcast net and the Gateway set to COMCASTGW.

I can ping the Comcast interface address. But any attempts to connect to the Comcast interface address fail.

However I did see a few log file entries of the form

IF       Source      Dest          Proto
COMCAST  ExternalIP  ComcastIP:13  TCP:S

Where ExternalIP is an outside host running SSH, ComcastIP is the IP of the Comcast Interface (and 13 is where SSHD is bound to). I got no response back to the client.

I then tried telnet ComcastIP 111 and got the same result.

What do I need to do to get the firewall to use the COMCASTGW for responses to packets sent to the COMCAST interface?

Walter
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis