Re: [pfSense Support] triple wan to triple lan

2008-04-25 Thread Anders Dahl
Hi Chris or anyone who will help me...

I have followed the instructions and have partly succeeded.

This is my setup:
fxp1 = Lan (this is used for management only)
fxp0 holds the following:
vlan0 = Lan_1
vlan1 = Lan_2
vlan2 = Lan_3
vlan3 = Wan
vlan4 = Wan_2
vlan5 = Wan_3

All these interfaces are connected to one physical port on a switch. Here it
is supplied with the xDSL- and Lan-connections.

I have made 1 rule for every LAN that will allow all traffic to leave
through its dedicated WAN (gateway).

I have tried with different rules to prevent Lan_1 users from leaving
through Wan_2 and Wan_3, and the same for Lan_2 and Lan_3, but nothing seems
to work.

If I for instance make these rules on the Lan_1 interface:
Lan_1 - any destination -through- Wan_2 [BLOCK]
Lan_1 - any destination -through- Wan_3 [BLOCK]
Lan_1 - any destination -through- Wan [ALLOW]

Then no traffic gets through. I completely lose contact with the router,
although I can still get an IP through DHCP.

What rules will I have to make to strictly separate the three networks?

Kind regards, Anders

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Chris
Buechler
Sent: 17 April 2008 08:07
To: support@pfsense.com
Subject: Re: [pfSense Support] triple wan to triple lan

On Thu, Apr 17, 2008 at 2:03 AM, Anders Dahl [EMAIL PROTECTED] wrote:

 I have one machine and 3 xdsl-connections. I want each of them to be a
 gateway for its own LAN. Shouldn't that be possible!?

Sure.


  I have successfully created multiple WANs with one LAN, and thought that it
 would be just about the same setup, but of course with different manual
 outbound nat and firewall rules.
  But I can't make it work.


Don't use manual outbound NAT, the automatically generated rules are
fine no matter how many WANs you have. Disable it, it's much simpler
that way.

Then just define the appropriate WAN as the gateway in the firewall
rules on each LAN interface.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: [pfSense Support] Failover problem

2008-04-25 Thread Bill Marquette
On Fri, Apr 25, 2008 at 12:36 AM, Martin Kruse Jensen [EMAIL PROTECTED] wrote:

  I still need to set the default lan - any rule to use the loadbalancetowan
 gateway right?

correct

  In http://pastebin.com/f36121457 I didn't
  but in http://pastebin.com/f10483182 I did change it

yep, looks like we aren't installing the reply-to logic on WAN for
some reason (probably because nobody had a setup where machines on wan2
tried to connect to services on wan).  Can you file a bug on
cvstrac.pfsense.com for this, please?  Thanks

--Bill



  Martin

  Bill Marquette wrote:

  On Thu, Apr 24, 2008 at 4:22 AM, Martin Kruse Jensen [EMAIL PROTECTED] 
 wrote:


  The /tmp/rules.debug can be found at http://pastebin.com/m39a0c097

  Before getting /tmp/rules.debug I did the following:
  - Created failover gateway in Services - Load-balancer (loadbalancetowan)
  - Set the default lan - any rules gateway to loadbalancetowan
  - Set the firewall rules (created by nat) to use the gateway
 loadbalancetowan on both WANs




 Yeah, don't do that. You need a NAT (rdr/port forward in this case)
 and filter rule per WAN, but don't change the gateway else you end up
 with nonsensical rules like:
 pass in quick on $wan route-to { ( vr0 10.33.56.1 ) } proto tcp from
 any to main port = 80 keep state label USER_RULE: NAT 
 and
 pass in quick on $StofaOPT1 route-to { ( vr0 10.33.56.1 ) } proto tcp
 from any to { 192.168.1.3 } port = 80 keep state label USER_RULE:
 NAT Stofatest

 which points the next hop INBOUND for this traffic to vr0 (which is
 your WAN in this case). i.e. the traffic goes back outbound...bad.

 I still see no reply-to's in the ruleset, so I'm suspecting that we
 have an issue when dealing with rules on the default gateway, but fix
 those rules to use the default gateway and give us the output of
 rules.debug again if you are still having issues. Thanks

 --Bill






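Added example, not code from the thread or from pfSense: a small Python check in the spirit of Bill's remark, run over a constructed /tmp/rules.debug excerpt. It flags inbound `pass in` rules on WAN interfaces that carry `route-to` (which, as he notes, sends the inbound traffic straight back out) or that lack the `reply-to` a non-default WAN needs for return traffic. The sample rule lines, interface macros and addresses are constructed for the example.

```python
import re

# Constructed sample in the shape of pfSense's /tmp/rules.debug (not the
# poster's real ruleset). Lines 1-2 reproduce the "route-to on an inbound
# rule" mistake from the thread; line 3 is the reply-to form; line 4 has
# neither; line 5 is a LAN rule where route-to is the intended direction.
SAMPLE_RULES = """\
pass in quick on $wan route-to { ( vr0 10.33.56.1 ) } proto tcp from any to 192.168.1.3 port = 80 keep state label "USER_RULE: NAT"
pass in quick on $StofaOPT1 route-to { ( vr0 10.33.56.1 ) } proto tcp from any to 192.168.1.3 port = 80 keep state label "USER_RULE: NAT Stofatest"
pass in quick on $StofaOPT1 reply-to ( vr1 10.0.0.1 ) proto tcp from any to 192.168.1.3 port = 443 keep state label "USER_RULE: NAT https"
pass in quick on $wan proto tcp from any to 192.168.1.3 port = 22 keep state label "USER_RULE: NAT ssh"
pass in quick on $lan route-to { ( vr0 10.33.56.1 ) } from 192.168.1.0/24 to any keep state label "USER_RULE: lan out via wan"
"""

# Interface macros treated as WAN-side (assumption for the sample above).
WAN_IFACES = {"$wan", "$StofaOPT1"}

# Matches "pass in [quick] on $iface <rest of rule>".
RULE_RE = re.compile(r"^pass\s+in\s+(?:quick\s+)?on\s+(\$\w+)\s+(.*)$")

ROUTE_TO = "route-to on inbound WAN rule (replies are forced back out)"
NO_REPLY_TO = "missing reply-to on inbound WAN rule"


def check_inbound_rules(text, wan_ifaces=WAN_IFACES):
    """Return (line_no, iface, problem) for each inbound pass rule on a WAN
    interface that uses route-to, or that has no reply-to at all."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue                      # not an inbound pass rule
        iface, rest = m.groups()
        if iface not in wan_ifaces:
            continue                      # LAN-side rules are out of scope here
        if "route-to" in rest:
            findings.append((n, iface, ROUTE_TO))
        elif "reply-to" not in rest:
            findings.append((n, iface, NO_REPLY_TO))
    return findings


if __name__ == "__main__":
    for n, iface, problem in check_inbound_rules(SAMPLE_RULES):
        print(f"line {n} on {iface}: {problem}")
```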


[pfSense Support] FreeRadius Package external MySQL database support

2008-04-25 Thread Adam Lowman
I was wondering, is there any way to use the pfSense FreeRadius package
with an external MySQL database without having the configuration
overwritten? This option might be helpful in the configuration GUI, as
well as supporting some of the other databases FreeRadius supports.





RE: [pfSense Support] CP Issue

2008-04-25 Thread Tim Dickson
Setting up the Rule to put traffic to the interface address out the default
gateway did not work

Setting the gateway to JUST the second WAN (non-loadbalance) failed

Setting the gateway to DEFAULT worked...  (With Squid running)

Any more ideas? I'd love to keep Load-Balancing!
(or is this another area where local services must always use the default
route?)
Thanks!
-Tim

PS... sorry about the html, the thread was plaintext until I responded to
your email which was html so it carried over, and I forgot to reset :(

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 24, 2008 10:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On 4/24/08, Tim Dickson [EMAIL PROTECTED] wrote:




 (I'll be back on site tomorrow and will test)

 So it would be on the GUEST LAN:



 Proto: TCP

 Source: GuestLan

 Destination: Interface Address ports 8000 and 8001

 Gateway: Default



 Or are you saying SOURCE should be the Interface address and port?



 I'll test this tomorrow and post back

 thanks!

Set the source to any, the interface would be the captive portal
interface.   Gateway default.   Looks good.

Scott
PS: please do not send html emails to public lists.



