[pfSense Support] Multi-WAN IPSEC Failover

2011-07-15 Thread Jochem de Waal
Hi All,

I'm trying to set up an IPsec site-to-site tunnel between two pfSense
boxes (2.0 RC3) over a DSL line to a fiber connection (static IPs). This
all works perfectly. To add some redundancy at the DSL site I've added an
HSDPA connection, which is set up as failover (DSL - primary and HSDPA -
secondary).

For the default access to the internet it all works fine, but can anyone
tell me how to set up an IPsec site-to-site connection in this failover
setting?

Regards,

Jochem de Waal



[pfSense Support] Multi WAN

2011-01-13 Thread Shali K.R.
Dear all,

I have 2 WAN (static and another PPPoE) connections and a LAN connection.


I added PPPoE as WAN and static as OPT1; both connections are active and I
added a firewall rule for OPT1 allowing all to all. Then I checked the
connectivity of OPT1: I can ping OPT1 from outside but can't ping from
OPT1 to anywhere. Any idea?



-- 
Thanks & Regards

Shali K R
Server Administrator
Vidya Academy of Science & Technology
Thrissur, Kerala.
Mob:9846303531


Re: [pfSense Support] Multi WAN

2011-01-13 Thread David Burgess
On Thu, Jan 13, 2011 at 10:29 PM, Shali K.R. sh...@vidyaacademy.ac.in wrote:
 Dear all,

 I have 2 WAN (static and another PPPoE) connections and a LAN connection.


 I added PPPoE as WAN and static as OPT1; both connections are active and I
 added a firewall rule for OPT1 allowing all to all. Then I checked the
 connectivity of OPT1: I can ping OPT1 from outside but can't ping from
 OPT1 to anywhere. Any idea?

You said OPT1 is a WAN with static IP, so I assume you configured it
with a gateway. If you didn't turn off automatic outbound NAT then
OPT1 will not accept any LAN-destined traffic unless you define port
forward rules.

Alternatively, you could turn off AON if your LAN is in public IP
address space (or if one of your WANs is).

db

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Multi WAN

2011-01-13 Thread Chris Buechler
On Fri, Jan 14, 2011 at 1:12 AM, Shali K.R. sh...@vidyaacademy.ac.in wrote:
 OPT1 as WAN (public IP and gateway) I can ping from outside. First I need
 to configure the connection, right? Then NATing and all these...

 I can't make any ping from the GUI choosing OPT1 as interface

Read the page - Note: Multi-wan is not supported from this utility currently.

Set up your rules to send some traffic out of it to test.




Re: [pfSense Support] Multi WAN

2011-01-13 Thread Shali K.R.
Dear sir,

How can I create a rule for outgoing? I already created an allow-all rule for
OPT1 in Firewall - Rules.

On Fri, Jan 14, 2011 at 11:46 AM, Chris Buechler cbuech...@gmail.com wrote:

 On Fri, Jan 14, 2011 at 1:12 AM, Shali K.R. sh...@vidyaacademy.ac.in
 wrote:
  OPT1 as WAN (public IP and gateway) I can ping from outside. First I
 need
  to configure the connection, right? Then NATing and all these...
 
  I can't make any ping from the GUI choosing OPT1 as interface

 Read the page - Note: Multi-wan is not supported from this utility
 currently.

 Set up your rules to send some traffic out of it to test.





-- 
Thanks & Regards

Shali K R
Server Administrator
Vidya Academy of Science & Technology
Thrissur, Kerala.
Mob:9846303531


Re: [pfSense Support] Multi WAN

2011-01-13 Thread David Burgess
On Thu, Jan 13, 2011 at 11:30 PM, Shali K.R. sh...@vidyaacademy.ac.in wrote:
 Dear sir,

 How can I create a rule for outgoing? I already created an allow-all rule for
 OPT1 in Firewall - Rules.

When you create a firewall rule on an interface, that rule will govern
only packets arriving on that interface, not leaving it. So by
creating a rule on OPT1 to allow all, you are allowing all internet
traffic to enter your network--generally not a good idea from a
security standpoint, however without any port forward rules defined
you have not yet exposed any LAN hosts, only pfSense itself (i.e., any
services listening there, such as web UI, ssh, DNS).

If you want LAN traffic to be able to connect to external hosts via
OPT1 then you need to create LAN rules, wherein you may define the WAN
interface/gateway that matching traffic will use.

I suggest you read up on this document and then come back with
specific questions you may have.

http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing

Enjoy.

db




Re: [pfSense Support] Multi WAN - Failover doubts.

2010-08-11 Thread Seth Mos

Op 11-8-2010 7:09, Chris Buechler schreef:

On Tue, Aug 10, 2010 at 5:08 PM, Fabricio Ferreira gu...@bol.com.br wrote:

Thanks Everyone!

Actually I made it work, but not using the same monitoring address on both
interfaces.



Yeah you can't do that, as the monitor IP always is forced out only
one connection (I think the book is probably the only place that
documents that). 2.0 adds input validation to not allow such
configurations.


That probably means that the check I coded for 2.0 isn't kicking in.

I used to have input validation that would deny a monitor IP which was 
used before.


Although I think it will fail in some fashion with multi-DHCP WAN where 
the gateway is the same. I can probably easily test that.


Regards,

Seth
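The shared-monitor failure Chris describes and the duplicate-monitor check Seth mentions, modelled in Python as an added example (not pfSense's own validation code): every monitor IP needs its own host route through its gateway, so a monitor shared by two gateways can only ever be probed over one of them. The Gateway class, the WAN subnets and the check structure are assumptions; the two monitor addresses are the ones from Fabricio's working config.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Gateway:
    """One WAN gateway as it would sit in a failover group (constructed model)."""
    name: str
    subnet: str                    # the WAN interface's own subnet
    gateway: str                   # next hop on that subnet
    monitor: Optional[str] = None  # None: monitoring falls back to the gateway address

    def effective_monitor(self) -> str:
        return self.monitor or self.gateway


def monitor_routes(gateways: List[Gateway]) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Model the per-monitor host routes a failover setup needs.

    Each monitor IP gets a /32 route through its own gateway so the probe
    leaves on the right link. A routing table holds one route per
    destination, so two gateways sharing a monitor collide: the later one
    wins and the other gateway's probes go out the wrong connection, which
    is why failover with a shared monitor never triggers.
    """
    routes: Dict[str, str] = {}
    collisions: List[Tuple[str, str, str]] = []
    for gw in gateways:
        mon = gw.effective_monitor()
        if mon in routes:
            collisions.append((mon, routes[mon], gw.name))
        routes[mon] = gw.name
    return routes, collisions


def validate_gateways(gateways: List[Gateway]) -> List[Tuple[str, str, str]]:
    """Return (severity, gateway name, message) findings for a config."""
    findings: List[Tuple[str, str, str]] = []
    _, collisions = monitor_routes(gateways)
    for mon, first, second in collisions:
        findings.append(("error", second,
                         f"monitor {mon} is already used by {first}; probes "
                         "for both gateways can only follow one route"))
    for gw in gateways:
        mon = ip_address(gw.effective_monitor())
        net = ip_network(gw.subnet, strict=False)
        if mon == ip_address(gw.gateway):
            # Only the local link to the modem is tested; a dead upstream
            # behind a live DSL modem never triggers failover.
            findings.append(("warning", gw.name,
                             "monitor is the gateway itself: only the local "
                             "link is tested, a dead upstream goes unnoticed"))
        elif mon in net:
            findings.append(("warning", gw.name,
                             f"monitor {mon} is on the local subnet {net} "
                             "and never leaves the link"))
    return findings


# Constructed sample configs: WAN subnets are documentation ranges, the
# monitor addresses are the two DNS servers from the thread.
SHARED_MONITOR = [
    Gateway("WAN1", "203.0.113.0/30", "203.0.113.1", "200.221.11.100"),
    Gateway("WAN2", "198.51.100.0/30", "198.51.100.1", "200.221.11.100"),
]
SEPARATE_MONITORS = [
    Gateway("WAN1", "203.0.113.0/30", "203.0.113.1", "200.221.11.100"),
    Gateway("WAN2", "198.51.100.0/30", "198.51.100.1", "200.221.11.101"),
]
GATEWAY_ONLY = [Gateway("WAN1", "203.0.113.0/30", "203.0.113.1")]


if __name__ == "__main__":
    for label, cfg in (("shared monitor", SHARED_MONITOR),
                       ("separate monitors", SEPARATE_MONITORS),
                       ("no monitor set", GATEWAY_ONLY)):
        print(f"== {label}")
        for sev, name, msg in validate_gateways(cfg) or [("ok", "-", "no findings")]:
            print(f"  [{sev}] {name}: {msg}")
```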




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-10 Thread Paul Mansfield
On 10/08/10 03:32, Chris Buechler wrote:
 if your provider provides ipv6 as well as ipv4 and devices on your lan
 are also ipv6, then you're more likely to have a major security breach??
 has IPv6, you can end up with a public IPv6 address either via
 stateless autoconfiguration or DHCPv6 and be completely open on the
 IPv6 Internet (assuming no host firewall).

so if you're an attacker and you've compromised a box, it's definitely
worth checking for ipv6 connectivity since there's a fair chance it's not
firewalled off.




[pfSense Support] Multi WAN - Failover doubts.

2010-08-10 Thread Fabricio Ferreira
Hi everyone,

Good morning/evening.

I'm setting up a pfSense box in a remote office with 2 WAN links (2MB each one).

I just set the failover configuration and made some tests. Unfortunately I
don't know how long to wait for the gateway change.

I've disconnected WAN1 and waited for 2 minutes and nothing happened. How
long does it take to change the gateway? (in seconds I guess)

Is there a way to change that time?

Another doubt is about the external IP to monitor the link (talking about
the failover config).

It is necessary to set 2 different IPs, right? I was using just one, so I
read something about that, telling to use 2 different addresses.

example: WAN1 monitoring 200.204.x.x and WAN2 monitoring 201.70.x.x

Thanks!!!

Cordially,

Fabrício.

Fabrício Ferreira



Re: [pfSense Support] Multi WAN - Failover doubts.

2010-08-10 Thread Benjamin LAUGIER
Hi Fabricio,

In fact, the main problem with failover, as far as I know, is that pfSense
only checks that the physical link is up and that the local gateway is
pingable.

I bet you're using DSL connections with local ethernet links to reach each
gateway.
Sadly, this means that pfSense will only do failover when the local ethernet
gateways are down, which might never occur, even if the DSL links are down.

Hope this helped.
Benjamin.


Re: [pfSense Support] Multi WAN - Failover doubts.

2010-08-10 Thread EVGENY YURCHENKO
--- On Tue, 8/10/10, Benjamin LAUGIER benjamin.laug...@gmail.com wrote:

From: Benjamin LAUGIER benjamin.laug...@gmail.com
Subject: Re: [pfSense Support] Multi WAN - Failover doubts.
To: support@pfsense.com
Date: Tuesday, August 10, 2010, 1:03 PM

Hi Fabricio,

In fact, the main problem with failover, as far as I know, is that pfSense only 
checks that the physical link is up and that the local gateway is pingable.

I bet you're using DSL connections with local ethernet links to reach each 
gateway.

Sadly, this means that pfSense will only do failover when the local ethernet 
gateways are down, which might never occur, even if the DSL links are down.

Hope this helped.
Benjamin.


You can choose whatever IP you want to monitor link status, just make sure this 
IP is reachable only via this interface.

Evgeny



Re: [pfSense Support] Multi WAN - Failover doubts.

2010-08-10 Thread Chris Buechler
On Tue, Aug 10, 2010 at 1:03 PM, Benjamin LAUGIER
benjamin.laug...@gmail.com wrote:

 In fact, the main problem with failover, as far as I know, is that pfSense
 only checks that the physical link is up and that the local gateway is
 pingable.


That's not true, you define whatever monitor you want, and you
generally don't want to use the gateway for that reason.




Re: [pfSense Support] Multi WAN - Failover doubts.

2010-08-10 Thread Benjamin LAUGIER
My bad :-)
But glad to hear that.

In fact, it sounds like the version I was using a couple of weeks ago (beta
2 - build 20100601) had a limitation in the GUI: you couldn't declare a
monitored IP on another network than the one declared on the local interface
to monitor.

Benjamin.


RE: [pfSense Support] multi-wan, multi-lan security

2010-08-10 Thread Nathan Eisenberg
 it's definitely worth checking for ipv6 connectivity
 since there's a fair chance its not firewalled off.

I disagree with this statement.  What makes you believe this?

Windows has had built-in, default firewalling for quite some time, as has 
almost every desktop distribution of Linux.  SOHO firewalls that don't firewall 
IPv6 don't do so because they're generally not IPv6 capable (see pfSense for an 
example of default-deny IPv6 when $supported=0).  Most ISPs drop the most 
vulnerable Windows ports at their border and often even at the CPE, agnostic of 
addressing protocol.

Nathan Eisenberg





RE: [pfSense Support] multi-wan, multi-lan security

2010-08-10 Thread Tim Dickson


 I disagree with this statement.  What makes you believe this?

 Windows has had built-in, default firewalling for quite some time, as has 
 almost every desktop distribution of Linux.  SOHO firewalls that don't 
 firewall IPv6 don't do so because they're generally not IPv6 capable (see 
 pfSense for an example of default-deny IPv6 when $supported=0).  Most ISPs 
 drop the most vulnerable Windows ports at their border and often even at the 
 CPE, agnostic of addressing protocol.



This is, again, assuming that security is in place... when looking at security 
at the perimeter, we must assume there is NO security in place (and adjust for 
it).
Is it possible someone disabled the firewall on Windows? Absolutely! Linux? 
Yes again!
We can go back and forth on these ifs, but assuming the worst, and preparing for 
it, is the best (and only) solution.




RE: [pfSense Support] multi-wan, multi-lan security

2010-08-10 Thread Nathan Eisenberg
 This is again, assuming that security is in place... when looking at
 security at the perimeter, we must assume there is NO security in
 place. (and adjust for it)
 Is it possible someone disabled the firewall on windows? Absolutely!  ,
 linux? Yes again!
 We can go back and forth on this Ifs, but assuming the worse, and
 preparing for it - is the best (and only) solution.

Tim,

You're missing the point - I'm hardly assuming security is in place.  What I 
objected to was the claim that there will be many V4 hosts with good and 
working firewalls, who will not be protected if addressed by V6.

Will there be a few home users who have a mangled network at layer 1 and get 
screwed by autoconfiguration?  Sure.  Is there going to be an epidemic of hosts 
that have a V4 firewall, but no V6 firewall AND V6 addressability?  Absolutely 
not.  This is a non-issue, and not a very interesting one at that.

Nathan Eisenberg





RES: [pfSense Support] Multi WAN - Failover doubts.

2010-08-10 Thread Fabricio Ferreira
Thanks Everyone!

Actually I made it work, but not using the same monitoring address on both
interfaces.

I chose an external DNS server for WAN1 (200.221.11.100), and another
one (the secondary DNS server) for WAN2 (200.221.11.101), so it worked
out! (Of course I could use anything I wanted, since they were different.)

Just for a test, try to monitor the same address on both links, then disconnect
the main one and wait for the gateway change. It doesn't work.

But if you use two different addresses it works really fine!

By the way, it took 10 seconds in all to change the gateway. Really fast!

Once again, thanks a lot!

You guys are really good! pfSense is an AWESOME multi-purpose firewall.

Congratulations!

Cordially,

Fabrício.

From: Benjamin LAUGIER [mailto:benjamin.laug...@gmail.com]
Sent: Tuesday, 10 August 2010 14:19
To: support@pfsense.com
Subject: Re: [pfSense Support] Multi WAN - Failover doubts.

My bad :-)
But glad to hear that.

In fact, it sounds like the version I was using a couple of weeks ago (beta
2 - build 20100601) had a limitation in the GUI: you couldn't declare a
monitored IP on another network than the one declared on the local interface
to monitor.

Benjamin.



Re: [pfSense Support] Multi WAN - Failover doubts.

2010-08-10 Thread Chris Buechler
On Tue, Aug 10, 2010 at 5:08 PM, Fabricio Ferreira gu...@bol.com.br wrote:
 Thanks Everyone!

 Actually I made it work, but not using the same monitoring address on both
 interfaces.


Yeah you can't do that, as the monitor IP always is forced out only
one connection (I think the book is probably the only place that
documents that). 2.0 adds input validation to not allow such
configurations.




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Paul Mansfield

thinking aloud...

if your provider provides ipv6 as well as ipv4 and devices on your lan
are also ipv6, then you're more likely to have a major security breach??




RE: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Nathan Eisenberg
 thinking aloud...
 
 if your provider provides ipv6 as well as ipv4 and devices on your lan
 are also ipv6, then you're more likely to have a major security
 breach??

It's only really thinking out loud if you include your reasoning, otherwise 
it's more like 'concluding out loud'.

Why do you think that?

Nathan Eisenberg





Re: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Paul Mansfield
On 09/08/10 17:57, Nathan Eisenberg wrote:
 thinking aloud...

 if your provider provides ipv6 as well as ipv4 and devices on your lan
 are also ipv6, then you're more likely to have a major security
 breach??
 
 It's only really thinking out loud if you including your reasoning, otherwise 
 it's more like 'concluding out loud'.
 
 Why do you think that?

people won't be using NAT in an ipv6 network, so they'll have real IPs
which will contain their MAC addresses, making it much more likely that
the internet at large will be able to connect to them.





Re: Re: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Adam Thompson
On Mon, 2010-08-09 at 18:06 +0100, Paul Mansfield wrote:


 if your provider provides ipv6 as well as ipv4 and devices on your lan
 are also ipv6, then you're more likely to have a major security
 breach??
people won't be using NAT in an ipv6 network, so they'll have real IPs
which will contain their MAC addresses, making it much more likely that
the internet at large will be able to connect to them.


The MAC address is only 48 bits out of 128, leaving 80 bits of assigned address 
in comparison to IPv4's 64 assigned bits.
How is stumbling across a (nominally) random 80-bit address easier than 
stumbling across a (nominally) random 64-bit address?

Obviously neither case is truly random, and I would argue that at this stage, 
IPv4 address allocation is more predictable than IPv6 address allocation.
Finding either is bound to be easier than finding a truly random number, as 
there are many real-world constraints, but I believe there are more constraints 
on the 64-bit number than the 80-bit number, which would skew the model towards 
being even easier to find the IPv4 address...

-Adam Thompson
Chief Architect, C3A Inc.
athom...@c3a.ca
Tel: (204) 272-9628 x8004 / Fax: (204) 272-8291
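To make the "address contains the MAC" point concrete, an added example (not from any poster in this thread): it derives the modified EUI-64 interface identifier a SLAAC host builds from its MAC, and an audit helper that reports which of a host's IPv6 addresses embed a MAC, so an admin can see where privacy extensions should be turned on. The prefix and MAC values are constructed.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Optional


def eui64_interface_id(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC.

    RFC 4291 appendix A: split the MAC in half, insert ff:fe between the
    halves and flip the universal/local bit (0x02) of the first octet.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> IPv6Address:
    """Address a host derives by SLAAC (no privacy extensions) from its MAC."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return IPv6Address(int(net.network_address) | iid)


def embedded_mac(address: str) -> Optional[str]:
    """Recover the MAC an IPv6 address embeds, or None if it is not EUI-64 shaped.

    Used the defender's way: a public address that carries the MAC also
    carries the vendor OUI (first three octets), which is what RFC 4941
    privacy addresses avoid. Random or DHCPv6-assigned identifiers return
    None (a random identifier matches the ff:fe marker with chance 1/65536).
    """
    iid = IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def audit_addresses(addresses: List[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC it exposes (None when it exposes nothing)."""
    return {addr: embedded_mac(addr) for addr in addresses}


# Constructed sample: one SLAAC address built from a made-up MAC, one
# privacy-extension style address and one manually assigned address.
SAMPLE_MAC = "00:1b:21:ab:cd:ef"
SAMPLE_ADDRESSES = [
    str(slaac_address("2001:db8::/64", SAMPLE_MAC)),
    "2001:db8::4c2f:9a11:7be3:05d2",
    "2001:db8::1",
]

if __name__ == "__main__":
    for addr, mac in audit_addresses(SAMPLE_ADDRESSES).items():
        status = f"exposes MAC {mac} (OUI {mac[:8]})" if mac else "no MAC embedded"
        print(f"{addr:40} {status}")
```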


RE: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Nathan Eisenberg
 people won't be using NAT in an ipv6 network, so they'll have real IPs
 which will contain their MAC addresses, making it much more likely that
 the internet at large will be able to connect to them.

I still don't follow.  NAT is not a security mechanism, and MAC addresses are 
not privileged information.

If you're suggesting that more people will be connecting to the internet 
without a firewall, then I beg to differ (though pfsense doesn't support v6 
yet, and just blocks ipv6 by default).

Adam - While that's certainly true, in my opinion, whether an IP is known or 
unknown is irrelevant to that host's security.

Best Regards,
Nathan Eisenberg





RE: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Tim Dickson
 I still don't follow.  NAT is not a security mechanism, and MAC addresses are 
 not privileged information.

True, but once you know the MAC you can find out the vendor quite easily, and 
then go about running exploits specific to that piece of hardware.

 Adam - While that's certainly true, in my opinion, whether an IP is known or 
 unknown is irrelevant to that host's security.

Again true, but I would change "whether an IP is known or unknown IS 
irrelevant" to "whether an IP is known or unknown SHOULD BE irrelevant" - the 
truth is, it's not though...
For the most part we are talking mainstream people here... and while if a piece 
of hardware has been bullet tested (security wise) by a professional a public 
address/MAC shouldn't affect it, as the security measures are in place... to an 
untrained person with no or little security in place, every piece of 
information that is accessible is more fuel used to attack the host. 
You can fight either way, but the truth is, the more information you can keep 
secret the better; this whole thread can be summed up with that...
-Tim




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Chris Buechler
On Mon, Aug 9, 2010 at 12:07 PM, Paul Mansfield
it-admin-pfse...@taptu.com wrote:

 thinking aloud...

 if your provider provides ipv6 as well as ipv4 and devices on your lan
 are also ipv6, then you're more likely to have a major security breach??


I was thinking of that scenario earlier in the thread but didn't
mention it, if you happen to combine your LAN and WAN at L2, your
internal hosts have IPv6 enabled (as most new OSes do), and your ISP
has IPv6, you can end up with a public IPv6 address either via
stateless autoconfiguration or DHCPv6 and be completely open on the
IPv6 Internet (assuming no host firewall).

Granted the chances of getting attacked via v6 on a random address are
very, very slim because there are too many IPs to scan the entire IPv6
Internet in a reasonable amount of time (until someone builds a large
IPv6-connected botnet). My guess is you could take a machine full of
security holes (old Linux distro at defaults, unpatched Windows XP,
etc.), leave it wide open to the Internet on IPv6 only, and it
probably wouldn't get touched for a year or more where it'd be owned
in hours if not minutes open on IPv4.

A more likely scenario to be opened to the Internet and not realize
it, yes possibly. But highly unlikely to be attacked, at random at
least, in such a scenario.




RE: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Nathan Eisenberg
That's poetry.

It might be, if it were true.  I'm not sure that it is, though.

From a distribution layer (/30 for routing to a firewall from a router), I 
can't think of what you'd need to intentionally do to allow bypass of the 
firewall that has anything to do with VLANs.  If I somehow moved the router 
into one of the 'internal' networks, bypassing the firewall, the router would 
have no route to a host, nor would the host have a route to the router.  The 
only exception would be if you're running a L2 bridging firewall, but then I 
don't think the concept of VLANs is even applicable...

Explain?

Best Regards,
Nathan Eisenberg


Re: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Chris Buechler
On Fri, Aug 6, 2010 at 7:40 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
That's poetry.

 It might be, if it were true.  I'm not sure that it is, though.

 From a distribution layer (/30 for routing to a firewall from a router), I 
 can't think of what you'd need to intentionally do to allow bypass of the 
 firewall that has anything to do with VLANs.  If I somehow moved the router 
 into one of the 'internal' networks, bypassing the firewall, the router would 
 have no route to a host, nor would the host have a route to the router.  The 
 only exception would be if you're running a L2 bridging firewall, but then I 
 don't think the concept of VLANs is even applicable...


You're missing the entire point. If you have one switch, VLAN 2 is
your LAN, and VLAN 3 is your unfiltered Internet, and you put both 2
and 3 untagged on the same port... there ya go. From there the amount
of damage possible and ease of it happening depends on what kind of
Internet connection you have.




RE: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Nathan Eisenberg
 You're missing the entire point. If you have one switch, VLAN 2 is
 your LAN, and VLAN 3 is your unfiltered Internet, and you put both 2
 and 3 untagged on the same port... there ya go. From there the amount
 of damage possible and ease of it happening depends on what kind of
 Internet connection you have.

You lose me right where you say "... there ya go."  How do you propose to get 
your malicious traffic to my vulnerable host?  Yes, it's now on the same layer 
2 domain - but I'm not sure how that can be exploited by an external attacker.

Think of it this way, if you'll accept an analogy:

I have a router that passes 1.1.1.0/30 to my firewall's WAN port.  1.1.2.0/24 
is routed to that IP, so my LAN interface is 1.1.2.1, and I have a host at 
1.1.2.2.  I remove the firewall from the equation and plug my router straight 
into my LAN's physical network.  Find a way to ping 1.1.2.2.

You can't.  My network is, for all external intents and purposes, down.  My 
hosts can't route out.  You can't route in, because my router's sending packets 
to 1.1.1.1, which is down.  Your attack is thwarted by the way that layer 3 
works.

Say I'm not being routed a /24.  Say I'm on Comcast and I have a 192.168.0.0/24 
LAN.  The problem is now even bigger: your carrier, their carrier, and Comcast 
won't route 192.168.0.0/24.

What I'm trying to point out is that there is a difference between real and 
false security.  I don't see a clear, enumerable threat, or any conditions that 
I, an attacker, could use to break in.  There's a lot of real security work to 
do; work that can be explained in terms of technically possible/probable 
vectors.

Whenever someone says "this makes you more secure", I like to ask "Is that 
true?  And if so, what makes it true?".  So, what makes your claim, that using 
VLANs on the same switching fabric for both interfaces of a firewall allows the 
network the firewall protects to be exploited, true?

Best Regards,
Nathan Eisenberg





Re: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Chris Buechler
On Fri, Aug 6, 2010 at 8:50 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
 You're missing the entire point. If you have one switch, VLAN 2 is
 your LAN, and VLAN 3 is your unfiltered Internet, and you put both 2
 and 3 untagged on the same port... there ya go. From there the amount
 of damage possible and ease of it happening depends on what kind of
 Internet connection you have.

 You lose me right where you say ... there ya go.  How do you propose to get 
 your malicious traffic to my vulnerable host?  Yes, it's now on the same 
 layer 2 domain - but I'm not sure how that can be exploited by an external 
 attacker.


That's my last point - depends on your Internet connection. If it's
DHCP or DHCP is available, you could be pulling a public IP from
upstream and leaving a LAN host wide open outside the firewall. If
you're on a connection type where WAN is a large broadcast domain like
cable, a few thousand hosts will then start seeing your internal ARP
and could ARP poison your LAN. There are other possibilities depending
on your connection type. It's not worth the risk. With many
commercial-grade connections there are less options there, and with
some it would be virtually impossible to do anything where there's a
router between your ISP and your firewall, but it's still not worth
the risk.




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Tortise


- Original Message - 
From: Nathan Eisenberg nat...@atlasnetworks.us

To: support@pfsense.com
Sent: Saturday, August 07, 2010 12:50 PM
Subject: RE: [pfSense Support] multi-wan, multi-lan security


Say I'm not being routed a /24.  Say I'm on Comcast and I have a 192.168.0.0/24 LAN.  The problem is now even bigger: your 
carrier, their carrier, and Comcast won't route 192.168.0.0/24.


I think that is the theory; however, in practice I'm not so sure. It doesn't take much to, for example, accidentally connect a LAN to 
the net and suddenly... with someone else doing the same... I think the private LAN becomes public and pretty sick pretty quickly also... 
Maybe Comcast can control for this but I doubt all ISPs do?  My ISP advised us not to use common private LAN addresses for this 
(common problem) reason.  (I now use randomly generated addresses) 






Re: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Chris Buechler
On Fri, Aug 6, 2010 at 9:37 PM, Tortise tort...@paradise.net.nz wrote:

 - Original Message - From: Nathan Eisenberg
 nat...@atlasnetworks.us
 To: support@pfsense.com
 Sent: Saturday, August 07, 2010 12:50 PM
 Subject: RE: [pfSense Support] multi-wan, multi-lan security


 Say I'm not being routed a /24.  Say I'm on Comcast and I have a
 192.168.0.0/24 LAN.  The problem is now even bigger: your carrier, their
 carrier, and Comcast won't route 192.168.0.0/24.

 I think that is the theory; however, in practice I'm not so sure. It doesn't
 take much to, for example, accidentally connect a LAN to the net and
 suddenly... with someone else doing the same... I think the private LAN becomes
 public and pretty sick pretty quickly also... Maybe Comcast can control for
 this but I doubt all ISPs do?  My ISP advised us not to use common private LAN
 addresses for this (common problem) reason.  (I now use randomly generated
 addresses)

There are good reasons to use uncommon subnets, primarily because it
eases connecting with other networks without hacks like NAT, but
that's not among them. What subnet you use internally has no relevance
to your ISP. The risk isn't in the private subnet leaking out to WAN
unless you're talking about the ARP poisoning possibility, or the fact
if you do that on a medium like cable any of the thousands on your
segment could easily join your LAN (even inadvertently if that also
brings your internal DHCP server onto the ISP network, but that is
likely to either be blocked by the ISP or get you cut off very quickly
once it happens). An obscure subnet wouldn't matter in that scenario,
everyone on the segment would see what your subnet is.




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Tortise


- Original Message - 
From: Chris Buechler cbuech...@gmail.com

To: support@pfsense.com
Sent: Saturday, August 07, 2010 2:09 PM
Subject: Re: [pfSense Support] multi-wan, multi-lan security


On Fri, Aug 6, 2010 at 9:37 PM, Tortise tort...@paradise.net.nz wrote:


- Original Message - From: Nathan Eisenberg
nat...@atlasnetworks.us
To: support@pfsense.com
Sent: Saturday, August 07, 2010 12:50 PM
Subject: RE: [pfSense Support] multi-wan, multi-lan security



Say I'm not being routed a /24. Say I'm on Comcast and I have a
192.168.0.0/24 LAN. The problem is now even bigger: your carrier, their
carrier, and Comcast won't route 192.168.0.0/24.


I think that is the theory however in practice I'm not so sure. It doesn't
take much to, for example, accidentally connect a LAN to the net and
suddenly... with someone else doing the same... I think the private LAN becomes
public and pretty sick pretty quickly also... Maybe Comcast can control for
this but I doubt all ISP's do? My ISP advised us not to use common private LAN
addresses for this (common problem) reason. (I now use randomly generated
addresses)



There are good reasons to use uncommon subnets, primarily because it

eases connecting with other networks without hacks like NAT, but
that's not among them. What subnet you use internally has no relevance
to your ISP. The risk isn't in the private subnet leaking out to WAN
unless you're talking about the ARP poisoning possibility, or the fact
if you do that on a medium like cable any of the thousands on your
segment could easily join your LAN (even inadvertently if that also
brings your internal DHCP server onto the ISP network, but that is
likely to either be blocked by the ISP or get you cut off very quickly
once it happens). An obscure subnet wouldn't matter in that scenario,
everyone on the segment would see what your subnet is.

-
Yes I was referring to ARP poisoning and my cable connection experience which is the reason for the random (obscure) LAN subnet 
range selection...  It just seemed an example of a situation that was outside the example posed where it was suggested there was no 
risk, when there may be? 






Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Chris Buechler
On Thu, Aug 5, 2010 at 1:51 AM, David Burgess apt@gmail.com wrote:
 I've been running the 2.0 betas for a few months and I'm quite happy
 with it. Some network and hardware upgrades present me with a few
 questions, and maybe I'm overthinking it, but I thought I would ask
 the opinion of the wise ones.

 I'm running mlppp and it works beautifully. For the last 2-3 months
 it's been just 2 DSL connections, so they each got a dedicated NIC on
 the net5501. Now I'm upsizing significantly to 8 DSL lines, and since
 there's no reasonable way of getting enough physical ports into the
 5501, I'm obviously forced to use vlans to get all the DSL and LAN
 connections up. I have a single smart switch with vlan capability, but
 a second smart switch is not in the budget at the moment.

A managed switch can be bought for very little. Bunch of HP 2512/2524s
on ebay that go for $50 USD or less shipped, lot of similar others. In
the scheme of things, compared to paying for 8 DSL lines, that's
nothing.

Doing VLANs properly all on one switch is probably pretty safe if done
right (biggest risk in those kind of setups is accidental
misconfiguration). I wouldn't do it though, managed switches are too
cheap to not physically segment your internal and external networks.




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Tortise
- Original Message - 
From: Chris Buechler cbuech...@gmail.com

To: support@pfsense.com
Sent: Thursday, August 05, 2010 6:01 PM
Subject: Re: [pfSense Support] multi-wan, multi-lan security



Doing VLANs properly all on one switch is probably pretty safe if done
right (biggest risk in those kind of setups is accidental
misconfiguration). I wouldn't do it though, managed switches are too
cheap to not physically segment your internal and external networks.



Hi Chris,

Do you mind if I ask you to re-express the last sentence please, (I wouldn't do it though, managed switches are too cheap to not 
physically segment your internal and external networks. ) I am having trouble gleaning what I think is your intended meaning.  Too 
cheap doesn't seem an adequate justification in itself, if that is what you intend? 






Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Chris Buechler
On Thu, Aug 5, 2010 at 2:08 AM, Tortise tort...@paradise.net.nz wrote:
 - Original Message - From: Chris Buechler cbuech...@gmail.com
 To: support@pfsense.com
 Sent: Thursday, August 05, 2010 6:01 PM
 Subject: Re: [pfSense Support] multi-wan, multi-lan security


 Doing VLANs properly all on one switch is probably pretty safe if done
 right (biggest risk in those kind of setups is accidental
 misconfiguration). I wouldn't do it though, managed switches are too
 cheap to not physically segment your internal and external networks.


 Hi Chris,

 Do you mind if I ask you to re-express the last sentence please, (I wouldn't
 do it though, managed switches are too cheap to not physically segment your
 internal and external networks. ) I am having trouble gleaning what I think
 is your intended meaning.  Too cheap doesn't seem an adequate justification
 in itself, if that is what you intend?



It's best to physically segregate networks of considerably different
trust levels. Especially unfiltered Internet traffic and your internal
network - I would never set up a network like that. To answer an
initial question posed:  At what point does 'should' become
'must'?  I would say it's never should, always must.

That option shouldn't be discarded because it's not in the budget.
If you have the budget for 8 DSL lines, you can afford a switch. I
would do two switches even so you have some switch redundancy, 4
connections on each of two switches (we did a config exactly like that
for a customer in the past week, one of many), where you have adequate
ports on the firewall. Additional ports configured on each so if one
fails, you can physically move the ports and be back up and running on
them all again within minutes. That would cost considerably less than
just one month of 8 DSL lines, and you have a network that you should
feel much better about.




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Paul Mansfield
On 05/08/10 06:51, David Burgess wrote:
 my DSL and LAN ports will be on the same switch, different vlans. This
...
 what are my risks? I know it has been said on this list that WAN and

if you can clearly label the switch so that you yourself cannot make a
mistake when connecting cables

if you use colour-coded cables to prevent accidental cable swapping

if the switch is physically secure requiring a key

if the switch has no IP address on untrusted/dangerous vlans

if the switch has access controls to limit access to management port to
trusted networks, and has username/password authentication (preferably
over ssh or https)

if the switch's ports are set so that connected devices can't cause them
to flip from untagged to tagged mode (in cisco speak from access to
trunk - switchport nonegotiate)


then I'd say it's fairly safe.

but even so I still really want to physically isolate unfirewalled
network strands just in case!




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread David Burgess
Paul,

I understand your post up to this point:

 if the switch's ports are set so that connected devices can't cause them
 to flip from untagged to tagged mode (in cisco speak from access to
 trunk - switchport nonegotiate)

I'm looking at the help file for my switch, and thinking this section
is saying what you're saying:

Ingress Filtering - When enabled, the frame is discarded if this port
is not a member of the VLAN with which this frame is associated. In a
tagged frame, the VLAN is identified by the VLAN ID in the tag. In an
untagged frame, the VLAN is the Port VLAN ID specified for the port
that received this frame. When disabled, all frames are forwarded in
accordance with the 802.1Q VLAN bridge specification. The factory
default is disabled.

Would you agree that Ingress Filtering on this switch appears to be
the feature that you're describing?

 but even so I still really want to physically isolate unfirewalled
 network strands just in case!

Point taken, from you and Chris as well. I should be able to get my
hands on a used Cisco 3550 in the next few months to accomplish this.
In the mean time I'm going to use this opportunity to learn the
functions of my switch and improve my security practices. At this
point I trust the small number of users on my OPT interfaces, however
that will change.

Thanks for the feedback.

db




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread David Newman
On 8/5/10 8:13 AM, David Burgess wrote:
 Paul,
 
 I understand your post up to this point:
 
 if the switch's ports are set so that connected devices can't cause them
 to flip from untagged to tagged mode (in cisco speak from access to
 trunk - switchport nonegotiate)
 
 I'm looking at the help file for my switch, and thinking this section
 is saying what you're saying:
 
 Ingress Filtering - When enabled, the frame is discarded if this port
 is not a member of the VLAN with which this frame is associated. In a
 tagged frame, the VLAN is identified by the VLAN ID in the tag. In an
 untagged frame, the VLAN is the Port VLAN ID specified for the port
 that received this frame. When disabled, all frames are forwarded in
 accordance with the 802.1Q VLAN bridge specification. The factory
 default is disabled.

The switchport nonegotiate command has a different meaning in the
context of Cisco Catalyst switches: It disables the use of Dynamic
Trunking Protocol, a proprietary means of determining whether two
switches will use trunking (tagged frames) to carry traffic between
them. There may be exceptions, but DTP generally won't work between a
Cisco and a non-Cisco device, or between two non-Cisco devices.

Here's a sample reference from the Catalyst 3560 docs:

http://is.gd/e4mFq

dn
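
Three of the items on Paul's checklist (no IP address on an untrusted VLAN, management reachable only over SSH and limited by an access list, and ports that cannot negotiate a trunk, which is the DTP point David makes about 'switchport nonegotiate') can be checked mechanically against a switch config. The script below is an added example, not code from the thread or from Cisco; it audits a constructed IOS-style config excerpt, and the VLAN numbers, interface names and the MGMT access-class name are assumptions made for the demonstration.

```python
import re

# The eight DSL VLANs of this constructed example; every other VLAN is
# treated as internal. Adjust to the real topology.
UNTRUSTED_VLANS = set(range(10, 18))

# Constructed IOS-style running-config excerpt, not from a real device.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 203.0.113.2 255.255.255.0
!
interface FastEthernet0/1
 description DSL modem 1 (hardened)
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 description DSL modem 2 (still negotiates)
 switchport access vlan 11
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 description trunk to pfSense
 switchport mode trunk
!
line vty 0 4
 transport input ssh
 access-class MGMT in
line vty 5 15
 transport input telnet ssh
"""


def parse_blocks(text):
    """Split into (header, [sub-commands]) blocks: a non-indented line starts
    a block, indented lines belong to it, '!' or a blank line ends it."""
    blocks, current = [], None
    for raw in text.splitlines():
        if raw.startswith("!") or not raw.strip():
            current = None
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def mgmt_ip_on_untrusted_vlan(blocks, untrusted=UNTRUSTED_VLANS):
    """SVIs that carry an IP address on a VLAN with unfiltered traffic."""
    hits = []
    for header, lines in blocks:
        m = re.match(r"interface Vlan(\d+)$", header)
        if m and int(m.group(1)) in untrusted and any(
                l.startswith("ip address ") for l in lines):
            hits.append(header)
    return hits


def negotiable_ports(blocks):
    """Physical ports that can still be talked into a trunk over DTP: the mode
    must be explicitly access or trunk *and* 'switchport nonegotiate' present."""
    hits = []
    for header, lines in blocks:
        if not re.match(r"interface (Fast|Gigabit)Ethernet", header):
            continue
        mode = next((l for l in lines if l.startswith("switchport mode ")), "")
        if (mode not in ("switchport mode access", "switchport mode trunk")
                or "switchport nonegotiate" not in lines):
            hits.append(header)
    return hits


def weak_vty_lines(blocks):
    """Management lines that are not SSH-only or have no access-class."""
    return [header for header, lines in blocks
            if header.startswith("line vty")
            and not ("transport input ssh" in lines
                     and any(l.startswith("access-class ") for l in lines))]


def audit(text, untrusted=UNTRUSTED_VLANS):
    blocks = parse_blocks(text)
    return {
        "mgmt_ip_on_untrusted_vlan": mgmt_ip_on_untrusted_vlan(blocks, untrusted),
        "negotiable_ports": negotiable_ports(blocks),
        "weak_vty_lines": weak_vty_lines(blocks),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {hits or 'ok'}")
```

The trunk check is deliberately strict: a manually configured trunk still answers DTP unless nonegotiate is set, so it is flagged too.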





RE: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Adam Thompson
Comments from another perspective on the must/should question:

Best practice says to physically segregate networks by trust level and by 
impact of error or breach.

Somewhat self-evidently, this is to mitigate the impact of a) errors, and 
b) security breaches.  Of the two, errors (i.e. human errors) are by far 
the more common problem.

If you have a separate NIC for each network coming in to your firewall, 
the cables are well-identified, the ports are well-identified, and the 
other endpoint of those cables is also well-identified, it's much harder 
to accidentally expose high-trust traffic to a low-trust network. 
Specifically, it's far likelier that someone will notice that the cable 
they're holding has an AT&T tag on it but the port they're about to plug 
it into has a PacBell label over it.

When you use a switch and VLANs to segregate traffic, you have to worry 
about things like: in a pathological power situation (lightning strike, 
UPS blows up, whatever) if the switch is suddenly reset to factory 
defaults - and I've seen this happen - what will happen?  Every port gets 
reset to VLAN 1 with no filtering, and all your traffic is suddenly being 
propagated to every network segment.

Maybe you're thinking big deal, but now consider the fairly-typical WAN 
situation where you're running routing protocols across WAN links, say 
RIPv2 without authentication (because you trust all the networks involved, 
right?  It's a point-to-point link, right?).  Your network topology 
suddenly collapses and takes [fixing or unplugging]+2hrs to reconverge.

Or the situation I once found: two smallish WAN providers both (stupidly) 
left STP turned on at the edge... when they were suddenly bridged together 
(by accident, I made a typo when setting up the VLANs) I managed to take 
down most of both providers' networks, and typical of STP both were down 
for time to figure out what I did and fix it+5 minutes.  Obviously I 
wasn't happy, and when we all figured out what had happened they weren't 
very happy with me, either.

As to security breaches, it is extremely difficult to a) know about the 
switch, b) target the switch, and c) hack the switch, but it's 
*infinitely* harder to hack a piece of Cat5 cable than a switch!

Having said all that, many of the firewall modules/blades you can buy for 
chassis-based routers and switches (Cisco 3600 ISR, Catalyst 1, 
Juniper [something], etc.) require you to configure their ports entirely 
using VLANs anyway.

So it's hardly a universal must, certainly not in the technical sense - 
it's a very, very strong should that you should only disregard if a) 
you're overconfident of your own abilities, b) you have no truly private 
data, c) you don't care too much about pissing off your WAN providers (or 
you know they won't even notice!), and d) you don't have enough space to 
mount one or two more switches in the server closet.

Note also that you might be tempted to use 802.1q-over-802.3ad 
(VLAN-over-LAG), which does work... but also generally speaking turns off 
a lot of the hardware acceleration your NIC can do for you.  Many NICs 
(certainly any half-decent one!) can still do IP offload with 802.1q (VLAN 
tagging), but I haven't run into any that can still do IP offload with 
802.3ad (link aggregation, aka bonding, or etherchannel).  Bundling 
links together (LAG) actually slowed my router down instead of speeding it 
up.

Another aspect is that if you're going to run your router in a blade 
chassis, say, (virtualized or not) you really won't have much choice but 
to use VLANs for everything - most blade chassis don't give you dedicated 
physical Ethernet ports, certainly not more than two on any I've seen. 
Most of 'em have an embedded NIC (or two, or four...) that plug straight 
into a backplane and are only exposed via a switch module.

(I am also noticing that pfSense 1.2.3 does not have good performance (for 
me, at least) forwarding traffic between virtual switches on a VMWare 
ESXi 4 host connected to the switch through a 4x V-in-LAG trunk.  I 
haven't had time to isolate the problem yet, although I observed slightly 
better performance when I let VMWare handle the VLAN tagging instead of 
pfSense (i.e. created 4 untagged virtual e1000 NICs instead of 1 tagged 
vnic).  Performance only seems affected if either ingress or egress 
traffic is local to the ESXi host, I see more-or-less normal performance 
if both src and dst are off-host.)

-Adam Thompson
 athom...@athompso.net







Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Bao Ha
Just want to throw another data point into this confusing discussion.

The low-end Cisco ASA 5505 requires VLAN configuration since it is
just a switch.

The Cisco ASA 5510 has four Ethernet ports. If you need more, just use VLAN.

Perhaps, Cisco is expecting a firewalled network to use managed
switches. Is it best practice? Why is there a resistance to VLAN in
the pfSense community?

I had somebody ask about a pfSense router with at least ten ports and the
ability to add more as needed. He wants to provide Internet to a
building but wants each tenant to be on a separate network. I asked
why doesn't he just use a managed switch and trunk everybody to the
router?

I sold a Cisco Catalyst 3500XL with 48 Fast Ethernet ports for $35 a
couple of months ago on eBay. I don't think cost is the issue.

Bao

On Thu, Aug 5, 2010 at 10:08 AM, Adam Thompson athom...@c3a.ca wrote:
 Comments from another perspective on the must/should question:


RE: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Adam Thompson
 The low-end Cisco ASA 5505 requires VLAN configuration since it is
 just a switch.
 The Cisco ASA 5510 has four Ethernet ports. If you need more, just
 use VLAN.
 Perhaps, Cisco is expecting a firewalled network to use managed
 switches. Is it best practice? Why is there a resistance to VLAN in
 the pfSense community?

You'll note that the *switch* vendors are generally the ones pushing VLANs 
on firewalls: I don't think this is a coincidence.  Of course, every major 
firewall vendor does support VLANs now, and most also support LAGs, 
because many people do use them.

I wouldn't say I put up any resistance to VLANs, nor anything I've seen 
in this thread.  It's just that experience has shown many of us (me, 
anyway) that implementing VLANs adds another layer of complexity. 
VLAN-on-LAG adds another layer on top of that.  Every additional layer we 
have to work with increases the possibility of making errors.  (In my 
experience, the occurrence of errors roughly doubles with each layer 
added.)  And in what is usually the most secure device on the network - 
the firewall - you don't want to make errors.  Especially when, more often 
than not, the firewall is the *only* secure device on the network!

As I indicated in my post, using VLANs allows for new and (*cough*) 
interesting failure modes that you just don't have to deal with otherwise.

Note that I do use VLANs and will continue to do so.  The largest network 
I've designed (for a regional ISP) trunks over 100 different VLANs back to 
the core, and there's a Cisco 7206 with 100 subifs managing it all quite 
happily, even their two upstream pipes are trunked in on VLANs, and 
internal and external networks share the same wire in many places, 
separated only by tags.

Most of my firewall deployments do use VLANs; one must be much more 
careful when doing so.  I have encountered (and caused!) problems that 
would not have occurred in a non-VLAN environment.

So if you don't *need* VLANs, don't use them.  If you *need* VLANs, go 
ahead and use them.  Just like any other technology.


 I sold a Cisco Catalyst 3500XL with 48 Fast Ethernet ports for $35
 a couple of months ago on eBay. I don't think cost is the issue.

I agree.  Chris also pointed this out a few posts ago.

Although it could be argued that GigE smart switches still aren't 
negligibly cheap: I think the cheapest one I can get in Canada is around 
$300.  Still not very expensive, especially compared to the firewall 
hardware I'd need to actually route data at over 100Mbps.

-Adam







Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Chris Buechler
On Thu, Aug 5, 2010 at 1:25 PM, Bao Ha b...@hacom.net wrote:

 Perhaps, Cisco is expecting a firewalled network to use managed
 switches. Is it best practice? Why is there a resistance to VLAN in
 the pfSense community?


I don't think anyone in this thread is expressing resistance to VLANs
in general, not me at least. Every network that runs this project uses
VLANs in some fashion. None of them combine unfiltered Internet
traffic on the same switch as networks behind the firewall though.
That's the only point I'm trying to get across here. If you're putting
unfiltered Internet traffic on the same switch as your internal
networks, it's a simple fat finger to drop that traffic into your LAN.
It's much harder to plug something into the wrong place inadvertently,
and if you do, it's not going to work as expected, where a VLAN
misconfiguration could put a port into both the unfiltered Internet
segment and the LAN segment, so you may not notice.


 I had somebody asked about at least ten port pfSense router with
 ability adding more as needed. He wants to provide Internet to a
 building but wants each tenant to be on a separate network. I asked
 why doesn't he just use a managed switch and trunk everybody to the
 router?


That's a good solution, exactly what we've done a number of times for
similar scenarios, there are production setups like that running more
than 100 VLANs on a box (and I did a proof of concept with 4000 VLANs
assigned. you'll want 2.0 for 100+, 1.2.x is way too slow in
processing interfaces). Everyone in their own VLAN, so if they're
infected by some ARP poisoning tool, or plug their router in backwards
adding a rogue DHCP server, etc. they can't impact anyone else.
Depending on your switches there are other options like PVLANs, DHCP
snooping, etc. Generally with lower end managed switches your only
option is one VLAN per port, and that works fine.




Re: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread David Burgess
On Thu, Aug 5, 2010 at 9:20 PM, Chris Buechler cbuech...@gmail.com wrote:

 it's a simple fat finger to drop that traffic into your LAN.

That's poetry.

db




[pfSense Support] multi-wan, multi-lan security

2010-08-04 Thread David Burgess
I've been running the 2.0 betas for a few months and I'm quite happy
with it. Some network and hardware upgrades present me with a few
questions, and maybe I'm overthinking it, but I thought I would ask
the opinion of the wise ones.

I'm running mlppp and it works beautifully. For the last 2-3 months
it's been just 2 DSL connections, so they each got a dedicated NIC on
the net5501. Now I'm upsizing significantly to 8 DSL lines, and since
there's no reasonable way of getting enough physical ports into the
5501, I'm obviously forced to use vlans to get all the DSL and LAN
connections up. I have a single smart switch with vlan capability, but
a second smart switch is not in the budget at the moment. Therefore,
my DSL and LAN ports will be on the same switch, different vlans. This
brings me to my first question.

1. Given that
-nobody but me has physical access to pfsense or its connected switch,
-nobody outside my immediate family will have access to the
management vlan of the switch,
-nobody but me will have access to the web UI or console of pfsense,
-WAN packets will be split across 8 DSL connections,
what are my risks? I know it has been said on this list that WAN and
LAN should be physically separated. At what point does 'should' become
'must'?

Next, I have decided to replace the net5501 with a dual-Atom board
(the Supermicro X7SPA of legend), which has 2 Intel GBE NICs*. Next
question.

2. Given that
-my WAN and LAN interfaces will coexist on a single switch,
separated only by vlans,
-my total throughput will be well below 1 gbps,
-I have switch ports to spare,
is there any advantage or disadvantage to using either one or both
physical NICs on pfsense? Do I gain any security by running the mlppp
member vlans on one physical NIC and the LAN/OPT vlans on the second
physical NIC? Would I save any power by parenting all the vlans on a
single physical NIC and leaving the other one (and another switch
port) unplugged? Am I splitting hairs on this one?

Thanks for your thoughts. I'm very grateful for the quality of the
pfsense product, and for the unequalled body of expertise on this
list. I considered posting this on a networking-specific forum, but
I'm not convinced there is one quarter the talent hanging out there.

db

*I'm a little disappointed to retire the 5501 from firewall duty so
soon. I chose it over other embedded hardware specifically for its
advantage in RAM and number of NICs, but my needs grew rapidly and
before I ever really got to load it up I found myself needing more
ports and faster storage. Ah well, I think it may still make a good
monitoring tool and perhaps pbx and/or seedbox.




Re: [pfSense Support] Multi-Wan Question

2009-10-08 Thread Paul Mansfield

On 08/10/09 02:13, Anil Garg wrote:

Will something like this work and be secure enough.


no.





Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-28 Thread Chris Buechler
On Wed, Mar 25, 2009 at 10:07 PM, Alexsander Loula alex.lo...@gmail.com wrote:
 This is my config:


You're missing a static route for a DNS server on your second WAN,
assuming you use the DNS forwarder on pfSense. You may be using a
monitor IP that doesn't reliably respond to pings when the connection
is up. Your LAN rules route all TCP to the load balancing pool and
every other protocol out WAN2, which may not be your intention. Your
last LAN rule doesn't do anything because it'll never be hit. Your
balance and failover pools are fine.

I don't see any issues other than that. If you're more specific about
how you're testing and what you're seeing, maybe something will be
apparent.
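
Two of the problems Chris lists, a pool with no monitor IP and a LAN rule that can never be hit, can be spotted by reading config.xml directly. This is an added example, not pfSense's own code: the config fragment is constructed with documentation-range addresses and uses the element names of pfSense 1.2.x config.xml (filter/rule, load_balancer/lbpool, monitorip, gateway); the rule-shadowing check is deliberately conservative and only treats 'any' or an identical value as a superset.

```python
import xml.etree.ElementTree as ET

# Constructed pfSense 1.2.x style config fragment (documentation-range
# addresses, not a real site). It reproduces the two mistakes at issue.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>LAN TCP via balanced pool</descr><gateway>LoadBalance</gateway>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>everything else out WAN2</descr><gateway>opt1</gateway>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>udp</protocol>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>LAN UDP via failover pool</descr><gateway>WANFailsToWAN2</gateway>
    </rule>
  </filter>
  <load_balancer>
    <lbpool>
      <type>gateway</type><behaviour>failover</behaviour>
      <monitorip>203.0.113.1</monitorip><name>LoadBalance</name>
      <servers>wan|203.0.113.1</servers><servers>opt1|198.51.100.1</servers>
    </lbpool>
    <lbpool>
      <type>gateway</type><behaviour>failover</behaviour>
      <monitorip/><name>WANFailsToWAN2</name>
      <servers>opt1|198.51.100.1</servers><servers>wan|203.0.113.1</servers>
    </lbpool>
  </load_balancer>
</pfsense>"""


def _endpoint(elem):
    """Normalise a <source>/<destination> element to a comparable token."""
    if elem is None or elem.find("any") is not None:
        return "any"
    for tag in ("network", "address"):
        value = elem.findtext(tag)
        if value:
            return f"{tag}:{value}"
    return "any"  # an empty endpoint behaves like any


def parse_rules(root):
    """Flatten every <rule> into the fields that decide whether it matches."""
    return [{
        "descr": r.findtext("descr") or "",
        "interface": r.findtext("interface") or "",
        "proto": r.findtext("protocol") or "any",
        "src": _endpoint(r.find("source")),
        "dst": _endpoint(r.find("destination")),
    } for r in root.iter("rule")]


def _covers(a, b):
    # Conservative superset test: 'any' covers everything, else require equality.
    return a == "any" or a == b


def shadowed_rules(rules):
    """Rules are first-match: return (dead rule, earlier rule) pairs where an
    earlier rule on the same interface already matches everything the later
    one matches, so the later one is never hit."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["interface"] == later["interface"]
                    and _covers(earlier["proto"], later["proto"])
                    and _covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])):
                dead.append((later["descr"], earlier["descr"]))
                break
    return dead


def pools_without_monitor(root):
    """Gateway pools with an empty <monitorip> cannot tell that a WAN is down."""
    return [p.findtext("name") or "?" for p in root.iter("lbpool")
            if not (p.findtext("monitorip") or "").strip()]


def lint(xml_text):
    root = ET.fromstring(xml_text)
    return {"shadowed": shadowed_rules(parse_rules(root)),
            "unmonitored": pools_without_monitor(root)}


if __name__ == "__main__":
    for finding, items in lint(SAMPLE_CONFIG).items():
        print(f"{finding}: {items or 'none'}")
```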




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-26 Thread Veiko Kukk

Chris Buechler wrote:

Works fine, I've setup a number of boxes like that.  You have
something setup wrong.


Like what? What is your exact setup like?




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-26 Thread Alexsander Loula
Hi Chuck,

I'll try these suggestions this weekend. I'll let you know the results.

Thanks,
Alex

2009/3/26 Chuck Mariotti cmario...@xunity.com

  Alex, as I said before, I am not an expert on this and I’m not one to
 look at XML config files. I am not completely convinced I have this working
 100%... but I’ll try to contribute.



 <dnsallowoverride/> is something I disabled on my config, so that the DNS
 entries I specified are not taken over by the DHCP on WAN. Try to write down
 some test IP addresses that are public that you can PING so that you try to
 see if your connections/failover are working WITHOUT letting DNS get in the
 way. I found DNS got in the way of trying to get things working first on an
 IP level.



 The RULES you specify need to be in a certain order, refer back to your
 install document, it should say something about the order the rules are to
 appear in the chart (top down). Here are my RULES from my config:

 <filter>
   <rule>
     <type>pass</type>
     <interface>lan</interface>
     <max-src-nodes/>
     <max-src-states/>
     <statetimeout/>
     <statetype>keep state</statetype>
     <os/>
     <source>
       <network>lan</network>
     </source>
     <destination>
       <address>192.168.1.0/24</address>
     </destination>
     <log/>
     <descr>Make sure that DMZ1 traffic goes to the right interf</descr>
   </rule>
   <rule>
     <type>pass</type>
     <interface>lan</interface>
     <max-src-nodes/>
     <max-src-states/>
     <statetimeout/>
     <statetype>keep state</statetype>
     <os/>
     <source>
       <network>lan</network>
     </source>
     <destination>
       <network>opt1</network>
     </destination>
     <descr>Make sure DMZ2 traffic goes to WAN2</descr>
     <gateway>opt1</gateway>
   </rule>
   <rule>
     <type>pass</type>
     <interface>lan</interface>
     <max-src-nodes/>
     <max-src-states/>
     <statetimeout/>
     <statetype>keep state</statetype>
     <os/>
     <source>
       <network>lan</network>
     </source>
     <destination>
       <any/>
     </destination>
     <descr>Default LAN - any via LoadBlanced WAN</descr>
     <gateway>LoadBalance</gateway>
   </rule>
   <rule>
     <type>pass</type>
     <interface>pptp</interface>
     <max-src-nodes/>
     <max-src-states/>
     <statetimeout/>
     <statetype>keep state</statetype>
     <os/>
     <source>
       <any/>
     </source>
     <destination>
       <network>lan</network>
     </destination>
     <descr/>
   </rule>
 </filter>





 HERE IS MY LOAD BALANCE STATEMENT – It appears that you do not have a
 monitorIP entry for each. I think it uses these to ping the monitor IP
 addresses to verify that the WAN / WAN2 links are up and running. If not, it
 fails over. In other words, if there is no response, it assumes the WAN link
 is down.



 <load_balancer>
   <lbpool>
     <type>gateway</type>
     <behaviour>failover</behaviour>
     <monitorip>67.69.184.7</monitorip>
     <name>LoadBalance</name>
     <desc>Round robin load balancing</desc>
     <port/>
     <servers>wan|67.69.184.199</servers>
     <servers>opt1|67.69.184.7</servers>
     <monitor/>
   </lbpool>
   <lbpool>
     <type>gateway</type>
     <behaviour>failover</behaviour>
     <monitorip/>
     <name>WANFailsToWAN2</name>
     <desc>WAN2 preferred when WAN fails</desc>
     <port/>
     <servers>opt1|67.69.184.7</servers>
     <servers>wan|67.69.184.199</servers>
     <monitor/>
   </lbpool>
   <lbpool>
     <type>gateway</type>
     <behaviour>failover</behaviour>
     <monitorip>67.69.184.7</monitorip>
     <name>WAN2FailsToWAN</name>
     <desc>WAN preferred when WAN2 fails</desc>
     <port/>
     <servers>wan|67.69.184.199</servers>
     <servers>opt1|67.69.184.7</servers>
     <monitor/>
   </lbpool>
 </load_balancer>



 Are you able to get RED/GREEN/YELLOW entries when viewing Loadbalancing
 under the Status menu? It should look something like this:

 Name            Type                Gateways  Status                                     Description
 LoadBalance     gateway (failover)  wan       Offline  Last change Mar 25 2009 19:21:53  Round robin load balancing
                                     opt1      Online   Last change Mar 25 2009 19:21:53
 WANFailsToWAN2  gateway (failover)  opt1      Online   Last change Mar 25 2009 19:21:53  WAN2 preferred when WAN fails
                                     wan       Offline  Last change Mar 25 2009 19:21:53
 WAN2FailsToWAN  gateway (failover)  wan       Offline  Last change Mar 25 2009 19:21:53  WAN preferred when WAN2 fails
                                     opt1      Online   Last change Mar 25 2009 19:21:53



 In this case, my MAIN WAN link is down (unplugged in fact).



 Let me know how it goes for you.


 Regards,

 Chuck





 *From:* Alexsander Loula [mailto:alex.lo...@gmail.com]
 *Sent:* Wednesday, March 25, 2009 10:08 PM
 *To:* support@pfsense.com
 *Subject:* Re: [pfSense Support] Multi-WAN with Fail Over



 This is my config:

  2009/3/25 Chris Buechler c...@pfsense.org

 On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula alex.lo...@gmail.com
 wrote:
 
  Could you please share your XML config?
 

 The boxes don't belong to me, they're those of various support
 customers, so no I can't. If you post yours maybe someone will tell
 you what's wrong.



Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Robert Mortimer



The DNS should switch over with the fail

BUT if you use an ISP DNS server then it may not be available from an IP
address that does not belong to the ISP. If your second link is not with the
same ISP (a good idea for redundancy) then you will have to look at DNS that can
be reached from both networks.

Free ones exist but they tend to pay for themselves using a search page to
replace the Not Found when a name is incorrectly typed by a user.

Alternatively you can name both ISP servers (and add a static route for the
backup DNS server so it is always seen while the link is up, or you may get some
performance issues).

Or you can run your own DNS and do the lookup yourself!

Rob





- Original Message - 
From: Alexsander Loula alex.lo...@gmail.com 
To: support@pfsense.com 
Sent: Tuesday, 24 March, 2009 12:20:52 GMT +00:00 GMT Britain, Ireland, 
Portugal 
Subject: Re: [pfSense Support] Multi-WAN with Fail Over 

I'll try to do it this night (GMT -3:00). 


2009/3/23 Chris Buechler  c...@pfsense.org  



On Mon, Mar 23, 2009 at 10:13 PM, Chuck Mariotti  cmario...@xunity.com  
wrote: 
 Alex, I share your pain. I’m not a pf guru, but I can’t seem to get this 
 working either… 
 
 
 
 I have managed to get the Load Balancer Status to turn Green/Yellow/Red as 
 expected when I unplug a connection. But the internet gets all wonky… as if 
 DNS isn’t working, old records seem to work, some pages take forever, etc... 
 

You have to add a static route to push one of the DNS servers over the 
second WAN. 








Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Veiko Kukk

Robert Mortimer wrote:
If you have two PF machines (One for each ADSL) you can use CARP to get 
the failover you require.


No, with two identical machines, using CARP for hardware failover, the 
dual WAN failover does not work with pfsense.


--
Veiko




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Alexsander Loula
I tried both suggestions (static route and opendns) without success. As I
can use a regular PC in this case, I'm using Endian community edition that
is working perfectly for WAN1 to WAN 2 failover.

I'll try to play a little more with pfSense because I'd like to have the
option to use embedded hardware as well.

Thanks anyway!

2009/3/25 Veiko Kukk veiko.k...@krediidipank.ee

 Robert Mortimer wrote:

 If you have two PF machines (One for each ADSL) you can use CARP to get
 the failover you require.


 No, with two identical machines, using CARP for hardware failover, the dual
 WAN failover does not work with pfsense.

 --

 Veiko





Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Chris Buechler
On Wed, Mar 25, 2009 at 5:26 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:

 No, with two identical machines, using CARP for hardware failover, the dual
 WAN failover does not work with pfsense.


Works fine, I've setup a number of boxes like that.  You have
something setup wrong.




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Alexsander Loula
Hi Chris,

Could you please share your XML config?

So I can check if I'm setting something wrong.

Tks,
Alex

2009/3/25 Chris Buechler c...@pfsense.org

 On Wed, Mar 25, 2009 at 5:26 AM, Veiko Kukk veiko.k...@krediidipank.ee
 wrote:
 
  No, with two identical machines, using CARP for hardware failover, the
 dual
  WAN failover does not work with pfsense.
 

 Works fine, I've setup a number of boxes like that.  You have
 something setup wrong.





Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Chris Buechler
On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula alex.lo...@gmail.com wrote:

 Could you please share your XML config?


The boxes don't belong to me, they're those of various support
customers, so no I can't. If you post yours maybe someone will tell
you what's wrong.




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Alexsander Loula
This is my config:


2009/3/25 Chris Buechler c...@pfsense.org

 On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula alex.lo...@gmail.com
 wrote:
 
  Could you please share your XML config?
 

 The boxes don't belong to me, they're those of various support
 customers, so no I can't. If you post yours maybe someone will tell
 you what's wrong.



<?xml version="1.0"?>
<pfsense>
	<version>3.0</version>
	<lastchange/>
	<theme>nervecenter</theme>
	<system>
		<optimization>normal</optimization>
		<hostname>pfsense</hostname>
		<domain>localdomain</domain>
		<username>admin</username>
		<password></password>
		<timezone>America/Sao_Paulo</timezone>
		<time-update-interval/>
		<timeservers>0.pfsense.pool.ntp.org</timeservers>
		<webgui>
			<protocol>http</protocol>
			<port/>
			<certificate/>
			<private-key/>
		</webgui>
		<disablenatreflection>yes</disablenatreflection>
		<afterfilterchangeshellcmd/>
		<dnsserver>201.6.0.115</dnsserver>
		<dnsserver>201.6.0.112</dnsserver>
		<dnsserver>200.169.116.22</dnsserver>
		<dnsserver>200.169.116.23</dnsserver>
		<ssh>
			<authorizedkeys/>
			<port/>
		</ssh>
		<sharednet/>
		<maximumstates/>
		<shapertype/>
	</system>
	<interfaces>
		<lan>
			<if>nfe0</if>
			<ipaddr>10.1.1.1</ipaddr>
			<subnet>24</subnet>
			<media/>
			<mediaopt/>
			<bandwidth>100</bandwidth>
			<bandwidthtype>Mb</bandwidthtype>
		</lan>
		<wan>
			<if>rl0</if>
			<mtu/>
			<ipaddr>dhcp</ipaddr>
			<subnet/>
			<gateway/>
			<disableftpproxy/>
			<dhcphostname/>
			<media/>
			<mediaopt/>
			<bandwidth>100</bandwidth>
			<bandwidthtype>Mb</bandwidthtype>
			<spoofmac/>
		</wan>
		<opt1>
			<if>rl1</if>
			<descr>WAN2</descr>
			<bridge/>
			<enable/>
			<ipaddr>dhcp</ipaddr>
			<spoofmac/>
			<mtu/>
			<dhcphostname/>
		</opt1>
	</interfaces>
	<staticroutes/>
	<pppoe>
		<username/>
		<password/>
		<provider/>
	</pppoe>
	<pptp>
		<username/>
		<password/>
		<local/>
		<subnet/>
		<remote/>
		<timeout/>
	</pptp>
	<bigpond>
		<username/>
		<password/>
		<authserver/>
		<authdomain/>
		<minheartbeatinterval/>
	</bigpond>
	<dyndns>
		<type>dyndns</type>
		<username>loula</username>
		<password>Truth2145&amp;*</password>
		<host>bigdogwall.homelinux.com</host>
		<mx/>
		<enable/>
	</dyndns>
	<dhcpd>
		<lan>
			<enable/>
			<range>
				<from>10.1.1.10</from>
				<to>10.1.1.245</to>
			</range>
		</lan>
	</dhcpd>
	<pptpd>
		<mode/>
		<redir/>
		<localip/>
		<remoteip/>
	</pptpd>
	<ovpn/>
	<dnsmasq>
		<enable/>
		<regdhcp/>
		<regdhcpstatic/>
	</dnsmasq>
	<snmpd>
		<syslocation/>
		<syscontact/>
		<rocommunity>public</rocommunity>
	</snmpd>
	<diag>
		<ipv6nat/>
	</diag>
	<bridge/>
	<syslog/>
	<nat>
		<ipsecpassthru>
			<enable/>
		</ipsecpassthru>
		<advancedoutbound>
			<rule>
				<source>
					<network>10.1.1.0/24</network>
				</source>
				<sourceport/>
				<descr>Auto created rule for LAN</descr>
				<target/>
				<interface>wan</interface>
				<destination>
					<any/>
				</destination>
				<natport/>
			</rule>
			<rule>
				<source>
					<network>10.1.1.0/24</network>
				</source>
				<sourceport/>
				<descr/>
				<target/>
				<interface>opt1</interface>
				<destination>
					<any/>
				</destination>
				<natport/>
				<dstport/>
			</rule>
		</advancedoutbound>
	</nat>
	<filter>
		<rule>
			<type>pass</type>
			<interface>lan</interface>
			<max-src-nodes/>
			<max-src-states/>
			<statetimeout/>
			<statetype>keep state</statetype>
			<os/>
			<protocol>tcp</protocol>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
			<descr/>
			<gateway>LoadBalance</gateway>
		</rule>
		<rule>
			<type>pass</type>
			<interface>lan</interface>
			<max-src-nodes/>
			<max-src-states/>
			<statetimeout/>
			<statetype>keep state</statetype>
			<os/>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
			<descr/>
			<gateway>opt1</gateway>
		</rule>
		<rule>
			<type>pass</type>
			<interface>lan</interface>
			<max-src-nodes/>
			<max-src-states/>
			<statetimeout/>
			<statetype>keep state</statetype>
			<os/>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
			<descr>Default LAN -&gt; any</descr>
		</rule>
	</filter>
	<shaper/>
	<ipsec>
		<preferredoldsa/>
	</ipsec>
	<aliases/>
	<proxyarp/>
	<cron>
		<item>
			<minute>0</minute>
			<hour>*</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/bin/nice -n20 newsyslog</command>
		</item>
		<item>
			<minute>1,31</minute>
			<hour>0-5</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/bin/nice -n20 adjkerntz -a</command>
		</item>
		<item>
			<minute>1</minute>
			<hour>3</hour>
			<mday>1</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
		</item>
		<item>
			<minute>*/60</minute>
			<hour>*</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
		</item>
		<item>
			<minute>1</minute>
			<hour>1</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
		</item>
		<item>
			<minute>*/60</minute>
			<hour>*</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/bin/nice -n20 

RE: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Chuck Mariotti
Alex, as I said before, I am not an expert on this and I'm not one to look at 
XML config files. I am not completely convinced I have this working 100%... but 
I'll try to contribute.

<dnsallowoverride/> is something I disabled on my config, so that the DNS 
entries I specified are not taken over by the DHCP on WAN. Try to write down 
some test IP addresses that are public that you can PING so that you try to see 
if your connections/failover are working WITHOUT letting DNS get in the way. I 
found DNS got in the way of trying to get things working first on an IP level.

The RULES you specify need to be in a certain order, refer back to your install 
document, it should say something about the order the rules are to appear in 
the chart (top down). Here are my RULES from my config:
<filter>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <max-src-nodes/>
    <max-src-states/>
    <statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <address>192.168.1.0/24</address>
    </destination>
    <log/>
    <descr>Make sure that DMZ1 traffic goes to the right interf</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <max-src-nodes/>
    <max-src-states/>
    <statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <network>opt1</network>
    </destination>
    <descr>Make sure DMZ2 traffic goes to WAN2</descr>
    <gateway>opt1</gateway>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <max-src-nodes/>
    <max-src-states/>
    <statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any/>
    </destination>
    <descr>Default LAN - any via LoadBlanced WAN</descr>
    <gateway>LoadBalance</gateway>
  </rule>
  <rule>
    <type>pass</type>
    <interface>pptp</interface>
    <max-src-nodes/>
    <max-src-states/>
    <statetimeout/>
    <statetype>keep state</statetype>
    <os/>
    <source>
      <any/>
    </source>
    <destination>
      <network>lan</network>
    </destination>
    <descr/>
  </rule>
</filter>


HERE IS MY LOAD BALANCE STATEMENT - It appears that you do not have a monitorIP 
entry for each. I think it uses these to ping the monitor IP addresses to 
verify that the WAN / WAN2 links are up and running. If not, it fails over. In 
other words, if there is no response, it assumes the WAN link is down.

<load_balancer>
  <lbpool>
    <type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip>67.69.184.7</monitorip>
    <name>LoadBalance</name>
    <desc>Round robin load balancing</desc>
    <port/>
    <servers>wan|67.69.184.199</servers>
    <servers>opt1|67.69.184.7</servers>
    <monitor/>
  </lbpool>
  <lbpool>
    <type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip/>
    <name>WANFailsToWAN2</name>
    <desc>WAN2 preferred when WAN fails</desc>
    <port/>
    <servers>opt1|67.69.184.7</servers>
    <servers>wan|67.69.184.199</servers>
    <monitor/>
  </lbpool>
  <lbpool>
    <type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip>67.69.184.7</monitorip>
    <name>WAN2FailsToWAN</name>
    <desc>WAN preferred when WAN2 fails</desc>
    <port/>
    <servers>wan|67.69.184.199</servers>
    <servers>opt1|67.69.184.7</servers>
    <monitor/>
  </lbpool>
</load_balancer>

Are you able to get RED/GREEN/YELLOW entries when viewing Loadbalancing under 
the Status menu? It should look something like this:
Name            Type                Gateways  Status                                     Description
LoadBalance     gateway (failover)  wan       Offline  Last change Mar 25 2009 19:21:53  Round robin load balancing
                                    opt1      Online   Last change Mar 25 2009 19:21:53
WANFailsToWAN2  gateway (failover)  opt1      Online   Last change Mar 25 2009 19:21:53  WAN2 preferred when WAN fails
                                    wan       Offline  Last change Mar 25 2009 19:21:53
WAN2FailsToWAN  gateway (failover)  wan       Offline  Last change Mar 25 2009 19:21:53  WAN preferred when WAN2 fails
                                    opt1      Online   Last change Mar 25 2009 19:21:53


In this case, my MAIN WAN link is down (unplugged in fact).

Let me know how it goes for you.

Regards,

Chuck


From: Alexsander Loula [mailto:alex.lo...@gmail.com]
Sent: Wednesday, March 25, 2009 10:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multi-WAN with Fail Over

This is my config:

2009/3/25 Chris Buechler c...@pfsense.orgmailto:c...@pfsense.org
On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula 
alex.lo...@gmail.commailto:alex.lo...@gmail.com wrote:

 Could you please share your XML config?

The boxes don't belong to me, they're those of various support
customers, so no I can't. If you post yours maybe someone will tell
you what's wrong.

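Two of Chuck's points above, a monitor IP on every pool and rule order with the catch-all policy-routing rule last, can be checked mechanically against a config.xml backup. The script below is an added example, not pfSense code and not from the thread; the sample config, pool and rule names in it are constructed from the posted snippets, and the note on 1.2 monitor-IP behaviour is taken from what the posters describe rather than from pfSense source.

```python
"""Audit a pfSense 1.2-style config.xml for the multi-WAN failover pitfalls
raised in this thread: gateway pools with no monitor IP, rules that name a
gateway that is neither a pool nor an interface, and a catch-all
policy-routing rule placed above the rules that keep local/DMZ traffic
off the WAN gateways."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real config: pools and rules modelled on the ones
# posted in the thread, with the mistakes deliberately present.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces><lan/><wan/><opt1/></interfaces>
  <load_balancer>
    <lbpool>
      <type>gateway</type><behaviour>failover</behaviour>
      <monitorip>67.69.184.7</monitorip><name>LoadBalance</name>
      <servers>wan|67.69.184.199</servers><servers>opt1|67.69.184.7</servers>
    </lbpool>
    <lbpool>
      <type>gateway</type><behaviour>failover</behaviour>
      <monitorip/><name>WANFailsToWAN2</name>
      <servers>opt1|67.69.184.7</servers><servers>wan|67.69.184.199</servers>
    </lbpool>
  </load_balancer>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default LAN - any via LoadBalance</descr><gateway>LoadBalance</gateway>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><address>192.168.1.0/24</address></destination>
      <descr>DMZ1 traffic stays local</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>typo in pool name</descr><gateway>LoadBalanse</gateway>
    </rule>
  </filter>
</pfsense>
"""


def check_pools(root):
    """One finding per gateway pool that cannot detect a dead link.
    As described in the thread, the monitor IP is what gets pinged to decide
    whether a gateway is up; with none set the pool never fails over."""
    findings = []
    for pool in root.iterfind("./load_balancer/lbpool"):
        if pool.findtext("type") != "gateway":
            continue
        name = pool.findtext("name", "")
        if not (pool.findtext("monitorip") or "").strip():
            findings.append(f"pool {name}: no monitorip, link failure is never detected")
        if len(pool.findall("servers")) < 2:
            findings.append(f"pool {name}: fewer than two gateways, nothing to fail over to")
    return findings


def check_rules(root):
    """Flag unknown gateway names and rules shadowed by an earlier catch-all.
    pfSense emits 'quick' rules, so the first match wins: a LAN rule with
    destination 'any' and a gateway set makes every later LAN rule dead."""
    findings = []
    pools = {p.findtext("name") for p in root.iterfind("./load_balancer/lbpool")}
    ifaces_el = root.find("interfaces")
    ifaces = {i.tag for i in ifaces_el} if ifaces_el is not None else set()
    catchall = {}  # interface -> index of its first catch-all policy-routing rule
    for idx, rule in enumerate(root.iterfind("./filter/rule")):
        iface = rule.findtext("interface", "")
        gw = (rule.findtext("gateway") or "").strip()
        descr = rule.findtext("descr") or "(no descr)"
        if gw and gw not in pools and gw not in ifaces:
            findings.append(f"rule {idx} ({descr}): gateway '{gw}' is not a pool or interface")
        if iface in catchall:
            findings.append(f"rule {idx} ({descr}): shadowed by catch-all rule {catchall[iface]} on {iface}")
        elif gw and rule.find("destination/any") is not None:
            catchall[iface] = idx
    return findings


def audit(config_xml):
    """Parse a config.xml string and return every finding as a list of strings."""
    root = ET.fromstring(config_xml)
    return check_pools(root) + check_rules(root)


if __name__ == "__main__":
    # Pass a path to a real config.xml backup, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text):
        print(finding)
```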



Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-24 Thread Alexsander Loula
I'll try to do it this night (GMT -3:00).

2009/3/23 Chris Buechler c...@pfsense.org

 On Mon, Mar 23, 2009 at 10:13 PM, Chuck Mariotti cmario...@xunity.com
 wrote:
  Alex, I share your pain. I’m not a pf guru, but I can’t seem to get this
  working either…
 
 
 
  I have managed to get the Load Balancer Status to turn Green/Yellow/Red
 as
  expected when I unplug a connection. But the internet gets all wonky… as
 if
  DNS isn’t working, old records seem to work, some pages take forever,
 etc...
 

 You have to add a static route to push one of the DNS servers over the
 second WAN.





[pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Alexsander Loula
Hi Folks,

I have 2 WAN's (WAN1 - production and WAN2 - backup) and I need to set them
as fail over (when WAN1 goes down WAN2 takes the traffic and when WAN1 goes
up again it will take the traffic). Both are DHCP.
I have followed this procedure in 2 machines (PC and WRAP) without success:
http://doc.pfsense.org/index.php/MultiWanVersion1.2
I did several tests changing mainly the Load Balance and Firewall
(NAT/Rules) services with no success. It's very intermittent even doing the
3 pools that's not my case. Sometimes it works mainly when the Load Balance
status indicators are green and sometimes does not work when the indicators
are yellow.
Actually I don't want to have the load balance between WAN1 and WAN2, only
the fail over from WAN1 to WAN2.

Is someone doing it successfully?

Best Regards,
Alex


Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Gary Buckmaster

Alexsander Loula wrote:

Hi Folks,

I have 2 WAN's (WAN1 - production and WAN2 - backup) and I need to set 
them as fail over (when WAN1 goes down WAN2 takes the traffic and when 
WAN1 goes up again it will take the traffic). Both are DHCP.
I have followed this procedure in 2 machines (PC and WRAP) without 
success: http://doc.pfsense.org/index.php/MultiWanVersion1.2
I did several tests changing mainly the Load Balance and Firewall 
(NAT/Rules) services with no success. It's very intermittent even 
doing the 3 pools that's not my case. Sometimes it works mainly when 
the Load Balance status indicators are green and sometimes does not 
work when the indicators are yellow.
Actually I don't want to have the load balance between WAN1 and WAN2, 
only the fail over from WAN1 to WAN2.


Is someone doing it successfully?

Best Regards,
Alex
Many people are doing this successfully.  If you have your WAN 
interfaces load balancing, then it means you have your pool configured 
for load balancing.  Change the behavior to failover. 






Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Veiko Kukk

Alexsander Loula wrote:

Hi Folks,

I have 2 WAN's (WAN1 - production and WAN2 - backup) and I need to set 
them as fail over (when WAN1 goes down WAN2 takes the traffic and when 
WAN1 goes up again it will take the traffic). Both are DHCP.


Do you have a dual router setup or are those WAN's connected to the same 
machine? If you have a dual router setup, then WAN failover won't work for 
you. I have tested it extensively with no luck of any combination. 
Single machine dual WAN failover works.


veiko




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Robert Mortimer



If you have two PF machines (One for each ADSL) you can use CARP to get the 
failover you require. 



Otherwise failover between two WANs on the same Pf machine is covered in the 
load balancing. 



Rob 

- Original Message - 
From: Veiko Kukk veiko.k...@krediidipank.ee 
To: support@pfsense.com 
Sent: Monday, 23 March, 2009 14:30:28 GMT +00:00 GMT Britain, Ireland, Portugal 
Subject: Re: [pfSense Support] Multi-WAN with Fail Over 

Alexsander Loula wrote: 
 Hi Folks, 
 
 I have 2 WAN's (WAN1 - production and WAN2 - backup) and I need to set 
 them as fail over (when WAN1 goes down WAN2 takes the traffic and when 
 WAN1 goes up again it will take the traffic). Both are DHCP. 

Do you have a dual router setup or are those WAN's connected to the same 
machine? If you have a dual router setup, then WAN failover won't work for 
you. I have tested it extensively with no luck of any combination. 
Single machine dual WAN failover works. 

veiko 




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Alexsander Loula
This is my current setup:

I'm not using CARP, only the Load Balance service (pools).

2009/3/23 Robert Mortimer rmorti...@bluechiptechnology.co.uk

 If you have two PF machines (One for each ADSL) you can use CARP to get the
 failover you require.



 Otherwise failover between two WANs on the same Pf machine is covered in the
 load balancing.



 Rob

 - Original Message -
 From: Veiko Kukk veiko.k...@krediidipank.ee
 To: support@pfsense.com
 Sent: Monday, 23 March, 2009 14:30:28 GMT +00:00 GMT Britain, Ireland,
 Portugal
 Subject: Re: [pfSense Support] Multi-WAN with Fail Over

 Alexsander Loula wrote:
  Hi Folks,
 
  I have 2 WAN's (WAN1 - production and WAN2 - backup) and I need to set
  them as fail over (when WAN1 goes down WAN2 takes the traffic and when
  WAN1 goes up again it will take the traffic). Both are DHCP.

 Do you have a dual router setup or are those WAN's connected to the same
 machine? If you have a dual router setup, then WAN failover won't work for
 you. I have tested it extensively with no luck of any combination.
 Single machine dual WAN failover works.

 veiko



attachment: topology.gif

Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Chris Buechler
On Mon, Mar 23, 2009 at 11:04 AM, Alexsander Loula alex.lo...@gmail.com wrote:
 This is my current setup:

 I'm not using CARP, only the Load Balance service (pools).


Are the gateways the same?  If so, that won't work as it balances by
gateway IP, you need an intermediate NAT device on one.




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Alexsander Loula
No, I have two completely different gateways. One is 200.XXX.XXX.XXX and the
other is 192.XXX.XXX.XXX.

2009/3/23 Chris Buechler c...@pfsense.org

 On Mon, Mar 23, 2009 at 11:04 AM, Alexsander Loula alex.lo...@gmail.com
 wrote:
  This is my current setup:
 
  I'm not using CARP, only the Load Balance service (pools).
 

 Are the gateways the same?  If so, that won't work as it balances by
 gateway IP, you need an intermediate NAT device on one.





RE: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Chuck Mariotti
Alex, I share your pain. I'm not a pf guru, but I can't seem to get this 
working either...

I have managed to get the Load Balancer Status to turn Green/Yellow/Red as 
expected when I unplug a connection. But the internet gets all wonky... as if 
DNS isn't working, old records seem to work, some pages take forever, etc...

I have a similar setup to you it looks like. I suspected that it doesn't like 
a 192. series address as a gateway and that there is some filtering in the default rules. 
I have removed all default filtering for these IPs (since my test environment 
has a WAN connected to a real internet connection / router (200.x) and the 
second WAN is to an internal router (192.x), that then goes to the internet), 
internal LAN is 192.168.1.x.

I wonder if the issue I am having is that the WAN's are load balancing, part 
traffic goes across one, part the other... when one goes down, it gets 
screwy... not failing over...

Like you, I don't want to use TWO WANS at the same time, I just want one to 
work, or the other... and on recovery revert back to the primary.

Does anyone have a solution to this?

Let me know if you make any progress, I am about to call it a night.

Regards,
Chuck


From: Alexsander Loula [mailto:alex.lo...@gmail.com]
Sent: March-23-09 9:00 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multi-WAN with Fail Over

No, I have two completely different gateways. One is 200.XXX.XXX.XXX and the 
other is 192.XXX.XXX.XXX.
2009/3/23 Chris Buechler c...@pfsense.orgmailto:c...@pfsense.org
On Mon, Mar 23, 2009 at 11:04 AM, Alexsander Loula 
alex.lo...@gmail.commailto:alex.lo...@gmail.com wrote:
 This is my current setup:

 I'm not using CARP, only the Load Balance service (pools).

Are the gateways the same?  If so, that won't work as it balances by
gateway IP, you need an intermediate NAT device on one.




Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Chris Buechler
On Mon, Mar 23, 2009 at 10:13 PM, Chuck Mariotti cmario...@xunity.com wrote:
 Alex, I share your pain. I’m not a pf guru, but I can’t seem to get this
 working either…



 I have managed to get the Load Balancer Status to turn Green/Yellow/Red as
 expected when I unplug a connection. But the internet gets all wonky… as if
 DNS isn’t working, old records seem to work, some pages take forever, etc...


You have to add a static route to push one of the DNS servers over the
second WAN.




[pfSense Support] Multi-wan load balancing

2009-03-16 Thread Wade Blackwell
Good morning all,
  If this has been answered already sorry for the repeat. When in a 
multi-wan environment what method is used to load balance the traffic? 
Per-packet, per-conn or other? TIA.

 -W
Wade Blackwell
Sent from Mobile
www.cupofcompassion.com




Re: [pfSense Support] Multi-WAN PPTP?

2009-01-15 Thread Paul Mansfield
Christopher Iarocci wrote:
 I'd love to use OpenVPN, but the end users have to set it up themselves, and


What I've done is to have one config file with all the common stuff at
the top and a section at the bottom with individual people's config
(just two lines for their key/cert) commented out, saying uncomment. I
then hand them the key or cert physically on a USB key when they're in
the office. Only had one muppet struggle, but that was partly my fault
as they used an out of date config file.

That said, most of our users are moderately to very technical.

We also have an ADSL service separate from our main leased line which we
can use for VPN testing, so people having issues can bring their laptops
along and we can prove it works. It's also used for out-of-band
monitoring of systems, so it's not wasted!




Re: [pfSense Support] Multi-WAN PPTP?

2009-01-15 Thread Eugen Leitl
On Wed, Jan 14, 2009 at 03:00:21PM -0500, Chris Buechler wrote:

 You can build an installer file that has no prompts for the user to
 click and auto installs the config - double click the installer, wait
 a bit, and you're done. pfSense 2.0 has the capability to create such

I'm really looking forward to that feature. I need it yesterday ;)

 an install file for Windows clients. I wouldn't recommend running that
 in production yet, though it does work perfectly last I tried it.




RE: [pfSense Support] Multi-WAN PPTP?

2009-01-14 Thread Christopher Iarocci
I'm embarrassed to write this, and I'm having trouble finding someone to lend 
me a gun, but you were right.  The PPTP server was enabled on my side causing 
the problem.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354





Re: [pfSense Support] Multi-WAN PPTP?

2009-01-14 Thread Glenn Kelley

Christopher -

Thank you for the early morning laugh.

If you were closer to New York like us - I am willing to bet the gun
would be easier to find due to this cruddy market ;-)


I have found most every problem I have had has been user error...
PEBKAC is the motto of the day I guess

problem exists between keyboard and chair


Glenn

On Jan 14, 2009, at 9:02 AM, Christopher Iarocci wrote:

I'm embarrassed to write this, and I'm having trouble finding  
someone to lend me a gun, but you were right.  The PPTP server was  
enabled on my side causing the problem.





Re: [pfSense Support] Multi-WAN PPTP?

2009-01-14 Thread Tim Nelson
No need for self-induced bodily harm... we've all been there. :-)

The PPTP problem is one of those 'gotchas' when working with pfSense that we 
used to run into all the time. BUT, frankly we don't use PPTP anymore for many 
reasons and it hasn't been an issue for us. If you simply need to give road 
warriors access to your network, *PLEASE* check out OpenVPN as it is incredibly 
robust and infinitely more secure. It is a tad more difficult to set up but 
that's what the forum, list, and paid pfSense support are for! :-)

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105




Re: [pfSense Support] Multi-WAN PPTP?

2009-01-14 Thread Paul Mansfield
Tim Nelson wrote:
 If you simply need to give road warriors access to your network, *PLEASE* 
 check out OpenVPN 

yes, what he said.

we've got Windows (XP, Vista), Linux and Mac users all on OpenVPN and
it mainly just works.

don't make life hard for yourself :-)




RE: [pfSense Support] Multi-WAN PPTP?

2009-01-14 Thread Christopher Iarocci
I'd love to use OpenVPN, but the end users have to set it up themselves, and
honestly, it's not easy enough for an end user to do.  Editing a text file
with technical information is beyond most end users' capability.  If there
was a point and click GUI made for it, that would be different.  Getting
them just to run an install on their laptops to install OpenVPN is a chore
(and that's the easy part).  Configuring it, well, I gave up completely
after talking to too many end users who just sat on the other end of the
phone silent because they didn't know what a text file was, or how to find
Notepad...etc.  I do agree that OpenVPN is better than PPTP, except when
it comes to setting it up.  In that part it falls way behind PPTP.

Maybe someone can prove me wrong and show me a simple tutorial that a
typical computer illiterate end user can follow and be successful.

BTW, when you're not stupid like me, and you don't enable your local PPTP
server on your local PFSense box, PPTP just works too.  This was the first
time I ever had a problem with it, and the fact that the other administrator
enabled it on the same day as the upgrade I did made me think it was upgrade
related when in fact it was not.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354





Re: [pfSense Support] Multi-WAN PPTP?

2009-01-14 Thread Chris Buechler
On Wed, Jan 14, 2009 at 2:50 PM, Christopher Iarocci ciaro...@tfop.net wrote:
 I'd love to use OpenVPN, but the end users have to set it up themselves, and
 honestly, it's not easy enough for an end user to do.

You can build an installer file that has no prompts for the user to
click and auto installs the config - double click the installer, wait
a bit, and you're done. pfSense 2.0 has the capability to create such
an install file for Windows clients. I wouldn't recommend running that
in production yet, though it does work perfectly last I tried it.




RE: [pfSense Support] Multi-WAN PPTP?

2009-01-14 Thread Christopher Iarocci
Now THAT is easy.  That being said, I can't wait for 2.0 to come out.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354





Re: [pfSense Support] Multi-WAN PPTP?

2009-01-12 Thread Tim Nelson
Is the PPTP server enabled on the 'other' pfSense firewall where the clients 
are connecting *FROM*? That may be your problem... see here:
http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
Specifically this text:

Limitations
* Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP 
clients cannot use the same public IP for outbound PPTP connections. This means 
if you have only one public IP, and use the PPTP Server, PPTP clients inside 
your network will not work. The work around is to use a second public IP with 
Advanced Outbound NAT for your internal clients. See also the PPTP limitation 
under NAT on this page. 

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Christopher Iarocci ciaro...@tfop.net wrote:

 Tried putting an unused LAN IP in the server field, no difference
 whatsoever.  It gives me the same exact errors on the client side and in the
 PFSense logs.  Anything else I can try?  Just as an FYI, the clients I am
 testing with are XP Pro and Vista Ultimate.  Both are behind another PFSense
 firewall.  I only try a single machine at any one time.  I can't get my head
 wrapped around the fact that it used to work like a charm with the same
 exact config.  I even went back into previously saved configs and compared
 them and there is no difference.  It worked with this config as recently as
 12/29/07 (last PPTP log entry).
 
 Christopher Iarocci
 Network Solutions Manager
 Twin Forks Office Products
 631-727-3354
 



RE: [pfSense Support] Multi-WAN PPTP?

2009-01-12 Thread Christopher Iarocci
Tim,

If that is it, I'm going to shoot myself.  I'll check again tonight when I am 
home.  I've never used the PPTP server at home so my first instinct would be 
no, it is not enabled, but who knows.  Maybe I checked the box at one time, or 
maybe someone else did (there is another admin in my web of IPSec VPNs that can 
modify my firewall).  Thank you for pointing that out though.  I wouldn't have 
checked it.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354





RE: [pfSense Support] Multi-WAN PPTP?

2009-01-09 Thread Christopher Iarocci
Chris,

Does it matter which IP address on my LAN it is?  Should it be the LAN IP of
the PFSense box, or something other than that?

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354




RE: [pfSense Support] Multi-WAN PPTP?

2009-01-09 Thread Christopher Iarocci
Chris,

Does it matter which IP address on my LAN it is?  Should it be the LAN IP of
the PFSense box, or something other than that?

[Christopher Iarocci] 
Does the radius server see requests coming from the IP address specified
there or the LAN IP?  In the past with the WAN IP in that field, requests to
the radius server came from the LAN IP.

Sorry for the double post.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354




Re: [pfSense Support] Multi-WAN PPTP?

2009-01-09 Thread Chris Buechler
On Fri, Jan 9, 2009 at 1:08 PM, Christopher Iarocci ciaro...@tfop.net wrote:
 Chris,

 Does it matter which IP address on my LAN it is?  Should it be the LAN IP of
 the PFSense box, or something other than that?


Just pick an unused IP on your LAN.


 Does the radius server see requests coming from the IP address specified
 there or the LAN IP?  In the past with the WAN IP in that field, requests to
 the radius server came from the LAN IP.


The IP of the interface closest to the RADIUS server, usually LAN. The
server IP is just for PPTP client - server communication.




RE: [pfSense Support] Multi-WAN PPTP?

2009-01-09 Thread Christopher Iarocci
Chris,

Thank you.  I will try the new config tonight and report back.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354





Re: [pfSense Support] Multi-WAN PPTP?

2009-01-09 Thread Tim Nelson
On the increasingly rare occasions I set up PPTP, I put the server on .15 and 
clients starting at .16 for the LAN subnet. If your client 'subnet' does not 
begin on a CIDR boundary, pfSense will complain. Hence, the .16 choice.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105
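The address rules that come up in this thread (the PPTP server address must be an unused address on the LAN, the client pool must start on a CIDR boundary as Tim describes, and the single-public-IP limitation quoted from the pfSense docs) gathered into one small audit script. This is an added example, not pfSense code and not anything posted to the list; the `<pptpd>` element names (`mode`, `localip`, `remoteip`), the LAN interface layout in the XML, and the 16-address pool size are assumptions, and the config fragment is constructed for the demo.

```python
"""Audit the PPTP server address plan in a pfSense 1.2-style config.xml.

Added example, not pfSense code. Rules encoded, all from the thread:
  * the server address must be an unused host inside the LAN subnet and
    must not be the firewall's own LAN IP;
  * the client pool must start on a CIDR boundary for its size
    (16 clients -> /28, so .16 is aligned and .15 is not);
  * an enabled PPTP server on a firewall with a single public IP stops LAN
    hosts from making their own outbound PPTP connections (pf NAT limit).
The <pptpd> element names are assumed from the 1.2 config format.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List

# Constructed config fragment for the demo; not taken from any real firewall.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <pptpd>
    <mode>server</mode>
    <localip>192.168.1.15</localip>
    <remoteip>192.168.1.15</remoteip>
  </pptpd>
</pfsense>
"""

PPTP_POOL_SIZE = 16  # assumed default number of PPTP client addresses


def pool_prefix_len(n_clients: int) -> int:
    """Prefix length of the smallest IPv4 block that holds n_clients addresses."""
    size = 1
    while size < n_clients:
        size <<= 1
    return 32 - (size.bit_length() - 1)


def check_pptp_plan(lan_cidr: str, firewall_ip: str, server_ip: str,
                    client_start: str, n_clients: int = PPTP_POOL_SIZE) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    fw = ipaddress.ip_address(firewall_ip)
    srv = ipaddress.ip_address(server_ip)
    start = ipaddress.ip_address(client_start)
    problems: List[str] = []

    # "that has to be an IP on your LAN" / "just pick an unused IP on your LAN"
    if srv not in lan:
        problems.append(f"server address {srv} is not on the LAN subnet {lan}")
    elif srv in (lan.network_address, lan.broadcast_address):
        problems.append(f"server address {srv} is not a usable host address")
    if srv == fw:
        problems.append(f"server address {srv} is the firewall's own LAN IP; pick an unused one")

    # The client pool is a block of n_clients addresses and must be CIDR aligned.
    plen = pool_prefix_len(n_clients)
    try:
        pool = ipaddress.ip_network(f"{start}/{plen}", strict=True)
    except ValueError:
        below = ipaddress.ip_network(f"{start}/{plen}", strict=False)
        above = below.network_address + below.num_addresses
        problems.append(f"client range {start} is not on a /{plen} boundary; "
                        f"use {below.network_address} or {above}")
        return problems
    if not pool.subnet_of(lan):
        problems.append(f"client pool {pool} does not fit inside LAN {lan}")
    if srv in pool:
        problems.append(f"server address {srv} lies inside the client pool {pool}")
    if fw in pool:
        problems.append(f"firewall address {fw} lies inside the client pool {pool}")
    return problems


def audit_config(config_xml: str, public_ips: int = 1) -> List[str]:
    """Pull the LAN and <pptpd> settings out of the config and check them."""
    root = ET.fromstring(config_xml)
    lan_ip = root.findtext("interfaces/lan/ipaddr")
    lan_bits = root.findtext("interfaces/lan/subnet")
    pptpd = root.find("pptpd")
    if pptpd is None or pptpd.findtext("mode") != "server":
        return []  # PPTP server is off: nothing to check
    findings = check_pptp_plan(f"{lan_ip}/{lan_bits}", lan_ip,
                               pptpd.findtext("localip"), pptpd.findtext("remoteip"))
    if public_ips < 2:
        findings.append("PPTP server is enabled with a single public IP: LAN hosts "
                        "cannot make outbound PPTP connections through this firewall "
                        "(pf NAT limitation); a second public IP with AON is needed")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed fragment it reports the misaligned .15 client start (suggesting .0 or .16) and the single-public-IP warning; swap `remoteip` to 192.168.1.16 and pass `public_ips=2` and the plan comes back clean.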




RE: [pfSense Support] Multi-WAN PPTP?

2009-01-08 Thread Christopher Iarocci
That being said, does ANYONE have a clue why my PPTP server is suddenly
broken after the 1.2.1 upgrade?  BTW, doing more testing, I tried
eliminating the Radius server and used local authentication.  The same exact
errors appear, so it does not seem to be a problem with the radius setup.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354

-Original Message-
From: Chris Buechler [mailto:cbuech...@gmail.com] 
Sent: Wednesday, January 07, 2009 8:59 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multi-WAN PPTP?

On Wed, Jan 7, 2009 at 8:55 PM, Morgan Reed morgan.s.r...@gmail.com wrote:
 On Thu, Jan 8, 2009 at 11:29 AM, Christopher Iarocci ciaro...@tfop.net wrote:
 I have a single WAN setup and PPTP has been broken since I upgraded to
 1.2.1.  In version 1.2 it worked perfectly.  I've tried changing settings
 and putting them back, but it continues to fail at the authentication
 process as you've described.  I have the same setup as you, a W2K3 server
 acting as radius and the PFSense machine acting as the PPTP server.
 Anyone else notice that PPTP has broken since 1.2.1 upgrade?  Here is a
 snippet of my logs

 Apparently there are three major bugs being fixed in 1.2.2, this may
 be one of them.


They aren't major, aside from the setup wizard issue they're rare edge
cases or minor things. PPTP isn't one.




Re: [pfSense Support] Multi-WAN PPTP?

2009-01-08 Thread Chris Buechler
On Thu, Jan 8, 2009 at 3:10 PM, Christopher Iarocci ciaro...@tfop.net wrote:
 That being said, does ANYONE have a clue why my PPTP server is suddenly
 broken after the 1.2.1 upgrade?  BTW, doing more testing, I tried
 eliminating the Radius server and used local authentication.  The same exact
 errors appear, so it does not seem to be a problem with the radius setup.


Not sure, I did look at the PPTP server last night and didn't have any
trouble at all.




Re: [pfSense Support] Multi-WAN PPTP?

2009-01-08 Thread Chris Buechler
On Wed, Jan 7, 2009 at 7:29 PM, Christopher Iarocci ciaro...@tfop.net wrote:
 I also noticed that when I save the config, it shows the PPTP server address
 as 0.0.0.0 in the log, even though I clearly have the WAN IP address in that
 field.

There's at least one problem: that has to be an IP on your LAN,
assuming you're putting the PPTP clients on your LAN subnet.  I don't
know how that ever could have worked.




RE: [pfSense Support] Multi-WAN PPTP?

2009-01-07 Thread Christopher Iarocci
 in that
field.  Here is a snippet of that..


Jan 7 19:26:28  mpd: [pt15] using interface ng16
Jan 7 19:26:28  mpd: [pt15] ppp node is mpd57834-pt15
Jan 7 19:26:28  mpd: [pt14] using interface ng15
Jan 7 19:26:28  mpd: [pt14] ppp node is mpd57834-pt14
Jan 7 19:26:28  mpd: [pt13] using interface ng14
Jan 7 19:26:28  mpd: [pt13] ppp node is mpd57834-pt13
Jan 7 19:26:28  mpd: [pt12] using interface ng13
Jan 7 19:26:28  mpd: [pt12] ppp node is mpd57834-pt12
Jan 7 19:26:28  mpd: [pt11] using interface ng12
Jan 7 19:26:28  mpd: [pt11] ppp node is mpd57834-pt11
Jan 7 19:26:28  mpd: [pt10] using interface ng11
Jan 7 19:26:28  mpd: [pt10] ppp node is mpd57834-pt10
Jan 7 19:26:28  mpd: [pt9] using interface ng10
Jan 7 19:26:28  mpd: [pt9] ppp node is mpd57834-pt9
Jan 7 19:26:28  mpd: [pt8] using interface ng9
Jan 7 19:26:28  mpd: [pt8] ppp node is mpd57834-pt8
Jan 7 19:26:28  mpd: [pt7] using interface ng8
Jan 7 19:26:28  mpd: [pt7] ppp node is mpd57834-pt7
Jan 7 19:26:28  mpd: [pt6] using interface ng7
Jan 7 19:26:28  mpd: [pt6] ppp node is mpd57834-pt6
Jan 7 19:26:28  mpd: [pt5] using interface ng6
Jan 7 19:26:28  mpd: [pt5] ppp node is mpd57834-pt5
Jan 7 19:26:28  mpd: [pt4] using interface ng5
Jan 7 19:26:28  mpd: [pt4] ppp node is mpd57834-pt4
Jan 7 19:26:28  mpd: [pt3] using interface ng4
Jan 7 19:26:28  mpd: [pt3] ppp node is mpd57834-pt3
Jan 7 19:26:28  mpd: [pt2] using interface ng3
Jan 7 19:26:28  mpd: [pt2] ppp node is mpd57834-pt2
Jan 7 19:26:28  mpd: [pt1] using interface ng2
Jan 7 19:26:28  mpd: [pt1] ppp node is mpd57834-pt1
Jan 7 19:26:28  mpd: [pt0] using interface ng1
Jan 7 19:26:28  mpd: mpd: local IP address for PPTP is 0.0.0.0
Jan 7 19:26:28  mpd: [pt0] ppp node is mpd57834-pt0
Jan 7 19:26:28  mpd: mpd: pid 57834, version 3.18
(r...@freebsd7-releng_1_2.pfsense.org 20:18 9-Nov-2008)

Any help would be appreciated as I'm at a loss as to why it worked perfectly
under 1.2 but not under 1.2.1 with the same config.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354

-Original Message-
From: Morgan Reed [mailto:morgan.s.r...@gmail.com] 
Sent: Monday, January 05, 2009 7:27 AM
To: support@pfsense.com
Subject: [pfSense Support] Multi-WAN PPTP?

Hi all,

  We've a multi-WAN setup on our pfSense (no redundancy or load
balancing, one is dedicated to office internet traffic, the other is
dedicated to inbound server traffic), just wondering if it's possible
to set up pfSense so we can accept PPTP in on either WAN link (that way
if the main link is down we can come in the backup and vice versa).

pfSense is our PPTP server, and it authenticates against our Windows
2000 AD via RADIUS/IAS if that makes any difference.

I've added a firewall rule to allow 1723 in on WAN2 but there appears
to be something else required as my connection attempts timeout at
authentication (I've been able to connect PPTP to the WAN2 interface
from inside the office with no trouble so I assume that means that the
PPTP daemon listens on all interfaces). I recall PPTP also uses IP
Proto 47 (GRE), do I need to add a rule to allow that traffic on WAN2?

Any suggestions?

Thanks,

Morgan




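A small check, added here and not part of any message in the thread or of pfSense itself, that reads the mpd log posted above and applies Chris Buechler's point from his reply: the PPTP server address must be an IP on the LAN subnet, not 0.0.0.0 and not the WAN address. The LAN subnet and WAN address used in the sample are constructed.

```python
import ipaddress
import re

# A few of the mpd lines exactly as posted in the thread (pfSense 1.2.1, mpd 3.18).
MPD_LOG = """\
Jan 7 19:26:28  mpd: [pt1] using interface ng2
Jan 7 19:26:28  mpd: [pt0] using interface ng1
Jan 7 19:26:28  mpd: mpd: local IP address for PPTP is 0.0.0.0
Jan 7 19:26:28  mpd: [pt0] ppp node is mpd57834-pt0
Jan 7 19:26:28  mpd: mpd: pid 57834, version 3.18
"""

LOCAL_IP_RE = re.compile(r"local IP address for PPTP is (\S+)")


def pptp_local_ip(log_text):
    """Return the server IP mpd reports for PPTP, or None if the line is absent."""
    for line in log_text.splitlines():
        m = LOCAL_IP_RE.search(line)
        if m:
            return m.group(1)
    return None


def check_pptp_server_address(addr, lan_subnet, wan_addrs=()):
    """Classify a PPTP server address against the LAN the clients are placed on.

    Returns (ok, reason). wan_addrs lists the firewall's WAN IPs so that a WAN
    address entered in the PPTP server field is reported as the misconfiguration
    discussed in the thread rather than merely as 'outside LAN'.
    """
    ip = ipaddress.ip_address(addr)
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    if ip.is_unspecified:
        # mpd logged 0.0.0.0: the configured server address never reached mpd.
        return (False, "unspecified address 0.0.0.0: server address not applied to mpd")
    if str(ip) in wan_addrs:
        return (False, "WAN address used; PPTP clients on the LAN subnet need a LAN-side server IP")
    if ip not in lan:
        return (False, f"{ip} is outside LAN subnet {lan}")
    return (True, f"{ip} is inside LAN subnet {lan}")


def audit(log_text, lan_subnet, wan_addrs=()):
    """Run the address check on whatever mpd actually logged."""
    logged = pptp_local_ip(log_text)
    if logged is None:
        return (False, "no 'local IP address for PPTP' line found in log")
    return check_pptp_server_address(logged, lan_subnet, wan_addrs)


if __name__ == "__main__":
    # Constructed LAN subnet and WAN address; the log itself is from the thread.
    print(audit(MPD_LOG, "192.168.1.0/24", ("203.0.113.10",)))
```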


Re: [pfSense Support] Multi-WAN PPTP?

2009-01-07 Thread Morgan Reed
On Thu, Jan 8, 2009 at 11:29 AM, Christopher Iarocci ciaro...@tfop.net wrote:
 I have a single WAN setup and PPTP has been broken since I upgraded to
 1.2.1.  In version 1.2 it worked perfectly.  I've tried changing settings
 and putting them back, but it continues to fail at the authentication
 process as you've described.  I have the same setup as you, a W2K3 server
 acting as radius and the PFSense machine acting as the PPTP server.  Anyone
 else notice that PPTP has broken since 1.2.1 upgrade?  Here is a snippet of
 my logs

Apparently there are three major bugs being fixed in 1.2.2, this may
be one of them.




Re: [pfSense Support] Multi-WAN PPTP?

2009-01-07 Thread Chris Buechler
On Wed, Jan 7, 2009 at 8:55 PM, Morgan Reed morgan.s.r...@gmail.com wrote:
 On Thu, Jan 8, 2009 at 11:29 AM, Christopher Iarocci ciaro...@tfop.net 
 wrote:
 I have a single WAN setup and PPTP has been broken since I upgraded to
 1.2.1.  In version 1.2 it worked perfectly.  I've tried changing settings
 and putting them back, but it continues to fail at the authentication
 process as you've described.  I have the same setup as you, a W2K3 server
 acting as radius and the PFSense machine acting as the PPTP server.  Anyone
 else notice that PPTP has broken since 1.2.1 upgrade?  Here is a snippet of
 my logs

 Apparently there are three major bugs being fixed in 1.2.2, this may
 be one of them.


They aren't major, aside from the setup wizard issue they're rare edge
cases or minor things. PPTP isn't one.




Re: [pfSense Support] Multi-WAN PPTP?

2009-01-07 Thread Morgan Reed
On Thu, Jan 8, 2009 at 12:59 PM, Chris Buechler cbuech...@gmail.com wrote:
 They aren't major, aside from the setup wizard issue they're rare edge
 cases or minor things. PPTP isn't one.

*shrug* commenting based on what I've seen about the place, admittedly
I haven't actually read the changelog...




[pfSense Support] Multi-WAN PPTP?

2009-01-05 Thread Morgan Reed
Hi all,

  We've a multi-WAN setup on our pfSense (no redundancy or load
balancing, one is dedicated to office internet traffic, the other is
dedicated to inbound server traffic), just wondering if it's possible
to set up pfSense so we can accept PPTP in on either WAN link (that way
if the main link is down we can come in the backup and vice versa).

pfSense is our PPTP server, and it authenticates against our Windows
2000 AD via RADIUS/IAS if that makes any difference.

I've added a firewall rule to allow 1723 in on WAN2 but there appears
to be something else required as my connection attempts timeout at
authentication (I've been able to connect PPTP to the WAN2 interface
from inside the office with no trouble so I assume that means that the
PPTP daemon listens on all interfaces). I recall PPTP also uses IP
Proto 47 (GRE), do I need to add a rule to allow that traffic on WAN2?

Any suggestions?

Thanks,

Morgan




Re: [pfSense Support] Multi Wan Load Balancing / Fail over weighted?

2008-11-10 Thread Chris Buechler
On Sat, Nov 8, 2008 at 9:27 PM, Tim Nelson [EMAIL PROTECTED] wrote:
 AHA! Mention of the book again... updates and details please. :-)


It's coming along well, I'll have a better idea of timing in two weeks
(taking some time off the day job) and will have an update on the blog
then.




Re: [pfSense Support] Multi Wan Load Balancing / Fail over weighted?

2008-11-08 Thread Chris Buechler
On Sat, Nov 8, 2008 at 7:56 AM, Chris Bagnall [EMAIL PROTECTED] wrote:

 That's really useful to know, thanks! Might be worth adding that to the wiki 
 (if it's not already there) ?


It's in the book, I was just feeling kind and gave it away.  ;)




RE: [pfSense Support] Multi Wan Load Balancing / Fail over weighted?

2008-11-08 Thread Chris Bagnall
 Yes and yes. For the former, it's a hack, but if you have connection A
 and connection B, and you add connection A to the pool twice and
 connection B to the pool once, A will get 66% of the traffic and B
 will get 33%.

That's really useful to know, thanks! Might be worth adding that to the wiki 
(if it's not already there) ?

Regards,

Chris






Re: [pfSense Support] Multi Wan Load Balancing / Fail over weighted?

2008-11-08 Thread Tim Nelson
AHA! Mention of the book again... updates and details please. :-)

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Chris Buechler [EMAIL PROTECTED] wrote:

 On Sat, Nov 8, 2008 at 7:56 AM, Chris Bagnall [EMAIL PROTECTED]
 wrote:
 
  That's really useful to know, thanks! Might be worth adding that to
 the wiki (if it's not already there) ?
 
 
 It's in the book, I was just feeling kind and gave it away.  ;)
 




Re: [pfSense Support] multi-wan / ha

2008-09-18 Thread cassio lima
It supports multi-wan traffic shaping in version 1.3

On Thu, Sep 18, 2008 at 12:31 AM, JJB [EMAIL PROTECTED] wrote:

 On Sep 17, 2008, at 6:11 PM, cassio lima wrote:

 Are you using version 1.3?

 On Wed, Sep 17, 2008 at 7:41 PM, JJB [EMAIL PROTECTED] wrote:

 Any issues to look out for when configuring dual redundant pf firewalls
 load balancing to multiple wan connections? In our case a 3mb line and a 3mb
 dsl line. We have LAN, WAN and DMZ interfaces on the pf firewall. We were
 attempting to use QOS until someone on the list hipped us that QOS doesn't
 work with more than two interfaces. Just wondering if anything is waiting to
 bite us when we go live with the config.

 - Joel






 Hi Cassio, we are using 1.2

  - Joel



Re: [pfSense Support] multi-wan / ha

2008-09-18 Thread Gary Buckmaster

JJB wrote:
Any issues to look out for when configuring dual redundant pf 
firewalls load balancing to multiple wan connections? In our case a 
3mb line and a 3mb dsl line. We have LAN, WAN and DMZ interfaces on 
the pf firewall. We were attempting to use QOS until someone on the 
list hipped us that QOS doesn't work with more than two interfaces. 
Just wondering if anything is waiting to bite us when we go live with 
the config.


- Joel





Joel,

Excepting that the traffic shaper doesn't work with a multi-wan 
configuration in the 1.2 series, you should have no difficulty with the 
rest of your setup.  CARP clustering works fine with multi-WAN.  I would 
encourage you to set up your primary firewall first, configure your 
multi-WAN and load balanced setup before bringing in the secondary CARP 
member. 


-Gary




Re: [pfSense Support] multi-wan / ha

2008-09-18 Thread JJB

cassio lima wrote:

It supports multi-wan traffic shaping in version 1.3

On Thu, Sep 18, 2008 at 12:31 AM, JJB [EMAIL PROTECTED] wrote:


On Sep 17, 2008, at 6:11 PM, cassio lima wrote:


Are you using version 1.3?

On Wed, Sep 17, 2008 at 7:41 PM, JJB [EMAIL PROTECTED] wrote:

Any issues to look out for when configuring dual redundant pf
firewalls load balancing to multiple wan connections? In our
case a 3mb line and a 3mb dsl line. We have LAN, WAN and DMZ
interfaces on the pf firewall. We were attempting to use QOS
until someone on the list hipped us that QOS doesn't work
with more than two interfaces. Just wondering if anything is
waiting to bite us when we go live with the config.

- Joel







Hi Cassio, we are using 1.2

 - Joel




1.3 isn't expected to be released till 2009 as I understand it - this is a 
production environment.


- Joel




[pfSense Support] multi-wan / ha

2008-09-17 Thread JJB
Any issues to look out for when configuring dual redundant pf firewalls 
load balancing to multiple wan connections? In our case a 3mb line and a 
3mb dsl line. We have LAN, WAN and DMZ interfaces on the pf firewall. We 
were attempting to use QOS until someone on the list hipped us that QOS 
doesn't work with more than two interfaces. Just wondering if anything 
is waiting to bite us when we go live with the config.


- Joel






Re: [pfSense Support] multi-wan / ha

2008-09-17 Thread cassio lima
Are you using version 1.3?

On Wed, Sep 17, 2008 at 7:41 PM, JJB [EMAIL PROTECTED] wrote:

 Any issues to look out for when configuring dual redundant pf firewalls
 load balancing to multiple wan connections? In our case a 3mb line and a 3mb
 dsl line. We have LAN, WAN and DMZ interfaces on the pf firewall. We were
 attempting to use QOS until someone on the list hipped us that QOS doesn't
 work with more than two interfaces. Just wondering if anything is waiting to
 bite us when we go live with the config.

 - Joel






