Hi Sai,

Thanks for your advice in your last email. I will take your advice to consolidate everything in pfSense rather than putting in Netscreen and pfSense, which would make my network complex. Thanks.

By the way, sorry to bother you again. I am having a problem on my pfSense with the load balancer and failover. This morning I brought my company internet line down for 3 hours and tested it out, but the load balancer didn't work well. I plugged one of those WAN lines out, or vice versa, to test the failover, but it doesn't seem to work. Below is my spec for your reference. Please advise me if I am wrong. Thank you.

I have been trying to configure the load balancer and failover for my pfSense with this doc: http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing. My objective is to get these 2 WAN lines configured for outgoing load balancing and failover, but it is not working.

Interfaces:
  LAN  IP = 10.1.253.254   Gateway = 10.1.253.254
  WAN  IP = 219.94.36.34   Gateway = 219.94.36.33   DNS = 202.188.1.5 and 202.188.0.133
  OPT1 IP = 61.4.110.200   Gateway = 61.4.110.193

Pool (load balancer WAN1 to WAN2):
  Name              | Type    | Servers/Gateways | Port | Monitor                        | Description
  1) WAN1balancerWAN2 | Gateway | WAN and OPT1     | -    | 219.94.36.33 and 61.4.110.193 | load balancer WAN1 to OPT1
  2) WAN1failoverWAN2 | Gateway | WAN and OPT1     | -    | 219.94.36.33 and 61.4.110.193 | WAN1 failover to OPT1
  3) WAN2failoverWAN1 | Gateway | OPT1 and WAN     | -    | 61.4.110.193 and 219.94.36.33 | OPT1 failover to WAN1

Rules (LAN):
  Proto | Source | Port | Destination | Port | Gateway          | Description
  *     | LANnet | *    | *           | *    | WAN1balancerWAN2 | load balancer WAN1 to OPT1
  *     | LANnet | *    | *           | *    | WAN2failoverWAN1 | Failover OPT1 to WAN1
  *     | LANnet | *    | *           | *    | WAN1failoverWAN2 | Failover WAN1 to OPT1
  *     | LANnet | *    | *           | *    | *                | Default LAN > any

NAT outbound:
  Interface | Source        | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description
  WAN       | 10.1.253.0/24 | *           | *           | *                | *           | *        | No          | Auto created rule LAN

General setup, DNS setting (from WAN ISP DNS): 202.188.1.5 and 202.188.0.133

From:
CE Ang

--- sai <[EMAIL PROTECTED]> wrote:

> Date: Wed, 31 Jan 2007 17:55:21 +0500
> From: sai <[EMAIL PROTECTED]>
> To: support@pfsense.com
> Subject: Re: Fw: [pfSense Support] Pfsense load balancer and fail over for outgoing traffic
>
> My preferred solution would be Internet --> pfSense ----> LAN/DMZ, but I think the main problem you have is the migration of a live network.
>
> You could have the OpenVPN work on pfSense. Also it can do all the NAT stuff. Adding the Netscreen and IPCop will only make the network more complicated without making it more secure, IMHO. However, you know your circumstances better.
>
> If you are new to IPCop and pfSense then I would suggest that you focus on one distro - go for IPCop or go for pfSense. Learning about both on a live production network is not going to help you sleep at night.
>
> pfSense is much newer than IPCop but the vision of the developers is amazing. There are rough edges here, but it's a really great product. I would suggest that you dump the IPCop and go for the pfSense. You will learn a lot more and end up with a much more powerful firewall.
>
> What I usually do is install pfSense but keep the old firewall around. If the net admin sees a problem then he can put the old firewall back in again just by switching cables. There are almost always problems because this is the nature of networking, but you should be able to cope because the pfSense is REALLY excellent.
>
> sai
>
> On 1/30/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> >
> > Hi Sai,
> >
> > Do you have any other recommendation for a better solution? Please advise.
> >
> > Thank you.
> >
> > From:
> > CE Ang
> >
> > > ----- Original Message -----
> > > From: AngChorEng
> > > To: support@pfsense.com
> > > Sent: Monday, January 29, 2007 3:51 PM
> > > Subject: Fw: [pfSense Support] Pfsense load balancer and fail over for outgoing traffic
> > >
> > > Hi Sai,
> > >
> > > Yes, from Internet --> pfSense ----> Netscreen ----> LAN, DMZ.
> > >
> > > For the DMZ internal server, it is still ok to use a static route. The traffic can be routed in using only one layer of port mapping from pfSense instead of two layers of port mapping. However, for the LAN, a static route is not recommended because port mapping is still preferred for security concerns. Please correct me if I am wrong.
> > >
> > > My main concern is, I do have one OpenVPN server (IPCop) sitting after the Netscreen firewall, which is using the port mapping method; the authentication takes place after going through the Netscreen with port 1194 allowed. Let me explain my existing scenario and workflow: from Internet --> pfSense ----> Netscreen ----> Cisco core switch 4507R ------> VLAN server farm (IPCop OpenVPN). It is how my remote users like senior managers and the CEO get access to company resources. Below are the options for your review.
> > >
> > > Solution 1) Actually, I am thinking to replace my Netscreen firewall with IPCop (we call it IPCop A), and migrate the existing OpenVPN policy from the box to IPCop A. That would be centralized as a whole, with the new workflow: from Internet --> pfSense ----> IPCop A plus OpenVPN ---------> LAN in multi VLAN.
> > >
> > > Solution 2) Alternatively, pfSense ----> Netscreen ----> Cisco core switch --------> VLAN server farm (OpenVPN), but it requires two layers of port mapping.
> > >
> > > Solution 3) pfSense -------> pfSense with OpenVPN -------> LAN in multi VLAN.
> > >
> > > If I pick solution 2, that would be easier for the implementation. I can still sustain the Netscreen and the OpenVPN box and just concentrate on pfSense in the front end and port mapping. But what is the impact of two layers of port mapping? The reason is, migrating the OpenVPN policy and replacing a firewall is a nightmare. Now I am struggling with the implementation of pfSense because of the impact reflected on the whole network infrastructure. Please advise me if I am wrong.
> > >
> > > Please let me know if I am confusing you; I can explain it in more detail. Thank you.
> > >
> > > From:
> > > CE Ang
> > >
> > > --- sai <[EMAIL PROTECTED]> wrote:
> > >
> > > > Internet --> pfSense ----> Netscreen ----> LAN, DMZ
> > > > Is this what you mean?
> > > >
> > > > Yes, this can be done. It means that you do NATting twice, which is not good, but it is workable. You just need a new private subnet between the pfSense ----> Netscreen.
> > > >
> > > > It might be easier to just replace the Netscreen so that if something is messed up you can put the Netscreen back in and your network works again.
> > > >
> > > > sai
> > > >
> > > > On 1/29/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > Hi Sai,
> > > > >
> > > > > Thanks for your message. I have successfully installed pfSense with the latest snap, thank you.
> > > > >
> > > > > By the way, have you come across a solution with two layers of port mapping via two firewalls? Let me brief you on my network infrastructure so that you can understand my question. Currently, I have one Netscreen firewall as a front-end box to control all the inbound/outbound traffic, even port mapping to internal servers using public IPs. The reason for putting a new box in front of the Netscreen is to provide load balancer and failover functions with two WAN lines. However, initially I am having some difficulty implementing pfSense due to the IP addressing restructure. In order to get it done, I have to step ahead by changing the outbound Netscreen interface to a private IP. At this stage, pfSense becomes the main control of inbound port mapping. With this new design, do you think that the inbound traffic can be routed via two layers of firewall by the port mapping method to the DMZ and LAN internal servers? Please advise.
> > > > >
> > > > > Sorry for the confusion and long story. Please let me know if you need more detail about this, thanks.
> > > > >
> > > > > From:
> > > > > CE Ang
> > > > >
> > > > > --- sai <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > the latest snapshots would be here:
> > > > > > http://snapshots.pfsense.com/FreeBSD6/RELENG_1/
> > > > > > which have improved the load balancing user interface.
> > > > > >
> > > > > > On 1/26/07, sai <[EMAIL PROTECTED]> wrote:
> > > > > > > the download mirrors are here:
> > > > > > > http://pfsense.com/mirror.php?section=downloads
> > > > > > >
> > > > > > > a copy of the Live iso is here:
> > > > > > > http://pfsense.basis06.com/download//downloads/pfSense-1.0.1-LiveCD-Installer.iso.gz
> > > > > > >
> > > > > > > md5 of the iso.gz:
> > > > > > > http://pfsense.basis06.com/download//downloads/pfSense-1.0.1-LiveCD-Installer.iso.gz.md5
> > > > > > >
> > > > > > > I hope that this is what you were asking for
> > > > > > >
> > > > > > > sai
> > > > > > >
> > > > > > > On 1/26/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> > > > > > > > Hi Scott,
> > > > > > > >
> > > > > > > > Thanks for your information. Sorry for the same question: do you have any source address for the LiveCD .iso download for my pfSense installation? By using the LiveCD it is much more straightforward, and I am able to run it in trial mode before installing it to the hard disk. Please advise.
> > > > > > > >
> > > > > > > > Thank you.
> > > > > > > >
> > > > > > > > --- Scott Ullrich <[EMAIL PROTECTED]>
> > > > > > > >
> > > > > === message truncated ===
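One check worth running against a configuration like the one posted at the top of this thread: pfSense evaluates the LAN rule list top-down and the first matching rule wins, so the order of the rules decides which pool ever sees a new session. The Python model below is an added example, not code from the thread or from the pfSense project. It encodes the three pools and four LAN rules exactly as listed in the message (pool names, member order and gateway addresses are copied from it), reports which rules are shadowed by an earlier catch-all, and evaluates where a new LAN session would be sent under each gateway state. Gateway liveness is supplied as an input rather than measured (in pfSense it comes from the monitor IP); the pool semantics (a load-balance pool spreads sessions round-robin over members that are up, a failover pool always takes the first member that is up, and a pool with no live member selects nothing) are the modeling assumption, and `route_session`, `shadowed_rules`, the constructed packet `LAN_PKT` and the other names are the example's own.

```python
"""First-match policy-routing model for a pfSense-style multi-WAN rule list.

Added example, not from the mailing-list thread. Pool and rule definitions
below are transcribed from the posted configuration; the matching and pool
semantics are modeling assumptions stated in the docstrings.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Gateway addresses as listed in the thread's interface section.
GATEWAYS: Dict[str, str] = {"WAN": "219.94.36.33", "OPT1": "61.4.110.193"}

# A packet is reduced to the four fields the rule table shows:
# (proto, source, destination, destination port); "*" in a rule is a wildcard.
Packet = Tuple[str, str, str, str]


@dataclass
class Pool:
    name: str
    kind: str            # "balance" or "failover" (assumed from the pool names)
    members: List[str]   # gateway interfaces in the order listed in the pool


@dataclass
class Rule:
    match: Packet                # (proto, source, destination, dst_port)
    gateway: Optional[str]       # pool name, or None for the system default route
    description: str


# The three pools from the thread, in the order they were listed.
POOLS: Dict[str, Pool] = {
    "WAN1balancerWAN2": Pool("WAN1balancerWAN2", "balance", ["WAN", "OPT1"]),
    "WAN1failoverWAN2": Pool("WAN1failoverWAN2", "failover", ["WAN", "OPT1"]),
    "WAN2failoverWAN1": Pool("WAN2failoverWAN1", "failover", ["OPT1", "WAN"]),
}

# The four LAN rules from the thread, top to bottom.
RULES: List[Rule] = [
    Rule(("*", "LANnet", "*", "*"), "WAN1balancerWAN2", "load balancer WAN1 to OPT1"),
    Rule(("*", "LANnet", "*", "*"), "WAN2failoverWAN1", "Failover OPT1 to WAN1"),
    Rule(("*", "LANnet", "*", "*"), "WAN1failoverWAN2", "Failover WAN1 to OPT1"),
    Rule(("*", "LANnet", "*", "*"), None, "Default LAN > any"),
]

# Constructed sample session: a LAN host (source alias "LANnet") opening an
# HTTPS connection to a documentation-range address.
LAN_PKT: Packet = ("tcp", "LANnet", "203.0.113.10", "443")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field is a wildcard or equals the packet's field."""
    return all(f == "*" or f == p for f, p in zip(rule.match, pkt))


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` could match is already matched by `earlier`."""
    return all(a == "*" or a == b for a, b in zip(earlier.match, later.match))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Descriptions of rules that can never fire under first-match evaluation."""
    return [
        rule.description
        for i, rule in enumerate(rules)
        if any(covers(prev, rule) for prev in rules[:i])
    ]


def first_matching_rule(rules: List[Rule], pkt: Packet) -> Rule:
    """pfSense rule lists are first-match: the first rule that matches wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    raise LookupError(f"no rule matches {pkt!r}")


def route_session(rules: List[Rule], pools: Dict[str, Pool],
                  up: Dict[str, bool], pkt: Packet, session_no: int) -> Optional[str]:
    """Gateway interface a new session is sent to, given which gateways are up."""
    rule = first_matching_rule(rules, pkt)
    if rule.gateway is None:
        return "default"                     # no pool: system default route
    pool = pools[rule.gateway]
    live = [m for m in pool.members if up.get(m, False)]
    if not live:
        return None                          # modeling choice: nothing usable
    if pool.kind == "failover":
        return live[0]                       # first live member, in pool order
    return live[session_no % len(live)]      # round-robin over live members


def simulate(up: Dict[str, bool], sessions: int = 4) -> List[Optional[str]]:
    """Gateway chosen for `sessions` consecutive new LAN sessions."""
    return [route_session(RULES, POOLS, up, LAN_PKT, i) for i in range(sessions)]


if __name__ == "__main__":
    print("shadowed rules:", shadowed_rules(RULES))
    for state in ({"WAN": True, "OPT1": True}, {"WAN": False, "OPT1": True},
                  {"WAN": True, "OPT1": False}):
        print(state, "->", simulate(state))
```

Running the script shows that, with the posted ordering, the three rules below the balancer rule are shadowed, so the failover pools are never consulted; whether a session survives a WAN outage then rests entirely on the balancer pool dropping members its monitor reports as down. Swapping the rule order (or narrowing the first rule's match) changes the result, which the same functions will show with a modified `RULES` list.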