IMHO 

The CARP is good in the event that an entire firewall fails. 
Each firewall should have access to BOTH WANs 


Use the load balancer on each - it's easy to set up with failover. 
Insert a route for mail (TCP/IP port 25) before your route to the load balanced 
interface on both firewalls 


BINGO 


We have this setup without CARP 



----- Original Message ----- 
From: "Evgeny Yurchenko" <evgeny.yurche...@frontline.ca> 
To: support@pfsense.com 
Sent: Wednesday, 17 June, 2009 19:58:00 GMT +00:00 GMT Britain, Ireland, 
Portugal 
Subject: RE: [pfSense Support] Outbound mail & multi-wan 

-----Original Message----- 
From: JJB [mailto:onephat...@earthlink.net] 
Sent: June 17, 2009 2:48 PM 
To: support@pfsense.com 
Subject: Re: [pfSense Support] Outbound mail & multi-wan 

We've tried this 10 different ways, so far it has not worked. 

Current Config is two pfsense 1.22 firewalls with CARP two WAN 
connections (not load balanced or failover) (covad & att), with a DMZ 
interface where our mail and other internet servers live. 

I want the mail server to only make SMTP connections using the AT&T 
interface, but it defaults to using the WAN interface (on the Covad). We 
route all generic traffic over the covad 10mb wan link (the default) and 
for server-to-server traffic (such as Iron Mountain backups) we route to 
a specific ip block or address over the AT&T interface. 

It is obvious how to do this with a static route when you have a 
specific address or block to communicate with, but to say "all traffic 
'from this DMZ address to anywhere' should be transmitted via the AT&T 
link" is not working. 

A posting on this same subject on the forum (by my 'nix admin guy): 
http://forum.pfsense.org/index.php/topic,17066.0.html 

- Joel 



Chris Buechler wrote: 
> On Tue, Jun 16, 2009 at 1:37 PM, JJB<onephat...@earthlink.net> wrote: 
> 
>>> Yes, setup your rules on the interface with the mail server accordingly. 
>>> 
>> I don't know how to set up pfsense to bind the mail server to the AT&T 
>> network interface instead of the Covad, can someone provide me with details 
>> of how this would be done? It doesn't look like static routes would work 
>> since the mail server needs to talk to an unlimited # of machines on the 
>> internet. 
>> 
>> 
> 
> Just add a firewall rule matching traffic from the mail server and 
> select the appropriate gateway or failover pool. 
> 
> --------------------------------------------------------------------- 
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com 
> For additional commands, e-mail: support-h...@pfsense.com 
> 
> Commercial support available - https://portal.pfsense.org 
> 
> 
> 
> 




May we have screenshot of your rules for the interface your mail-server 
is connected to? 

Eugene 
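
The approach suggested in this thread (a firewall rule on the mail server's interface that selects the AT&T gateway, placed ahead of the general rule) looks like this when written as raw pf rules. This is an added example, not configuration from the thread or output generated by pfSense; the interface names, addresses and gateway are constructed placeholders.

```pf
# --- Macros (all values constructed for illustration) ---
dmz_if   = "em2"            # interface the mail server sits behind
covad_if = "em0"            # default WAN (Covad)
att_if   = "em1"            # second WAN (AT&T)
att_gw   = "203.0.113.1"    # next hop on the AT&T link (placeholder)
mail_srv = "10.10.10.25"    # mail server in the DMZ (placeholder)

# --- Translation ---
# NAT is applied on the interface the packet actually leaves through,
# so the mail server needs a mapping on the AT&T side as well.
# Without it, SMTP would leave via AT&T carrying an untranslated
# (or wrong) source address and replies would never come back.
nat on $covad_if from $mail_srv to any -> ($covad_if)
nat on $att_if   from $mail_srv to any -> ($att_if)

# --- Filter rules on the DMZ interface ---
# With "quick", the first matching rule wins, so order matters.

# 1. Specific rule first: outbound SMTP from the mail server is
#    policy-routed to the AT&T gateway regardless of the default route.
pass in quick on $dmz_if route-to ($att_if $att_gw) \
    proto tcp from $mail_srv to any port 25 \
    flags S/SA keep state

# 2. General rule second: everything else from the DMZ follows the
#    routing table (default route via Covad).
pass in quick on $dmz_if from $dmz_if:network to any keep state

# If rule 2 were listed before rule 1, SMTP would match the general
# rule first and leave via the default WAN, which is the symptom
# described in the thread.
```

On a CARP pair the same rule order has to exist on both firewalls. `pfctl -sr` lists the loaded rules in evaluation order, and `pfctl -ss` shows which address a port 25 state was actually translated to.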
