Setting up a VPN tunnel with pfSense and OpenVPN

You’ll need two pfSense boxes.

In our example both are connected to the Internet, each with a public IP address on its WAN interface.

For the LANs we’ve set up two class C networks. Let’s call pfSenseA the one using 10.110.8.1 (as LAN address), and pfSenseB the one using 10.110.9.1.

First, go to System -> Advanced Options and enable Secure Shell. We’ll connect to one of the boxes in order to create the CA certificates.

We’ll start working on pfSenseB, which is going to be our SERVER.

Enable Secure Shell

Then SSH to the box:

> ssh admin@10.110.9.1

You’ll be presented with the Console options:

*** Welcome to pfSense 1.2-RELEASE-embedded on fwofficebackup ***

  OPT1(DMZ)                ->   rl0     ->      NONE
  LAN*                     ->   rl1     ->      10.110.9.1
  WAN*                     ->   rl2     ->      67.63.42.4

 pfSense console setup
***********************
 0)  Logout (SSH only)
 1)  Assign Interfaces
 2)  Set LAN IP address
 3)  Reset webConfigurator password
 4)  Reset to factory defaults
 5)  Reboot system
 6)  Halt system
 7)  Ping host
 8)  Shell
 9)  PFtop
10)  Filter Logs
11)  Restart webConfigurator
12)  pfSense PHP shell
13)  Upgrade from console

Enter an option:

Choose option 8 (Shell).
If the mounted disk is read-only, move to a writable location such as /tmp.
Then create a shared key:
> openvpn --genkey --secret shared.key
Display it so you can copy it into the pfSense web interface:
> cat shared.key
and copy the output.
Now, let’s go to pfSenseB, click on VPN -> OpenVPN and add (+) a new Server:
Add a Server OpenVPN
Create a TCP server, and paste the key copied from the shell into the Shared Key field.
Add a pool of unused addresses (in our example we’ll use 192.168.70.0/24) and for Remote Network use the LAN of pfSenseA, in our case 10.110.8.0/24.
Then SAVE the changes on pfSenseB.
Server-side configuration
Now, on pfSenseA, go to VPN -> OpenVPN and create a Client.
Configure the protocol as TCP and paste the SAME shared key used on the server side.
As Server Address enter the PUBLIC IP address of pfSenseB.
As Remote IP use the pfSenseB network 10.110.9.0/24, and for Interface IP use the pool of addresses you used on the server side (192.168.70.0/25).
NOTE: the attached image shows the wrong Interface IP address; I troubleshot it later.
Then SAVE it.
Client-side configuration

Make sure that the WAN rules on both pfSense boxes allow incoming TCP to the OpenVPN port from the other box.

Now ping from one LAN to the other, and you’re DONE.
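
As an added check for the shared-key step above (my own code, not part of the original post): the copy-and-paste between the shell and the web interface is where whitespace and truncation creep in, and printing the raw key on both boxes just to compare them is poor practice. This parses the static key V1 file that `openvpn --genkey` writes, rejects a damaged paste, and yields a SHA-256 fingerprint you can compare on pfSenseA and pfSenseB instead; the sample key is constructed, not a real one.

```python
import hashlib
import re

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # openvpn --genkey writes a 2048-bit key as 16 lines of 32 hex digits


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes from an OpenVPN static key V1 file.

    Raises ValueError when the pasted text is truncated, carries stray
    characters, or lost its BEGIN/END markers (typical paste damage).
    Leading '#' comment lines, as written by --genkey, are ignored."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    if len(body) < 3 or body[0] != HEADER or body[-1] != FOOTER:
        raise ValueError("missing or damaged BEGIN/END markers")
    hex_body = "".join(body[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]*", hex_body):
        raise ValueError("non-hex characters inside the key body")
    if len(hex_body) != 2 * KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(hex_body) // 2}")
    return bytes.fromhex(hex_body)


def key_fingerprint(text: str) -> str:
    """SHA-256 of the key bytes: compare this on both boxes, not the key itself."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()


def format_static_key(raw: bytes) -> str:
    """Lay raw bytes out the way --genkey prints them. Used here only to build a
    constructed sample; a real key comes from 'openvpn --genkey --secret shared.key'."""
    hexed = raw.hex()
    rows = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *rows, FOOTER]) + "\n"


if __name__ == "__main__":
    sample = format_static_key(bytes(range(KEY_BYTES)))  # constructed, not a real key
    print("fingerprint:", key_fingerprint(sample))
    # Simulate a paste that lost the last two key rows: it must be rejected.
    truncated = "\n".join(sample.splitlines()[:-3] + [FOOTER])
    try:
        parse_static_key(truncated)
    except ValueError as err:
        print("rejected:", err)
```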

Multi-WAN Optus and Telstra Cable with pfSense.

This is an example of how you set up pfSense to support multiple ISPs.   

WTF is pfSense? Look here… 
=> http://www.pfsense.com/ 

This guide will show you how to set up two connections that require DHCP. 

You can extend this to 3, 4, 5, etc. connections, as many as your motherboard can handle. 

In this example, I demonstrate the use of a simple routing policy to assign one PC to use Optus Cable, and the other PC to use Telstra Cable. 

Before I go forward, if you have Telstra Cable, be sure this works first. 
Make sure you can connect to it via pfSense before proceeding. 
pfSense has a bpalogin client for this, so you do NOT need to use the Telstra client program anymore. 

Once you know your ISPs work fine with pfSense, then proceed. 

Test setup for pfSense (router/firewall) box… 
* Celeron 1.2Ghz 
* 512MB RDRAM 
* i820 chipset mobo (ASUS P3C-D) 
* 3x Intel NICs (i82559 chipset) 
* CD-ROM 
* Floppy 
* pfSense 0.95 LiveCD 
* ISP1 : Telstra Broadband Cable (10Mbit/128k) 
* ISP2 : Optus Cable (10Mbit/256k) 

Regarding system requirements: because pfSense is aimed at the business class, the requirements are hefty compared to other solutions. 

It’s recommended that you get at least a PII/PIII, Duron, VIA C3, etc. if you want all the features. It’s also recommended that you have 128MB or more RAM. I’ve tried pfSense on a Pentium 150Mhz with 48MB RAM, but it’s quite sluggish. 

In the case of Multi-WAN, it is better to get something with more RAM and grunt, with quality-brand network cards. (Used or 2nd hand Intel NICs are quite cheap, and perfect for this role). 

If you have a WRAP or Soekris embedded board, you can use that, as pfSense has a version for this class of platform. 

ALSO NOTE: I’ve used a CD-ROM/Floppy as the test platform for this guide. 
Be aware that it is recommended that you use a hard disk. 

If you want, you can use a Compact Flash card with a CF to IDE adapter OR use a Disk-On-Module (DOM). But make sure you disable the swap file by deleting the swap partition. (Do this when you install pfSense). 

It is necessary to disable swap for DOMs and CF implementations due to their limited number of writes. (I think it’s about 10,000 before it dies). 

Bear in mind, some functions rely on a swap partition, so they may not function properly without swap. If you don’t need those functions, don’t worry about it. 

Network card assignments 
1st network card => fxp0 => LAN 
2nd network card => fxp1 => WAN 
3rd network card => fxp2 => OPT1 (re-designated as WAN2) 

I’m using three network cards which are the same; this is why they will be labelled fxp0, 1, and 2. Remember, PCs start counting at 0, not 1. 
I also needed to note down the MAC addresses of each card as a result. 

WAN = This connects to your 1st ISP. 

OPT1 = Optional 1 is renamed WAN2. This connects to your 2nd ISP. 
(If you have more NICs, they’ll be called OPT2, 3, 4, etc. You can rename later when you login to pfSense via web browser…) 

LAN = This connects to your PC or a switch for your network behind the firewall. 

SO, in this example… 

WAN => Telstra Cable (due to bpalogin being needed) => BigPond (DHCP) 
WAN2 => Optus Cable (DHCP) 
LAN => Static IP (labelled as 192.168.1.1) 

NOTE : Be aware that WAN2, 3, 4 and so on only support DHCP or Static IP. If you need PPPoE, etc., you need to put a modem with an Ethernet port in front of the pfSense box. 

IP address of PC 1 on the LAN side => 192.168.1.10 
IP address of PC 2 on the LAN side => 192.168.1.12 

I point PC 1 to WAN (Telstra) and PC 2 to WAN2 (Optus) 

Network Layout (For this guide) 

WAN (Telstra)       WAN2 (Optus)
           \        /
            pfSense
               |
        8-Port Switch
        |           |
       PC 1        PC 2

My settings in pfSense…

Firstly, you need to tell pfSense’s NAT that connections from the LAN can go to your WAN connections. (Connections to your Cable/ADSL/modem/etc. Anything that accepts ethernet.)

For Firewall => NAT Settings…
I’ve checked Enable advanced outbound NAT in the Outbound section.

Interface   Source              Destination     Destination Port     NAT Address   NAT Port   Description
WAN         192.168.1.0/24      *               *                    *             *          For Telstra
WAN2        192.168.1.0/24      *               *                    *             *          For Optus

The * under Destination, Destination Port, NAT Address and NAT Port is the “any” option in pfSense.

Now the following is where you define specific firewall rules.
This is where you control which PC/system uses which ISP.

For Firewall => Rules Settings…

Proto   Source            Port   Destination   Port   Gateway   Description
*       192.168.1.10      *      *             *      *         PC 1 -> Telstra     
*       192.168.1.12      *      *             *      WAN2      PC 2 -> Optus

As before, the * under Proto, Port, Destination and Port is the “any” option. The * under Gateway is the default WAN connection, i.e. your 1st WAN connection. 
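
To make the first-match semantics of that rules table concrete, here is an added Python model (my own, not part of the original guide) that evaluates the guide’s two LAN rules top to bottom the way pf does, maps a * gateway to the default WAN, and checks the outbound NAT table for the chosen interface. It also shows the side effect of replacing the default LAN rule with per-host rules: a third PC that matches no rule is dropped by pfSense’s implicit default deny rather than routed anywhere.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "*"
DEFAULT_WAN = "WAN"  # a '*' gateway means the default (first) WAN connection


@dataclass
class Rule:
    proto: str        # 'tcp', 'udp', ... or '*'
    source: str       # host IP or CIDR, or '*'
    port: str         # source port, or '*'
    destination: str  # host IP or CIDR, or '*'
    dport: str        # destination port, or '*'
    gateway: str      # interface name, or '*' for the default gateway
    description: str


# The firewall rules from the guide, evaluated in order; the first match wins.
RULES = [
    Rule("*", "192.168.1.10", "*", "*", "*", "*", "PC 1 -> Telstra"),
    Rule("*", "192.168.1.12", "*", "*", "*", "WAN2", "PC 2 -> Optus"),
]

# Advanced outbound NAT from the guide: interface -> source network it translates.
OUTBOUND_NAT = {"WAN": "192.168.1.0/24", "WAN2": "192.168.1.0/24"}


def _addr_match(field: str, value: str) -> bool:
    return field == ANY or ipaddress.ip_address(value) in ipaddress.ip_network(field, strict=False)


def _field_match(field: str, value) -> bool:
    return field == ANY or str(field).lower() == str(value).lower()


def route_for(src: str, proto: str = "tcp", sport: int = 40000,
              dst: str = "203.0.113.10", dport: int = 443) -> Optional[str]:
    """Gateway interface a LAN packet is policy-routed to, or None when no rule
    matches (pfSense then drops it under its implicit default deny)."""
    for r in RULES:
        if (_field_match(r.proto, proto) and _addr_match(r.source, src)
                and _field_match(r.port, sport) and _addr_match(r.destination, dst)
                and _field_match(r.dport, dport)):
            return DEFAULT_WAN if r.gateway == ANY else r.gateway
    return None


def nat_covers(gateway: str, src: str) -> bool:
    """True if the outbound NAT table translates this source on the chosen interface."""
    net = OUTBOUND_NAT.get(gateway)
    return net is not None and ipaddress.ip_address(src) in ipaddress.ip_network(net)


if __name__ == "__main__":
    for pc in ("192.168.1.10", "192.168.1.12", "192.168.1.20"):  # third PC is constructed
        gw = route_for(pc)
        print(pc, "->", gw or "blocked (no matching rule)",
              "" if gw is None else f"outbound NAT ok={nat_covers(gw, pc)}")
```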

That’s it. 

NOTE : You may need to manually specify which DNS server should be used as pfSense will sometimes use DNS servers from each WAN for certain periods. 

NOTE 2 : If you’re using Telstra Cable, either manually assign Telstra’s DNS server first OR use pfSense’s default setting, i.e. let DHCP handle everything. (Override with DHCP settings) 

You can also set up a De-Militarised Zone (DMZ) for your servers and so on, and then manually specify rules or forward ports for your servers, etc. 
(If you need to forward ports, this is found in the NAT section, NOT in the Rules section). 

Remember, this is NOT load balancing. This is useful if you want to consolidate multiple ISP connections into one router. This method is very simple and easy to work with, as you don’t need to worry about VPN and such, like you do with load balancing. 

Depending on your requirements and situation, you may find this a cheaper approach than buying a commercial router. It’s up to you to assess if this is a viable solution for your needs. 

References 

The pfSense FAQ 
http://faq.pfsense.org 

Setting up policy-based routing with multiple WAN links (PDF) 
policybased_multiwan