Wednesday, January 28, 2015

Multi-WAN with ATT IPDSL and pfSense.

So in the move I lost my ultra fast Charter 60mb cable, so I went on the prowl.  Since the new house is in a more rural setting, I was forced to go with ATT IPDSL.  Luckily, though, I was able to sign up with ATT Business so I can get more than just 1 3mb pipe.  In the end I wound up with 3 x 3mb DSL lines; I can add a last one, making 4, if the need ever arises.

Anyway, since I wanted to stick with using PF as a firewall, I added a second PCI gigabit NIC and created 3 WAN interfaces.

Now, many people have had issues with this in the past, especially when using the Motorola NVG510 DSL modems.  These models do not have a true bridge mode, only what Moto calls an 'IP Passthrough', which in theory should be bridge mode, and apparently sometimes, for some folks, it does not work correctly.

So anyway, I set up IP Passthrough mode on all three of my modems, picking DHCPS-Fixed, and I specified the MAC address of the NIC that particular modem was uplinked to.  While inside I also disabled WiFi, since I provide my own with an 802.11N WiFi AP with a MUCH better range than these crappers. I also disabled all other firewall features; since PF will do a much better job anyway, I don't want my traffic being looked at twice.

Then within PF I configured all three interfaces as WAN, WAN1 and WAN2, then I gave each a unique public DNS server as a Monitor IP.  If the interface loses any pings to that host it will consider the link down.  Two of my WAN interfaces use Google's public DNS IPs, because it'll be a cold day in hell when those ever go down. Then after that I rebooted each modem. Once up, the modems are supposed to give the PF interface a 192.168 address for approx 3 minutes, then it should pass its own external IP to PF.  Now what happened in my case was that my Primary WAN circuit did that.  The last two did not. PF kept using a 192.168 address, but they were passing data correctly, so I didn't argue about it.
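An added example, not part of the original post: a WAN that stays on a 192.168 lease is still sitting behind the modem's NAT, so it is worth checking per interface whether passthrough actually handed over the public address. The interface names (`em0` to `em2`, `em9`) and the `ifconfig`-style sample output are constructed assumptions.

```python
import ipaddress
import re

# RFC 1918 ranges: one of these on a WAN port means the modem is still
# doing NAT for that line instead of passing its public IP through.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in FreeBSD ifconfig layout. 203.0.113.0/24 is a
# documentation range standing in for a real public address.
SAMPLE_IFCONFIG = (
    "em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tinet6 fe80::1%em0 prefixlen 64 scopeid 0x1\n"
    "\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255\n"
    "em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tinet 192.168.1.64 netmask 0xffffff00 broadcast 192.168.1.255\n"
    "em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tinet 192.168.1.65 netmask 0xffffff00 broadcast 192.168.1.255\n"
)

def wan_addresses(ifconfig_text, wan_ifaces):
    """Return {iface: [IPv4Address, ...]} for the named WAN interfaces."""
    found = {name: [] for name in wan_ifaces}
    current = None
    for line in ifconfig_text.splitlines():
        header = re.match(r"^(\S+): flags=", line)
        if header:
            current = header.group(1)
            continue
        inet = re.match(r"^\s+inet (\d+\.\d+\.\d+\.\d+)\b", line)
        if inet and current in found:
            found[current].append(ipaddress.ip_address(inet.group(1)))
    return found

def passthrough_report(ifconfig_text, wan_ifaces):
    """Classify each WAN: 'public', 'behind-modem-nat' or 'no-address'."""
    report = {}
    for iface, addrs in wan_addresses(ifconfig_text, wan_ifaces).items():
        if not addrs:
            report[iface] = "no-address"
        elif any(a in net for a in addrs for net in RFC1918):
            report[iface] = "behind-modem-nat"
        else:
            report[iface] = "public"
    return report

if __name__ == "__main__":
    for iface, state in passthrough_report(
            SAMPLE_IFCONFIG, ["em0", "em1", "em2"]).items():
        print(f"{iface}: {state}")
```
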

Anyway, once PF could see all three gateways (or Monitor IPs) up, I then created a Gateway group named 'LoadBalance', then created a firewall rule superseding the existing LAN Net out rules, specifying the gateway group.

That's basically it. I also posted about it on the PF Forums as well:
https://forum.pfsense.org/index.php?topic=87639.0

