This document summarizes a pfSense hangout about multi-WAN configurations. It announces two new hardware platforms for pfSense and discusses the Heartbleed vulnerability in OpenSSL and its impact on pfSense. It then covers the goals and strategies for multi-WAN configurations, including redundancy, bandwidth aggregation, and service segregation. Various multi-WAN configuration examples and demos are provided. Troubleshooting tips are also included.

1. pfSense Hang Out
April 2014
Introduction to Multi-WAN

2. Project News
● Two new hardware platforms in stock at
store.pfsense.org
○ APU (VK-T40E2) - ALIX successor, AMD T40E
CPU, 2 GB RAM, 8 GB SanDisk SDHC card, 3
gigabit Realtek NICs
○ C2758 - Rangeley Atom 8 core, 8 GB RAM, 80 GB
SATA-3 SSD, 4 gigabit Intel NICs, 1U rack mount
● Support included with these new platforms

3. Heartbleed vulnerability
● OpenSSL security vulnerability leading to
disclosure of memory contents
● Affects pfSense versions 2.1 and 2.1.1
○ For components in base system - some 2.0.x
packages potentially impacted
○ Doesn’t mean you need not upgrade 2.0x and 1.x
systems

4. Heartbleed vulnerability
● Primary components affected
○ Web interface
○ OpenVPN
■ shared key not impacted
■ SSL/TLS impacted if not using TLS
authentication, or if untrusted users have TLS
key

5. Heartbleed vulnerability
● Other impacted components
○ Some packages dependent on OpenSSL
● Recommended remediation
○ Upgrade to 2.1.2
■ WARNING: Upgrade AutoConfigBackup package
first
○ Consider re-issuing keys

6. Heartbleed vulnerability
● Non-pfSense related things
○ Check all HTTPS servers
■ https://filippo.io/Heartbleed/
○ Revoke and re-issue trusted SSL certificates after
patching
○ Check with vendors of other products on applicability

7. Multi-WAN Goals and Strategies
● Redundancy
● Bandwidth aggregation
● Segregation of priority services

8. Choosing Internet connectivity
● Cable paths
● Paths to the Internet

9. Example configuration

10. Demo setup
● Configuration of second WAN
● Configuration of monitor IPs
● Failover demo
● Load balancing demo
● Other gateway groups usage
○ IPsec
○ OpenVPN
○ Dynamic DNS

11. Demo - NAT and Multi-WAN
● Port forward example
● 1:1 NAT example
● Outbound NAT example

12. Demo - Advanced Options
● Gateway advanced options
● System>Advanced options
○ Allow default gateway switching
○ State Killing on Gateway Failure
○ Skip rules when gateway is down

13. Troubleshooting
● Verify rule configuration
● Failover not working
○ Check Status>Gateways
○ Verify monitor IPs
● Load balancing not working
○ Validate testing methodology
○ Have appropriate expectations

14. Questions?
Thanks for attending!
Comments, suggestions, etc. welcome to
gold@pfsense.org