• Gateway based on source

    4
    0 Votes
    4 Posts
    481 Views
    @heper said in Gateway based on source: @sr10977 said in Gateway based on source: If traffic comes in to WAN A, it goes out via WAN A (default). If traffic comes in to WAN B, it goes out via WAN A (default). That's not default ... that's asymmetric routing & will fail miserably. You probably have some configuration problem. This behavior occurs when upstream gateway is not set on WAN interfaces.
  • Aggregate more LTE connections

    1
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • Multiple Gateways on same subnet

    multi-wan subnet gateway routing firewall
    26
    0 Votes
    26 Posts
    6k Views
    @JeGr said in Multiple Gateways on same subnet: Why not simply reconfigure those routers Because some devices (not mine) directly connected to router 1 have in their routing table certain rules to redirect traffic through 10.1.0.4. Hence those routers need to be on the same subnet. These routers are shared by around 20 people, in 4 rooms on single floor. Hence I cannot change settings on those routers.
  • Possible to select gateway based on URL ?

    15
    0 Votes
    15 Posts
    4k Views
    Updated setup:
    Router 1 (College Campus): 10.1.0.1/16
    Router 2 (ISP Router): 10.1.0.4/16
    Both routers connected to each other. Hence R1, R2, pfSense WAN on same layer 2 network.
    pfSense:
    WAN 1: 10.1.0.2/30, Gateway: 10.1.0.1 (Default Route)
    WAN 2: 10.1.0.5/30, Gateway: 10.1.0.4
    LAN 1: 192.168.1.1/24
    Firewall Rules for LAN:
    Alias containing FQDN of all websites: [image]
    LAN Firewall Rules: [image]
    Traceroute Diagnostics: [image]
    Results: [image]
    Test (if BlockedWebsites firewall rule is disabled): [image]
    So yes, I believe that Sophos (the firewall which my campus uses) blocks access to the TLD name, hence blocking any chance of redirect. So I guess I was partly right in saying that Sophos can't really block CDNs since many websites originate from the very same CDN. Also, I still can't understand properly what causes so much trouble if both the gateways are on the same subnet.
  • Publishing web site with 2 firewalls

    2
    0 Votes
    2 Posts
    150 Views
    I understand reverse proxy could help, although I'm not sure the appliances in question would be happy with it.
  • identical local and remote networks

    1
    0 Votes
    1 Posts
    146 Views
    No one has replied
  • Traffic not getting through internal firewall to external firewall

    5
    0 Votes
    5 Posts
    397 Views
    Figured it out! Went back to check the NAT rules and the automatic ones were gone! I guess when I change the WAN interface it deletes the automatically generated outbound NAT rules?
  • FRR OSPF Default Route

    12
    0 Votes
    12 Posts
    2k Views
    @smaxwell2 I forgot you were running through tunnels, so you do need that GW. Spreading the default route via OSPF may not be the right way to go for this. If there is only one tunnel from each site to the central it will be much easier just to specify the default route for the needed networks statically.
  • SSH broken pipe - asymmetric routing issue?

    3
    0 Votes
    3 Posts
    690 Views
    @bryon I decided the simplest and most secure way forward is to create a jumpbox with two NICs. I ssh to the jumpbox when I need to access the management LAN. I plan to add a web proxy to the jump box so I can access web-based machines in the management LAN. If anyone has alternate ideas then I'd love to hear them.
  • FRR OSPF Default route

    1
    0 Votes
    1 Posts
    124 Views
    No one has replied
  • DMZ not working

    11
    0 Votes
    11 Posts
    930 Views
    johnpoz
    Reject or Block is fine - I use reject on many a local rule that I block, because that way you "know" instantly it's blocked because the firewall sends you back info - hey you're not getting there, go away! ;) Reject on a WAN side rule is almost always a very bad idea, since you rarely want the firewall to send anything in response.
  • Multi WAN Load Balancing does not work on 2.5.0

    7
    1 Votes
    7 Posts
    2k Views
    I have a problem like this. Two WAN connections, one static and other DHCP. WAN DHCP is my main connection and works normally alone. I did all the configuration to work with failover but when I disconnect the DHCP WAN the other WAN does not go up. I have little knowledge in pfSense so there is probably a problem with the configuration.
  • Port Forwarding and NATing over IPsec VPN

    1
    0 Votes
    1 Posts
    151 Views
    No one has replied
  • Routing Public IP range

    18
    0 Votes
    18 Posts
    2k Views
    Hi all, just thought I would report back on this one. Finally got to site today to do the config. Set the WAN up on the /30 and added a couple of the /29 range as aliases. Set Outbound-NAT to manual and configured LAN to use one of the /29. Worked a treat, so thanks for the help.
  • routing: forward vs redirect

    7
    0 Votes
    7 Posts
    626 Views
    @johnpoz thanks for taking the time to suggest a transit network. I've actually never heard of it before. My quick Google search only yielded definitions, not a practical guide. Any article you can point me to?
  • unwanted routing behavior

    2
    0 Votes
    2 Posts
    324 Views
    Hi, I checked the route table and see there is one static route for 172.20.20.8 with UGHS flag, traffic to wrong gateway 192.168.193.25. Manually (from shell) deleted this route and everything goes right. Used command: `route delete 172.20.20.8`
  • Add a quad WAN router to my pfSense

    4
    0 Votes
    4 Posts
    452 Views
    Rico
    Nope, you could have 5 WANs and 1 LAN with the SG-3100 if you want. -Rico
  • Routing to WAN fails when adding a LAN NIC

    2
    0 Votes
    2 Posts
    165 Views
    UPDATE: Turns out it was pfBlocker. Removed it and its rules and presto the firewall is back alive. Now the bug appears to be in pfSense since pfBlocker uses its APIs to set rules....
  • 1 ISP 2 Nics 1 remote ARP

    12
    0 Votes
    12 Posts
    442 Views
    It could work on the same subnet but should be easier to configure and make work with 2 as you have now. I haven't looked at the documentation here for awhile but they do seem to have what you're looking for. Would it be better for you to bond the connections? That could possibly work for you. https://docs.netgate.com/pfsense/en/latest/book/multiwan/multi-wan-caveats-and-considerations.html
  • OpenVPN and routing

    1
    0 Votes
    1 Posts
    282 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.