@djmaxx007 See policy routing

Hmm... should I have asked this question in a different category or does my question just make no sense? Seriously not sure what's wrong with my configuration. Has anyone else here managed to route traffic through different WANs based on destination domain?

@johnpoz Ahh. Thank you so much. It's amazing how little some service techs actually understand. That perfectly solved my problem.

@johnpoz said in Pfsense Routing to cisco 4321: > you would create the new interface give it the IP 172.16.0.2/30 this one i know how to do it on pfsense. You have zero need for a /24, but sure you could use it that if you want. But 30 is all you need. thanks for this. %(#ff0000)[Create a gateway under routing to 172.16.0.1 %#ff00000)[Then create a route for 192.168.1.0/24 using that gateway.. Create any firewall rules on the 172.16.0.2 interface that you want to allow. if no rules then 172.16.1/24 could talk to 192.168.1/24 but 192.168.1/24 could not create conversations to 172.16.1/24 You would then need a route on cisco pointing to 172.16.0.2 for 172.16.1/24]] sorry this steps i dont know how to create it on pfsense and on the cisco router sorry im new to pfsense and routing to cisco. your help is really appreciated.

@jnelson well use your existing networks as the transit. And move your actual network to something else 192.168.5/24 on one side and 192.168.2/24 on other for example.. If you have no control over what network they use. Problem is you might have routing problems on their devices. But why can you not get with who manages the mpls routers to fix the problem. Your going to have issues when device sends their syn,ack back to their gateway (pfsense) and pfsense never saw the syn to open the state. The correct setup for what you have there is with transit networks. As to routing on hosts, yeah you would need a route on the client that says hey you want to talk to 192.168.1/24 send it to mpls router at 4.1 vs pfsense at 4.254. And on the other end your app server would need route to 4/24 to send it to 1.254 vs pfsense 1.1 address. Problem with such a setup is you loose firewall between your networks.. I would really suggest you get with who manages the mpls to correct the setup. They should have no problems changing the ips to some new transit networks and fixing the routing. If they are currently using your pfsense IPs on each end as default.. Then you could change your networks and use the existing 4/24 and 1/24 networks as the transit networks.

@qfixxx said in Basic dual WAN policy-based routing setup doesn't work: have to debug what other URLs/IPs maybe involved in subsequent calls to watch.spectrum.net Yeah that can be PITA ;) A sniff of all the traffic when force all its traffic out the correct gateway and it works can be helpful.

@johnpoz Thanks for the notification: the DNS, at least, should now be working.

Well that escalated quickly! You just need a firewall rule to pass the traffic from 192.168.5.0/24 since that is not in the LAN subnet. pfSense only default firewall rule is for the LAN subnet. Anything else you wish to pass requires rules adding. Did that not work when you added it? Steve

@viragomann I think I get what you're saying. I'll play around with it. Thanks.

Additional info. When running Suricata on both WAN and LAN it stops working... Disabling Suricata on the non tagged interface (WAN) makes it run again.

@unsichtbarre said in pfSense as front end for /24: Could I just disable firewall in advanced settings? You could - but now you just exposed pfsense web gui, ssh etc to whatever can talk to any IP on the box.. Disable the firewall might be an option for some internal use of pfsense as just router. But not something I would suggest for when its routing public IP space. As mentioned in another thread - just use any any if you want to just route.. There is no advantage to disable the firewall aspects unless its performance related - and if your box can not route your traffic at speed with firewall enabled then it undersized anyway. Then you can at least filter who can talk to the pfsense gui, etc.

@viragomann said in Secondary WAN and High Availability: @bp81 Exactly. That is what VLANs are meant for, running multiple L2 networks on a single hardware. Yeah, I suppose that does make sense, it just never occurred to me to do it. I'm running an HA configuration now with a competing product using separate physical interfaces, but the router I'm using has 8 interfaces, so it's not as if I needed a vlan for this purpose to economize on limited interfaces either.

@unsichtbarre said in /24 from Cogent: I'm wondering if PFS can be used as a front end router? Yeah sure that is not a problem..