• How To Direct Traffic For Specific Website(s) Out Specific Gateway?

    11
    0 Votes
    11 Posts
    2k Views
    johnpozJ

    @alteredstate said in How To Direct Traffic For Specific Website(s) Out Specific Gateway?:

    I would be forced to continually disable and enable the VPN firewall destination rule each time I use Disney+.

    Just create another wifi network then, when you want to watch Disney, connect to your non vpn wifi. When you want to do whatever else, just switch to your vpn wifi..

    I would just watch on my TV to be honest.. Why would anyone watch on little screen when there is a big screen available?

    But if you're going to be using a device where you want to split traffic vpn and non vpn - then yeah the policy routing is really the only way to do that. It can be problematic - especially if laptop is not using pfsense for dns, say doh..

  • No access to internet from web browser anymore but can ping (LAN)

    5
    0 Votes
    5 Posts
    838 Views
    Y

    @viragomann
    I can ping google.com, it works just fine.

    Indeed, in the logs there seem to be recurring patterns (and I totally missed the flags).

    home_ip : my home public ip address
    server_ip : my server public ip address
    public_ip : multiple public ip addresses were captured by the filter
    port : multiple port numbers were captured by the filter

    Here is for the Default deny rule IPv4 :

    block em0 TCP:PA home_ip:port server_ip:443 (*)
    block em0 ICMP public_ip server_ip
    block em0 TCP:S public_ip server_ip:port (mostly port 445)
    block em0 TCP:A/FA/PA 192.241.206.128:port server_ip:443(**)
    block em0 TCP:R public_ip:port server_ip:80

    (*) this line appears so often that it is difficult to see anything else.
    (**) I don't know the 192.241.206.128 address, but it is the only one I have with the A, FA and PA flags

    Some traffic is passing :

    pass em0 TCP:S server_ip:port 99.86.113.21:443
    pass em1 TCP:S 192.168.1.2:46178 99.86.113.21:443 (***)
    pass em1 TCP:S 192.168.1.101:port 34.122.121.32:80 (32.121.122.34.bc.googleusercontent.com)

    (***) 192.168.1.2 is another vm (debian) on the LAN --> no internet as well

    In the end, the Default deny rule IPv4 seems to be blocking inbound traffic. I could see that it was mostly blocking ip addresses referenced as abusive.

    And I think I have missed something, because I don't see all the LAN activities in the logs (e.g., ping). I am currently working on this issue.

  • Preventing multi-wan failover for a specific host

    3
    0 Votes
    3 Posts
    443 Views
    G

    @viragomann
    Thank you! That plus a blocking rule to prevent the host from going out the gateway I don't want does the trick.

  • how to enable asymmetric routing on pfSense + FRR

    5
    0 Votes
    5 Posts
    1k Views
    S

    @stephenw10
    Really appreciate the reply, just disabled "reply-to" from the fw rules and the traffic flows to the right BGP path now.

    Sipher

  • 0 Votes
    5 Posts
    520 Views
    E

    @viragomann

    I'll use that then.

    thanks again.

    solved.

  • PPPoe reconnect issue

    1
    0 Votes
    1 Posts
    259 Views
    No one has replied
  • Pfsense Firewall VM in DMZ and VMs behind it no internet

    2
    0 Votes
    2 Posts
    241 Views
    No one has replied
  • HAProxy transparent SSL balancing... Banging my head against the wall.

    1
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • Failover with Static Routes

    1
    0 Votes
    1 Posts
    196 Views
    No one has replied
  • Squid with Dual Wan

    3
    0 Votes
    3 Posts
    460 Views
    R

    @viktor_g I have selected the Outgoing Network Interface to WAN2. But this way proxy is connected but the internet does not work. Because the default gateway is WAN1.
    Internet over proxy only works when Both default gateway and Outgoing Network Interface in squid are the same.

  • When WAN Gateway goes down - unable to reach Webinterface via LAN

    1
    0 Votes
    1 Posts
    130 Views
    No one has replied
  • How to delete a non existing gateway??

    14
    0 Votes
    14 Posts
    2k Views
    Cool_CoronaC

    @viragomann Did it via winSCP instead.

    Thank you

  • No route to specific public subnet

    4
    0 Votes
    4 Posts
    438 Views
    V

    @nicklas-0
    Since your router sends packets destined to B to the ISP gateway, it's on the ISP to route them forwards properly.
    And since A and B are within the same ISP network, it might be one of his devices where the packets get stuck.

  • Routing network over a site to site vpn

    4
    0 Votes
    4 Posts
    502 Views
    V

    @cerberus2022
    IPSec can be set up in one of two modes. The more common mode is "policy-based IPSec", where you have to configure a phase 2 for each subnet pair you want to connect.
    However, if you have your subnets sequentially (10.26.1.0/24, 10.26.2.0/24, 10.26.3.0/24) you can also embrace all using a suitable larger mask.
    This mode can be used on most IPSec capable devices.

    The other mode is "routed IPSec", where you get a virtual gateway IP, to which you can route the respective subnets to the other site.

    The only drawback of IPSec is, it cannot be used to forward public traffic to a server at the other site, if you intend to do that.

  • Dynamic URL routing from WAN to LAN

    5
    0 Votes
    5 Posts
    553 Views
    bingo600B

    @gregorywest said in Dynamic URL routing from WAN to LAN:

    Is it possible for PFSense to take the incoming URL and use it to route traffic to a particular server? What I am looking for is external WAN clients hitting the firewall with something.myurl.com routed to server2, and other clients coming into somthingelse.myurl.com to be routed to server3. Both of these routes might or might not be using the same IP Ports, so using 'port forwarding' would not work.
    Is something like this even possible?

    Do you have (or can order) multiple "Public ip addresses" for the firewall :
    And then assign different ip's to :
    something.myurl.com
    and
    somthingelse.myurl.com

    Would make your life much easier.

    Remember that with some of the mentioned programs, i.e. FTP,
    the client might not even xfer the URL, just resolve locally, and connect to that "remote ip".

    /Bingo

  • pfsense on an mpls network

    1
    0 Votes
    1 Posts
    478 Views
    No one has replied
  • How to allow Wan to Wan Port forwarding?

    6
    0 Votes
    6 Posts
    1k Views
    P

    I do this with HAproxy - it also supports keeping the original source IP to the destination, I can also terminate SSL/TLS and change ports along the way - very versatile :)

  • can merge speed of 2 wan or more.

    5
    0 Votes
    5 Posts
    587 Views
    noplanN

    @jenskiebee

    Bonding can be realized in combination with pfS as of today only by a "bonding box"
    in front of pfS.... Oh boy I can tell you... A f@#&* pain in the ass
    Sometimes it's working, sometimes not; the speed you get is a total other ballgame
    And a 100+50 is not giving you 150, it's more about a 125 or less
    I got 2x100 and the best shot was 160...

    So now we use loadbalance and everyone is happy except the inner nerd ;)

  • Policy based routing stop working

    7
    0 Votes
    7 Posts
    940 Views
    P

    @marvosa Thanks a lot!

    Now I understood

  • Mikrotik Pfsense Radius Ghost Script Integration

    2
    0 Votes
    2 Posts
    323 Views
    H

    @halil We open so many topics and not a single soul replies.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.