@viragomann said in Source based Routing with pfSense:

@birtalevente said in Source based Routing with pfSense:

From this another location, other company the connection is initiated to the WAN1 and WAN2 IPs, but the responses are routed out through the WAN3 ... which is somehow logic because I have in the routing table a.b.c.0/24 on WAN3

No, this is logic, because the destination IP lies within the subnet of WAN3 if I did undersand right your alphabetic variables:

@birtalevente said in Source based Routing with pfSense:

So, the WAN3 network let's say is a.b.c.0/24, WAN3 IP is a.b.c.62
There is another location, other company where the ISP assigned the a.b.c.192 IP address

So if here a.b.c are the same in both variables, your WAN3 IP and that one of the other company are in the same subnet.
If so, the other company should access your router at WAN3 and nothing other.

This is not possible...WAN3 is low speed and dedicatet to other services.

If they come in on an other WAN, they may have set a wrong mask in the WAN configuration (not /24).

They come in on the right WAN because thats how is set up on they side!

Your router cannot response to an address on another interface if the destionation is in the subnet of WAN3 in the end.

That sucks ... 😊

So I need to reconfigure a little bit

Thanks anyway !

Levi

@golserma I didnt even ever heard about it

Is there a specific reason for using 2 separate PfSense instances?

A single instance with 2 WAN interfaces would have no problem routing the way you want it to.

You may be able to do what you are seeking with a static route, but I have never tried what you are planning myself.

Matthew

If I understand you correctly, we are doing this at one of our sites now by using OpenVPN in tap mode

Our PfSense has 2 WAN links, 2 LAN interfaces and about a dozen VLANS.

In the OpenVPN config, we have specified a Server Bridge DHCP start and end range, which is outside our Windows server DHCP scope on the same LAN [this may not be required, we wanted to be able to see which clients were local and which were remote by looking at the IPs]

No tunnel network is specified.

When the client logs in, they get an IP in the same subnet as the LAN interface, and they can access all services within the LAN. They can also route traffic back to the internet as if they were connected via the office network.

I do not have a how to for this, but I recall it was not overly difficult to setup.

Matthew

@abidkhanhk said in Metro Ethernet WAN and routing setting:

Hello,
I am trying to setup a metro ethernet network between 3 sites,
as previous on these sites we have juniper ssg5, and i didnt have any access to their routing configuration or gw information, i was only able to gather limited informaiton by using tracert -d commands from windows, so far i have found that the site have below IPs as their Wan

Site A. WAN192.168.100.1 LAN192.168.1.1
Site B. WAN192.168.100.2 LAN192.168.2.1
Site C. WAN192.168.100.3 LAN192.168.3.1

so in order to make it work, I created the WAN IPs and gave them their opposite firewall's WAN IP as GW.
e.g Site A WAN 192.168.100.1 GW192.168.100.2 and GW 192.168.100.3
and defined static route as 192.168.2.1 over GW 192.168.100.2 and 192.168.3.1 over GW192.168.100.3
However, it is not working so well.. i am not sure what am i doing wrong,
How i can define the GW on these wans, and what kind of static routes to give then.
Can someone please guide me . thanks.
36cc7cc8-d096-4a02-8782-d39344170ea9-image.png

anyone can help?

@johnpoz

LOL-Right you are, both my sons are programmers and one is experimenting with hacking right now, so I guess he COULD be sniffing out traffic on my internal network, but I trust him and don't need to hide anything from my own son.

I feel a bit ridiculous and thank you for the reminder that there is such a thing as to much (and in my case useless)security.

I just deleted to two DNS rules and left the one blocking traffic from LAN2 to LAN and allowed LAN2 to everything else, meaning the internet.

I think I am good.

Cheers

@bldnightowl said in Filtering out TCP:A, TCP:FPA, etc. packets (again):

it would be nice if the UI prevented the flag settings from even being available.

You could put that in as a feature request I would think.

@bingo600 said in How to only send specific route through OpenVPN client connection:

@soupdiver

Netflix is a totally different beast , that does a lot to detect if you are "cheating"
There are other posts on this forum that explains about that.

Yea but what I don't understand is why it's affected at all. I add a filter rule for my machine on ipv4 and something on ipv6 breaks everywhere else.

What I can think of is that they probe not only my v6 but also v4 addresses and maybe shutdown everything if it looks suspicious. Who knows. Guess I have to finder another exit 😁

If your behind a nat, ie pfsense wan has a rfc1918 address, or even a cgnat IP 100.64/10 then no you would not be able to get to it from the internet - without the nat going on in front of pfsense forwarding the traffic to pfsense wan IP.

@viragomann
All of the additional switch interfaces are available on the front of the NG except 1 and 2. I was reading through old forum posts and found where someone was able to resolve their routing issue by using a VIP in the netgate, figured it wouldnt hurt for me to try the same thing.

I'll go back to the separate interfaces approach and try to config again, but I feel like I'm missing something. I have a 3750 behind the Netgate, so I could VLAN it that way as well, but I would prefer not to, since the NG will be doing the routing anyway.

I tried some other tests but no luck. I am officially unable to apply that gateway

😧

@kiokoman Foudn the mistake. The VLAN whcih I assigned to the Interface was not giving out IPs via DHCP to the Clients. I had tha DHCP Server up and running, but it did not work properly. So I switched configuration and set the public IPS to the Interface and seperated the nextcloud network through a separate LAN out on the NIC and all hardware behind that is not connected to the rest of the main Network. So basically a real DMZ. Now it is working

I Have a equal problem with pfSense in AZURE. Hobe someone can give a hint.

@bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

To my understanding, port forwarding should work without any settings, as long as reply-to functionality is enabled by default. (under system->advanced->Firewall & NAT)

That's correct. That feature makes sure that responses are send out on the same interface where the request was coming in before, no matter which if it's the default gateway or not.

@bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

Is there any way to handle devices on LAN, using gateway on WAN1, and other devices on LAN using gateway on WAN2 ? (For normal traffic / not port forwarding).

This can be done by policy routing rules: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

Group IPs which you want go out on the same interface in an alias and use this one in a pass rule as source. Expand the advanced options in the rule, go down and find the gateway drop-town. Select the proper gateway.
It's a good advice to have an alias with all RFC1918 networks defined. So you can add this at the destination together with "invert" checked. This avoids this rule to match for local destinations.
Now you can put this rule to the top of the rule set to ensure it is applied before rules which have any.

If you want to use both gateways but use one as default, create a gateway group. You can create multiple gateway groups including the same gateway, e.g. one with WAN1 as tier 1 and WAN2 as tier2, and a second group the other way around.

@bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

If i set there default gateway, what does this mean ?

The default gateway is use if no gateway or -group is stated, either in policy routing rule or in a static route.

Ensure that you have outbound NAT rules in place for both WANs.

@jonnydy try to use open VPN site to site with shared key (the easiest and error proof configuration).

@th

OpenWRT on a UBI AP , i didn't know you could do that.

Well to me it seems like you should use multi vlans between the pfSense & the AP.

If your AP doesn't support that, you really don't want to try two different ip ranges on the AP.

/Bingo