Route traffic from LAN Virtual IP to secondary WAN
-
Hi, I have a firewall with two WAN interfaces, and I'd like to have the following setup:
• LAN has two addresses, 10.12.0.254 and 10.12.0.253 (best way I found is by using Virtual IPs)
• If traffic comes to 10.12.0.254, it exits through WAN1
• If traffic comes to 10.12.0.253, it exits through WAN2
This allows a client to easily select which WAN to use from its network configuration.
Apparently it's impossible to match traffic incoming from a virtual IP, it only wants the interface. Any idea on how to solve this?
Thanks
-
@john3383 You say "LAN has two addresses"... Does that mean two host computers/machines on the same LAN network, or does it mean your LAN is 2 different networks?
If you mean 2 different networks, what you typed out (10.12.0.254 and 10.12.0.253) are NOT two different networks, that is technically 2 different hosts on the same 10.12.0.X network space. Also, what's your network size - is it a /24 subnet mask size, or /23 or /25?
https://www.aelius.com/njh/subnet_sheet.html
You shouldn't need to use virtual IP addresses anywhere in your setup, but can you clarify what you mean, so then we can help you better?
-
@akuma1x I'd like to have the firewall's presence in the LAN as two addresses in the same network, as described. If a computer selects 254 as its default gateway, traffic leaves through WAN1, if it selects 253 (while being in the exact same subnet) it leaves through WAN2.
It's just a way to select which modem to use for traffic.
Also yes, it's /24, sorry.
-
@john3383 That's technically not how it works... I'm gonna try and give you a basic understanding of the pfsense software and how to do policy routing.
And, before we get too deep, virtual IP addresses are usually used when your ISP gives you multiple public IP addresses (so you can run servers and stuff inside your network) that are coming in over a single internet cable. You have to split them up, so you can use them, in some manner = virtual IP addresses.
On pfsense, you can make and use multiple internal LAN type networks (trusted machines, IOT stuff, cameras, servers, workstations, etc., on and on it's almost endless). These internal networks can be physical interfaces on your pfsense box, or they can be virtual, as in VLAN networks. Then, at the same time, you can also have multiple WAN connections out to the internet. All of these internal LAN networks can use either your single WAN connection - almost every home and business runs a setup like this, one WAN connection. Or, like you are asking, running 2 WAN networks at the same time. You can get even more complicated and have a setup where if one ISP fails, the other connection automatically switches and takes over. That's a discussion for another day.
So, having said all of that, on pfsense you simply create and connect your different WAN networks. Then, on your internal LAN networks, using firewall rules, you policy route on how you want the WAN internet connections to be used. You use the firewall to tell your computers what gateway they will use, not the other way around. It's much simpler this way. I don't even know if you can do it the other way.
Let's see an example:
Computer 1 is on your LAN network, and you've got 2 WAN connections - ISP 1 and ISP 2. On your pfsense box, in the LAN firewall rules section, you use the IP address of computer 1 and make a rule that tells it to use ISP 1 as its gateway. Computer 2 is also on your LAN network, and you make a separate rule that tells it to use ISP 2 as its gateway. Computer 3 is on a VLAN, different than your LAN network. In the firewall rules for the VLAN network, you set a rule that tells computer 3 to use ISP 2 as its gateway. It's pretty easy once you get the hang of it and set up your connections.
Here's the official documentation for policy routing:
https://docs.netgate.com/pfsense/en/latest/multiwan/index.html
And, here's a video of somebody actually setting it all up:
https://www.youtube.com/watch?v=JVsSm5WYi3U
Hope that helps!
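The three-computer policy-routing example in the answer above, written out as the kind of pf rules pfSense generates when a LAN rule has a gateway set (added illustration, not part of the original post). Interface names (em0, em1, em2, em2.20), the upstream gateway addresses (192.0.2.1, 198.51.100.1) and the host/VLAN addresses are assumed placeholders:

```pf
# Assumed interfaces and gateways (placeholders, not from the thread)
wan1 = "em0"          # ISP 1, upstream gateway 192.0.2.1
wan2 = "em1"          # ISP 2, upstream gateway 198.51.100.1
lan  = "em2"          # 10.12.0.0/24
vlan = "em2.20"       # separate VLAN, 10.12.20.0/24

table <local_nets> { 10.12.0.0/24, 10.12.20.0/24 }

# 1. Match traffic for local networks (and the firewall itself) with a
#    plain pass rule first. Rules are first-match with "quick", so without
#    this the route-to rules below would push LAN-to-LAN and LAN-to-firewall
#    traffic out a WAN interface.
pass in quick on $lan  inet from 10.12.0.0/24  to <local_nets> keep state
pass in quick on $vlan inet from 10.12.20.0/24 to <local_nets> keep state

# 2. Policy routing by source host: Computer 1 -> ISP 1
pass in quick on $lan route-to ($wan1 192.0.2.1) inet \
     from 10.12.0.10 to any keep state

# 3. Computer 2 -> ISP 2
pass in quick on $lan route-to ($wan2 198.51.100.1) inet \
     from 10.12.0.11 to any keep state

# 4. Everything on the VLAN (Computer 3) -> ISP 2
pass in quick on $vlan route-to ($wan2 198.51.100.1) inet \
     from 10.12.20.0/24 to any keep state

# 5. Remaining LAN hosts: no route-to, so the system routing table
#    (the default gateway) decides
pass in quick on $lan inet from 10.12.0.0/24 to any keep state
```

In the GUI the same ordering applies: the rule that passes local-destination traffic without a gateway must sit above the gateway rules on each interface, or local traffic gets policy-routed out a WAN.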
-
@akuma1x Thank you very much for taking the time to explain, that does help. I do know that normally it's the firewall to decide, but since I have two very different lines with specific use cases, it's a requirement to let the client decide which line to use. Of course I can do something like having the client choose a specific IP address that will trigger a policy, but that's more cumbersome. Adding policies that route differently by looking at the destination is pure hell (yes, CDNs).
Having the firewall serving as two gateways is not a setup I've seen around indeed, and I believe that some firewalls might be able to do that, but since I'm not seeing any way to do it here, I'm asking in the forums. My WAN connections do have redundancy by default btw.
So it's not feasible to trigger a policy based on the firewall's virtual IP that's receiving the request, right?