Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2 wan 2 lan, send lan2 traffic out non default gateway of wan2

    Routing and Multi WAN
    4
    6
    195
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      a.dresner
      last edited by

      Hi Everyone,

      Using a 8200 here at my office, the fiber connection we have is slow but has many IP. It's fine for the office but I want to stream music and crap when i'm there so I got a fast second fiber connection to use personally (i'm the company owner).

      I have the second wan and lan setup, wan2 and lan2. Got lan2 talking to lan1 and visa versa.

      However, on the routing side, lan2 is still using the default gateway of wan1. Curious how I can get my traffic out of wan2? I changed the gateway in the default outbound rule in lan2 but that didn't work. I asked Google Gemini and it gave me this (before I roll it out, was wondering if you guys have any feedback for me?):

      You're on the right track creating a second LAN and WAN, but getting LAN2 traffic to route out WAN2 requires some specific configuration in pfSense. Here's a breakdown of how to achieve this, along with common pitfalls to avoid:

      1. Verify Interface Assignments:

      • WAN Interfaces: Double-check that your two WAN connections are correctly recognized and assigned in pfSense under Interfaces > Assignments. They should likely be labeled WAN and WAN2 (or similar). Make sure each WAN interface has a valid gateway assigned by your ISP.
      • LAN Interfaces: Similarly, ensure your LAN and LAN2 interfaces are correctly assigned. LAN will likely be your existing LAN, and LAN2 should be the new interface you created. Assign appropriate IP subnets to each (e.g., 192.168.1.0/24 for LAN and 192.168.2.0/24 for LAN2).

      2. Create Gateway Groups (Crucial Step):

      This is the most likely reason why your LAN2 traffic is still going out the default gateway. You need to tell pfSense which WAN to use for LAN2.

      • Go to System > Routing > Gateways.
      • Click "Add".
      • Give the gateway group a descriptive name (e.g., "WAN2_Group").
      • Add only your WAN2 gateway to this group. Do not include your WAN gateway in this group.
      • Set the "Tier" for WAN2 to 1 (or leave it at the default). Tiers are used for failover, but for this specific routing scenario, a single tier for WAN2 is sufficient.
      • Save the gateway group.

      3. Create Firewall Rules (The Traffic Director):

      Now, you need a firewall rule to direct LAN2 traffic out the WAN2 gateway group.

      • Go to Firewall > Rules.
      • Select the LAN2 interface tab.
      • Add a new rule (the plus button).
      • Important Settings:
        • Action: Pass
        • Interface: LAN2
        • Address Family: IPv4 (or IPv6 if needed)
        • Protocol: Any (or specify protocols if you want to restrict traffic)
        • Source: LAN2 net (This is the network you assigned to LAN2, e.g., 192.168.2.0/24)
        • Destination: Any (or specify destinations if you want to restrict traffic)
        • Gateway: Choose the WAN2_Group you created earlier. This is the critical step.
        • Description: Give the rule a descriptive name (e.g., "LAN2 to WAN2").
      • Save the firewall rule. Make sure it's placed above any other more general LAN2 rules that might override it.

      4. Outbound NAT (Masquerading):

      You need to configure outbound NAT (Network Address Translation) for LAN2 so that traffic appears to originate from the WAN2 IP address.

      • Go to Firewall > NAT.
      • Select the "Outbound" tab.
      • Click "Add" (or the plus button).
      • Important Settings:
        • Interface: WAN2
        • Address Family: IPv4 (or IPv6 if needed)
        • Source: LAN2 net (e.g., 192.168.2.0/24)
        • Destination: Any
        • Translation / Address: Interface Address (This will use the WAN2 IP for NAT)
        • Description: Give the rule a descriptive name (e.g., "LAN2 to WAN2 NAT").
      • Save the outbound NAT rule.

      5. Verify Routing Table:

      After making these changes, check the pfSense routing table to confirm the configuration.

      • Go to Diagnostics > Routes.
      • You should see a route for your LAN2 network pointing to the WAN2 gateway.

      Troubleshooting:

      • Firewall Logs: Check the pfSense firewall logs (Status > System Logs > Firewall) to see if any traffic is being blocked. This is essential for diagnosing issues.
      • Packet Capture: Use the pfSense packet capture tool (Diagnostics > Packet Capture) to analyze traffic on the LAN2 and WAN2 interfaces. This will help you see if traffic is flowing as expected.
      • Gateway Monitoring: Ensure that both WAN gateways are online and responding to pings in Status > Gateways.
      • DNS: Make sure devices on LAN2 are configured to use a DNS server that can be reached via WAN2 (or a public DNS server like 8.8.8.8 or 1.1.1.1).

      By following these steps carefully and checking the logs, you should be able to route traffic from LAN2 out your WAN2 connection. If you still have problems, provide more details about your network setup, and I'll do my best to assist further.

      G B 2 Replies Last reply Reply Quote 0
      • G
        Gblenn @a.dresner
        last edited by Gblenn

        @a-dresner said in 2 wan 2 lan, send lan2 traffic out non default gateway of wan2:

        However, on the routing side, lan2 is still using the default gateway of wan1. Curious how I can get my traffic out of wan2? I changed the gateway in the default outbound rule in lan2 but that didn't work.

        That should absolutely work, as it does for me. BUT if you don't have IPv6 configured and there is still a default allow LAN2 to IPv6, you may need to disable that rule. At least that made it work for me.

        Alternatively, create a new rule above those, just for your on device or devices (you can create an Alias with your IP's), and use WAN2 gateway for those.

        In relation to the suggestion from Gemini (item #2), I do have my WAN connections set up as a group with my Fiber as the primary like this (secondary is LTE):

        0e155c65-4a25-4746-ad54-09b18474d8bd-image.png

        And then that group is set as the default gateway like so:

        2571f14e-5eb7-4279-9c85-2408266ff479-image.png

        I have not added any Outbound NAT at all, and I don't think that is at all necessary. At least not when Outbound set to automatic like I do, in which case masquerading is already the default.

        In addition, I don't think creating the gateway group is needed either, Just that rule on LAN2 in your case...

        I 1 Reply Last reply Reply Quote 0
        • I
          IgiveUp @Gblenn
          last edited by

          @Gblenn problem is that when you create policy routing through non default gateway the traffic seems to be rerouted from nondefault gateway out the default one.

          1 Reply Last reply Reply Quote 0
          • B
            bp81 @a.dresner
            last edited by bp81

            @a-dresner said in 2 wan 2 lan, send lan2 traffic out non default gateway of wan2:

            Curious how I can get my traffic out of wan2? I changed the gateway in the default outbound rule in lan2 but that didn't work.

            This is a bit strange because that typically would work. I would go so far as to say that using gateway groups is a bit overkill here if 1) you don't need LAN2 to failover to using WAN1 in case WAN2 goes down and 2) all LAN2 traffic should always go out WAN2 to the internet.

            It might be interesting to do a traceroute from LAN2 to see what the hops are, to see if the traffic does cross WAN2 but gets routed to WAN1 for egress to the internet? Out of curiosity, is your WAN2 service provided by the same ISP? If so, do you know if it's part of the same fiber circuit? If they are both provided by the same ISP, are they both served through the same device that is the last equipment owned by the ISP, before hitting your network perimeter?

            Edit: poster above mentioned disabling IPv6. A very good idea if you aren't actually using any IPv6 addresses. It can cause odd issues otherwise.

            I 1 Reply Last reply Reply Quote 0
            • I
              IgiveUp @bp81
              last edited by

              @bp81 netflix won't work without ipv6. As soon I disable ipv6 and get rid of all ipvl link local addresses my netflix on Bravia tv dies.

              Setting up dead end 6to4 IP address on WAN solved strange routing behaviour while keeping netflix(thus wife)happy. Non default gateway is treated as gateway now.

              G 1 Reply Last reply Reply Quote 0
              • G
                Gblenn @IgiveUp
                last edited by

                @IgiveUp Netflix works without IPv6 for sure, but if your TV (Netflix) somehow get's a DNS resolution when it tries IPv6, and no traffic, then it fails. Try turning IPv6 off in the TV, and then check that it is completely off in pfsense.
                System > Advanced > Networking
                System > Routing Gateway (None for IPv6)
                WAN and LAN interfaces (IPv6 Configuration Typ - None)
                Services > IPv6 Relay disabled

                @IgiveUp said in 2 wan 2 lan, send lan2 traffic out non default gateway of wan2:

                @Gblenn problem is that when you create policy routing through non default gateway the traffic seems to be rerouted from nondefault gateway out the default one.

                Could you show your rules perhaps? It may be easier to see what might be wrong since there is no reason it shouldn't work. Do you have an floating rules?

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.