Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How can I still use system routing when changing Firewall --> Gateway?

    Scheduled Pinned Locked Moved Routing and Multi WAN
    3 Posts 2 Posters 94 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      alteredstate
      last edited by

      I'm running pfSense 25.07.1-RELEASE (amd64) and have my default gateway set to a WireGuard VPN. However, I need certain hosts to use my regular ATT gateway instead.
      To achieve this, I created an alias called Non_VPN_Hosts, added those hosts to it, and made a Firewall Pass rule that forces traffic from that alias through the ATT gateway.

      This part works, but after doing so, those hosts can no longer reach other networks (LAN/VLANs) as they previously could. I suspect this is because specifying a gateway in the firewall rule causes traffic to bypass the system routing table (as noted under Firewall โ†’ Rule โ†’ Advanced โ†’ Gateway)?

      Is there a way to route these hosts through the ATT gateway for WAN traffic only, while still allowing them to use the system routing table for local network access without creating a bunch of additional firewall rules?

      S 1 Reply Last reply Reply Quote 0
      • S Offline
        SteveITS Galactic Empire @alteredstate
        last edited by

        @alteredstate see https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
        Upvote ๐Ÿ‘ helpful posts!

        A 1 Reply Last reply Reply Quote 0
        • A Offline
          alteredstate @SteveITS
          last edited by alteredstate

          @SteveITS Thank you very much, this was the nudge I needed! I have non VPN hosts on various VLAN interfaces so I created this Floating firewall rule with an Invert match to alias: RFC1918 and it appears to have resolved the issue.
          Action: Pass
          Apply the action immediately on match: Check
          Interface: Any
          Direction: In
          Address Family: IPv4
          Protocol: Any
          Gateway: ATT
          Defaults for the other settings

          Is this acceptable or should I have went about this differently?

          fc103cab-f97f-4140-a920-11e1d659cb57-image.png

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.