Netgate Discussion Forum

    NAT not routing through the specified "exit" WAN/OPT1/OPT2

      Xionicfire

      After researching what you just suggested, I found someone asking the exact thing I am trying to accomplish; however, it did not say how to do it. I'll keep researching more to find out how to do it, but if you have a more direct idea where to find this info it would be greatly appreciated.

      This is what I basically want to do:

      "The difference between policy-based routing and multi-WAN is not that big. You can even use both simultaneously (send some special traffic out WAN, other special traffic out WAN2 and use load balancing for everything else, for example). The main difference is that you use one of the interface gateways as gateway for your firewall rules or a pool of gateways as gateway."

      Route special traffic (ports) on certain interfaces and load balance the rest.

        Xionicfire

        I think I get it now: where you want traffic routed is not done in the NAT Outbound configuration page, it is done in the firewall configuration page. I think I see it now, it makes more sense that way. Basically I should leave all traffic on auto on the NAT Outbound and modify the firewall rules to tell it on what gateway I want what traffic routed (and also thus what traffic from what subnets). I'll run some tests now to test this out.

          Xionicfire

          Well, that worked… I put the firewall rule to NOT route through the default system routing tables and to use the specified outbound load balance pool, and dead right on it routed through the proper pool IP.

          This however brings me to another question (I'll still research this anyway, but any help saving me from having to do like 100 tests is greatly appreciated lol).

          When I select the "gateway" I can only select the WAN/OPT1/OPT2 gateways and the load balance pool. The first three are self-explanatory, although if the link fails I will have no failover, BUT if I use the pool as gateway, how do I specify which gateway from that pool it should use first, then should that fail what to use next as backup, etc.?

          What I'm guessing is I would need to create 2 or 3 different load balance pools, each with a different "order", and just assign the load balance order to that traffic policy.

          Like, say I create pool1, pool2, pool3:

          pool1 has the following config: OPT1 first, OPT2 second, WAN third
          pool2 has the following config: OPT2 first, OPT1 second, WAN third
          pool3 has the following config: WAN first, OPT1 second, OPT2 third

          So basically I would have to assign Pool1 as gateway to the .4 subnet, pool2 as gateway to the .5 subnet and pool 3 as gateway to the .6 and .7 subnets.

          Is this correct?

          I'll test this right now, but reassurance that I might be correct would be a blessing lol.

          Thanks again

            GruensFroeschli

            @Xionicfire:

            So basically I would have to assign Pool1 as gateway to the .4 subnet, pool2 as gateway to the .5 subnet and pool 3 as gateway to the .6 and .7 subnets.

            Is this correct?

            Yes.

            Also read the note:

            Load Balancing: both active. Failover order: top -> down.
            NOTE: Failover mode only applies to outgoing rules (multi-wan).

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              Xionicfire

              Yes, I was about to post that the system was working fine now but it had started round-robining the connections, and how could I stop that. Then I remembered that if it's set on load balancing it will round robin, so to just use it as "use this first, then this, then this" (failover) I had to set it on failover. Sounds simple but I could not see it. I just finished creating the rules and I'm about to test them now. I'll post images here of what the rules ended up being.

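The behaviour worked out in the posts above, as a small added model that is not part of the thread and is not pfSense code: firewall rules matched first-to-last by source subnet, each pointing at a gateway pool that either fails over top-down or round-robins. The `Pool` class, `build_rules()`, `route()` and the 192.168.x.0/24 prefixes are assumptions made for illustration; the thread only names the subnets as .4 to .7.

```python
# Added illustration, not pfSense code: first-match rules whose gateway is a pool.
# Subnet prefixes and link states below are constructed sample values.
import ipaddress
from itertools import count


class Pool:
    """Ordered gateway list; mode is 'failover' or 'loadbalance'."""

    def __init__(self, members, mode):
        self.members, self.mode = members, mode
        self._next = count()  # round-robin position, used in loadbalance mode

    def pick(self, link_up):
        alive = [m for m in self.members if link_up.get(m)]
        if not alive:
            return None  # every member is down: nothing to route through
        if self.mode == "failover":
            return alive[0]  # top -> down: first member that is still up
        return alive[next(self._next) % len(alive)]  # rotate per new connection


def build_rules(mode):
    """Pools and subnet assignments as proposed in the thread."""
    pool1 = Pool(["OPT1", "OPT2", "WAN"], mode)
    pool2 = Pool(["OPT2", "OPT1", "WAN"], mode)
    pool3 = Pool(["WAN", "OPT1", "OPT2"], mode)
    return [
        ("192.168.4.0/24", pool1),
        ("192.168.5.0/24", pool2),
        ("192.168.6.0/24", pool3),
        ("192.168.7.0/24", pool3),
    ]


def route(src, rules, link_up):
    """Return the gateway chosen for a new connection from src."""
    ip = ipaddress.ip_address(src)
    for net, pool in rules:  # first matching rule wins
        if ip in ipaddress.ip_network(net):
            return pool.pick(link_up)
    return "default"  # no policy rule matched: system routing table


if __name__ == "__main__":
    up = {"WAN": True, "OPT1": False, "OPT2": True}  # constructed: OPT1 is down
    for src in ("192.168.4.10", "192.168.5.10", "192.168.6.10"):
        print(src, "->", route(src, build_rules("failover"), up))
```
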
                Xionicfire

                Tests complete, it's working like a charm. It's kind of weird that the incoming have to be using port forwarding but the outgoing have to use firewall/pool routings. I mean, I'm all for whatever works lol, but it's complicated as heck… I wish on the NAT Outbound it would have said something like:

                NOTE: if you want to forward traffic down a specific interface use firewall policies and not NAT Outbound, search "Policy routing" on the forums.

                It would have been a lot easier :P but hell, it's working, and not only is it just working, it's working better than what I expected it to be working and has WAY more features than I expected to get. I'm not going to complain! lol More complex... but more features.

                Let's hope someone else stumbles across this article and finds it as useful as I have.

                Rules ended up like this:

                [Image: Rules]

                [Image: Pools]

                  Xionicfire

                  Bah! I think I chanted victory too soon….

                  Well, HTTP works fine.. HOWEVER FTP does not... it doesn't even connect at all to hosts.

                  If I set up the gateway on the firewall rules to anything other than DEFAULT, FTP stops working,

                  but if I set the gateway as default then my entire policy routes get ignored.

                  Sigh.. any ideas what I should do now?

                    GruensFroeschli

                    You might be interrested in this thread:
                    http://forum.pfsense.org/index.php/topic,7001.0.html

                    FTP is a whole different story.
                    This thread will probably help you, since it covers almost all problems you'll encounter with FTP.
                    http://forum.pfsense.org/index.php/topic,7096.0.html

                      Xionicfire

                      "FTP works fine. The only known limitation is not being able to use anything but the primary WAN if you have a multi-WAN setup. That'll be fixed in a future version. "

                      Argh…... well... that sucks.... because the only interface that also allows PPPoE is the WAN, which also happens to be the crappiest of all links (the 512kb one). I'd love to set the crappy link as OPT2 but I can't....

                      Any way to just define any other interface as primary other than WAN? (I understand FTP load balancing not working, makes sense, but maybe just hardwire it to a single interface perhaps?)

                        Xionicfire

                        OK, I read the posts and I sort of understand how this pertains to me, but I still have no idea how to apply that particular case scenario to this case scenario (I admit it's probably out of inexperience). I know what needs to be done, I just have no idea how to do it (the interface is a little too complex to be user friendly in some parts).

                          Xionicfire

                          OK, I found out about the

                          TCP  LAN-net  * 127.0.0.1/31 * *

                          rule; however, I have no idea where they want me to put this in (I'm assuming it's the LAN policies?) and why I would need to put this in when I have something that in THEORY also encompasses 127.0.0/31

                          *  LAN net  *  *  *  *

                            Xionicfire

                            OK, this is what I did. I'll test it now and see if it's working.

                            Helper is ENABLED on the LAN interface and DISABLED on all 3 WANs

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.