Netgate Discussion Forum

    How to force certain external IPs to go through certain gateways

    Routing and Multi WAN
    15 Posts 4 Posters 7.5k Views
    GruensFroeschli

      A traceroute uses ICMP.
      Your rule is for port 25. (probably TCP or UDP)
      So this is testing oranges for apples.

      Try telnet on port 25 and you should see that you go to the correct gateway.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    nikkilocke

        @GruensFroeschli:

        A traceroute uses ICMP.
        Your rule is for port 25. (probably TCP or UDP)
        So this is testing oranges for apples.

        Try telnet on port 25 and you should see that you go to the correct gateway.

        I probably didn't explain very well. I am not expecting the traceroute to be intercepted by the SMTP rule, but by the fixed IP rule.

        The rule has:
        Interface: LAN
        Protocol: any
        Source: any
        Destination: Single host or alias : fixedip
        Gateway: My WAN ADSL router's address

        The fixedip alias has:
        Name: fixedip
        Type: Host(s)
        IP: (the IP address)

    GruensFroeschli

          You use the alias in the field "destination".
          You have to use it in the field "source" :)

    nikkilocke

            That makes no sense to me at all.
            fixedip is an address out there on the Internet.
            I want all packets FROM my LAN TO fixedip to go via my 1st WAN port
            Why should I put fixedip in as the SOURCE of the packets???

            Just to clarify, the reason for this is that fixedip has its own firewall, which will only accept connections from 1 IP address, the external address of my 1st WAN router.

    GruensFroeschli

              Ah.
              In the previous description it sounded like you're trying to force one of your internal clients to a specific WAN.

              Can you show a screenshot of your rules?

    nikkilocke

                A screenshot of my rules will tell you no more than the typed in "screenshot" I included in the first message (other than revealing the actual internal IP address of the external ADSL router in question).

    GruensFroeschli

                  You typed what you think you have.
                  A screenshot shows what you actually have.
                  You wouldn't believe what kind of descriptions we've got here and the screenshot showed that the rules weren't anything like described ;)

    nikkilocke

                    I promise it's right. I've checked it more than twice.

    ktims

                      Well, the columns don't match up with what my web interface looks like, and you can't have any in the protocol field with a port specified, so there's a disconnect somewhere…

                      Please just take a screenshot, it makes things much more clear.

    nikkilocke

                        Perhaps you are running a different version of pfSense to me - if you check the attached against my original post, you will see the original post was correct (aside from my changing the names).

                        I have censored the output - I am not happy about revealing more of my firewall setup than absolutely necessary on the public Internet. The IP address shown is the internal IP address of my first ADSL router.

    [attachment: firewall.JPG]

    GruensFroeschli

    So if I read this right:
    you have an alias SMTP which contains the port 25.
    And you use this alias in the destination field, which expects an IP.
    Try to set this alias in the field destination-port instead of destination.
    For this you have to set the protocol to TCP/UDP. Otherwise the destination port field is hidden.

    nikkilocke

                            Thanks for pointing out the problem with the SMTP rule. It shows the danger of using aliases. I would have expected the UI to tell me if I used a port alias in an IP address field. Are rules not validated at all?

                            However, that's not the rule I am trying to debug.

                            Please concentrate on the rule I am trying to debug, which is the one which should send all data destined for the IP address in the alias "fixedip" out via WAN1.

    overand
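The two points made above, that a port alias placed in an address field silently produces a rule that can never match, and that the fixedip rule (protocol any, destination fixedip) is what an ICMP traceroute should hit, can be checked without touching a firewall. The following is an added example written for this thread, not pfSense code and not something any poster supplied: it models a simplified rule set and alias table (all names, addresses and the "WAN1_GW" gateway name are constructed), lints it for the alias-type mistakes discussed, and dry-runs a packet against the rules with first-match-wins semantics, as with the quick rules pfSense generates. Real pfSense rules have many more fields; only the ones the thread talks about are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Alias:
    name: str
    kind: str          # "host", "network" or "port"
    values: list


@dataclass
class Rule:
    interface: str
    protocol: str                     # "any", "tcp", "udp", "tcp/udp" or "icmp"
    source: str                       # "any", an alias name, or a host/CIDR
    destination: str
    dest_port: Optional[str] = None   # port number or port alias (tcp/udp only)
    gateway: Optional[str] = None     # None = ordinary routing, no policy route


# Constructed sample aliases. 203.0.113.10 is a documentation address standing
# in for the remote host the thread calls "fixedip".
ALIASES = {
    "fixedip": Alias("fixedip", "host", ["203.0.113.10"]),
    "SMTP": Alias("SMTP", "port", ["25"]),
}

# Rules as described in the thread: the SMTP rule carries the port alias in
# the destination *address* field, the fixedip rule policy-routes by
# destination, and a last pass rule uses normal routing.
RULES_AS_POSTED = [
    Rule("LAN", "any", "any", "SMTP", gateway="WAN1_GW"),
    Rule("LAN", "any", "any", "fixedip", gateway="WAN1_GW"),
    Rule("LAN", "any", "any", "any"),
]

# Same set with the SMTP rule corrected as suggested: alias moved to the
# destination-port field and protocol narrowed to tcp/udp so that field applies.
RULES_CORRECTED = [
    Rule("LAN", "tcp/udp", "any", "any", dest_port="SMTP", gateway="WAN1_GW"),
    Rule("LAN", "any", "any", "fixedip", gateway="WAN1_GW"),
    Rule("LAN", "any", "any", "any"),
]


def lint(rules, aliases):
    """Return the validation messages the thread wished the UI had shown."""
    problems = []
    for i, r in enumerate(rules):
        for fld in ("source", "destination"):
            a = aliases.get(getattr(r, fld))
            if a and a.kind == "port":
                problems.append(f"rule {i}: port alias '{a.name}' used in the {fld} address field")
        if r.dest_port is not None:
            a = aliases.get(r.dest_port)
            if a and a.kind != "port":
                problems.append(f"rule {i}: address alias '{a.name}' used as a port")
            if r.protocol not in ("tcp", "udp", "tcp/udp"):
                problems.append(f"rule {i}: destination port set but protocol is '{r.protocol}'")
    return problems


def _addr_matches(spec, ip, aliases):
    if spec == "any":
        return True
    a = aliases.get(spec)
    if a is not None:
        if a.kind == "port":      # a port alias holds no addresses: never matches
            return False
        return any(ip_address(ip) in ip_network(v, strict=False) for v in a.values)
    return ip_address(ip) in ip_network(spec, strict=False)


def _port_matches(spec, port, aliases):
    if spec is None:
        return True
    a = aliases.get(spec)
    wanted = a.values if a is not None else [spec]
    return port is not None and str(port) in [str(v) for v in wanted]


def _proto_matches(rule_proto, pkt_proto):
    if rule_proto == "any":
        return True
    if rule_proto == "tcp/udp":
        return pkt_proto in ("tcp", "udp")
    return rule_proto == pkt_proto


def select_gateway(rules, aliases, interface, proto, src, dst, dport=None):
    """First matching rule wins. Returns its gateway, "default" for a matching
    rule without one, or None when no rule matches at all."""
    for r in rules:
        if (r.interface == interface
                and _proto_matches(r.protocol, proto)
                and _addr_matches(r.source, src, aliases)
                and _addr_matches(r.destination, dst, aliases)
                and _port_matches(r.dest_port, dport, aliases)):
            return r.gateway or "default"
    return None


if __name__ == "__main__":
    for msg in lint(RULES_AS_POSTED, ALIASES):
        print("lint:", msg)
    # An ICMP traceroute to the fixedip host matches the protocol-any fixedip rule.
    print(select_gateway(RULES_AS_POSTED, ALIASES, "LAN", "icmp", "192.168.1.20", "203.0.113.10"))
    # Mail to some other host: the broken SMTP rule never matches, the corrected one does.
    print(select_gateway(RULES_AS_POSTED, ALIASES, "LAN", "tcp", "192.168.1.20", "198.51.100.5", 25))
    print(select_gateway(RULES_CORRECTED, ALIASES, "LAN", "tcp", "192.168.1.20", "198.51.100.5", 25))
```

Running the linter over RULES_AS_POSTED reports the port-alias-in-address-field mistake; the corrected set is clean. The dry run shows why the original complaint was a red herring: ICMP to the fixedip address selects WAN1_GW under both rule sets, while port-25 traffic to any other host only reaches WAN1_GW once the alias is in the port field with a tcp/udp protocol.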

    Can you show us a screenshot of what you get when you mouseover the "fixedip" alias? Then, if possible, show us a traceroute giving you the unexpected behavior? (On Windows, I'd suggest "tracert -d whatever.you.are.going.to".)

                              (Please confirm the pfSense box's IP as well as the IP of the machine you're testing from, for completeness.)

    nikkilocke

                                I withdraw the complaint in shame and bewilderment - I can no longer reproduce the problem!

                                I have just done 6 tracerts to the fixedip address, and they all went through the correct gateway.

                                Thanks very much for helping though (and at least my SMTP rule works properly, now you've kindly debugged it for me)  :D

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.