Netgate Discussion Forum

    Multi WAN - Route Traffic Via One WAN Link

    Routing and Multi WAN · 13 Posts · 3 Posters · 2.4k Views
    • Derelict LAYER 8 Netgate

      Your gateway rule is protocol TCP only. Probably not what you want.

      (192.168.0.10/24 - 192.168.0.40) via WAN 1 and segment 2 (192.168.0.41/24 - 192.168.0.70/24)

      Those are not segments. They are ranges of IP addresses.

      Do yourself a favor and do things like this on natural IP subnet boundaries instead of decimal.

      The 31 addresses 192.168.0.10 through 192.168.0.40 would be a lot easier to deal with if they were, say, 192.168.0.32 through 192.168.0.63 which can be used in firewall rules as 192.168.0.32/27. 41-70 could be 64-95 or 192.168.0.64/27.

      While you can use, in these examples, .32 and .63, and .64 and .95 for host addresses, I would not because if you ever decide to put these subnets on actual interfaces, those would be the network and broadcast addresses and therefore unusable. Along that same line of thinking I would also avoid using .33 and .65, which would be the router interface addresses. Exclude a couple more to reserve room for future CARP/HA.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Administrator FCL

        Hi Derelict,

        Added 192.168.0.32/27 as an Alias and checked with the IP 192.168.0.37, but the result is the same. The traffic is still routed via the Default Gateway. Changed the rules as you mentioned from TCP to TCP/UDP as well. When creating Aliases, it says we can define a range as well as a Subnet. Attached Rules, Created Alias.

        Thanks.

        Attachments: alias.PNG, fw rule.PNG

        • Derelict LAYER 8 Netgate

          No idea what you're doing.

          Why not create a network alias of 192.168.0.32/27 instead of all those host entries? That's sort of the point.

          Why TCP/UDP only? Why not any? As it is, pings (protocol ICMP) will be blocked.

          How are you testing?

          This really does just work.

          • Administrator FCL

            Did exactly what you said. Added a Network Alias as 192.168.0.27/27, Protocols - any, added the IP 192.168.0.37/27 to a PC on the LAN with manual proxy set to port 3128 (default), gateway set to pfSense. Did not work. Checked with the subnet /24, which is the default on our LAN, still no difference. Where am I wrong now, please?

            • Derelict LAYER 8 Netgate

              How are you testing?

              You are trying to establish different behaviors for different groups of hosts on a subnet.

              You do not use a /27 netmask on the hosts because the subnet is a /24. You configure the hosts with a /24.

              You use a /27 netmask to easily identify a group of hosts on the subnet with one firewall rule.

              Oh. I see. Squid again.

              Connections to squid are made on LAN.

              Connections out from squid are made from the firewall itself.

              Turn off squid and you will find everything works as you would expect.

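As an added illustration, not part of the thread, the following Python snippet uses the standard `ipaddress` module to show the two points Derelict makes above: that a group of hosts defined by decimal endpoints (.10-.40, .41-.70) cannot be expressed as one CIDR block, whereas a group placed on a natural /27 boundary can, and that a /27 alias matches a host's address whatever netmask the host itself is configured with, so the PCs keep the LAN's /24 while only the firewall rule uses the /27. All addresses are constructed from the values quoted in the thread; the reserved-address policy (router address plus two CARP/HA spares) is the thread's suggestion turned into code.

```python
import ipaddress

# Constructed from the addresses quoted in the thread: the LAN is a /24 and the
# poster wants two groups of hosts (.10-.40 and .41-.70) sent out different WANs.
LAN = ipaddress.ip_network("192.168.0.0/24")
DECIMAL_GROUPS = {
    "WAN1": ("192.168.0.10", "192.168.0.40"),
    "WAN2": ("192.168.0.41", "192.168.0.70"),
}
ALIGNED_GROUPS = {  # the same groups moved onto natural /27 boundaries, as suggested
    "WAN1": "192.168.0.32/27",
    "WAN2": "192.168.0.64/27",
}


def cidr_blocks_for_range(first: str, last: str) -> list[str]:
    """Smallest set of CIDR blocks that exactly covers an inclusive address range.

    This is what a firewall has to match when a group is defined by decimal
    endpoints instead of a subnet boundary; a well-aligned group is one block.
    """
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def matches_alias(host: str, alias_cidr: str) -> bool:
    """Does a packet from `host` match a rule whose source is the alias network?

    Only the host's address is compared; its own netmask never leaves the host,
    so the PCs keep the LAN's /24 while the rule uses the /27.
    """
    return ipaddress.ip_address(host) in ipaddress.ip_network(alias_cidr)


def reserved_addresses(alias_cidr: str, ha_spares: int = 2) -> dict[str, list[str]]:
    """Addresses to leave unassigned inside a /27 group, following the thread's
    advice: network and broadcast (unusable if the block ever becomes a real
    interface subnet), the first host (future router address) and a couple of
    spares for CARP/HA."""
    net = ipaddress.ip_network(alias_cidr)
    hosts = list(net.hosts())
    return {
        "network": [str(net.network_address)],
        "broadcast": [str(net.broadcast_address)],
        "router": [str(hosts[0])],
        "ha_spares": [str(h) for h in hosts[1:1 + ha_spares]],
    }


def usable_hosts(alias_cidr: str, ha_spares: int = 2) -> list[str]:
    """Host addresses left for PCs after the reserved ones are removed."""
    reserved = {a for addrs in reserved_addresses(alias_cidr, ha_spares).values() for a in addrs}
    return [str(h) for h in ipaddress.ip_network(alias_cidr).hosts() if str(h) not in reserved]


if __name__ == "__main__":
    for wan, (first, last) in DECIMAL_GROUPS.items():
        print(f"{wan} decimal range {first}-{last} needs {cidr_blocks_for_range(first, last)}")
    for wan, cidr in ALIGNED_GROUPS.items():
        print(f"{wan} aligned group {cidr}: reserved {reserved_addresses(cidr)}, "
              f"{len(usable_hosts(cidr))} usable hosts")
    # The poster's test host .37 (configured with the LAN /24) matches the WAN1 alias only.
    print("192.168.0.37 matches",
          [w for w, c in ALIGNED_GROUPS.items() if matches_alias("192.168.0.37", c)])
```

The decimal range .10-.40 decomposes into five blocks (/31, /30, /28, /29, /32) and .41-.70 into seven, while .32-.63 is the single block 192.168.0.32/27; that is the whole argument for natural boundaries. Note that `ip_network` raises `ValueError` by default for a prefix with host bits set, such as 192.168.0.27/27, which is a useful sanity check when typing alias entries.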
              • Administrator FCL

                I checked the outgoing IP with 'what is my IP' (mostly the Google result).

                • Derelict LAYER 8 Netgate

                  Turn off squid.

                  • Administrator FCL

                    With Squid turned off, it works. Tried both gateways and it works, but I need Squid to work as well.

                    • Derelict LAYER 8 Netgate

                      Post in the Cache/Proxy forum.

                      • Administrator FCL

                        Will do, Derelict, thanks very much for your expert help. :)
