Netgate Discussion Forum
Make host go out specific WAN interface

Routing and Multi WAN
27 Posts 3 Posters 6.0k Views
Derelict LAYER 8 Netgate

I have no idea. Because he doesn't understand either?

The Automatic NAT rules show you what source addresses the firewall has determined should be NATted. If your source network is included, you need not do anything. If it is not, you can switch to hybrid (or manual) and add it.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

robina80

The last step I need help with is point 10 (below). The "no_wan_egress": I imagine this is an alias to some networks?

10-create-floating-firewall-rules

Create a floating rule that watches for and rejects outbound WAN traffic that's marked NO_WAN_EGRESS. This prevents vpnclients from connecting to the internet via the WAN when the VPN interface goes down.

Derelict LAYER 8 Netgate

No. It's a mark.

See this:

https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

robina80

Thanks Derelict

robina80

Hmm… something's not right.

I attach a picture of my rules and floating rules:

https://s18.postimg.org/fxir0ko49/rules.png

Basically my "internal network" is 10.100.1.0/24.

My "VPNclient" is 10.100.1.10, so it falls within the internal network subnet; I don't know if that matters.

My DHCP server is from the range of 10.100.1.50-10.100.1.200, so my vpnclient alias IP is not in the scope.

As soon as I change my PC NIC to 10.100.1.10 I lose internet.

Any help would be great, I presume I'm doing something really stupid!

Cheers,

Rob

robina80

OK, I have added a new network on my switch, "172.17.2.0/24", and I have made my PC "172.17.2.1".

I have added a new static route on pfSense so the two can talk to each other, i.e. pfSense and my switch.

I have network access fine, i.e. I can talk to other subnets, but I still get no internet activity.

Can anyone help please?

Thanks

Rob

Derelict LAYER 8 Netgate

Static route? Why a static route?

You are going to have to produce a diagram. See the one in my sig for the type of info necessary.

robina80

I attach a better network diagram of my static routes to my switch and pfSense:

https://s18.postimg.org/v2d0so15l/my_network.png

Yeah, I have static routes set up to route traffic from my default network on my pfSense to all my other networks on my switch.

I attach a picture so you have more of an understanding of my network:

https://s18.postimg.org/nz8tnpn4p/route.png

My pfSense IP is "10.100.1.254" and the switch on the same network is "10.100.1.253", and it carries static routes down it so my devices connected to my switch on different subnets can see the network and the internet.

On my PC I have made my default gateway the VPN network switch IP "172.17.2.253".

Derelict LAYER 8 Netgate

Whatever that is, it is not a network diagram.

Derelict LAYER 8 Netgate

Yeah I ain't downloading some zip file from a forum user.

robina80

Here you go:

https://s18.postimg.org/tvlldbuvd/network.png

Derelict LAYER 8 Netgate

Is 172.17.2.0/24 covered by automatic outbound NAT?

Do the firewall rules on the 10.100.1.254 interface pass traffic from all of the static route source addresses?

I would not design it that way. I would use another router interface for the transit network to the switch and one for management. Management should probably not be a layer 3 interface on the switch.

robina80

You mean this, under Firewall > NAT > Outbound?

https://s18.postimg.org/pmgvbe4jd/nat_out.png

Sorry, I don't really understand the second question?

I have an alias called "internal network" with the manage and VM networks that are allowed out to the internet, but the VPN isn't.

Derelict LAYER 8 Netgate

That NAT looks fine.

You have a pfSense interface with the 10.100.1.254 address on it.

That interface has firewall rules on it.

What are those?

What, specifically, are you doing that is not working? You are going to need at least some troubleshooting skills to be able to make something like that operate.

robina80

I attach a better network diagram including my static routes:

https://s18.postimg.org/v2d0so15l/my_network.png

But I would have thought this rule that I attach works, as I don't see it not working:

https://s18.postimg.org/vduh5aruh/rules.png

My three top rules are for my alias "vpnclients", which in the diagram I showed you is my Windows PC with the VPN IP.

And the bottom rule is for my "internalnet" to go out to the internet; this is the manage and VM subnets.

But when I plug the ethernet cable into my NIC which is on the VPN network, I have network access, i.e. I can see the LAN but not the WAN, which I would have thought would have been going out the Proton VPN gateway, but it's not working.

Derelict LAYER 8 Netgate

What is Allint??

robina80

allnet is all my actual interface NICs, i.e. manage (I call it home), DMZ and Proton VPN.

Hmm… maybe I shouldn't put Proton VPN in the all interfaces, as really my all interfaces should be my actual physical NICs on pfSense. What do you reckon?

Derelict LAYER 8 Netgate

So it's an interface group?

Those are generally only useful on LAN interfaces where all interfaces in the group need exactly the same rules. There are other reasons (like reply-to) that make them not very useful on WAN interfaces.

Instead of taking shortcuts you might want to stick to just rules on interface tabs for now.

robina80

Thanks Derelict, I will try that.

Sorry I haven't replied, just personal issues atm.

robina80

Sorted!!!

I made a stupid mistake.

When I was making the VPN interface (so I can use it as a gateway for my specific VPN traffic) I ticked both boxes under "reserved networks", which blocks RFC1918, but I don't want to block them, as the virtual VPN IP I'm assigned is 10.8.0.2, which is an RFC1918 address.

I put the ProtonVPN interface back in the "ALLInt" so I can easily manage the rules under one tab, as it's long-winded otherwise.

Also, in firewall > rules > outbound I had to make it hybrid and copy the WAN one and make another one for the ProtonVPN address, as it didn't work otherwise.

See pic of what I did:

https://s10.postimg.org/jk6oiio7t/rule.png

Thanks for all your help in this Derelict, much appreciated!
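As an added example (not from the thread or the linked blog), a small Python model of the policy Derelict describes and of the fix in the last post: the interface rule tags vpnclients traffic NO_WAN_EGRESS and policy-routes it to the VPN gateway, the floating rule rejects tagged traffic that reaches the WAN when the gateway is down, and "Block private networks" on the VPN interface conflicts with the tunnel's own 10.8.0.2 address. Interface and gateway names, and the host addresses, are assumptions built from the thread.

```python
import ipaddress

# Constructed values modelled on the thread: the "vpnclients" alias holds the
# Windows PC; the two egress paths are the WAN and the ProtonVPN gateway.
# "PROTONVPN" and "WAN" are assumed labels, not pfSense identifiers.
VPNCLIENTS = [ipaddress.ip_network("10.100.1.10/32")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lan_rule(src, vpn_gateway_up=True):
    """Pass rule on the internal interface tab: traffic from the vpnclients
    alias is tagged NO_WAN_EGRESS and policy-routed to the VPN gateway.
    When that gateway is down, pfSense by default omits the gateway from the
    rule and the traffic follows the default route, i.e. the WAN."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in VPNCLIENTS):
        return "NO_WAN_EGRESS", ("PROTONVPN" if vpn_gateway_up else "WAN")
    return None, "WAN"  # everything else: untagged, default route


def floating_rule(tag, egress):
    """Floating rule, direction out, interface WAN, Tagged = NO_WAN_EGRESS,
    action reject: it only matches tagged traffic that reaches the WAN."""
    if egress == "WAN" and tag == "NO_WAN_EGRESS":
        return "reject"
    return "pass"


def egress_decision(src, vpn_gateway_up=True):
    """Where a host's internet-bound packet ends up and what the WAN does."""
    tag, egress = lan_rule(src, vpn_gateway_up)
    return egress, floating_rule(tag, egress)


def private_block_conflict(tunnel_ip, block_private_networks):
    """The last post's mistake: "Block private networks" on the VPN interface
    drops RFC1918 sources, which includes the tunnel's own 10.8.0.x range."""
    ip = ipaddress.ip_address(tunnel_ip)
    return block_private_networks and any(ip in net for net in RFC1918)


if __name__ == "__main__":
    print(egress_decision("10.100.1.10", vpn_gateway_up=True))   # VPN, pass
    print(egress_decision("10.100.1.10", vpn_gateway_up=False))  # WAN, reject
    print(private_block_conflict("10.8.0.2", block_private_networks=True))
```

The second call shows the leak the floating rule exists for: with the VPN gateway down, the tagged packet falls back to the WAN and is rejected there instead of egressing in the clear.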

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.