Unable to route through backup WAN

himanshus

Hello please bare with me as I am new to this forum.
Below is my scenario

the pfSense box has three physical NIC cards and they are configured as follows.

1. WAN [em0]: (dedicated static IP with Xfinity)
2. LAN [em1]: (192.168.135.1)
3. CELLULAR [em2]: (192.168.5.30) [provided by DHCP from a cellular modem]

Here is what I did:
*client requested a "guest network" so i created a VLAN with ID 4 on [em1] and created a new interface named GUESTS with 10.55.55.1 as its IP and enabled DHCP. now my interfaces in WebGUI looks as following

1. WAN [em0]: (dedicated public static IP with Xfinity 96.76.55.171)
2. LAN [em1]: (192.168.135.1)
3. CELLULAR [em2]: (192.168.5.30) [provided by DHCP from a cellular modem]
4. GUESTS [vlan4, em1]: (10.55.55.1)

*** Welcome to pfSense 2.4.5-RELEASE-p1 (amd64) on fw ***

WAN (wan) -> em1 -> v4: 96.76.55.171/30
LAN (lan) -> em2 -> v4: 192.168.135.1/24
GUESTS (opt1) -> em0.4 -> v4: 10.55.55.1/24
CELLULAR (opt2) -> em0 -> v4: 192.168.5.30/24

Intention is to force all traffic from GUESTS subnet through the CELLULAR interface, but no matter what i have tried (policy routing, outbound NAT setup, assigning CELLULAR gateway in the rules section for the GUESTS subnet), it is not working.

Please help me out anyone if you can. much appreciated. I have used PfSense for over 12 years now and never had this kind of issue. When i do a ping 8.8.8.8 from the diagnosis page, and select the CELLULAR as the source, i get successful replies, but as soon as i pick GUESTS as the source, there is no reply. for some reason i am just not able to tell pfSense that regardless of the CELLULAR interface being assigned a local 192.168.5.30 by the cell modem dhcp, this is indeed a working internet connection and force all traffic from 10.55.55.0/24 subnet through this interface.

viragomann

You need to add an Outbound NAT rule to the CELLULAR interface for the Guest network. Ensure that the outbound NAT is working in hybrid or manual mode.

And you need to add a policy routing rule to the GUEST interface where you state the CELLULAR gateway and put this rule to the top of the rule set to ensure it's applied.
Good advise is to add an alias for RFC1918 networks and use this alias as destination combined with "invert" checked in this rule. So that rule will only be applied on upstream traffic.

Consider that you may need additional rules for allowing access to internal services like DNS in case you provide the pfSense IP as DNS server.

If it doesn't work, post screenshots of your outbound NAT rules and the GUEST rules.

himanshus

Thank you for your response.
I have seriously done exactly like you mentioned in your post even before asking for help on the forum and it is not working. i have now posted the screenshots in my response. I even tried the invert rule and that did not work either. my suspicion is that for some weird reason, the traffic from GUEST subnet (10.55.55.0/24) just does not want to be routed through the CELLULAR gateway. I am really pulling my hair out on this one.

viragomann

@himanshus
Are you able to resolve public hostnames on the GUEST network?

The rule on GUEST is obviously not applied. Check the firewall log to see which rule is applied
Do you have floating rules?

himanshus

From the Guest network subnet, i am not able to ping any public IP or resolve any hostnames. there are no floating rules in the system. where should i look in the logs to see which rule is applied? thank you

viragomann

You have have to enable logging in each unique firewall rule, then try to access some internet resources and check System > Log > Firewall,

himanshus

i was able to enable logging, and found out that the traffic from GUEST network is being routed from WAN interface, despite of there being an outbound rule that specifically says traffic from GUEST should be routed via CELLULAR interface.

i am suspecting that this is a routing problem in PfSense. CELLULAR interface on PfSense has an DHCP IP of 192.168.5.30 and a gateway IP of 192.168.5.1 assigned by the cellular modem and PfSense may be assuming this is a local subnet and therefore there is no routing between the GUEST network (10.55.55.0/24) to the 192.168.5.30 ..

i am stuck there!

viragomann

The routing is not done by outbound NAT rules, it should be done by the policy routing rules.

That issue seems very strange. To investigate what happens, please take some Packet capture in pfSense Diagnostic menu.
Ensure that the CELLULAR gateway is shown as up.
Take a capture on the GUEST interface while you try to access a specific public site. You may filter for that destination.
Then take a capture on CELLULAR and also on WAN and post all results, please.

himanshus

I tried to do packet capture, interestingly - there is absolutely NO packets that are being captured on the GUEST interface. i even tried to change the policy based routing to route the traffic from GUEST network through the default WAN, and then i do receive successful ping response (using diagnostic, ping, source: GUEST) - but even then there is no packet being captured on the GUEST interface.

i am able to capture packets on the WAN, CELLULAR interfaces, but simply no packets are being captured on the GUEST interface - no matter what i tried. this is pretty weird i guess

himanshus

hello viragoman,

After a reboot, I had to do a bunch of tests again, and i have finally verified that it is working now. it was definitely confusing but i am pretty confident that it is working now.

thank you for all your help with this.

viragomann

Okay, that issue were going pretty weird already.

You can simply check your public IP by going to https://whatismyipaddress.com or something like that in the clients browser.