Block Certain LAN IP's from Tier2 Cell Backup WAN
For the last 2 days I have been trying to figure out how to write firewall rules to block specific LAN IPs from using my Tier 2 Verizon backup WAN (for security only). I have read this https://forum.pfsense.org/index.php?topic=47696.0 and https://doc.pfsense.org/index.php/Multi-WAN#Gateway_Groups and https://forum.pfsense.org/index.php?topic=95525.0 trying to piece them together and create my rule. Basically I ONLY want 192.168.1.115 and 192.168.1.104 to be able to send or receive on the Tier 2 Verizon WAN. I have written LAN firewall rules to block 192.168.1.2 (my phone) in the source and destination field and "any" in everything else, and also tried changing the "gateway" fields in advanced settings and clearing the state tables in between, and I have also made sure it was the first rule at the top, and it was a no go. Now I have set up both my gateways in System > Routing to monitor IPs and have made a gateway failover group on member down. All devices in my house are set up on static IPs and I don't have to worry about them changing. I basically want my 3-year-old's tablet to immediately stop YouTube on WAN failover if I am not at home, and other downloads to not consume my 2GB data cap. Can anyone please point me in the right direction? I appreciate it in advance!
P.S. I feel like this is probably a stupid question and I am overthinking it! :P
There are a couple different components to do this.
You have a failover gateway group with a Tier 1 WAN and this Verizon Tier 2 WAN.
All of the source hosts (clients) are on LAN.
You only want traffic from 192.168.1.115 and 192.168.1.104 to fail over to Verizon. You want everyone else to be offline if your Tier 1 WAN goes down.
I would make an alias called "priority_hosts" or something and add 192.168.1.115 and 192.168.1.104 to it.
Ensure that your Tier 1 gateway is set as the default gateway.
Ensure that default gateway switching is unchecked in System > Advanced, Miscellaneous
Ensure there is no gateway set in the default pass rule on LAN.
Right above the default rule on LAN, place a rule that passes traffic sourced from the priority_hosts alias port any dest any port any with the failover group set as the gateway under advanced.
That should get you pretty close.
There are other strategies that could be employed. I can think of other ways to skin this cat. This one is not blocking the hosts from using the Tier 2, more like never routing them that way in the first place.
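As an added illustration (not from this thread or from pfSense itself), here is a small Python model of the rule evaluation the answer above relies on: the first matching LAN rule wins, a rule with no gateway follows the system default route, and a rule with a gateway group takes the lowest tier that is up. The alias name and gateway names come from the thread; the gateway up/down states and the simplified routing behaviour are constructed assumptions, and the gateway_switching flag shows why leaving default gateway switching enabled would let the other hosts leak onto Tier 2.

```python
import ipaddress

# Constructed model of how pfSense evaluates the LAN rules described above:
# rules are checked top to bottom and the first match wins; a rule with no
# gateway follows the system default route, while a rule with a gateway
# group uses the lowest tier whose gateway is currently up.

ALIASES = {  # alias name and members taken from the thread
    "priority_hosts": {ipaddress.ip_address("192.168.1.115"),
                       ipaddress.ip_address("192.168.1.104")},
}
FAILOVER_GROUP = [("CHARTER", 1), ("VERIZON", 2)]  # (gateway, tier)
DEFAULT_GW = "CHARTER"                                # Tier 1 is the default

# LAN rules, in order: (source alias or "any", gateway group or None)
LAN_RULES = [
    ("priority_hosts", FAILOVER_GROUP),  # policy-routing rule above the default
    ("any", None),                       # default LAN pass, gateway left empty
]

def group_gateway(group, gw_up):
    """Lowest-tier gateway in the group that is up, or None if all are down."""
    for name, _tier in sorted(group, key=lambda g: g[1]):
        if gw_up.get(name):
            return name
    return None

def default_route(gw_up, gateway_switching):
    """With default gateway switching off, the default route stays on the
    configured default gateway even while it is down (no silent failover)."""
    if gw_up.get(DEFAULT_GW) or not gateway_switching:
        return DEFAULT_GW
    return group_gateway(FAILOVER_GROUP, gw_up)  # switching picks any up gateway

def egress_gateway(src, gw_up, gateway_switching=False):
    """Gateway a LAN host's outbound traffic leaves through, or None when it
    is sent to a gateway that is down (host is effectively offline)."""
    ip = ipaddress.ip_address(src)
    for alias, group in LAN_RULES:
        if alias != "any" and ip not in ALIASES[alias]:
            continue
        gw = group_gateway(group, gw_up) if group else default_route(gw_up, gateway_switching)
        return gw if gw and gw_up.get(gw) else None
    return None  # no rule matched: implicit default deny

if __name__ == "__main__":
    charter_down = {"CHARTER": False, "VERIZON": True}  # constructed outage
    for host in ("192.168.1.115", "192.168.1.2"):
        print(host, "->", egress_gateway(host, charter_down),
              "| with gateway switching:", egress_gateway(host, charter_down, True))
```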
2 quick questions as I am a little new to pfSense (installed on 9/17, coming from an Asus AC-87U with Merlin).
1. Will the "priority_hosts" use the Tier 1 WAN (Charter) when it's up and only drop to the Tier 2 WAN (Verizon) when member down happens?
2. Is this the most surefire way that I don't have to worry about the 3-year-old eating up 2GB in 30 seconds if it happens while I am at work? (Not trying to doubt you, I just really over-analyze things.)
Yes, as long as your primary connection is tier 1 and your expensive connection tier 2.
As long as those conditions are met, traffic from the other hosts should never be routed out tier 2.
Here is my alias
Here is my firewall rule
I unplugged Tier 1 and walked outside to trigger my IP cameras and no go. Never got an email, and 192.168.1.104 has TeamViewer and I couldn't get in. I did clear states after creating the rule and default gateway is unchecked. Any ideas?
Sorry buddy, it was my fault it wasn't working. I started investigating and found I could ping 18.104.22.168 from 192.168.1.104 and 192.168.1.115 but not DNS addresses. I did set DNS addresses for each gateway in pfSense, but the only way I could make it work was to set the clients' DNS addresses in network settings, and then everything was A-OK. I also then could get into 192.168.1.104 with TeamViewer from my phone on 4G. I owe you a beer!!! One last hard question... is there a way I could make pfSense connect to a VPN and update a DynDNS name to match the VPN's address so I could still remote in and look at my IP cameras? Verizon charges $500 for a static IP and I would like to find a way around it. If it is a hard one to answer, can you point me in the right direction? Thank you very much!
Seems like a convoluted way to do it. Why not just set up an OpenVPN server on your firewall that you can connect to to look at your cameras?
I wrote that and it doesn't make sense, sorry, I was a little tired. What I meant is ONLY when it switches over to the Verizon cell backup do I want it to connect to a VPN and update a DNS address so I can still remote in. When I am on the Tier 1 Charter WAN I have all that already set up on a DNS name and that works perfectly. On Merlin's firmware for the Asus routers you could write a shell script on a WAN startup trigger that detected what interface it was using for the internet gateway and then tell it to connect to a VPN server and update the DNS address (I never successfully got it to work but tried real hard). Is there a way I could do that on pfSense? I use a Novatel T1114 router for the Tier 2 Verizon cell backup and its "WAN IP" is not your REAL IP because it is getting it from the DHCP of the tower I think, so I need to just connect to a VPN and use its IP with port forwarding to still remote in. Is this even possible? Some people on the internet said they have done it but don't tell how or where to start. This guy said he did it: https://forums.plex.tv/discussion/129884/how-to-publish-server-behind-verizon-wireless-4g-bridge.