Interface Route to local IP

  • Sorry if I'm not describing this correctly, or using the proper terminology.
    I want to route all traffic from Interface A to a Node on Interface B (B-node).
    B-node already works properly and connects to the Internet.
    I just want all traffic coming in from Interface A to go through B-node on its way out to the internet.
    I'm new at pfSense and can't figure out how to do this.
    Thank you for any help, pointers, suggestions and references to pages where I can find information on how to do this.

    P.S.: I'm thinking it would be something like: route
    But I have no idea if that's right or where to enter it…

  • LAYER 8 Global Moderator

    So you have a downstream router and you want to use that as the internet connection?

    So you have the attached first pic?

    So you want PC-A to go through pfsense and use this downstream router?  Do you have any devices on this other network like pc-b?  Do they also point to pfsense?  Do these devices need to talk to each other?

    So why can this other router not just be another wan?  What you're trying to do has possible asymmetrical routing concerns.  This downstream router needs to know how to nat your node a network where pc-a sits.

    If you have multiple internet connections they really should all be just wan connections on pfsense, you can then policy route to determine which internet connection you use, or could use in load balance/failover setup.  These pfsense wan connections can be double natted if need be, etc.

    What exactly are you trying to accomplish - why do you have a downstream connection to the internet?  Why do you want to route your node A through this connection and not pfsense normal connection?

    See picture 2 is how you would normally do it.

  • I have a pfSense on a server with 4 ethernet ports. 1 WAN and 3 LAN
    I have a WiFi AP on LAN3
    I have a computer on LAN1
    Instead of LAN3 going to the Gateway, I want it to be routed to the computer on LAN1, and then go to the Gateway.
    I'm not sure how else to explain this.

  • LAYER 8 Global Moderator

    "Instead of LAN3 going to the Gateway, I want it to be routed to the computer on LAN1, and then go to the Gateway."

    When you say gateway.. You mean pfsense??  Or your wifi AP?  What are you calling the gateway.  AP is not a gateway.. A gateway would be something that gets a client off the network it's on to other networks, like internet.  Or pfsense client on lan 3 wanting to go to lan 1 or lan 2 or internet, etc.. pfsense would be its gateway.  An "Access Point" is never a gateway.  Now if you have it double natting and you just have some wifi router you're "calling" an AP then sure it could be the gateway to your wifi devices..

    Why would you want to go to a computer on lan 1 just to go back out pfsense to get to the internet.. Makes ZERO sense to do that.. ZERO!!

    Do you have some vpn connection or something on the computer on lan 1??  And you want your traffic to go through the vpn??  Why would you not just create the vpn connection on pfsense and then policy route the stuff you want to use the vpn.

  • Ok, normally Lan3 would go out the WAN to get to the internet, right?
    Instead, it would work something like this:
    Lan3 -> Lan1 (computer) -> WAN

    I'm sorry I'm not being very clear.

  • LAYER 8 Global Moderator

    You're being clear – but there is ZERO point to do this... WHY would you want/need to do this - it's freaking pointless!!!  Are you wanting to run some sort of proxy on this box on lan 1?

    What is the point of sending traffic to lan 1 computer to just get to the same internet connection??

  • There is a point, but that's not the issue. Can this be done? How? Where can I find out how to do this?

  • LAYER 8 Global Moderator

    Find out how to do what.. Are you running a proxy, are you running a vpn on this box.  You have to run something on this box or even if you send it traffic it's not going to do anything with it.

    Without some understanding of what you're trying to accomplish no it's not possible…

    Could this be achieved by setting the DHCP default gateway for LAN3 Network to be the IP of LAN1 Host?
    LAN1 host would then need to be able to forward those packets on to the internet after you have done whatever you are trying to do.

    If you are looking at an IDS type solution, I'd highly recommend looking into a switch that can mirror ports (SPAN PORTS) instead.

  • Thanks!
    I will give that a try.
    I was thinking it was a custom Route, but your suggestion sounds logical.

  • LAYER 8 Netgate

    Instead of being evasive how about telling us what you are trying to do? Routing to the LAN1 host is easy. What it does with the traffic might not be.

    Create a gateway on LAN called LAN1_HOST with the IP address of LAN1 Host.

    Policy route LAN3 traffic to LAN1 host.

    I want it to be routed to the computer on LAN1, and then go to the Gateway.

    The and then go to the gateway part is up to that host. What it does with the traffic is outside the scope of the firewall.

    Could this be achieved by setting the DHCP default gateway for LAN3 Network to be the IP of LAN1 Host?

    No because the LAN1 host is not on the same subnet as the LAN3 hosts. They will have no idea where to send the traffic to get to LAN3 even if they do accept that as the gateway.

  • Under System / Routing / Gateways:
    Enabled: LAN1_Host / LAN1 /

    In Firewall / Rules / LAN2, there is no option to specify the Gateway.

  • It's under the Advanced options for the rule, I believe.

  • LAYER 8 Netgate

    Where did LAN2 come from?

    Match the traffic coming into LAN1 and set the gateway under advanced on that rule.

  • Sorry about that - meant to say LAN3

    I thought using numbers instead of my assigned names would make it easier for everyone, but instead it's just got me confused.
    From now on in all my posts (hopefully not many more :)…) I will refer to them by the assigned names so I don't get confused and muck up everything...again.
    LAN1 = SIF
    LAN2 = THOR
    LAN3 = LOKI

    I seem to be having lots of problems with SIF since I changed it from 192.168.1.x to 192.168.4.x as I was double-NAT'd. I've since removed that other NAT device and now single NAT'd with pfSense. Therefore, I've set SIF back to 192.168.1.x, but it still seems to be messed up.

    The DHCP service on SIF is not talking to anyone. I've posted a message in the DHCP/DNS forum asking for help as I cannot seem to get it working now.

    Maybe once I get that sorted out, my route from LOKI to (Wormhole) will work.

    I'm also building a new Wormhole to test with because I can't even PING the old Wormhole no matter what Interface I put it on (if different than the Ping Sender's)

    Ugh, what a mess I've made…I really do very much appreciate everyone's help!

  • LAYER 8 Global Moderator

    What are you doing dude.. Completely agree with you here

    "Ugh, what a mess I've made.."

    Do you understand the hairpinning that would be going on in this network??  So in going to the internet. Follow your path..

    How does your traffic expect to get back now??  Because if you don't go through your wormhole it's asymmetrical and your firewall will kill any states it sees no traffic on once it hits its timeout, etc..

    So yeah what a mess..

    Let's try this again - if you actually explain what you want to accomplish we can go over the options of doing whatever it is you're wanting to do..  Without a borked up pile of crap!!

  • So, two steps forward, one step backwards

    My Pi VPN/SSL Client is working and connects to the VPN/SSL Server just fine.
    But…you knew there'd be a 'but'...

    When I enable the Policy Route and Upstream Gateway, it (the Pi) cannot connect to the VPN/SSL Server anymore.
    It just initiates, and then gets a soft reset, and tries again - infinitely...

    So here's how I implemented Derelict's instructions (the Route was Enabled before when I did the test, as was the upstream gateway):

    What did I screw up this time??

  • johnpoz,

    I have a WiFi AP ( on Loki Interface (
    Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
    That data is sent to the OpenVPN/SSL Server somewhere 'out there'

    My issue is getting Loki WiFi AP connections to the OpenVPN/SSL Client.

    That's it in a nutshell

  • Ok, I googled around and found this web site that talks about pretty much what I'm trying to do. They set up the VPN Gateway on the same subnet as all the clients (I didn't think you could do that!)

    So I put my Pi on Loki (192.168.3.x) and set it as follows:
    IP Address:

    I set this up in iptables:

    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    While the above web site does not mention the second iptables setting, if I don't include it, the PI randomly aborts the SSH connection.

    I then SSH'd into my Pi while on the Loki Interface and verified that the VPN Client was connecting to the VPN Server and working properly (it was)

    So then I tried to set up the Pi as the new Gateway for Loki using the following setting in pfSense:

    However, now with all that in place, when I'm connected on the Loki Interface, I cannot get to the VPN Server - regular Web Sites don't work either. The Web Browser just reports "No Internet Connection".

    I feel like I'm really close. It's probably some setting not right in pfSense.

    Thank you all for sticking with me on this - I really do appreciate it!!

    Any ideas/suggestions on what I've mis-configured is greatly welcome!!!
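    The Pi side of the setup described in this post, written out as an added example: this is not the poster's script, not anything pfSense ships, and not taken from the web site mentioned above. It assumes eth0 is the Pi's interface on LOKI, tun0 is the OpenVPN tunnel, and 192.168.3.0/24 is the LOKI subnet; pfSense still has to send LOKI traffic to the Pi (Derelict's gateway plus policy route, or the DHCP gateway setting). It keeps the first MASQUERADE rule from the post, narrows it to the LAN subnet, and adds forwarding and a kill-switch rule so that client traffic can never hairpin back out eth0 to pfSense in clear text when the tunnel is down. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread: bring up a Linux box (the Pi on LOKI)
# as a forwarding VPN gateway. Interface names and the 192.168.3.0/24 subnet are
# assumptions taken from the thread; DRY_RUN=1 (the default) only prints commands.
set -eu

LAN_IF="${LAN_IF:-eth0}"               # side facing the LOKI clients and pfSense
VPN_IF="${VPN_IF:-tun0}"               # OpenVPN tunnel interface
LAN_NET="${LAN_NET:-192.168.3.0/24}"   # assumed LOKI subnet
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append a rule only if it is not already present, so re-running is idempotent.
# Usage: ensure_rule <table> <chain> <match...>
ensure_rule() {
    table=$1
    shift
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Forwarded client traffic may only leave through the tunnel, and replies
    # may only come back from it.
    ensure_rule filter FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$VPN_IF" -j ACCEPT
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Kill switch: never hairpin client traffic back out the LAN side towards
    # pfSense when tun0 is down. The Pi's own OpenVPN/stunnel session is in the
    # OUTPUT chain, not FORWARD, so it is unaffected and can still reconnect.
    ensure_rule filter FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$LAN_IF" -j DROP

    # NAT forwarded traffic behind the tunnel address (the post's first rule,
    # narrowed to the LAN subnet).
    ensure_rule nat POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

# Number of iptables rules the script manages, for a quick self-check.
rule_count() {
    ( DRY_RUN=1; gateway_rules ) | grep -c '^iptables '
}

gateway_rules
```

Run it once as-is to review the commands, then with DRY_RUN=0 (as root) to apply them; the `-C` check means it can be put in a boot script and re-run safely. The post's second rule, MASQUERADE out eth0, is deliberately absent: with the DROP rule in place no forwarded traffic leaves eth0, so there is nothing for it to NAT.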

  • LAYER 8 Global Moderator

    Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
    That data is sent to the OpenVPN/SSL Server somewhere 'out there'

    So you want your traffic to go to a vpn??  Why would you not just setup this vpn connection in pfsense???  Openvpn client, Policy route = done!!  2 freaking minutes.  No asymmetrical routing, no hairpinning, no other boxes/devices needed..

    Then you could route any of your segments to this vpn, you could route just specific hosts, you could route just specific dest traffic…

    You keep saying openvpn/ssl - and you brought up stunnel in your other thread??  So is this vpn connection an openvpn one or stunnel based?  Stunnel will run on pfsense.. You're going down the WRONG PATH trying to setup devices to route to a host on their own network or different local network..  The proper way to do this sort of stuff is at the edge of your network, not internally.  If done on some internal box you either end up with a messy hairpins best case or hairpins and asymmetrical routing at best.  Even when you do this on a transit network to remove the asymmetrical routing issues you end up hairpinning..

    Why can you not just do this the simple easy less complex way by running the vpn connection on pfsense and then policy routing the devices on your network you want to use this vpn connection??

    If you have more than 1 public IP you could run it on some other box via a transit network connection to pfsense without hairpin..

  • I'll say it again: OpenVPN over SSL. I don't know how much clearer I can be. Google it.

    So, no, it's not just 'boom' done in pfSense as there is no web interface for stunnel.

    I took the ip address out of the Loki_VPNHost Rule and I am not able to get to the VPN Server from clients connected on that Interface (Loki/192.168.3.x)

    I have some DNS issues to address, but it's almost there!

    Hopefully you'll never have to hear from me again (ha. fat chance)

  • Well, there are two issues:

    1. The VPN won't connect if the LOKI_VPNHOST Rule is active. Once VPN is connected, then I can activate that Rule. But if the VPN link goes down, it can't reconnect.

    2. The Traffic over LOKI is redirected through the VPN, but the DNS lookup is not. So I need to be able to set the DNS Resolver to go through the VPN link

  • I think I have it all working now!!!
    I disabled the Gateway rule and just set the gateway for Loki on the DHCP Loki Interface.
    I also set the specific DNS servers on that page as well.
    The Pi likes it too - no more failed connecting.

    Thanks everyone again for all your help!!!

  • LAYER 8 Global Moderator

    "its not just 'boom' done in pfSense as there is no web interface for stunnel. "

    So you seem to be able to do iptables via config file - but stunnel is too hard??

    Working as an asymmetrical hairpinning nightmare.. Have fun with that mess!!  WTF..

    Simple search and here looks to be instructions on bringing up stunnel on pfsense inbound

    I show newer version here,1.txz vs the one in that thread.

    Tell you for sure the time needed to create this sort of connection would have been a fraction of the mess you have!!
