Rule to make a website go through another wan



  • Hello,

    I have 2 WAN networks and two LAN networks (2 different IP connections). The main connection is wan1->lan1 that everyone uses. I want users in lan1, when accessing a certain website, to go through wan2 and not wan1.
    Is it possible? How can I do that?


  • Rebel Alliance Global Moderator

    Simple policy route can do that, yeah.



  • Hello @johnpoz

    Thank you for your reply.  Can you please elaborate how I can do that? I'm still a newbie in pfSense.

    Thanks


  • Rebel Alliance Global Moderator

    Create a rule on your interface where clients sit that you want to go out a specific gateway.  Pick the specific gateway you want them to go out.

    Keep in mind rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

    See example attached - I currently do not have it enabled.  But when enabled this rule says: hey, if source is 192.168.9.100 and it's IPv4 TCP only, and its destination is anything other than rfc1918 space (notice the !), then go out a VPN gateway I have set up.

    So notice my normal WAN public IP. I then enable the rule and kill the states for that client.  Then do a refresh and you see my new public IP for that client is now my VPN connection.






  • Thank you for the clarification. If I want all users in my LAN that are accessing www.cnn.com to go to a specific gateway, what should I put in the source and destination?


  • Rebel Alliance Global Moderator

    Problem with www.cnn.com is that it is hosted on a CDN and IPs are going to change all the time, or could..  Fastly net.. But create a rule where the destinations you want to use your other WAN for are in an alias.. This should work.. But if for some reason the client gets/has a different IP than pfSense has in the alias, then it could go out your normal default WAN.  But as long as your clients are using pfSense as their DNS it should never happen.. But if you were pointing, say, clients to some other DNS than what pfSense uses, then sure, that could happen.

    You can always see what IPs are in an alias via the Diag menu, Tables, and pick your alias.  See attached example of my rfc1918 alias.




  • cnn.com was a bad example. We have an online web application and I want all LAN users accessing that webapp (name or IP address) to be routed to the second WAN and not their current WAN.
    I suppose that would be easier than what you explained earlier, as we don't usually change the IP address of the webapp.

    In that case, should I put in my source address my webapp public IP address and destination is anything other than rfc1918 space?



  • No, the destination is the webapp IP.


  • Rebel Alliance Global Moderator

    ^ correct. If you put in a rule like mine it would send ALL traffic not going to rfc1918 (i.e. internet) out that gateway.  If you know the IP address or addresses of the actual FQDN you want to send your clients out the specific WAN for, then use those specific IP(s) as your destination.



  • Is that the correct way (see attached)?







  • Rebel Alliance Global Moderator

    Yup, if the dest port is 8080. If they were going to just 80 or 443 they would not go there via that rule.
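A small model of the rule evaluation the moderator describes (top down, first match wins, an inverted rfc1918 destination alias, and a port-specific destination), as an added Python example that is not from the thread or from pfSense itself. The webapp address 203.0.113.10, the LAN subnets and the gateway names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the webapp IP is a TEST-NET placeholder, not from the thread.
WEBAPP_ALIAS = ["203.0.113.10/32"]
RFC1918_ALIAS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Rule:
    name: str
    src: str                  # source network (CIDR): the LAN the clients sit on
    dst: list                 # destination alias: list of CIDR strings
    gateway: str              # gateway the matching traffic is sent out of
    dst_negate: bool = False  # the "!" (invert match) on the destination
    dport: int = None         # destination port, None = any port


def in_alias(ip, alias):
    return any(ip in ipaddress.ip_network(n) for n in alias)


def pick_gateway(rules, src, dst, dport):
    """Evaluate rules top down; the first rule that matches wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s not in ipaddress.ip_network(r.src):
            continue
        hit = in_alias(d, r.dst)
        if r.dst_negate:
            hit = not hit
        if not hit or (r.dport is not None and r.dport != dport):
            continue
        return r.gateway
    return "default"  # no policy rule matched: normal routing via WAN1


# Rule set from the thread: webapp rule first, then the usual pass-all rule.
LAN1_RULES = [
    Rule("webapp via wan2", "192.168.1.0/24", WEBAPP_ALIAS, "WAN2_GW", dport=8080),
    Rule("pass all", "192.168.1.0/24", ["0.0.0.0/0"], "default"),
]

# The moderator's example: one host, everything outside rfc1918, out the VPN gateway.
VPN_RULES = [
    Rule("host to vpn", "192.168.9.100/32", RFC1918_ALIAS, "VPN_GW", dst_negate=True),
    Rule("pass all", "192.168.9.0/24", ["0.0.0.0/0"], "default"),
]
```

Port 443 traffic to the webapp falls through to the pass-all rule, which is exactly why the moderator notes that a port-8080 rule does nothing for 80 or 443.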



  • Super. Thanks for your help.