MultiWAN. Cannot route specific traffic to specific gateway
-
Hello!
I tried a few options and all of them did not work as I expected.
I have 3 ISP's and 3 gateways based on old FreeBSD. I do not want to interfere with them as much as possible because they are configured by the previous administrator in an unknown way.
Immediatly behind this gateways placed pfSense with 3 WAN interfaces (em1 - em3) connected to upstream GW's and one LAN adapter (em0) connected to LAN.
There is several subnets/VLAN's configured on LAN, NAT disabled on pfSense.
I do not use gateway groups at this moment. (Yes, I know that I actualy use only one ISP at the moment.) One of gateways marked as default and all works fine.For example - GW2 is default, GW3 for this experiment and GW1 is in iddle (but online) state.
Now I want to publish web server in my LAN to Internet.
I have create another one VLAN just for testing (VLAN 1500, IP - 10.150.0.0/24). I have deploy a Linux web server (10.150.0.9) in this subnet and configure port forwarding on GW3 (Public IP 3, port 80 and 443 to LAN IP 10.150.0.9 to the same ports).
Of course I have configured specific firewall rule on this VLAN (if source = 10.150.0.9 and dst not in my LAN - use gateway GW3)Now external requests (monitored via tcpdump on each server/interface) are reachs the Web server but when Web server sends a reply this packet leaves my network via GW2 - default gateway instead of GW3. Packet/state counters on the new firewall rule displays 0/0 always.
But when I do "traceroute google.com" from this web server - all traffic goes via GW3 as expected…..
What is wrong??
Any help is appreciated.
Thank you!!! -
Play with RULE and choose a gateway in advanced settings which you want to route.
-
Play with RULE and choose a gateway in advanced settings which you want to route.
I already played with it…
It works for pure outgoing traffice (traceroute from this host to Internet for example) but does not works for reply-packets for incoming traffic.
All replies goes through default gateway. >:( >:( >:( -
Then your problem is upstream. pfSense cannot control which interface reply traffic arrives on. It can only control which interface is used for sending.
Based on the information given so far….
You will need to provide a lot more details to make a real diagnosis.