    Make host go out specific WAN interface

    Routing and Multi WAN
• robina80

Hi all,

I have a pfSense firewall and I have two (x2) WAN addresses, and at the moment all my traffic going out is coming from my WAN1.

If I want to make a single host go out WAN2, is this possible?

Many thanks,

rob

• GoldFish

I will try to answer this. Experts: correct me if I am wrong.

You can set up a rule on the LAN interface.
Within the rule, under Source, select "Single host or alias" and define the IP address of the machine which should go out through WAN2.
Next, under Extra Options, click on "Display Advanced", scroll down to "Gateway" and choose the one for WAN2.

Just ensure the rules are in the correct order, else this source will hit the default LAN rule first and follow the regular path.

• robina80

So I don't need to do it under "Firewall > NAT > Outbound", just make a simple rule under "Firewall > Rules"?

I just want this host to use WAN2 for traffic in/out,

and all other traffic to use WAN1 in/out.

• Derelict (LAYER 8, Netgate)

            As long as the source address is already covered in the normal outbound NAT rules on that WAN interface you are good.

            Outbound NAT only determines what NAT takes place. It has no bearing on what gets routed where.

Policy route your source address with the desired gateway set (or no gateway if the default route is what you need) above any more general rules that would also match the traffic. The rules would be on "LAN".

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

• robina80

This is exactly what I'm after:

https://forum.pfsense.org/index.php?topic=106305.0

I still really don't get what outbound NAT is, as I thought it was exactly for this: to make a host or network go out a different gateway or WAN interface.

• Derelict (LAYER 8, Netgate)

                Outbound NAT has no effect on routing.

                It controls what NAT takes place when a new connection goes out a particular interface.

                Most simple networks can use Automatic NAT.

Common uses for custom rules are for things like SIP PBXes that need static ports (if the source port from the PBX is 5060, it needs to be sourced from 5060 out the WAN interface (after NAT) too).

                It can be used if you have multiple WAN addresses. (If the connection is to destination TCP/25, set the source address to X.X.X.X, else use X.X.X.Y)

                If you have internal networks with public addresses that are routed to you, you might use a Do Not NAT rule for those source addresses so no NAT happens at all.

                In any case, the routing table or policy routing has already chosen that WAN as the interface to use for the connection. The outbound NAT rules have zero influence over that decision.

• robina80

OK, so point 9 below is what you're saying, a "policy based route", so make that host use the WAN2 gateway instead of the default one, i.e. WAN1.

But why has he done point 8?

Thanks,

rob

                  08-configure-outbound-nat

                  There's a new(ish) hybrid mode for outbound NAT which makes this pretty easy.  Add the two rules shown in the screenshots and then set the Mode to Hybrid Outbound NAT.  I use the entire LAN subnet as the source address for these entries, but it could also be limited to the network block chosen for vpnclients (192.168.1.128/27).  I use the entire LAN subnet so I don't have to worry about updating outbound NAT rules if I want to change the vpnclients alias.

                  09-create-lan-firewall-rules

                  Add a rule to block vpnclients from making DNS queries to the LAN IP.  This prevents vpnclients from using the DNS Resolver and prevents DNS leaks if you forget to override DNS settings when adding static DHCP mappings for vpnclients.

                  Add a rule that creates a policy based route for vpnclients.  Traffic that matches the rule will be sent via the VPN (ex:TORGUARD) gateway.  Traffic that doesn't match will fall through to the default LAN rule.

• Derelict (LAYER 8, Netgate)

                    I have no idea. Because he doesn't understand either?

                    The Automatic NAT rules show you what source addresses the firewall has determined should be NATted. If your source network is included, you need not do anything. If it is not you can switch to hybrid (or manual) and add it.

• robina80

The last step I need help with is point 10 (below), the "no_wan_egress". I imagine this is an alias to some networks?

                      10-create-floating-firewall-rules

                      Create a floating rule that watches for and rejects outbound WAN traffic that's marked NO_WAN_EGRESS.  This prevents vpnclients from connecting to the internet via the WAN when the VPN interface goes down.

• Derelict (LAYER 8, Netgate)

                        No. It's a mark.

                        See this:

                        https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

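To tie together GoldFish's point about rule order, Derelict's explanation that outbound NAT only rewrites the source after routing has already picked the interface, and the NO_WAN_EGRESS mark from point 10, here is an added Python model of the evaluation order. It is not pfSense code and not from anyone in this thread; the gateway names, the interface names, the 203.0.113.x translated addresses and the rule set are all constructed for the illustration, and the pipeline is deliberately simplified to the four steps the thread discusses.

```python
"""First-match rule evaluation, policy routing, the NO_WAN_EGRESS mark and
outbound NAT, modelled in plain Python.  Added illustration, not pfSense code:
every address, gateway name and rule below is constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One pass rule on the LAN tab."""
    name: str
    source: str                     # host or CIDR the rule matches on
    gateway: Optional[str] = None   # policy-route gateway; None = system routing table
    tag: Optional[str] = None       # mark set on matching traffic (pfSense "Tag" field)


# Constructed gateways: WAN1 is the default route, WAN2 and the VPN are alternates.
GATEWAY_IFACE = {"WAN1_GW": "wan1", "WAN2_GW": "wan2", "VPN_GW": "ovpnc1"}
DEFAULT_GATEWAY = "WAN1_GW"

# Constructed outbound NAT table: (interface, source network, translated source).
NAT_WITH_VPN = [
    ("wan1", "10.100.1.0/24", "203.0.113.1"),
    ("wan2", "10.100.1.0/24", "203.0.113.2"),
    ("ovpnc1", "10.100.1.0/24", "10.8.0.2"),
]
NAT_WITHOUT_VPN = NAT_WITH_VPN[:2]   # automatic NAT that never learned about the VPN

VPN_HOST_RULE = Rule("vpnclients via VPN", "10.100.1.10", gateway="VPN_GW", tag="NO_WAN_EGRESS")
DEFAULT_LAN_RULE = Rule("default allow LAN to any", "10.100.1.0/24")
GOOD_ORDER = [VPN_HOST_RULE, DEFAULT_LAN_RULE]   # specific rule above the general one
BAD_ORDER = [DEFAULT_LAN_RULE, VPN_HOST_RULE]    # general rule shadows the specific one


def first_match(rules, src):
    """pf evaluates interface rules top-down and stops at the first match."""
    for rule in rules:
        if ip_address(src) in ip_network(rule.source, strict=False):
            return rule
    return None   # pfSense's implicit default deny


def egress(rules, src, gateways_up, nat_rules):
    """Return (egress interface, translated source, verdict) for a new outbound flow."""
    rule = first_match(rules, src)
    if rule is None:
        return (None, None, "blocked: no LAN rule matched")

    # 1. Routing: the rule's gateway wins over the routing table.  When that
    #    gateway is down pfSense (by default) drops the gateway from the rule, so
    #    the flow falls back to the default route; that is the leak the mark guards.
    gateway = rule.gateway or DEFAULT_GATEWAY
    if gateway not in gateways_up:
        gateway = DEFAULT_GATEWAY
    iface = GATEWAY_IFACE[gateway]

    # 2. Floating reject rule on the WAN interfaces matching "Tagged: NO_WAN_EGRESS".
    if rule.tag == "NO_WAN_EGRESS" and iface.startswith("wan"):
        return (iface, None, "rejected by floating NO_WAN_EGRESS rule")

    # 3. Outbound NAT: matched on the interface already chosen above.  It only
    #    rewrites the source address; it never changes where the flow goes.
    for nat_iface, nat_net, translated in nat_rules:
        if nat_iface == iface and ip_address(src) in ip_network(nat_net):
            return (iface, translated, "passed")
    return (iface, None, f"routed out {iface} but no outbound NAT rule covers {src}")


if __name__ == "__main__":
    everything_up = set(GATEWAY_IFACE)
    print(egress(GOOD_ORDER, "10.100.1.10", everything_up, NAT_WITH_VPN))
    print(egress(BAD_ORDER, "10.100.1.10", everything_up, NAT_WITH_VPN))
    print(egress(GOOD_ORDER, "10.100.1.10", {"WAN1_GW", "WAN2_GW"}, NAT_WITH_VPN))
    print(egress(GOOD_ORDER, "10.100.1.60", everything_up, NAT_WITH_VPN))
    print(egress(GOOD_ORDER, "10.100.1.10", everything_up, NAT_WITHOUT_VPN))
```

Running it walks through five cases: with the specific rule on top the 10.100.1.10 host leaves via the VPN interface; with the order reversed the default LAN rule catches it first and it leaves WAN1 (GoldFish's warning); with the VPN gateway down the host falls back to WAN1 and is rejected by the floating rule instead of leaking; an ordinary LAN host is unaffected; and a NAT table that lacks an entry for the VPN interface routes the flow but never translates it, which matches the hybrid outbound NAT rule rob ends up adding for the ProtonVPN address later in the thread.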
• robina80

Thanks Derelict.

• robina80

Mmm… something's not right.

I attach a picture of my rules and floating rules:

https://s18.postimg.org/fxir0ko49/rules.png

Basically my "internal network" is 10.100.1.0/24.

My "VPNclient" is 10.100.1.10, so it falls within the internal network subnet; I don't know if that matters.

My DHCP server is from the range of 10.100.1.50-10.100.1.200, so my vpnclient alias IP is not in the scope.

As soon as I change my PC NIC to 10.100.1.10 I lose internet.

Any help would be great, I presume I'm doing something really stupid!

Cheers,

rob

• robina80

OK, I have added a new network on my switch, "172.17.2.0/24", and I have made my PC "172.17.2.1".

I have added a new static route on pfSense so the two can talk to each other, i.e. pfSense and my switch.

I have network access fine, i.e. I can talk to other subnets, but I still get no internet activity.

Can anyone help please?

Thanks,

rob

• Derelict (LAYER 8, Netgate)

                                Static route? Why a static route?

                                You are going to have to produce a diagram. See the one in my sig for the type of info necessary.

• robina80

I attach a better network diagram of my static routes to my switch and pfSense:

https://s18.postimg.org/v2d0so15l/my_network.png

Yeah, I have static routes set up to route traffic from my default network on my pfSense to all my other networks on my switch.

I attach a picture so you have more of an understanding of my network:

https://s18.postimg.org/nz8tnpn4p/route.png

My pfSense IP is "10.100.1.254" and the switch on the same network is "10.100.1.253", and it carries static routes down it so my devices connected to my switch on different subnets can see the network and the internet.

On my PC I have made my default gateway the VPN network switch IP, "172.17.2.253".

• Derelict (LAYER 8, Netgate)

                                    Whatever that is it is not a network diagram.

• Derelict (LAYER 8, Netgate)

                                      Yeah I ain't downloading some zip file from a forum user.

• robina80

Here you go:

                                        https://s18.postimg.org/tvlldbuvd/network.png

• Derelict (LAYER 8, Netgate)

                                          Is 172.17.2.0/24 covered by automatic outbound NAT?

                                          Do the firewall rules on the 10.100.1.254 interface pass traffic from all of the static route source addresses?

                                          I would not design it that way. I would use another router interface for the transit network to the switch and one for management. Management should probably not be a layer 3 interface on the switch.

• robina80

You mean this, under Firewall > NAT > Outbound?

https://s18.postimg.org/pmgvbe4jd/nat_out.png

Sorry, I don't really understand the second question?

I have an alias called "internal network" with manage and VM networks that are allowed out to the internet, but the VPN isn't.

• Derelict (LAYER 8, Netgate)

                                              That NAT looks fine.

                                              You have a pfSense interface with the 10.100.1.254 address on it.

                                              That interface has firewall rules on it.

                                              What are those?

                                              What, specifically, are you doing that is not working? You are going to need at least some troubleshooting skills to be able to make something like that operate.

• robina80

I attach a better network diagram including my static routes:

https://s18.postimg.org/v2d0so15l/my_network.png

But I would have thought this rule that I attach works, as I don't see it not working:

https://s18.postimg.org/vduh5aruh/rules.png

My three top rules are for my alias "vpnclients", which in the diagram I showed you is my Windows PC with the VPN IP,

and the bottom rule is for my "internalnet" to go out to the internet; this is the manage and VM subnets.

But when I plug the ethernet cable into my NIC which is on the VPN network, I have network access, i.e. I can see the LAN but not the WAN, which I would have thought would have been going out the Proton VPN gateway, but it's not working.

• Derelict (LAYER 8, Netgate)

                                                  What is Allint ??

• robina80

Allnet is all my actual interface NICs, i.e. manage (I call it home), DMZ and Proton VPN.

Mmm… maybe I shouldn't put Proton VPN in the all interfaces, as really my all interfaces should be my actual physical NICs on pfSense. What do you reckon?

• Derelict (LAYER 8, Netgate)

                                                      So it's an interface group?

Those are generally only useful on LAN interfaces where all interfaces in the group need exactly the same rules. There are other reasons (like reply-to) that make them not very useful on WAN interfaces.

Instead of taking shortcuts you might want to stick to just rules on interface tabs for now.

• robina80

Thanks Derelict, I will try that.

Sorry I haven't replied, just personal issues at the moment.

• robina80

Sorted!!!

I made a stupid mistake.

When I was making the VPN interface (so I can use it as a gateway for my specific VPN traffic) I ticked both boxes under "Reserved Networks", which blocks RFC 1918, but I don't want to block them as the virtual VPN IP I'm assigned is 10.8.0.2, which is an RFC 1918 address.

I put the ProtonVPN interface back in the "ALLInt" so I can easily manage the rules under one tab, as it's long-winded otherwise.

Also in Firewall > Rules > Outbound I had to make it hybrid and copy the WAN one and make another one for the ProtonVPN address, as it didn't work otherwise.

See pic of what I did:

https://s10.postimg.org/jk6oiio7t/rule.png

Thanks for all your help in this Derelict, much appreciated!
