Netgate Discussion Forum

Make host go out specific WAN interface

  • D
    Derelict LAYER 8 Netgate
    last edited by Jan 14, 2018, 2:09 AM

    Yeah I ain't downloading some zip file from a forum user.

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)

    • R
      robina80
      last edited by Jan 14, 2018, 2:09 AM

      here you go

      https://s18.postimg.org/tvlldbuvd/network.png

      • D
        Derelict LAYER 8 Netgate
        last edited by Jan 14, 2018, 2:16 AM

        Is 172.17.2.0/24 covered by automatic outbound NAT?

        Do the firewall rules on the 10.100.1.254 interface pass traffic from all of the static route source addresses?

        I would not design it that way. I would use another router interface for the transit network to the switch and one for management. Management should probably not be a layer 3 interface on the switch.

        • R
          robina80
          last edited by Jan 14, 2018, 2:41 AM Jan 14, 2018, 2:20 AM

          you mean this under firewall > NAT > outbound

          https://s18.postimg.org/pmgvbe4jd/nat_out.png

          sorry i don't really understand second question?

          i have an alias called "internal network" with manage and VM networks that are allowed out to the internet but the vpn isn't

          • D
            Derelict LAYER 8 Netgate
            last edited by Jan 14, 2018, 3:29 AM

            That NAT looks fine.

            You have a pfSense interface with the 10.100.1.254 address on it.

            That interface has firewall rules on it.

            What are those?

            What, specifically, are you doing that is not working? You are going to need at least some troubleshooting skills to be able to make something like that operate.

            • R
              robina80
              last edited by Jan 14, 2018, 12:32 PM Jan 14, 2018, 12:16 PM

              i attach a better network diagram including my static routes

              https://s18.postimg.org/v2d0so15l/my_network.png

              but i would have thought this rule that i attach works as i don't see it not working

              https://s18.postimg.org/vduh5aruh/rules.png

              my three top rules are for my alias "vpnclients" which in the diagram i showed you is my windows PC with the VPN IP

              and the bottom rule is for my "internalnet" to go out to the internet this is the manage and VM subnets

              but when i plug in the ethernet cable in my NIC which is on the VPN network i have network access ie i can see the LAN but not the WAN which i would have thought it would have been going out the proton vpn gateway but it's not working

              • D
                Derelict LAYER 8 Netgate
                last edited by Jan 14, 2018, 5:04 PM

                What is Allint ??

                • R
                  robina80
                  last edited by Jan 14, 2018, 10:05 PM Jan 14, 2018, 9:53 PM

                  allnet is all my actual interface NICS ie manage (i call it home) DMZ and proton vpn

                  mmm… maybe i shouldn't put proton vpn in the all interfaces as really my all interfaces should be my actual physical NICS on pfsense, what do you reckon?

                  • D
                    Derelict LAYER 8 Netgate
                    last edited by Jan 14, 2018, 11:10 PM

                    So it's an interface group?

                    Those are generally only useful on LAN interfaces where all interfaces in the group need exactly the same rules. There are other reasons (like reply-to) that make them not very useful on WAN interfaces.

                    Instead of taking short cuts you might want to stick to just rules on interface tabs for now.

                    • R
                      robina80
                      last edited by Jan 16, 2018, 12:47 PM

                      thanks derelict, i will try that

                      sorry haven't replied just personal issues atm

                      • R
                        robina80
                        last edited by Jan 17, 2018, 11:28 PM

                        sorted!!!

                        i made a stupid mistake

                        when i was making the vpn interface (so i can use it as a gateway for my specific vpn traffic) i ticked both boxes under "reserved networks" which blocks rfc1918 but i don't want to block them as the virtual vpn ip i'm assigned is 10.8.0.2 which is a rfc1918 address

                        i put protonvpn interface back in the "ALLInt" so i can easily manage the rules under one tab as it's long-winded otherwise

                        also in firewall > rules > outbound i had to make it hybrid and copy the wan and make another one for the protonvpn address as it didn't work otherwise

                        see pic of what i did

                        https://s10.postimg.org/jk6oiio7t/rule.png

                        thanks for all your help in this Derelict much appreciated!

                        1 Reply Last reply Reply Quote 0
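
A check for the two settings the last post changed, as an added example that is not part of the original thread and not pfSense's own code: it reads a constructed config.xml-style fragment and flags an interface that has "Block private networks" (`blockpriv`) set while holding an RFC 1918 address, and a policy-routed source with no manual outbound NAT rule on the VPN interface. The interface key `opt3`, the WAN address 203.0.113.10, the choice of 172.17.2.0/24 as the routed source, and reading element presence as "box ticked" are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: only the elements this check reads, "before" the fix.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><descr>WAN</descr><blockpriv/><blockbogons/></wan>
    <opt3><descr>PROTONVPN</descr><blockpriv/><blockbogons/></opt3>
  </interfaces>
  <nat><outbound><mode>hybrid</mode>
    <rule><interface>wan</interface>
      <source><network>172.17.2.0/24</network></source></rule>
  </outbound></nat>
</pfsense>"""

def nat_covers(rule, ifkey, src):
    """True if a manual outbound NAT rule on ifkey translates network src."""
    if rule.findtext("interface") != ifkey:
        return False
    net = rule.findtext("source/network", "")
    if net == "any":
        return True
    try:
        return src.subnet_of(ipaddress.ip_network(net))
    except ValueError:  # alias name or other non-CIDR value, not resolved here
        return False

def audit(config_xml, live_addrs, routed_sources):
    """live_addrs: {ifkey: address currently assigned (VPN tunnel IPs are
    dynamic, so they are passed in); routed_sources: [(ifkey, source CIDR)]."""
    root = ET.fromstring(config_xml)
    findings = []
    for iface in root.find("interfaces"):
        addr = live_addrs.get(iface.tag)
        if addr is None or iface.find("blockpriv") is None:
            continue
        if any(ipaddress.ip_address(addr) in n for n in RFC1918):
            findings.append((iface.tag, "blockpriv-with-rfc1918-address"))
    rules = root.findall("nat/outbound/rule")
    for ifkey, cidr in routed_sources:
        if not any(nat_covers(r, ifkey, ipaddress.ip_network(cidr)) for r in rules):
            findings.append((ifkey, "no-outbound-nat-for-" + cidr))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"wan": "203.0.113.10", "opt3": "10.8.0.2"},
                [("opt3", "172.17.2.0/24")]))
```
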
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.