Allow user to choose gateway 'on the fly'



  • Hi all!

    I have successfully set up a private IKEv2 VPN to connect my local pfSense box to a friend's overseas pfSense box. Now I can choose which gateway should be used to connect to the internet based on destination IP address.

    So far so good: now I have US Netflix! :-)

    The problem is that sometimes I need to connect to a specific website via gateway 1 (local) and sometimes via gateway 2 (remote VPN).

    The problem is that with destination-IP-based rules I'm unable to choose which gateway should be used to connect to any specific site unless I log in to pfSense and manually change the firewall rule for that destination IP.

    Is there any way to be able to choose which gateway should be used to connect to the internet 'on the fly'?

    My first thought was to set up a 'browser-based' advanced firewall rule so every connection from Firefox would use gateway 1 and all others would use gateway 2, but I found out there is no 'browser-based' firewall rule option on pfSense.

    Is there any work around to accomplish that?

    Any suggestion is very welcome.

    kind regards
    GWR



  • Is there any way to be able to choose which gateway should be used to connect to the internet 'on the fly'?

    The only way I can think of is a shell script that can be executed via SSH, but to use that you'd have to configure pfSense so that an SSH connection doesn't take you to the menu.



  • @gelcom:

    Is there any work around to accomplish that?

    Sure, but it'll involve some messy hacking as there isn't really any sort of API to hook into.
    I think you have some options:

    • running a script over SSH to enable/disable a certain rule to flip/flop your gateways and then doing a filter reload.
    • creating a PHP web page on the pfSense host that hooks into the right .inc file to flip/flop a rule without any sort of authentication


  • Thanks for the reply.

    Is there any option that does not require coding skills or SSH to pfSense? Most of the users are mobile clients.

    kind regards



  • @gelcom:

    Thanks for the reply.

    Is there any option that does not require coding skills or SSH to pfSense? Most of the users are mobile clients.

    kind regards

    The only way to do it via browser that I'm aware of is to log in with an admin password and reconfigure, as you've already done.  I doubt you want to give users the admin password.

    On Linux, it's easy to create an SSH command that remotely executes shell commands. You can then create a desktop icon to run it. I'm not aware of anything similar on Windows or tablets/phones.



    So if you go to the rule and expand the advanced options under the Extra Options settings at the bottom, you find a gateway option there.

    You can't use that to select the gateway to use?

    Maybe I'm not understanding the issue?


  • LAYER 8 Global Moderator

    You want to do this on the fly in the sense that hey I am on site xyz using wan 1, but while still on site xyz go to site abc using wan 2?

    If wireless, you could determine which WAN you use based upon which Wi-Fi network you're on and VLAN… So if on SSID A you go out WAN 1, if on SSID B you go out WAN 2, etc. But this would not allow you to connect to xyz via WAN 1 and abc via WAN 2 like you could do with destination routing rules.

    You could do it via proxy. Set up 2 proxies: proxy X uses WAN 1, proxy Y uses WAN 2, and just flip between the proxies in your browser. Something like that could work pretty close to what I believe you're asking for.
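
The two-proxy approach suggested in this post (and repeated further down the thread) is usually driven from the browser with a PAC (proxy auto-config) file. The script below is an added example, not code from the thread or from pfSense. It assumes two forward proxies, `proxy-wan1.lan` and `proxy-wan2.lan` on port 3128, each pinned to one gateway by a pfSense policy-routing rule on the proxy's source address; the hostnames, the port and the domain lists are all assumptions.

```javascript
// Added example (not from the thread or pfSense): a PAC script that picks one of
// two forward proxies, each assumed to be policy-routed out a different gateway.
// Hostnames, port and domain lists below are assumptions.
const PROXY_WAN1 = "PROXY proxy-wan1.lan:3128"; // assumed: proxy routed out the local WAN
const PROXY_WAN2 = "PROXY proxy-wan2.lan:3128"; // assumed: proxy routed into the IKEv2 tunnel

// The path taken when no override matches. To switch "on the fly" without
// touching pfSense, the user loads the PAC variant whose default is the other proxy.
const DEFAULT_PROXY = PROXY_WAN1;

// Constructed sample overrides: hosts pinned to one path regardless of the default.
const FORCE_WAN2 = ["netflix.com", "nflxvideo.net"];
const FORCE_WAN1 = ["bank.example"];

// Suffix match: "netflix.com" matches itself and any subdomain, but not "notnetflix.com".
function hostMatches(host, domain) {
  const h = host.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

// RFC 1918 and loopback literals. Written out rather than using the PAC built-in
// isInNet() so the file can be unit-tested outside a browser.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// Plain hostnames, the assumed internal ".lan" zone and private addresses go
// DIRECT: LAN resources keep working and internal names are not sent to a proxy.
function isLocalDestination(host) {
  return !host.includes(".") || hostMatches(host, "lan") || isPrivateIPv4(host);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isLocalDestination(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback on pinned paths: if the VPN-side proxy is
  // down, the request fails instead of silently leaving via the local WAN.
  if (FORCE_WAN2.some((d) => hostMatches(host, d))) return PROXY_WAN2;
  if (FORCE_WAN1.some((d) => hostMatches(host, d))) return PROXY_WAN1;
  return DEFAULT_PROXY;
}
```

Switching "on the fly" then means pointing the browser at a second copy of this file whose `DEFAULT_PROXY` is `PROXY_WAN2`, or toggling between the two proxies with a proxy-switcher extension; no pfSense login is involved. Two caveats a practitioner would want: the pinned entries intentionally have no `DIRECT` fallback, so an outage of the tunnel-side proxy fails closed rather than leaking that traffic out the local WAN, and both proxies must only accept connections from the LAN (or require authentication), since the WAN 2 proxy is otherwise an open relay through the friend's connection.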



  • @Heimire:

    So if you go to the rule and expand the advanced options under the Extra Options settings at the bottom, you find a gateway option there.

    You can't use that to select the gateway to use?

    Maybe I'm not understanding the issue?

    As I understand it, he wants to be able to change the gateway on demand and let users do it too.  Of course that brings up the problem of when different people want to use different gateways, how can pfSense handle that?  A router normally has just one gateway for everyone.

    One possibility is to move the VPN from pfSense to the user devices.  Then normal VPN changing the default route would do the trick.



    "The problem is that with destination-IP-based rules I'm unable to choose which gateway should be used to connect to any specific site unless I log in to pfSense and manually change the firewall rule for that destination IP."

    Based on that line I assumed he had a firewall rule that was destination-specific.
    If that's the case he should be able to assign a different gateway than the default one in the advanced settings for the rule.

    So that should work, I think, unless he wants to use a different gateway for that rule based on what he needs at that one moment; but then why have a destination-based rule?



  • @Heimire:

    "The problem is that with destination-IP-based rules I'm unable to choose which gateway should be used to connect to any specific site unless I log in to pfSense and manually change the firewall rule for that destination IP."

    Based on that line I assumed he had a firewall rule that was destination-specific.
    If that's the case he should be able to assign a different gateway than the default one in the advanced settings for the rule.

    So that should work, I think, unless he wants to use a different gateway for that rule based on what he needs at that one moment; but then why have a destination-based rule?

    Except he says:

    The problem is that sometimes I need to connect to a specific website via gateway 1 (local) and sometimes via gateway 2 (remote VPN).

    So, he wants to access the same site, sometimes direct and sometimes via VPN.

    As I mentioned, the way to do that is to move the VPN to the user devices and turn it on as needed. I do that with my notebook. When I'm away from home, I normally go through whatever gateway I'm connected to. But if I bring up OpenVPN, then all traffic is sent via the VPN and my home network to the Internet.


  • LAYER 8 Global Moderator

    "he wants to access the same site"

    That I think is still unclear. I think it's more that he wants to access site xyz via WAN 1, and then site abc via WAN 2. But sure, it could be accessing site xyz one time with WAN 1 and then the next time with WAN 2, etc.

    I think the best way to do something like that would be with 2 proxies and then pointing your browser at a specific proxy to use WAN 1 or WAN 2.



    Sorry for the delayed response…

    @johnpoz:

    "he wants to access the same site"

    That I think is still unclear. I think it's more that he wants to access site xyz via WAN 1, and then site abc via WAN 2. But sure, it could be accessing site xyz one time with WAN 1 and then the next time with WAN 2, etc.

    This is exactly what I meant. Sorry for the broken English…

    Example: user 1 is a mobile user. He wants to connect to site "xyz.com" using WAN 1. A few moments later, he wants to access this same site but using WAN 2 without disconnecting from his actual LAN.

    As he does not have admin privileges he cannot access pfSense admin page to update his default gateway.

    @johnpoz:

    I think the best way to do something like that would be with 2 proxies and then pointing your browser at a specific proxy to use WAN 1 or WAN 2.

    This is a perfect workaround! I can set up 2 proxies so users can choose which proxy to use. As each proxy is linked to a specific gateway, the magic is done! Thanks a lot :-)

    kind regards

