2 Wan Gateways - Certain Hosts will not go out non-default gateway



  • Hello all

    I have pfSense 2.4.3-RELEASE. For an FTP server:

    Inbound NAT rules

    Outbound NAT rules

    LAN Rule

    pfSense does not seem to be listening to the LAN rule at all. This gateway is not the default gateway. This allows people to connect to the FTP server fine using Passive Mode, but Active Mode does not work, as the traffic being sent out from the server is going out the wrong gateway. I am extremely confused as to why it is not being picked up. All the other rules for the default gateway and VIPs there work great. But trying to have certain hosts go out the second gateway does not seem to work.

    Any Ideas?

    Also, yes, I know it's a messed-up internal network scheme. That's how it was when I got here. Please don't laugh too hard.


  • Netgate

    That rule has no matches. Why are you matching on source 90.0.0.92? Is there a rule above it that matches instead?



  • @Derelict:

    That rule has no matches. Why are you matching on source 90.0.0.92? Is there a rule above it that matches instead?

    This is the top rule on the LAN interface (besides the anti-lockout rule). If I understand it correctly, anything and everything coming from that host should go out the other gateway. That is what I want, at least.

    Shouldn't this be: anything from 90.0.0.92 go out HQ3GW?


  • Netgate

    Is 90.0.0.92 a host on LAN that is connecting outbound?



  • @Derelict:

    Is 90.0.0.92 a host on LAN that is connecting outbound?

    Yes. This network is a bit… off. Instead of 10.0.0.92, we use 90.0.0.92, which is the internal IP of the FTP server.

    Apparently, like 20+ years ago when the network was made, it was a reserved address space? pfSense doesn't seem to mind, as it routes everything as it should on the default gateway with all of our IPs. It is only when I am trying to route a host through the second gateway/WAN.


  • Netgate

    That rule should work then. Is that gateway up?



  • @Derelict:

    That rule should work then. Is that gateway up?

    Right? I thought I was going crazy. The gateway is up. I know this because the FTP server works, but only with Passive Mode. This goes through the second gateway using an IP on there. But Active Mode connections do not work: when the client sends the PORT command, the server reaches out to connect, but apparently it is going through the first gateway with the wrong IP, so the connection times out.



  • Fixed. There was a floating rule that had our LAN in the alias that was catching it before the LAN rules could get it. Found this by going through the states.


  • Netgate

    /tmp/rules.debug is your friend. Nice. Glad to hear you found it.
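    A small model of why the floating rule won, as an added example that is not from the thread or from pfSense itself: pf evaluates floating rules before interface rules, and the first matching rule marked "quick" ends the search, so a quick floating rule whose source alias contains the LAN network takes the FTP server's traffic before the LAN policy-routing rule is ever reached. The rule names, alias names and the 90.0.0.0/24 LAN network are constructed; the assumption is that the floating rule was marked quick, which is what lets it take precedence over the LAN rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed aliases standing in for the thread's setup: a non-RFC 1918 LAN
# and the FTP server host 90.0.0.92 from the thread.
ALIASES = {"LAN_NETS": ["90.0.0.0/24"], "FTP_SERVER": ["90.0.0.92"]}


@dataclass
class Rule:
    name: str
    src: str             # alias name, CIDR/host, or "any"
    gateway: str         # "default" or a policy-routing gateway such as HQ3GW
    quick: bool = True   # pfSense interface rules are always quick; floating rules only if ticked
    floating: bool = False


def _src_matches(src_spec: str, addr: str) -> bool:
    if src_spec == "any":
        return True
    nets = ALIASES.get(src_spec, [src_spec])
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def evaluate(rules: list, src_addr: str):
    """pf semantics: floating rules are evaluated before interface rules;
    the first matching quick rule wins, otherwise the last match wins."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    winner = None
    for rule in ordered:
        if _src_matches(rule.src, src_addr):
            winner = rule
            if rule.quick:
                break
    return winner


def diagnose(src_addr: str, rules: list):
    """Return (rule name, gateway) chosen for traffic from src_addr, or (None, None)."""
    rule = evaluate(rules, src_addr)
    return (rule.name, rule.gateway) if rule else (None, None)


# Constructed rule set: the stray floating rule, the LAN policy-route rule, and a catch-all.
FLOATING_LAN = Rule("floating-allow-LAN", "LAN_NETS", "default", quick=True, floating=True)
LAN_FTP_POLICY = Rule("LAN-ftp-to-HQ3GW", "FTP_SERVER", "HQ3GW")
LAN_ALLOW_ALL = Rule("LAN-allow-all", "any", "default")

if __name__ == "__main__":
    print(diagnose("90.0.0.92", [FLOATING_LAN, LAN_FTP_POLICY, LAN_ALLOW_ALL]))  # floating rule wins
    print(diagnose("90.0.0.92", [LAN_FTP_POLICY, LAN_ALLOW_ALL]))                # LAN rule wins
```

With the floating rule in place the LAN rule never sees the FTP server's traffic (its match counter stays at zero, as in the thread); removing the LAN network from the floating rule's alias, or unticking quick on it, lets the policy-route rule win.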


  • Rebel Alliance Global Moderator

    "Apparently like 20+ years ago when the network was made, it was a reserved address space?"

    Maybe not allocated to someone, but sure not reserved for local use. What does that have to do with today? That space is currently owned by Orange, and clearly not part of RFC 1918…

    The correct thing to do would be to re-IP it to more appropriate space.