Policy base routing not working traffic is not forwarded to specified gateway and always go to the default gw
-
Im using XG-7100 and the latest pfsense version. all is working well but i have this issue on policy base routing.
the scenario:
I have 2 WAN(gateways) and a 2 LANs.
i wanted each LANs to use specific WAN.Gateway setup
WAN1 gateway is set to default
WAN2 gatewayLAN1 rule i set the gateway to use the WAN1 gateway.
LAN2 rule i set the gateway to use the WAN2 gateway.issue:
even though LAN2 was set to use the WAN2 gateway when i test it its still use the default gateway which is the WAN1.Need your help on this.
Thank you.
-
need more details.
post rules & gateway settings
-
Here
Rule
Action: Pass
Interface: Lan1
address:ipv4
protocol: tcp/udp
source: any
destination:any
Gateway: WAN1(which is the default gw)
Rule
Action: Pass
Interface: Lan2
address:ipv4
protocol: tcp/udp
source: any
destination:any
Gateway: WAN2
but still when testing it by tracing route the of Lan2 it still use the WAN1
-
By default Windows tracert uses ICMP and both Mac OS X and Linux traceroute use UDP.
so if you are running traceroute on windows, your rules dont apply
-
That rule is TCP/UDP only, you may want 'any' there as Heper said.
The traffic may be matched by another rule first. That rule must be above any other rules that might pass it on the LAN2 tab. Also check for floating rules and interface groups which are both processed first.
There may have been an open firewall state for that traffic via WAN1 when you tested. Make sure to clear the states between tests if you add new rules.
Steve
-
Hi Guys,
I cannot make this thing work I've tried your suggestion setting protocol to any. I even reset the state and tried restarting the appliance but still all the traffic is forwarded to the default WAN.
Any other ideas or suggestion?
Thank you,
-
Post screen shots of your LAN rules and your gateway group configuration.
-
-
On that setup even though the PRESIDENT net gateway is set to use the WAN_DHCP as per testing and checking it still using the WAN2GW which is my default gateway.
-
Very unlikely, if not impossible. Something is not how it seems.
-
@derelict Tell me what is wrong. thanks
-
Not sure based on the information at hand. Have you messed about with floating rules?
-
@derelict i don't have floating rules configured
-
Chat the contents of /tmp/rules.debug to me then. And please specify exactly how you are testing. Source IP address, dest IP address, method of testing.
Execute
cat /tmp/rules.debugin Diagnostics > Command Prompt and copy/paste the output.
-
@derelict dude i send to you the rule.debug dump let me know if you find the resolution. thank you
-
You have WAN, WAN1, and WAN2 defined. You are policy routing PRESIDENT out WAN, not WAN1. You stated you have two WANs but there are three. What, exactly, are you trying to do?
GWWAN1GW = " route-to ( lagg0.101 X.X.X.225 ) "
GWWAN2GW = " route-to ( lagg0.102 Y.Y.Y.113 ) "
GWWAN_DHCP = " route-to ( lagg0.4090 192.168.1.1 ) "pass in quick on $PRESIDENT $GWWAN_DHCP inet from 10.10.8.0/24 to any tracker 1531493401 keep state label "USER_RULE"
-
@derelict thanks for looking on it. Policy routing is not working. As you can see the president although on policy it is set to wan. But on the contrary it still uses the wan2 which the default gateway. What i want is to make that work.
-
@derelict all is working my pfsense setup except the policy routing.
-
What WANs are supposed to be active? You have WAN WAN1 and WAN2 but you said you only have 2 WANs. I think you need to delete the WAN gateway and policy route to WAN1 instead. But I'm kind of just guessing because you seem to not be reading what I am saying.
In other words, change the policy routing on PRESIDENT to GWWAN1GW instead of GWWAN_DHCP and test again.
-
@derelict my friend all of those is active. Yeah on start of the topic i mention 2 wans but just summarize my issue so its more direct. But now i showed you the real scenario.
So what i wanted is to have that president vlan use the wan as its gateway.
-
And the wan1 im using it for my web and outside communication. Wan and wan2 is for surfing
-
Just for testing before i use the wan1 for president gateway before but its still the same it did not work also.
-
And that is what it will do. Not sure what you are doing wrong. Maybe a testing flaw.
Policy routing pretty much just works.
What is the source IP address you are testing from? How are you testing?
Are you getting any alerts at the top of the dashboard that the filter rules can't load or anything?
-
Has anyone verified that the vlan setup on lagg0 is working as intended?
-
@heper Yes man its working all vlans its working. they can browse internet but only through default gateway.
-
i'm using the XG-7100
-
Hardware does not matter in this case.
-
@derelict i use the pres network to test, making tracert and compare. I also observe the traffic on both wan and wan2.
-
@derelict said in Policy base routing not working traffic is not forwarded to specified gateway and always go to the default gw:
What is the source IP address you are testing from? How are you testing?
You did not answer that question. What is the Source IP address of the host you are testing from? I am really not asking for these details to waste your time. Honest.
We need to figure out what you are doing wrong - from a distance - and if we ask for details it's because we are trying to figure out where the mistake you made is. Because if there was not a mistake made, it would be working.
-
Thank you for helping i appreciate it guys. The source ip address is the vlan 8 which is the vlan of pres. And testing using traceroute example to google.com to see where i am passing through.
During the testing also i run streaming on vlan 8 and then compare it with vlan 5 and 4 to view the usage traffic.
By the way i replied on this question.
Thanks again.
-
Sigh - looking for the actual host IP address of the host you are testing from, not the interface.
-
Hi Derelicit,
On vlan 8 i sometime use the 10.10.8.26 to check if its going through WAN.
Thank you,
-
Did you clear the firewall states between running tests?
Do you see any alerts shown on the dashboard indicating the ruleset might not loading as expected?
Steve
-
Hi guys,
Thank you for the support. I finally manage to find the issue and resolve it.
The problem was in my L3 switch since i configure the svi on it and then forward all traffic to fw " 0.0.0
0 0.0.0.0 10.10.2.1" Doing this the fw always sees that the packets came in a single vlan.Again thank you
-
This post is deleted!
-
Only 23days to find a problem.... I wish my bosses were as nice
