FW rule by source network device



  • Hello everybody!

    Not too long ago I got an internet access via fibre channel. I live in the country where my old access method (DSL) could be called flaky at best. So it was a no-brainer to take the fibre channel. The catch was that now I no longer had a public IPv4 address, but a typical DS-lite access with public IPv6 addresses. My IPv4-address on the WAN side of my router is in the 100.64.0.0/10 range (CGN).

    So I can reach my own network from the outside via IPv4 and at the same time get some other things working again (like file transfers via XMPP), I decided to go for a VPN provider. I can choose between OpenVPN or WireGuard, which meant that my Fritz!Box 7580 will no longer do as my access router, which is why I am now with pfsense. 😎

    I have been using FreeBSD since version 3.4 on servers and desktops (which makes me feel kinda old right about now), but I have never used FreeBSD as a router before. I am quite willing to read an learn though!

    Sorry for the long introduction, but I have always found it very hard to help people out if I had no idea about their background (and thus their knowledge) and no idea about what they were actually trying to get done and why in the long run. Hope this was enough but not too much information for you guys!

    The machine running pfsense has 3 physical network devices in use (currently as devices called WAN, LAN and OPT1). The VPN will probably wind up as OPT2 (which of course won't be a physical device). My network has the range 172.24.0.0/14. LAN has 172.25.250.250 and OPT1 has 172.27.250.250. Note that both these IPs are in the same subnet!

    I would like to retain the option of connecting using the VPN or not on a per-machine basis. The idea I had was to configure those machines I wanted to use the VPN to have the default gateway 172.27.250.250 and the others to use 172.25.250.250. Then I'd have to set up a firewall rule that sends anything that comes from LAN to WAN and anything that comes from OPT1 to OPT2.

    Is this even possible? I have not found a way to set up a rule by interface yet. And if it can be done, will it work as I think it will and is it a good idea? I have never tried to do anything like this before, so I may have committed a thought crime somewhere along the way. 😬

    I am grateful for any hints (including links for further reading)!

    Cheers!
    Chris



  • it sounds like youre trying to do policy based routing, and this is definitely something you can accomplish with PFSense.

    Youre going to want to define gateways, and in the advanced option of a firewall rule (at the bottom of the rule edit page) you can define a gateway to send traffic to that matches the rule.


Log in to reply