Cannot block traffic from wan1 to a single internal IP



  • I have two wans (wan1 and wan2) and for the life of me I cannot block all traffic from wan1 to 10.0.0.22 (a server).

    My settings are as follows.

    2019-05-17.png 2019-05-17 (3).png 2019-05-17 (2).png 2019-05-17 (1).png

    Has anyone any idea what I've done wrong? As I've said, I can't seem to do this.
    Many thanks


  • LAYER 8 Global Moderator

    Rules on your lan only block traffic that enters the lan interface FROM the lan network... wan net would never be a source of traffic into the lan interface..

    From your rules there is no way traffic from your wan could get to the lan, I see no rules to allow it - did you setup rules on your floating tab?

    Traffic from wan would not be allowed to lan at all from your rules. Did you at one point have a port forward setup, and you still have an active state? Do you have port forward setup with an allow rule on your floating? Are you not natting at all and have an allow rule on your floating?



  • @johnpoz Well, with the setup I have, traffic from wan1 is going to lan so it's not blocking anything.

    I have nothing in floating, never used them. States have been cleaned after every change. I have no port forward at all from wan1. I'm finding this very confusing if I'm honest.

    I have a dual wan connection set under gateway

    2019-05-17 (5).png 2019-05-17 (4).png


  • LAYER 8 Global Moderator

    So how do you know that traffic that is hitting your server is coming from wan1..

    Let's see your state in your state table for this.



  • @johnpoz When I turn torrents on, both graphs max out: wan one 6mb, wan two 46mb

    WAN	tcp	192.168.0.19:25481 (10.0.0.22:46035) -> 213.101.14.149:5516	ESTABLISHED:ESTABLISHED	11 / 1	460 B / 44 B
    
    WAN2	tcp	192.168.0.10:6197 (10.0.0.22:51015) -> 194.225.49.60:13823	SYN_SENT:CLOSED	5 / 0	300 B / 0 B
    

    .19 is wan1, .10 is wan2

    2019-05-17 (6).png


  • LAYER 8 Global Moderator

    Those sure look like outbound states to me..

    Here is an inbound state example to my plex from outside
    inboundstateexmpale.png

    That 64.53 address is my WANIP..

    And it looks like you're allowing both your wans to be used outbound in your dual gateway you setup. And wan1 is first on the list, etc.



  • @johnpoz Yeah, that's correct John, but I still can't block Wan1 from 10.0.0.22

    2019-05-17 (8).png


  • LAYER 8 Global Moderator

    Huh??

    You mean you don't want traffic going outbound of wan 1?? Then don't freaking set up a policy that allows it.. You have a dual gateway setup and policy route out that... So what the F do you think is going to happen??

    policyrouteoutbound.png

    And you have your 2 wans on the same freaking network anyway?? pointing to the same place??

    samegateway.png

    And one is clearly local with less than 1 ms response, and the other is isp??



  • @johnpoz I think I'm not explaining this correctly or you are maybe misunderstanding me.

    All I want to do is this:

    I want Wan2 to go everywhere on the network and Wan1 to go everywhere also, BUT not to one single IP (10.0.0.22). That is it, nothing more.

    Also, they're both ISPs, BT and Virgin.


  • LAYER 8 Global Moderator

    You're not understanding how it works.. That is what the problem is!!

    Your rules allow anything on the lan to go anywhere outside the lan... Which wan interface you use is via gateway group you setup..

    wangroup.png

    So you have this...

    outbound.png

    If you don't want 10.0.0.22 to use wan 1, then you have to set up a rule on lan to only send it out wan2 - not your group.. If you allow traffic out from wan1 from the client - then YES the answer will come back via that interface..

    answer.png

    You could do say this if you only want that .22 box to use wan 2

    somethinglikethis.png

    Rules are evaluated as traffic enters an interface from the network it's attached to... First rule to trigger wins, no other rules are evaluated.. So your rule says hey anything on the lan - go out this gateway group which includes both 1 and 2.. So yeah that is what is going to happen!! And then yes the answers will come back through the wan interface it left on.

    If you don't want a specific client to use the group, then force it out a different one... Keep in mind you need to make sure what happens when wan 2 is down - then it could still go out the group and therefore wan1.. Depending on what you tell pfsense to do with the rules when the gateway is down, etc.

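The rule ordering the moderator describes, written out as pf rules on the LAN interface. This is an added illustration, not the poster's configuration or pfSense's generated ruleset; the interface names, gateway addresses and the 10.0.0.0/24 LAN subnet are assumed, only 10.0.0.22 comes from the thread.

```pf
# Added example: LAN rules in the order pf evaluates them.
# Interface names, gateway IPs and the LAN subnet are assumed.
lan_if  = "igb0"
lan_net = "10.0.0.0/24"
wan1_if = "igb1"
wan1_gw = "192.168.0.1"     # assumed next hop on wan1
wan2_if = "igb2"
wan2_gw = "192.168.1.1"     # assumed next hop on wan2

# Rule 1 (must be above the group rule): pin the .22 box to wan2 only.
# "quick" makes the first matching rule final; nothing below is evaluated.
pass in quick on $lan_if inet from 10.0.0.22 to !$lan_net \
    route-to ($wan2_if $wan2_gw) keep state

# Rule 2: everything else on the LAN uses the gateway group (both WANs).
# If rule 1 sat below this one, 10.0.0.22 would match here first and
# could leave via wan1, which is what the poster was seeing.
pass in quick on $lan_if inet from $lan_net to !$lan_net \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin keep state

# Why "block from wan net" on LAN never fires: a rule on $lan_if only sees
# packets entering from the LAN, so the source is always a LAN address.
# The reply from the internet rides the state rule 1 or 2 created and comes
# back in on whichever WAN the packet left from.

# Failover caveat from the thread: rule 1 has no fallback gateway. When wan2
# is down, pfSense's "Skip rules when gateway is down" setting decides whether
# the rule is skipped or loaded without route-to (default route, possibly wan1).
```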
