Netgate Discussion Forum

Clarification on Gateway for users

12 Posts 3 Posters 749 Views
    killmasta93
    last edited by Oct 31, 2019, 3:11 AM

    Hi,
    I was wondering if someone could clear up my question. Currently we have dual WAN; the idea is that I want a set of users to navigate on WAN2, which has better speeds than the default WAN (I don't set it as the default because that IP is registered with the banks and changing it is a headache). So I put a pool of IPs on the LAN and under Advanced I set the gateway to use WAN2. As soon as I do that, those users cannot see the other VLANs. Would I also need to put a rule on the VLAN?

    Thank you

    Tutorials:

    https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

      viragomann
      last edited by Nov 2, 2019, 9:31 PM

      If you state a gateway in a filter rule, this rule allows only traffic to that gateway. Since the gateway cannot reach your other internal networks, they are not accessible.

      So you have to add an additional filter rule with your internal networks in the destination box and without a gateway stated and put this rule to the top of the rule set.

        Derelict LAYER 8 Netgate
        last edited by Derelict Nov 2, 2019, 10:37 PM

        https://www.netgate.com/docs/pfsense/routing/bypassing-policy-routing.html

        https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html#bypassing-policy-routing

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          killmasta93
          last edited by Nov 3, 2019, 6:36 PM

          Thanks for the reply. After adding those rules I can now ping the VLANs, but what's odd is that the IP I want to use to navigate on WAN2 is not navigating on WAN2; it is still using the default WAN.
          The IP 192.168.3.211 can now ping the VLAN scannerfreenas NET.

          Screenshot from 2019-11-03 13-33-12.png

            Derelict LAYER 8 Netgate
            last edited by Nov 3, 2019, 6:54 PM

            Is the WAN2 gateway marked as up?

              killmasta93
              last edited by Nov 4, 2019, 3:53 PM

              Thanks for the reply, correct, it is up and running.
              Screenshot from 2019-11-04 10-52-04.png

                Derelict LAYER 8 Netgate
                last edited by Nov 4, 2019, 3:55 PM

                Then there is some other rule somewhere matching and passing the traffic, or you are looking at dangling states. Reload www.wimi.com a couple times.

                  killmasta93
                  last edited by Nov 4, 2019, 5:15 PM

                  Thanks for the reply. After carefully looking at the rules, it was a rule of Squid, as I have WPAD; I disabled autodetect on the machine and now it shows the WAN2 gateway. But what's very odd is that I tried to ping my email server, which is on the VIP on WAN2. I checked the states and saw this. I tried adding the IP of the email server on top of the 192.168.3.213 but no luck. The VIP of the email server ends in 236.

                  LAN	icmp	192.168.3.211:1 -> 192.168.3.213:1 (181..xx.xxx.236:1)	0:0	35 / 0	2 KiB / 0 B
                  WAN2	icmp	181.57.xx.xx:36351 (192.168.3.211:1) -> 192.168.3.213:36351	0:0	35 / 0	2 KiB / 0 B

                  LAN	tcp	192.168.3.211:56953 -> 192.168.3.213:80 (181.xx.xx.236:80)	CLOSED:SYN_SENT	2 / 0	104 B / 0 B
                  WAN2	tcp	181.57.xxx.xx:60892 (192.168.3.211:56953) -> 192.168.3.213:80	SYN_SENT:CLOSED	2 / 0	104 B / 0 B

                  Thank you

                    Derelict LAYER 8 Netgate
                    last edited by Nov 4, 2019, 5:23 PM

                    So you are trying to connect to a port-forwarded IP address? You will need to bypass policy routing for that too.

                    A better solution than NAT reflection is split DNS so inside connections are made to inside IP addresses.

                      killmasta93
                      last edited by Nov 5, 2019, 2:25 AM

                      @Derelict said in Clarification on Gateway for users:

                      split DNS

                      Thanks for the reply, yes that's correct, currently I have NAT reflection. A split DNS is just an A record on pfSense in Host Overrides? So mail.mydomain.com resolves to 192.168.3.213 rather than resolving via the WAN?

                      Thank you

                        Derelict LAYER 8 Netgate
                        last edited by Nov 5, 2019, 2:28 AM

                        Yes. You will have to also bypass that NAT reflected address and it should work.

                        Split DNS is better. But better is subjective.

                        Put a bypass rule like the others but for destination 192.168.3.213

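The rule-ordering point made in viragomann's and Derelict's replies above, as an added Python model that is not from the thread or from pfSense itself: it assumes a constructed LAN pool 192.168.3.208/28, a VLAN 192.168.4.0/24, the placeholder VIP 203.0.113.236 (standing in for the masked 181.x.x.236) and the hypothetical name mail.example.com, and shows that first-match evaluation hands internal and NAT-reflected traffic to WAN2 unless bypass rules sit above the gateway rule, while a split-DNS host override avoids the reflected VIP altogether.

```python
# Added example (not from the thread): a first-match model of pfSense LAN rule
# evaluation, showing why a policy-routing rule needs bypass rules for internal
# networks and for a NAT-reflected VIP placed above it. All addresses constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NETS = ["192.168.3.0/24", "192.168.4.0/24"]  # LAN and one VLAN
POOL = "192.168.3.208/28"          # LAN pool that should egress via WAN2
MAIL_VIP = "203.0.113.236"         # placeholder for the masked 181.x.x.236 VIP
MAIL_INTERNAL = "192.168.3.213"    # mail server's LAN address from the thread
HOST_OVERRIDES = {"mail.example.com": MAIL_INTERNAL}  # split-DNS host override

@dataclass
class Rule:
    src: str                       # source network (CIDR)
    dst: str                       # destination network (CIDR) or "any"
    gateway: Optional[str] = None  # policy-route gateway; None = system routing
    label: str = ""

def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    return rule.dst == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)

def egress_for(rules, src_ip, dst_ip):
    """pfSense rules are 'quick': the first match wins. Returns the policy
    gateway, 'routing-table' for a rule without a gateway, or 'blocked' when
    nothing matches (the implicit default deny)."""
    for r in rules:
        if matches(r, src_ip, dst_ip):
            return r.gateway or "routing-table"
    return "blocked"

def resolve(name, public_answer):
    """Split DNS: a Host Override in the resolver beats the public A record."""
    return HOST_OVERRIDES.get(name, public_answer)

# Broken order: the gateway rule is first, so VLAN traffic is handed to
# WAN2_GW, which cannot reach 192.168.4.0/24, and the VLAN looks unreachable.
broken = [
    Rule(POOL, "any", "WAN2_GW", "pool to any via WAN2"),
    Rule(POOL, "192.168.4.0/24", None, "bypass for VLAN (never reached)"),
]

# Fixed order: bypass rules for internal nets and the NAT-reflected VIP sit
# above the policy-routing rule, as recommended in the thread.
fixed = [Rule(POOL, n, None, f"bypass {n}") for n in INTERNAL_NETS]
fixed.append(Rule(POOL, MAIL_VIP + "/32", None, "bypass NAT-reflected VIP"))
fixed.append(Rule(POOL, "any", "WAN2_GW", "pool to any via WAN2"))
```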
                          killmasta93
                          last edited by Nov 7, 2019, 3:25 AM

                          Thanks for the reply, you're right, it had to be done that way. Thank you again.
