Netgate Discussion Forum

    Default outbound interface

    Routing and Multi WAN
    jgraham5481

      Is there a way to change the "default outbound" interface? For example, the "LAN" is always what it chooses as the source interface for functions like AD lookup, internal DNS lookups, etc. In my case I set the LAN up as a local only /30 mgmt interface. I could always move things around, but would be nice to know if you could change this.

      johnpoz (LAYER 8 Global Moderator)

        Huh? The source interface would be the interface on the network it is trying to talk to. If the dest IP is in your LAN /30 then yes, it would use that interface as source.

        How about you draw up your network, and then point out what exactly you're wanting to accomplish, or what you feel it should be doing but isn't.

        Example: here is a basic network. I assume you have something more than just LAN, since you state you're using that as the management interface (only?), so you have at least 1 other network.

        [image: basic.png]

        What do you feel is not working as it should, or what exactly are you trying to accomplish? In this sort of setup, LAN and OPT would not be NATed when talking to each other, and only when either the LAN or OPT network is talking to the internet/WAN would traffic be NATed to your WAN IP.

        So for example, if a device on the OPT network 192.168.1.X wanted to talk to a device on the LAN network 192.168.0.X, then the source interface talking to your LAN /30 would be, yes, the LAN interface. But the source IP for the traffic would still be 192.168.1.X; no NAT should be happening between these networks, unless you set up a gateway on them so pfSense thinks they are WAN interfaces, which you would never really do.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        jgraham5481

          In my case I am very multi-LAN. There are features that tie in to the idea of LAN and only apply there, like the "bypasslan" option in strongSwan that only applies to the factory-defined "LAN", which I get, and I know there are fixes waiting to test. I was just curious if I could define an alternate interface, without that being the "factory LAN". If not, I get it, but most other platforms have a way to define the source interface it uses for various tasks. My thought was, since the LAN has these unique attributes, peg an interface that will rarely be used to this, so no one interface has these chosen features applied to it, except the one that I will only use in a worst-case scenario.

          jgraham5481

            Also, my authentication servers and DNS servers live on the other side of a VPN tunnel, and I'd rather that local management interface not have routes to/for it, as it's a last bastion of hope in a bad situation.

            johnpoz (LAYER 8 Global Moderator)

              @jgraham5481 said in Default outbound interface:

              but most other platforms have a way to define the source interface it uses for various tasks

              You mean what IP a service binds to? Not sure what that has to do with router or firewall. What specific service are you talking about?

              So you have some stuff that is accessed via a site-to-site VPN? Well yeah, there is going to be a route to whatever network(s) are on the other side of the VPN. Not sure what that has to do with the interface or IP a service binds to.

              I have read over your 2 posts multiple times, and still have no clue what you're actually trying to accomplish or what you feel is an issue.


              jgraham5481

                OK, here's what I have:

                WAN:
                50.x.x.x

                LANs
                172.16.120.1/30
                10.0.13.254/24
                10.0.60.0/24
                10.0.61.0/24
                10.0.62.0/24

                VPN
                172.16.120.13/30

                So if I need to contact my auth server at 10.0.6.159 (on the other side of the VPN), it will always originate from 172.16.120.1; I would prefer it originate from 10.0.13.254. I do not have routes on the other side of the VPN for 172.16.120.1/30, nor do I want there to be any.

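The rule johnpoz gives earlier in the thread (the firewall's own traffic sources from the address of the interface its route points out of, and only traffic leaving via WAN gets NATed to the WAN IP) applied to the addressing listed in the post above. This is an added illustration, not code from the thread or from pfSense; the interface names, the per-interface .1 addresses, the WAN address and the route to 10.0.6.0/24 via a VPN peer are assumptions, and it models plain route-based source selection only, not any per-service bind option.

```python
import ipaddress

# Constructed routing table modelled on the interfaces listed in the post above.
# The /30 and /24 prefixes are the poster's; the interface names, the .1 addresses,
# the WAN address and the 10.0.6.0/24 route via the VPN peer are assumptions.
ROUTES = [
    # (prefix,           interface, interface address, next hop or None if connected)
    ("0.0.0.0/0",        "WAN",  "50.0.0.2",      "50.0.0.1"),       # placeholder WAN IP
    ("172.16.120.0/30",  "MGMT", "172.16.120.1",  None),
    ("10.0.13.0/24",     "LAN",  "10.0.13.254",   None),
    ("10.0.60.0/24",     "OPT1", "10.0.60.1",     None),
    ("10.0.61.0/24",     "OPT2", "10.0.61.1",     None),
    ("10.0.62.0/24",     "OPT3", "10.0.62.1",     None),
    ("172.16.120.12/30", "VPN",  "172.16.120.13", None),
    ("10.0.6.0/24",      "VPN",  "172.16.120.13", "172.16.120.14"),  # assumed tunnel route
]

def lookup(dest, routes=ROUTES):
    """Longest-prefix match: return (interface, interface address, next hop)."""
    d = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, addr, nh in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, addr, nh)
    if best is None:
        raise ValueError(f"no route to {dest}")
    return best[1:]

def firewall_source(dest, routes=ROUTES):
    """Source address the firewall itself uses: the egress interface's own address."""
    iface, addr, _ = lookup(dest, routes)
    return iface, addr

def forwarded_packet(src, dest, routes=ROUTES):
    """Source seen by dest for a host behind the firewall: unchanged between local
    networks, translated to the WAN address only when the packet leaves via WAN."""
    iface, addr, _ = lookup(dest, routes)
    return iface, (addr if iface == "WAN" else src)

if __name__ == "__main__":
    print(firewall_source("10.0.6.159"))                 # ('VPN', '172.16.120.13')
    no_vpn_route = [r for r in ROUTES if r[3] != "172.16.120.14"]
    print(firewall_source("10.0.6.159", no_vpn_route))   # ('WAN', '50.0.0.2')
    print(forwarded_packet("10.0.60.20", "10.0.13.10"))  # ('LAN', '10.0.60.20')
    print(forwarded_packet("10.0.60.20", "1.1.1.1"))     # ('WAN', '50.0.0.2')
```

Dropping the tunnel route shows the failure mode worth checking when a VPN-side server is unreachable: without a more specific route, the firewall's own traffic falls to the default route and leaves from the WAN address.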
                johnpoz (LAYER 8 Global Moderator)

                  @jgraham5481 said in Default outbound interface:

                  it will always originate from 172.16.120

                  When what contacts it? pfSense? You have this server set up as an authentication server in pfSense.


                  jgraham5481

                    It gets weirder: I made the factory LAN 10.0.13.254/24 and made 172.16.120.1 another interface (basically flipped the drop-downs and adjusted the IPs, DHCP, etc.). Now when attempting to reach 10.0.6.159, it originates from the VPN /30 IP. So weird.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.